Media Statement - Upward Trend in Privacy Complaints Sees Need for Personal Data Protection and Respect amongst Individuals and Organisations

Date: 26 January 2016

(26 January 2016) The Office of the Privacy Commissioner for Personal Data ("PCPD") received a record number of complaints in 2015. There was a rising trend in the number of enquiries and complaints in relation to the use of information and communications technology ("ICT"). A number of data leakage incidents occurred during the year, amounting to a contravention of the data security principle.

2. Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data ("Commissioner") briefed today (26 January 2016) the major work accomplished by the PCPD in 2015, “Privacy complaints reach a record high in 2015, indicating an increase in public awareness on personal data privacy protection. The rapid development of ICT, the use of big data and cloud computing will further change the ways that individuals’ personal data is collected, retained and used. The recent data leakage incidents involve voluminous personal data and are largely attributed to the internet security issues. I appeal to all businesses and organisations to ensure the proper handling and disposal of personal data collected, and to take all practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.”

3. Mr Wong continued, “Hong Kong was the first jurisdiction in Asia to have a dedicated piece of legislation on personal data privacy 20 years ago. To maintain as an international business centre with free flow of information, Hong Kong should keep up with the development and changes in the privacy landscape with a view to bringing our data protection policies and regulations up to date, as well as striking the right balance. Comparative researches and analyses will be our priorities in 2016 considering also the fact that the European Commission has agreed on a comprehensive data protection reform on 15 December 2015 to introduce the General Data Protection Regulation for strengthening the online privacy rights in the digital age. We will closely monitor the progress, and maintain close liaison with overseas privacy enforcement authorities.”

4. The highlights of the PCPD's achievements in 2015 are outlined as follows:

Enquiries
5. In 2015, the PCPD received a total of 18,456 enquiries, representing an increase of 7% as compared with 17,328 enquiries in 2014. They were mainly concerned with data access requests (14%), employment (12.7%), use of personal data in direct marketing (11.9%), and collection / use of Hong Kong identity card numbers or copies (6.5%).

6. There was an increase of 18.8% in internet related enquiries from 611 cases in 2014 to 726 cases in 2015, mainly relating to cyber-profiling, mobile apps and cyber-bullying.

Complaints
7. During the same year, the PCPD received a record high of 1,971 complaints, which represented an increase of 16% as compared with 1,702 complaints in 2014.

8. Of the complaints received, 74% were made against the private sector (1,461 cases), 11% against the public sector / government departments (210 cases) and 15% against individuals (300 cases).

9. Among the private sector organisations, the financial sector received the most complaints (390 cases), followed by property management (156 cases) and telecommunications (115 cases).

10. Regarding the nature of the complaints, 40% related to the use of personal data without the consent of data subjects (786 cases), 37% to the purpose and manner of data collection (722 cases), 13% to data security (252 cases) and 8% to data access/correction requests (156 cases).

Use of Information and Communications Technology ("ICT")
11. Over the past few years, the PCPD has seen an upward trend in ICT-related privacy complaints, and received a record high of 241 complaints in 2015, representing an increase of 17%, as compared with 206 cases in 2014.

12. Common privacy disputes arose from the use of mobile apps and social networking websites (161 cases), the disclosure or leakage of personal data on the Internet (85 cases), and cyber-bullying (22 cases).

Electioneering
13. A total of 115 electioneering-related complaints were received, the majority (106 cases) of which related to the 2015 District Councils Election registered in the fourth quarter of 2015. Most of the complainants objected to their personal data having been used in electioneering activities without their consent.

14. The PCPD updated its Guidance Note on Electioneering Activities in August 2015 to provide candidates and their election agents with practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance ("the Ordinance").

Compliance Checks and Self-initiated Investigations
15. 98 data breach incidents affecting 871,000 Hong Kong individuals were reported to the PCPD in 2015, as compared with 70 incidents involving 47,000 individuals in 2014. These incidents involved the loss of documents, hacking, inadvertent disclosure of personal data by fax, email or post, and system failure.

16. The PCPD completed 284 compliance checks and 76 self-initiated investigations in 2015, as compared with 217 checks and 102 investigations in 2014.

Inspection
17. During the year, the PCPD conducted an inspection of a travel operator in view of the vast amount of travellers’ personal data it collected and retained. The purpose of the inspection was to assist the Commissioner in making recommendations to the travel industry with a view to promoting compliance with the provisions of the Ordinance.

Investigation Reports

18. The Commissioner published two investigation reports in 2015 (five in 2014). These reports covered:

  1. 59 “blind” recruitment advertisements ("Blind Ads") placed in major advertising platforms soliciting personal data of job applicants but without revealing the employers’ identities; and
  2. Excessive and unfair collection of fingerprint data by a fashion trading company for safeguarding office security and monitoring staff attendance.

