1. It is noted that the Discussion Paper (CB(4)1124/15-16(01)) does not specifically mention about the collection of passengers’ personal data. Nevertheless, if the mobile apps or other technologies adopted in the proposed scheme shall involve the collection of the personal data, the relevant data user (e.g. franchise taxi operators) must comply with the requirements under the Personal Data (Privacy) Ordinance (“Ordinance”) including the six Data Protection Principles (“DPPs”) which regulate organisations (as the “data users”) engaging in the collection, holding, processing and use of personal data.
In the present context, DPP1 and 3 in Schedule 1 of the Ordinance will be of particular relevance. The taxi operators shall ensure that the personal data, being necessary and not excessive, must be collected in a lawful and fair way, for a purpose directly related to its function/activity. They are also required to notify the data subjects of the purposes of collection and the classes of persons to whom the data will be transferred. (DPP1)
Secondly, if a taxi operator wishes to use (or disclose/transfer) the personal data that it held, it is required to comply with DPP3, which provides that unless (i) with the voluntary and explicit consent of the passengers/ drivers, or (ii) any exemption under Part 8 of the Ordinance applies, personal data shall not be used for a purpose other than the purpose for which the data is collected or for a directly related purpose (e.g. for service booking).
Under section 58(1)(a) and (2) in Part 8 of the Ordinance, personal data disclosed for the purposes of crime prevention or detection etc. will be exempted from the requirements under DPP3 if the non-disclosure would be likely to prejudice such purposes.
It is important to assess the possible impact upon personal data privacy that may arise from a new proposal. If it is possible to identify the individual drivers or passengers, there is a risk of building the travel profile of an individual and that individual may be tracked or monitored through the collection, storage and aggregation of the relevant data. The idea put forward is still at preliminary stage. The PCPD suggests that a Privacy Risk Assessment (“PIA”) should be conducted by the relevant government department to identify potential risks involved which affects personal data privacy of the general public.
Ultimately, it would be a balancing exercise as to whether the public interests involved shall outweigh personal data privacy protection of individuals. In putting forward proposals, government departments or bureaux are urged to consider less privacy intrusive alternatives.
2. In circumstances where the personal data held by the taxi operators is disclosed to the Government (or the relevant law enforcement agencies), the latter shall become a data user, and is therefore required to comply with the requirements under the Ordinance. It is important to ensure that the data collected shall not be further aggregated or used for purposes that are not directly related to the original collection purpose.
3. Please refer to the last two paragraphs in Answer 1.
The PCPD has revised the “Privacy Guidelines: Monitoring and Personal Data Privacy at Work” in April 2016 that provide guidance to employers on the steps they can take in assessing whether employee monitoring is appropriate for their business, and where it is deemed appropriate, how they can develop privacy compliant practices in the management of personal data obtained from employee monitoring.
The “Best Practice Guide for Mobile App Development” was also issued in November 2014 that aims to provide comprehensive step-by-step practical guidance to those who are in the mobile applications development business. It also outlines what areas to pay attention to when developing apps in order to earn trust from customers through respecting their personal data privacy.
For further information, please visit our website at www.PCPD.org.hk.
(The above reply can be attributed to Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong)