Skip to content

DPOC e-Newsletter

Facebook Youtube

Renew your membership to enjoy various privileges throughout the year!  Get entrance to Symposium on "Data Ethics in Action".

Act now to renew your membership.  Organisation members can enjoy 2 for 1 scheme upon renewal. Click below to find out more!


Renew now!

Flagship event of DPOC 2019-20 membership year

Corporations and industry leaders upholding a high standard of personal data protection will share their experience and wisdom on how their organisations put data ethical values into practice.  As privileged members of the DPOC, you are offered seats of this exclusive event, which will take place during the Privacy Awareness Week 2019. 

Enrol now!

“Grooving Privacy Evolution with Law Reform and Data Ethics” : Privacy Commissioner Delivered a Presentation in Panel Session “Reshaping Privacy Regulations – Compliance and Consequences” at 67th American Bar Association Antitrust Law Spring Meeting 2019 and Participated in International Hearings on “Competition and Consumer Protection in the 21st Century” by Federal Trade Commission in Washington DC, the United States
(7 April 2019)

Read media statement



Privacy Risks Associated with Fintech to be Addressed by Data Ethics Complementing Fair Enforcement : Privacy Commissioner Speaks to Banking Industry on Use of Personal Data in Digital Era (7 April 2019)

Read media statement



An Insurance Agent Convicted of Using Personal Data in Direct Marketing without Consent
(3 April 2019)

Read media statement


The Privacy Implications of Artificial Intelligence

AI technology can facilitate innovative application and  boost productivity, transform businesses and enhance the standard of living. However, the commercial development and adoption of AI raise a variety of ethical and privacy issues. The extensive and ubiquitous collection of personal data, together with unanticipated use and transfer of the data, has challenged data privacy frameworks around the world. This article illustrates the privacy challenges brought about by AI and explores the solution to tackle.

(This article is contributed by Mr Stephen Kai-yi WONG, the Privacy Commissioner for Personal Data to "Hong Kong Lawyer", the official journal of the Law Society of Hong Kong.)

Read the article

How privacy laws are changing to protect personal information

With the growing amount of personal data being created and exchanged, privacy laws are changing to address the real and perceived risks of harm resulting from the under- or unregulated data obtained.

Read more



The EU releases guidelines to encourage ethical AI development

The European Commission unveiled ethics guidelines that are designed to address the development of AI systems, listing seven requirements for trustworthy AI.

Read more

Half of Hong Kong consumers willing to give third parties access to their financial data to get higher returns and more-personalised services, Accenture Survey finds

According to Accenture’s research, which is based on a survey of more than 2,000 consumers in Hong Kong, 51 percent of respondents said they would be willing to securely share their data with a third-party provider if doing so would get them more-personalised services or tailored offers like a better mortgage rate or higher returns on savings and deposits.

Read more

Recent Court and Administrative Appeals Board Decisions
(24 May 2019)

This workshop (to be conducted by experienced lawyers from the PCPD) examines some recent decisions of the Hong Kong Court and Administrative Appeals Board in relation to the Personal Data (Privacy) Ordinance. There will be in-depth discussion and up-to-date knowledge on the interpretation of commonly used provisions of the Ordinance.

Enrol now!

Q: Why is a Privacy Impact Assessment (PIA) useful?

A: A PIA is useful in:

  • enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project
  • directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage
  • providing benchmarks for future privacy compliance audit and control
  • being a cost-effective way of reducing privacy risks
  • providing a credible source of information to allay any privacy concerns from the public and the stakeholders

Q: When should a PIA be undertaken?

A: A PIA should be undertaken by data users in both the public and the private sectors to manage the privacy risks arising from a project that involves:

  • processing (whether by the data user itself or by an agent appointed by the data user) or the building up of a massive amount of personal data;
  • the implementation of privacy-intrusive technologies that might affect a large number of individuals; or
  • a major change in the organisational practices that may result in expanding the amount and scope of personal data to be collected, processed, or shared.

Q: What are the key components that a PIA includes?

A: A PIA generally includes the following key components:

  • Data processing cycle analysis;
  • Privacy risks analysis;
  • Avoiding or mitigating privacy risks; and
  • PIA reporting.

Extended Reading:
Information Leaflet: Privacy Impact Assessments

Data Protection Principle 6 - Access to Personal Data

Data access request made by a Complainant on behalf of his son to a primary school

The Complaint

The Complainant on behalf of his son made a data access request (the DAR) to a primary school requesting copies of all the information pertaining to his son's application for admission to the primary school for two consecutive school years.

The primary school replied to the Complainant that it could provide the information relating to his son's application for only the current school year. As for the documents for the last school year, they had been destroyed in accordance with the school's usual practice. The Complainant suspected that the primary school had withheld the documents to which he was entitled, so he complained with the PCPD.

The Privacy Commissioner's investigation revealed that the primary school had destroyed all documents for the last school year at the time of receiving the DAR. It was discovered that the primary school had in its possession the total scores of the Complainant's son for the current year recorded in a Master Score Record (the Record). However, the primary school failed to provide the Complainant with the total scores of his son for the current school year. The primary school explained that it did not provide the Complainant with a copy of the Record because the Record also contained the names and scores of all applicants, not just the Complainant's son.


The Privacy Commissioner was of the view that the primary school had contravened section 19(1) of the Personal Data (Privacy) Ordinance by failing to provide the requested data contained in the Record on the ground that the primary school was obliged to provide the requested data contained in the Record to the Complainant by omitting other applicants' personal data under section 20(2)(b) of the Personal Data (Privacy) Ordinance.

Nevertheless, after the Privacy Commissioner had explained the requirements under 20(2)(b) of the Personal Data (Privacy) Ordinance to the primary school, it provided the Complainant with a copy of the Record with the personal data of other applicants edited out.

In view of the remedial action taken by the primary school, the Privacy Commissioner considered that the contravention had ceased and there was no likelihood of its repetition. In the circumstances, the Privacy Commissioner decided to put the primary school on warning, but not to serve an enforcement notice on the primary school in consequence of the investigation.

Extended Reading:

Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Securing Online Information

If your organisations collect / process / store personal data using IT, you should familiarise yourself with possible causes of data breach.

Learn more

Tips on Maintenance of Devices

Understand what precautions to take before handing over a device for repair/sale/disposal.


Learn more

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.