19. The investigations into Blind Ads were a continuation of a similar operation in 2014. The Commissioner was pleased to find that the recruitment media have played an instrumental role in reducing the number of Blind Ads (from 3.45% (311 cases) in the 2014 survey to 0.46% (59 cases) in the 2015 survey) and commended them in the report accordingly.

 

Enforcement Action
20. In 2015, the PCPD issued 17 warnings and 67 enforcement notices to organisations, as compared with 20 warnings and 90 enforcement notices in 2014. The number of enforcement notices served in connection with the investigation of Blind Ads dropped from 69 in 2014 to 57 in 2015.

Prosecution
21. During the same period, 30 cases were referred to Police for criminal investigation and prosecution (20 in 2014), of which 28 cases related to contraventions involving the use of personal data in direct marketing (17 in 2014).

22. The total number of prosecutions in 2015 was six (one in 2014). A case relating to contraventions involving the use of personal data in direct marketing, as well as another one relating to the disclosure of personal data of a data subject which was obtained from a data user without the data user’s consent, are now under trial.

Direct Marketing
23. In 2015, the PCPD received a total of 2,201 direct marketing related enquiries (2,385 in 2014). On the other hand, 322 direct marketing related complaints were received last year, which represented an increase of 16% as compared with 277 cases in 2014.

24. Since the penalty level of the offence was raised under the revised direct marketing regulatory regime which took effect on 1 April 2013 under the Personal Data (Privacy) (Amendment) Ordinance, as of 31 December 2015, a total of 53 cases were referred to Police for criminal investigation and prosecution. There were four convictions in 2015:

  1. First conviction case (September 2015): A telecommunications service provider failed to comply with customer’s opt out request to cease using his personal data in direct marketing. Fined HK$30,000.
  2. Second conviction case (September 2015): A storage service provider used the personal data of a customer in direct marketing without taking specified actions and obtaining his consent. Fined HK$10,000.
  3. Third conviction case (November 2015): A body check service company failed to comply with customer’s opt out request to cease using his personal data in direct marketing. Fined HK$10,000.
  4. Fourth conviction case (December 2015): A person provided personal data, which was obtained in a social function, to a third party for use in direct marketing without taking specified actions and obtaining consent. Fined HK$5,000.

Legal Assistance Scheme
25. The Legal Assistance Scheme commenced on 1 April 2013. Under the scheme, the PCPD may provide assistance to a person who has suffered damage by reason of a contravention under the Ordinance by a data user and intends to institute proceedings to seek compensation from the relevant data user. The PCPD received 16 new applications for legal assistance in 2015. Together with three applications brought forward from 2014, the PCPD handled 19 applications in 2015. Of these applications, nine were rejected, four were withdrawn by the applicants and six are being considered. Legal proceedings are expected to commence in respect of one approved case brought forward from 2014.

Promotion and Public Education
26. During the year, a total of 20 large-scale promotional and education activities were organised to cater for the various needs of the individuals (including students) and organisations, reaching over 260,000 participants, and representing an increase of more than 80% as compared with 2014’s figure. 276 workshops, seminars and talks on specialised topics were conducted engaging a broad range of stakeholders, with a total of 18,700 participants (increased by 26% from 2014) from over 450 organisations.

27. The PCPD also made use of the online training platform to help stakeholders be familiar with how to interpret and apply the Ordinance in a cost-effective manner. Apart from a module dedicated for the small and medium sized enterprises, three ICT-related courses were also launched in the fourth quarter of 2015.

28. A major strategic focus of the PCPD in 2015 was promoting and ensuring the compliance with the provisions of the Ordinance by stakeholders in the mobile apps industry. In January 2015, the PCPD launched a privacy awareness campaign with the theme “Developing Mobile Apps: Privacy Matters”. The campaign was co-organised by 10 leading trade associations and supported by 10 professional and academic institutions in the field of ICT. 13 activities were held in 2015 reaching more than 2,400 participants. In addition, the PCPD organised the International Conference on Big Data from a Privacy Perspective in June 2015, attracting over 250 professionals across the globe to attend.

29. A survey of public attitudes on personal data privacy revealed that awareness of privacy rights of individuals and public trust in the PCPD were generally high. A new TV Announcement in the Public Interest entitled “Stay Smart. Mind Your Digital Footprint” was launched at the end of November, calling on members of the public to go online vigilantly, with intent to nourish a culture of protecting their own and respecting others’ personal data. The website pcpd.org.hk has become an important channel for the PCPD to reach out to the community with its growing wealth of data protection information. The website won the Silver Award (Website Stream) in the Web Accessibility Recognition Scheme 2015 and the “Government Standard of Excellence” in 2015 Web Awards for Outstanding Achievement in Web Development.

