(28 July 2015) At the media briefing today, the Office of the Privacy Commissioner for Personal Data (the "PCPD") released the report on a survey of the administration of 10 commonly-used public registers maintained by the Government, namely, Bankruptcy register, Births register, Business register, Companies register, Land registers, Marriage register, Register of notice of intended marriage, SFC register of licensed persons, Register of vehicles and Registers of electors. The protection of personal data contained in these registers was examined with reference to the guidelines formulated by the Government in 2000 (the "Guidelines").
2. Public registers contain personal data which can be made available for public access. They are subject to protection under the Personal Data (Privacy) Ordinance (the "Ordinance"), in particular, Data Protection Principle 3. Specifically, the personal data collected from a public register can be used only for purposes in line with or directly related to the purpose of setting up the public register, unless the explicit and voluntary consent of the data subject is obtained.
3. The Privacy Commissioner for Personal Data, Mr Allan Chiang, commented, "Personal data in the public registers, if used indiscriminately or without appropriate safeguards, would attract privacy risks, thus jeopardising the interests of the data subjects."
4. "For example, the unfettered access to the companies, land, and vehicles registers would put sensitive data such as Hong Kong identity card numbers, full residential addresses and signatures at stake. If the data was exploited by persons with malicious intent, the data subject would suffer the risks of financial loss, identity theft and personal safety (through stalking and surveillance)."
5. "In addition, there are risks of 'function creep', where data collected for one purpose is gradually used for other purposes such as direct marketing or data mining to which the individual has not consented. Further, information and communication technologies enable aggregation, matching and further processing of data in the public domain, thus creating profiles about people without their knowledge or consent. Such activities greatly increase their vulnerability to a variety of dangers, for example, human flesh search followed by cyber-bullying, and making decision and inferences about the individuals in ways that are unfair and discriminatory."
6. The survey concluded that compliance with the Guidelines in a number of areas was not satisfactory, with the following issues identified:-
7. The PCPD has forwarded the report to the relevant Government bureaux and departments, with recommendations on compliance with the Guidelines.
8. Mr Chiang remarked, "Public registers serve legitimate purposes in making data publicly accessible. At the same time, they also provide a rich source of personal data which is subject to the risks of commercial exploitation and fraudulent use. Against this backdrop, the Government has an important leadership role to play in safeguarding the data, particularly as it is collected from the citizens on a mandatory basis. The Guidelines it has formulated in 2000 for protecting personal data contained in public registers remain current and relevant. It is imperative for the Government bureaux and departments operating public registers to follow the Guidelines religiously. This responsibility is all the more important in the modern era of "Big Data" when advances in technologies have aggravated the attendant privacy risks."
9. "We hope that the Government will give due considerations to our recommendations and take appropriate follow-up action not just for the 10 public registers reviewed but all other public registers under its control."
10. "Meanwhile, we can only rely on the Ordinance to deter misuse of personal data in the public registers. This is far from satisfactory. First, without clear and explicit legislative specification of the purposes of the registers, we will continue to face legal uncertainties and challenges in our enforcement work.1 Further, the sanctions for misuse of personal data generally available in the Ordinance may not be strong enough to do full justice to the wrongful use of the very sensitive personal data contained in the registers."
Read the Survey Report online:
www.pcpd.org.hk/english/resources_centre/publications/surveys/files/survey_public_registers.pdf Read the Executive Summary online:
www.pcpd.org.hk/english/resources_centre/publications/surveys/files/survey_public_registers_summary_e.pdf
-END-
1 For example, PCPD's enforcement taken in 2013 against the compilation of an online index linking names with identification document numbers was criticised by some sectors (see PCPD's media releases dated 15 February 2013 and 16 February 2013 at
www.pcpd.org.hk/english/news_events/media_statements/press_20130215.html
www.pcpd.org.hk/english/news_events/media_statements/press_20130216.html)
PCPD's investigation in 2013 in relation to a mobile app "Do No Evil" which enabled search for target individuals' litigation and bankruptcy data by general consumers also aroused a lot of controversy (see PCPD's media statement on the investigation at www.pcpd.org.hk/english/news_events/media_statements/press_20130813.html). More recently, PCPD's enforcement notice against a website which re-identified the parties of matrimonial proceedings by name based on records of court judgement from the Judiciary (which are anonymised) was challenged by the website operator in the Administrative Appeal Board hearing and a Board decision is awaited.