Skip to content

DPOC e-Newsletter

Facebook Youtube

Privacy Commissioner Mr Stephen Wong delivered a presentation on "Data protection in the digital age" at the International Symposium on Data Governance and Emerging Technologies in Hangzhou, China (18 May 2019)


Read more

Privacy Commissioner co-hosts GPEN Enforcement Practitioners’ Workshop to strengthen international collaboration and experience sharing in personal data protection (25 May 2019)

Read the statement

Direct marketing offence admitted: Auction company and bank fined (21 and 27 May 2019)

Read 27 May's statement


Read 21 May's statement



Professional Workshop on Privacy Management Programme
(4 June 2019)

The recent incidents of massive data breach revealed the importance for organisations to adopt holistic and encompassing Privacy Management Programme to ensure that robust privacy policies and procedures are in place. This workshop will guide you through the key features of "Privacy Management Programme – A Best Practice Guide". Participants will be able to understand the  fundamentals and components of a Privacy Management Programme and how to maintain and improve it on an ongoing basis.

Enrol now!

Professional Workshop on Data Protection in Insurance
(25 June 2019)

Insurance practitioners handle a large amount of customers' personal data in their daily work. The workshop would talk about what insurance practitioners should do to protect customers' personal data when providing insurance services to them. Core concepts of data protection compliance illustrated by specific scenarios such as collection of customers’ medical data, engagement of private investigators in insurance claims and use of customers’ data for internal training, etc. will be examined.

Enrol now!

Data Protection & Business Facilitation - Guiding Principles for Small and Medium Enterprises

As small and medium enterprises (SME) may not have their own legal and compliance departments, they risk breaching the requirements of the Personal Data (Privacy) Ordinance arising from inadequate knowledge of the Ordinance. The publication provides specific examples and practical advice to help SME understand and comply with the Ordinance.

Read publication

More than 14,000 data breach reports received by UK watchdog

More than 14,000 data breaches have been logged in the UK alone during the first year since the introduction of GDPR, four times more than those logged from April 2017-18.

Read more

Face recognition mulled for Macau casino ops

The Macau government announced that it planned to install up to 1,600 video surveillance cameras. Of those, 200 cameras would be equipped with facial recognition technology.

Read more

46 percent of organisations consider taking personal data out of the cloud

A new study finds that 46 percent of organisations which store customer personally identifiable information in the cloud are considering moving it back on premises due to data security concerns. 33 percent of respondents that store all their sensitive data in the cloud experienced security incidents during the preceding 12 months.

Read more

Canada seeks to reform competition and privacy rules in Digital Charter

The Canadian government is now advocating the reforms to Canada's competition and privacy legislation as part of a suite of measures to rebuild a "foundation of trust" between Canadians and the digital world, with clear, meaningful penalties for violations of the laws and regulations that support the 10 priniciples laid out in the Digital Charter.

Read more

Penalty scheme for privacy offenses out this year - The National Privacy Commission

The National Privacy Commission is aiming to finalise a scheme before yearend to regulate penalty fees for entities violating data privacy rights and policies. Some of the infractions are unauthorised processing of personal data, unauthorised purpose of data collection and direct violation of commission policies and circulars.

Read more

Q: What are the privacy risks of using portable storage devices (PSDs)?

A: The use of PSDs means that large amounts of personal data can be quickly and easily copied to or retrieved from such devices. If such PSDs are lost or stolen, unauthorised or accidental access or use of those stored personal data may result. In extreme cases, even personal data contained in files already deleted or previously stored on reformatted PSDs could be recovered.

Q: What are the areas that a risk assessment should look into for formulating the policy associated with the use of PSDs?

A: The risk assessment should at least look into the following areas:

(a) What types of PSDs are used to store personal data?

(b) What kinds of personal data are stored on PSDs and what are their sensitivity to the persons involved?

(c) Under what circumstances and how often are PSDs used for the storage of personal data?

(d) What is the likely impact on data subjects if a data breach incident involving PSDs occurs?

(e) Are there any controls, administrative or technical, in place for the use of PSDs?

Extended Reading:
Guidance on the Use of Portable Storage Devices

Data Protection Principle 4 - Security of personal data

A law firm sent a letter about a data subject's private affairs to a general email address of the data subject's workplace, resulting in disclosing the letter to a third party

The Complaint

A law firm, acting on behalf of the complainant's husband, sent a letter regarding the complainant's divorce, which was underway, to a general email address of her workplace.

According to the law firm, it initially sent the letter to the complainant's personal email address but received no response. It subsequently sent the letter to the general email address of the complainant's office, which was obtained from the Internet. It clearly marked "Private and Confidential" in the subject heading of the email. Being unable to confirm other means of contact of the complainant from the information provided by her husband, the law firm had not contacted the complainant to ascertain whether she would personally check the emails received through the general email address of her office before sending the email to her. The law firm explained that it sent the letter to the complainant through the general email address of her office in the hope of getting her prompt response.


If the law firm needed to send the letter containing intimate data to the general email address of the complainant's office, it should have ascertained in advance if the complainant personally check the emails received via that office email address, or send the letter encrypted. The PCPD considered that the law firm had failed to take all practicable steps to ensure that the complainant's personal data was protected against unauthorised or accidental access, and hence was in breach of Data Protection Principle 4.

After the PCPD's intervention, the law firm undertook that when they had to deliver documents containing personal data or sensitive information to others under similar circumstances in future, they would communicate with the recipient in advance or encrypt the message.


Secure Socket Layer (SSL)

Make good use of SSL to protect online information.

Learn more

Motion Graphic Video – 6 Data Protection Principles

Understanding how the 6 Data Protection Principles represent the core of the Personal Data (Privacy) Ordinance covering the life cycle of a piece of personal data.

Learn more

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.