Privacy Commissioner’s Response to Concerns Over the “PopVote Systems”
and Strongly Requests to Stop Unfair Personal Data Collection and Use of the related Telegram
(13 February 2017) The Privacy Commissioner for Personal Data (“
PCPD”) noted the recent media reports and discussions on the issues of personal data privacy and data security arising from the “Chief Executive Election Civil Referendum 2017” (“
the activities”) organised by Public Opinion Programme at The University of Hong Kong and Centre for Social Policy Studies at the Hong Kong Polytechnic University, as commissioned by the “Citizens United in Action”, and was asked for clarification and views. Based on the public information of the activities, views of data security experts as quoted in media reports, and other facts gathered by PCPD so far, PCPD has the following preliminary observations to make.
The activities involve the collection of personal data of individuals, and there is a lack of transparency in setting out the details and objectives. It does not, in particular, state the differences in mechanism and procedures between the activities and what have been stipulated in existing laws, thereby misleading members of the public and prejudicing the public interest. The Privacy Commissioner for Personal Data, Hong Kong, Mr Stephen Kai-yi WONG, pointed out that, “Any person or organisation, who collects personal data based on the nature of a lawful practice or established mechanism, in particular one of significant interest to and impact on members of the public, but through means which are not in line with the law or mechanism without explaining the lawful basis for them, as a result of which participants may be misled, or that the data collected may lead to misuse or abuse, may contravene the Principle of
Fair Collection under the Personal Data (Privacy) Ordinance (“
Ordinance”).
1 ”
Meanwhile, it is pointed out by some information technology organisations and experts that the “de-identification” technology adopted by PopVote on the personal data it collects can be easily interpreted and re-identified. The use of the related Telegram, the instant messaging programme, to verify a participant’s identity for voting is also questioned by some computer security experts. The existing privacy risks may not only result in irrecoverable fatal consequences, but also contravene the Data Security Principle under the Ordinance.
2
The PCPD strongly requests the relevant
organisations to stop collecting personal data unfairly and the use of the related Telegram in the activities.
Individuals should fully understand the privacy risks involved and consequences before participating. The PCPD has initiated compliance check for the case.
Note 1: Data Protection Principle 1 (Data Collection Principle) - Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user. Data collected should be necessary but not excessive. Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
Note 2: Data Protection Principle 4 (Data Security Principle) - A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.
-END-