Date: 7 November 2019
Response to an enquiry on privacy issues arising from recent political movement
Thank you very much for your email enquiry. Our consolidated response from the perspective of personal data privacy follows:
Answer to Q1 & Q6
-
The Personal Data (Privacy) Ordinance (the Ordinance) was enacted to protect living individuals’ privacy in relation to personal data only.
-
According to the Ordinance, personal data is defined as any data relating directly or indirectly to a living individual; from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable.
-
The Ordinance applies to data user who controls the collection, holding, processing, retention and uses of personal data. Data users should comply with all the data protection principles under the Ordinance and observe other requirements set out in other provisions of the Ordinance.
-
As an independent regulator for protecting personal data privacy, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) is responsible for monitoring data users’ compliance with the requirements of the Ordinance. If a person suspects that his privacy rights relating to personal data are infringed, he may complain to the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD). Upon receipt of the complaint, the PCPD will take appropriate follow-up action. If there is a prima facie case, the PCPD may initiate an investigation to determine if there is contravention of the Ordinance.
-
Personal data privacy right is not absolute. It has to be balanced by other considerations such as public interest, public safety, public order and security. Further, the Ordinance provides statutory exemptions which data users may trigger in circumstances under which the application of certain data protection principles and provisions of the Ordinance may be exempted. Such exemptions include the prevention or detection of crime, the apprehension, prosecution or detention of offenders.
Answer to Q2:
-
To determine whether a particular piece of personal information constitutes “personal data” under the Ordinance, one has to take into account the totality of the circumstances, including but not limited to whether it is practicable for the identity of the individual to be directly or indirectly ascertained. If and only if the IP address, when read together with other information, may ascertain the identity of a living individual, it constitutes “personal data” under the Ordinance.
-
The Ordinance is a technology-neutral and principle-based legislation. This provides room for continued applicability of the Ordinance against changes in time. That being said, the Government is reviewing the Ordinance with the PCPD in the meantime.
Answer to Q3:
-
The Ordinance regulates all data users, including government departments and law enforcement agencies, in complying with the requirements of the Data Protection Principles of the Ordinance when collecting, holding, processing and using personal data.
-
There are provisions of exemption regarding use of personal data under the Ordinance, such as for crime prevention or detection, requirement or authorisation by law or court order. An exemption is a defence for a data user to avoid liability when he/she fails to comply with certain compliance requirements under the Ordinance. Data users should not routinely rely on exemptions but should consider them on a case-by-case basis.
Answer to Q4 and Q5:
-
The PCPD strives to protect personal data privacy rights as basic human rights, and advocates a balance between the convenience and economic benefits brought about by free flow of information and the protection of personal data privacy. Personal data privacy and freedom of information may conflict and complement with each other. A balance needs to be drawn.
-
The PCPD takes the view that the recent controversies and public concern about the Smart Lamppost initiative are attributable to the lack of trust towards the initiative. Despite the initiative’s good intentions, the public is reluctant to recognise its merits and focuses overwhelmingly on its potential personal data privacy issues. The PCPD believes that openness and transparency, which are also major pillars of data privacy protection that we advocate, should be prioritised for the implementation and promotion of the Smart Lamppost going forward. Openness and transparency will help address public queries about smart lampposts and understand the purpose and scope of the plan, thus enhancing trust in the initiative. With the openness and transparency principles, the multi-functional smart lampposts scheme will bring convenience to the public and will eventually be accepted and understood by the public.
-
As a member of the Multi-functional Smart Lampposts Technical Advisory Ad Hoc Committee, the Privacy Commissioner will, together with other committee members, examine personal privacy protection and related information security technology issues relating to the operation of multi-functional smart lampposts, and recommend measures to address concerns in individual smart lamppost applications.