Protecting employees’ personal data privacy

Labour Day is just around the corner. It's time to register your appreciation of employees!

Employees are valuable asset of an organisation. Their personal data privacy deserves organisations' respect.
 
From recruitment to day-to-day operation, organisations need to collect and use different kinds of personal data of employees. To give practical guidelines to employers and human resource practitioners on the management of employment-related personal data, the Privacy Commissioner issued the Code of Practice on Human Resource Management (the Code).

The Code offers HR managers a set of guidelines for the management of employment-related activities concerning collection, holding, accuracy, use and security, and data subject access and correction in relation to the personal data of prospective, current and former employees. For smaller-sized companies without a specialised HRM department, the Code is also useful in terms of illustrating the compliance requirements of the Personal Data (Privacy) Ordinance.

The annual promotional campaign jointly held by the PCPD and members of the Asia Pacific Privacy Authorities, Privacy Awareness Week (PAW), will take place between 6 and 12 May 2019. Themed on Compliance with Privacy Law, Data Ethics in Action, PAW 2019 aims at encouraging organisations to put data ethics in action in order to gain their customers’ or stakeholders' trust in data protection. Various promotion and public education activities will be organised during this week.

Symposium on "Data Ethics in Action"

Corporations and industry leaders upholding a high standard of personal data protection will share their experience and wisdom on how their organisations put data ethical values into practice. As privileged members of the DPOC, you are offered seats of this exclusive event.

Date: 9 May 2019 (Thursday)
Time: 2:30 pm to 5:00 pm
Venue: United Conference Centre, 10/F, United Centre,   
            95 Queensway, Admiralty, Hong Kong
Language: Cantonese

Speakers:

- Mr Albert WONG Hak-keung (Chief Executive Officer, Hong Kong
  Science & Technology Parks Corporation)

- Ms Diana CESAR (Chief Executive, Hong Kong, The Hongkong and    
  Shanghai Banking Corporation Limited)

- Mr Sunny CHEUNG Yiu-tong (Chief Executive Officer, Octopus
  Holdings Limited)

The response has been overwhelming. Only a small number of  seats are available!

Radio Drama Series: Property Management Practices and Protection of Personal Data

Property management practitioners and members of owners’ corporations collect and use large amount of personal data. To enhance the culture of protecting and respecting personal data privacy in property management industry, a four-episode radio drama series titled “Privacy Club House” (私隱住客會所) will be broadcast between 7 and 10 May (8:30 – 9:30 am, 12:00 noon – 1:00 pm, and 6:30 – 8:00 pm) on Commercial Radio 881. The common wrongdoings in the context of property management with reference to the Personal Data (Privacy) Ordinance will be highlighted. 

The drama features renowned broadcasters playing the lead characters of the longest-running radio drama “18/F Block C” (十八樓C座).

Feature interviews with Privacy Commissioner for Personal Data 

On 7 and 8 May (between 7:00 to 10:00 am), two interviews between the Privacy Commissioner and veteran broadcaster Mr Stephen Chan (陳志雲) will be broadcast on the current affairs radio programme “On a Clear Day” (在晴朗的一天出發). Privacy Commissioner will talk about PCPD’s initiatives in the Privacy Awareness Week and other topical issues. Please stay tuned!

Have your own PAW 2019

We cordially invite you to organise your own PAW activities within your organisations. This is a great opportunity for you to make staff, clients and stakeholders aware of what you are doing to put privacy at the heart of your business.

Please share with us your initiatives! PCPD will recognise participating DPOC members by displaying their organisations' names on PCPD  website.

Renew your membership to enjoy various privileges throughout the year! 

Act now to renew your membership.  Organisation members can enjoy 2 for 1 scheme upon renewal. Click below to find out more!

Personal Data Privacy and CCTV System in Taxi

Contributed by the Privacy Commissioner to a local newspaper forum section, this article provides advice on how to use CCTV responsibly in public transport, and illustrates the requirements under the Personal Data (Privacy) Ordinance relating to the collection and proper handling of personal data.

Hong Kong Shopping Mall Membership Programmes Compliance Checks (25 April 2019)

Privacy Commissioner's Response to the Suspected Clandestine Video-shooting of Artistes inside Taxi (21 April 2019)

The ePrivacy regulation: the next European initiative in data protection

A new ePrivacy regulation in EU is on its way. The Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications is currently a draft under discussion.

