Date: 8 August 2019
Response to media enquiry on Cathay Pacific Airways’s installation or using CCTV monitoring system on planes
Thank you very much for your enquiry. Our response is as follows:
-
The Personal Data (Privacy) Ordinance (Ordinance) does not prohibit installing or using CCTV monitoring system.
-
In general, if it is not possible for one to ascertain the identity of a person in a video footage, or if it is only a real-time monitoring without recording involved, then the CCTV monitoring would not amount to “collection of personal data” as defined under the Ordinance and the matter concerned will fall outside the jurisdiction of the Ordinance.
-
If the purpose of the installation is to collect or compile information about identified persons, the airline (as data user) must comply with the provisions of the Ordinance and the Data Protection Principles (DPPs), in particular:-
-
Data users should only collect personal data where it is necessary for a lawful purpose directly related to the function or activity of the data users, and that the data collected shall be adequate but not excessive. Data users should also take all practical steps to notify the data subjects (including the passengers) of the fact that the recording function of the on board cameras has been activated, the purpose of data collection (e.g. for security or to monitor any illegal act(s) committed on board), and the classes of persons to whom the data may be transferred, etc.[1];
-
Personal data collected should not be kept longer than is necessary to fulfil the related purpose[2], and should be deleted as soon as practicable once the purpose of collection is fulfilled[3] (e.g. the recorded images captured by the CCTV for security purpose should be securely deleted regularly if no incident of security concern is discovered or reported);
-
Data users need to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use[4]; and
-
Personal data collected shall only be used (including disclosure and transfer) for the purposes for which it was collected or for a directly related purpose (e.g. security), unless voluntary and explicit consent with a new purpose is obtained from the data subjects[5], or when any applicable exemptions under the Ordinance apply (e.g. the use of the data is for crime prevention or detection).
-
The Privacy Commissioner has earlier published “Guidance on CCTV Surveillance and Use of Drones”, offering advices to organisations on whether CCTV should be used and how to use CCTV responsibly.
-
Regarding your enquiry on whether Cathay’s updated privacy policy has fulfilled the requirement stated in the Enforcement Notice (EN) issued on 6 June 2019, we would draw your attention to some of the directions which the Privacy Commissioner had made in the EN, as depicted under paragraph 100 of the Data Breach Incident Investigation Report (R19-15281), that:
-
The EN directed Cathay to provide documentary proof within six months from the date of the EN, or forthwith where remedial actions had been taken earlier, showing that a clear data retention policy has been devised to specify the retention period(s) of passengers’ data stored in each and every system, which is no longer than is necessary for the fulfilment of the purpose.
-
We would closely monitor Cathay’s compliance with the EN and would refrain from commenting further at this stage.
[1] DPP1 – Data Collection Principle
[2] DPP2(2) – Retention Principle
[3] Section 26 of the Ordinance
[4] DPP4 – Data Security Principle
[5] DPP3 – Data Use Principle