Media Statements

Media Statement - District Council Election Upcoming: Doxxing, Cyber-bullying Will Break the Law: Privacy Commissioner Reminds Candidates, Government Departments and Public Opinion Research Organisations to Comply with the Privacy Ordinance

Date: 15 October 2019


The District Council Election (the Election) will be held on 24 November 2019. In light of the recent social situation, the Secretary for Constitutional and Mainland Affairs has said recently that, instead of disclosing the Election candidates’ “principal residential address”, the Electoral Affairs Commission will publish their “principal addresses” when publishing their information in the Government Gazette by the end of October. The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG, fully supports this new measure.

The Privacy Commissioner said, “There is a common misunderstanding among members of the public that personal data of an individual obtainable in the public domain can be further used for whatever purposes and without limitation. Indeed, personal data obtained from the public domain is still subject to the regulation of the Personal Data (Privacy) Ordinance (PDPO).” Privacy is a fundamental human right; netizens should respect other individuals’ personal data privacy. The Privacy Commissioner reiterated that any doxxing or cyber-bullying acts that infringe others’ personal data privacy rights may contravene section 64 of the PDPO; such contraventions are criminal offences with serious consequences. The maximum penalty is a fine of HK$1,000,000 and imprisonment for 5 years.

In recent years, a number of large-scale data breach incidents related to elections have occurred in Hong Kong. The Privacy Commissioner encourages all stakeholders to refer to the Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public (the Guidance Note), issued by the PCPD in December 2017, which reminds stakeholders to comply with the requirements under the PDPO when handling personal data at different stages of election activities so as to avoid data leakage. The Guidance Note provides practical guidance, illustrated with relevant complaint cases received previously. Highlights of the guidance are as follows:

For candidates and their affiliated political bodies
  • Only adequate and necessary personal data for election purposes should be collected; ensure the individuals are informed of the purpose of collection of the data;
  • Consent from the electors must be obtained beforehand if the personal data was obtained for non-election purposes;
  • Ensure the personal data from published registers of electors is used only for election purposes as prescribed by the relevant election legislation;
  • Provide the electors an option to decline receipt of any electioneering communication from the candidates; maintain a list of individuals who find election-related communication objectionable and avoid approaching them to canvass for votes; and
  • Should not retain personal data collected for election purposes for a period beyond completion of election activities.
For Government departments
  • When managing the database of electors, in addition to encrypting the database:
    • Only personal data that is necessary for access or use should be kept in portable storage devices, and adequate physical security measures should be put in place to safeguard the devices;
    • Only authorised staff are able to retrieve or access relevant personal data;
  • Policies, procedures and practical guidelines relating to security, delivery and access should be devised. They should be reviewed and updated systematically, and also disseminated to all staff effectively.
For public opinion research organisations
  • Avoid providing untrue or misleading information concerning the background and objectives of the personal data collection;
  • Clearly state the nature of the activities and identify the data user to the participants;
  • Conduct a risk assessment to ensure the personal data collected is appropriately protected when using computer programmes or software developed by third parties;
  • Destroy the personal data collected within a reasonable period of time after completion of activities.
The Privacy Commissioner also reminds members of the public that they should stay smart in protecting their own personal data: get to know the identity and background of those asking for personal data, as well as their purposes of collection, before giving away personal information via any channel. The Guidance Note also provides personal data protection advice for members of the public, including:
  • Verify the identities of the senders of election-related emails or letters;
  • Report the change of registration particulars to the relevant government department as soon as possible for record update;
  • Ascertain if the organisers of opinion or mock polls have clearly stated the nature of the activities, their identities and the purpose of personal data collection, etc.;
  • Ascertain whether the data collected by political bodies during their activities will be used in subsequent elections; and
  • Convey to the candidates and their affiliated political bodies any objection to receiving electioneering communications from them.
The Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public and its infographic can be downloaded at the PCPD website.

-End-