A report found that majority of top mental health apps share user data with third-parties, but only 12% are clear about it in the privacy agreement

Reported by a recent study about smoking cessation and depression-centric mental health apps,  mental health data was flown to third parties. While many share information, only a few of the apps reported their practices in privacy agreements. The practice may imperil medical ethics and encroach on privacy law.

Data breaches exposed nearly 2.7 million morsels of personal information in Japan in 2018

According to Kyodo News survey, at least 2.68 million pieces of personal information held by over 100 Japanese entities were subject to unauthorised disclosures in 2018. The data disclosures were confirmed and revealed by 104 organisations or companies including hotel operators and universities.

Recent Court and Administrative Appeals Board Decisions
(24 May 2019) Limited seats available!

This workshop (to be conducted by experienced lawyers of the PCPD) examines some recent decisions of the Hong Kong Court and Administrative Appeals Board in relation to the Personal Data (Privacy) Ordinance. There will be in-depth discussion and up-to-date knowledge on the interpretation of commonly used provisions of the Ordinance.

Q: Which of the following is direct marketing?

A. You send a direct mail to an address or the "occupant" of an address
B. You approach your existing customers by telephone to offer upgrade services
C. Your salesperson knocks on the door of a potential customer to promote your products

The correct answer is B.
Direct Marketing refers to the offering, or advertising of the availability of goods, facilities or services or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, by sending information or goods, addressed to specific persons by name, by mail, fax, email or by making telephone calls to specific persons (e.g. your existing customers). Hence, "direct marketing" under the Personal Data (Privacy) Ordinance does not include unsolicited electronic messages sent to telephones, fax machines or email addresses without addressing specific persons by name and person-to-person calls being made to phone numbers randomly generated. 

Q: Your customer has provided his consent to you for the use of her personal data in marketing your cosmetics. You can …

A. promote all goods and services provided by your organisation
B. provide special offers from your agents, subsidiaries & contractors
C. send him promotional offers in relation to your cosmetics

The correct answer is C. The products or services that you intend to market must fall within the class of marketing subject that the data subject has consented to.

Q: What should you do when your customer said "I do not wish to receive further marketing calls from your organisation" in a marketing call?

A. Call the customer again after 6 months
B. Put him into your organisation’s opt-out list and make sure the updated list is made known to all colleagues C. Ask the customer to submit a written request to your organisation

The correct answer is B.
Your customers may at any time require your organisation to cease to use their personal data in direct marketing, irrespective of whether they have given an earlier consent to your organisation for such use. The Personal Data (Privacy) Ordinance does not stipulate the means by which an opt-out request has to be made. This may be done orally or in writing.

Extended Reading:
New Guidance on Direct Marketing

Data Protection Principle 1 - Purpose and manner of collection of personal data

Excessive collection of copies of Hong Kong Identity Card (“HKID Card”) of parents by a kindergarten

The Complaint

The complainant applied for admission to a kindergarten for her son. Apart from the application form, the complainant was requested to provide a copy of her HKID Card. The complainant queried the purpose of the kindergarten to collect a copy of her HKID Card.

The kindergarten explained to the Commissioner that a copy of the complainant’s HKID Card was needed for verifying the relationship between the applicant (the student) and the complainant who submitted the application. The copy of the complainant’s HKID Card also facilitated the kindergarten to issue the “student pick-up card” for the parent/ guardian designated to pick up the student from school.

Outcome

Given that HKID Card number is sensitive personal data, data user should not collect a copy of HKID Card lightly without genuine need or justification.

For the purpose of simply verifying the relationship between the applicant and his parent/ guardian, the kindergarten could ask the parent/ guardian to present his HKID Card when submitting the application in person or when attending the school interview. The kindergarten could then verify the name on the HKID Card against the names of the parents recorded on the birth certificate of the applicant or any other relevant legal document. Based on the verification result, the kindergarten could issue the “student pick-up card” accordingly. If the kindergarten doubted the identity of the person who came to pick up a student, it might ask that person to present his HKID Card and verify his name against the record.

The Commissioner was of the view that the collection of copies of HKID Card of the parents/ guardians was excessive and in breach of DPP1(1).

After our intervention, the kindergarten agreed to stop collecting copies of HKID card of the parents/ guardians, and to destroy all copies of HKID Card previously collected.

"Privacy Management Programme: A Best Practice Guide" (Revised in 2018) 

Embrace personal data protection as part of your corporate governance. Have a look at the revised best practice guide of Privacy Management Programme here.

Online Training Platform

This one-stop portal is convenient for data users in different work contexts to get familiar with the requirements under the Personal Data (Privacy) Ordinance.

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.