The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG, today released the “2018 Study Report on Implementation of Privacy Management Programme by Data Users”.
During the period between October and November 2018, the Privacy Commissioner examined 26 organisations from different sectors (including insurance, finance, telecommunications, public utilities and transportation) to understand how they implement a Privacy Management Programme (PMP) within their organisations. The examination was part of the global Privacy Sweep exercise of the Global Privacy Enforcement Network. This is the sixth consecutive year in which the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has participated in the Privacy Sweep. The theme of the Privacy Sweep 2018 is “Privacy Accountability”. Eighteen privacy enforcement authorities from around the world, including the PCPD, participated in the Sweep exercise. The exercise aimed to assess how well organisations have implemented the accountability principle through a PMP and their ability to manage privacy risk in all business processes. These organisations were selected because of their size and the vast amount of personal data they hold.
The findings show that, although the accountability principle is not a legal requirement, the performance of the participating Hong Kong organisations in implementing a voluntary PMP is satisfactory. In particular:
- All participating organisations have an internal data privacy policy, and that policy has been embedded into their everyday practices;
- Over 90% of the participating organisations have designated personnel at a sufficiently senior level responsible for privacy governance; and
- 96% of the participating organisations ensure that their staff members are given comprehensive training so that they understand organisational privacy policies, procedures and best practices.
The findings reflect that the participating organisations give weight to personal data privacy protection and are willing to commit resources to this area. Nevertheless, the report reveals that nearly 40% of the participating organisations have room to improve their procedures for notifying affected individuals and reporting to the regulatory authorities in the event of a data breach, and close to 20% of the participating organisations had yet to improve their personal data inventories.
The Privacy Commissioner said, “Organisations have to accept that personal data that they hold belongs to the customers. Customers provide their personal data to organisations based on a relationship of trust. Therefore, organisations are responsible for handling personal data in accordance with three Data Stewardship Values, namely being respectful, beneficial and fair, in order to meet customers’ expectations.” This year’s Privacy Sweep echoes the research report of the "Legitimacy of Data Processing Project", titled "Ethical Accountability Framework for Hong Kong, China", which was released by the PCPD in October last year. That report advocated the above-mentioned three Data Stewardship Values, which resonate with the goals of privacy accountability.
To assist organisations in complying with the requirements of the Personal Data (Privacy) Ordinance (the Ordinance) and in fostering fairness, respect and benefit in their relationships with customers and employees, the Privacy Commissioner makes the following recommendations to organisations implementing a PMP:
- Provide adequate data protection training: organisations should ensure that their staff members understand the requirements under the Ordinance and observe the organisation’s policy on personal data handling. If the organisation’s personal data handling policy or the Ordinance is amended, the organisation should notify its staff immediately.
- Conduct regular audits: conduct regular audits to ensure that the organisation’s policies and practices comply with the Ordinance and to identify any room for improvement.
- Handle data breach incidents: devise written procedures covering the factors to be considered, and the mechanism and practice to follow, when assessing whether a data breach notification should be given to affected individuals and regulatory bodies.
- Maintain a comprehensive personal data inventory: each department of an organisation should prepare its own inventory of the personal data it holds.
- Maintain a record of data flows: recording data flows makes it easier for organisations to check and retrieve relevant information when needed in future.
The Privacy Commissioner advocates that organisations should develop their own PMP, embrace personal data protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting from the boardroom. The Privacy Commissioner emphasises that organisations today should ditch the mindset of conducting their operations merely to meet the minimum regulatory requirements. They should instead hold themselves to a higher ethical standard and adopt the PMP as a strategic framework to help them build a robust privacy infrastructure, supported by an effective ongoing review and monitoring process, that facilitates compliance with the requirements under the Ordinance.