30. The PCPD issued 18 guidance notes and information leaflets in 2015 covering a wide range of topics such as children’s online privacy, mobile apps development, using social networking and smartphone, and cloud computing.

Major Incidents in 2015

Data Leakage Incidents
The PCPD initiated investigations into some major data leakage incidents in 2015, including:

31. Contactless Credit Cards

The PCPD initiated investigations into the possible personal data leakage involving the contactless credit cards issued by a number of banks in November 2015.

32. Websites and Computer Networks
  1. Data leakage incident of VTech Learning Lodge –
    This data leakage incident appeared to have disclosed data of 5 million parents and over 6.6 million related children’s profiles worldwide. The PCPD initiated a formal investigation into this incident as the company is Hong Kong based. The incident involved a large number of persons and it included children’s personal data. In accordance with the international practice and cooperation arrangement, the PCPD has kept privacy enforcement authorities in other jurisdictions informed of the progress.
  2. Security Vulnerability of SanrioTown Website –
    Sanrio Digital (HK) Limited, a Hong Kong company that operates the SanrioTown website, announced in December 2015 that the personal data (credit card or other payment information is not included) of up to 3.3 million members of SanrioTown website could have been publicly accessible owing to a security vulnerability. The PCPD initiated a formal investigation into this incident.
  3. Malware detected in the electronic payment system of Hyatt Hotels Corporation ("Hyatt") –
    Hyatt Hotels Corporation, headquartered in Chicago of the United States, notified the PCPD about this data breach incident in late December 2015. Hyatt found malware that targeted payment card data used at Hyatt-managed locations worldwide, including the three hotels located in Hong Kong. The PCPD commenced a compliance check on this incident as it involved the credit card information of individuals and companies in Hong Kong.


Children’s Privacy
33. In 2015, the PCPD expressed concerns about the incident of the alleged unconsented uploading of video clips of secondary school students online, as it involved youngsters and their rights to privacy in the cyber world. The PCPD undertook a formal investigation into the complaints and is in the process of screening and drafting of the report.

34. Results of a study, which was published in May 2015, revealed a lack of knowledge and awareness on children’s privacy among parents and teachers. The PCPD published the “Children Online Privacy – Practical Tips for Parents and Teachers” leaflet, and revamped the “Children Privacy” thematic website (www.pcpd.org.hk/childrenprivacy) in December.

35. In December 2015, the PCPD announced the results of the study of 45 local websites and mobile applications targeting children, and published a Guidance Note for organisations on “Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children”.

Telephone Deception
36. Last year, the PCPD received over 300 enquiries and complaints in relation to telephone deception. The most common ways of collecting personal data were found to be:

  1. Random phone calls or electronic messages;
  2. Phone calls or follow-up meetings from callers who could specify the full names or surnames of the receivers;
  3. Both of the above, and the real intention of the callers was to defraud the receivers of their money. The PCPD referred cases involving fraud to the Police for criminal investigation.

37. The PCPD organised 10 public talks on telephone deception, and staged a public education roadshow with an exhibition vehicle shuttling among 20 locations in Hong Kong to enhance public awareness on personal data protection.


Strategic Focus for 2016
38. The Hong Kong privacy landscape has been evolving rapidly in the past years. In 2016, the PCPD will keep pace with the global developments in the protection of personal data, take proactive steps to strike the balance between privacy protection and free flow of information, and respond positively to meet the challenges ahead. Strategic focus will be placed on:

  1. Comparative researches and analyses
    The European Commission agreed on the data protection reform on 15 December 2015 and will introduce the General Data Protection Regulation for strengthening the online privacy rights. The PCPD will monitor the progress. The PCPD will also conduct researches on topics such as big data and internet of things in response to the challenges generated by the use of ICT in the digital age.
  2. Promoting good practices
    The PCPD will continue to promote Privacy Management Programme ("PMP") and encourage organisations to embrace personal data privacy protection as part of their corporate governance responsibilities. In order to further assist the organisations to implement the PMP in an orderly way, the PCPD cooperates with the Government, by engaging an external consultant, to assist the government departments to formulate, review, implement and enhance their PMPs. Experience gained from this approach will also be beneficial to the companies in private sector for implementing the PMP. The PCPD will also launch a recognition scheme to award those organisations that adopt good practice.
  3. Public Education Campaigns
    The PCPD will launch a large-scale TV programme in partnership with RTHK to mark the 20th anniversary of its establishment.
  4. Support to the Commencement of operation of the Electronic Health Record Sharing System ("System")
    To support the government in the commencement of operation of the System in March 2016, the PCPD will exercise its functions and powers under the Ordinance in relation to personal data in the System. The PCPD will publish information leaflets on personal data privacy in relation to the System for the reference of both the citizens and the healthcare providers.

 

- End -