Media Statements

Privacy Commissioner for Personal Data, Hong Kong 2018-19 Annual Report:
Public Authorities Were More Willing Than Private Enterprises
to Give Data Breach Notifications

The 2018-19 Annual Report of the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) was today tabled in the Legislative Council.  The annual report summarised key statistics and reports on his work during the reporting year. 

Mr Stephen Kai-yi WONG, Privacy Commissioner for Personal Data, Hong Kong reported, “Last year, my office received 113 data breach notifications. While the figure was comparable to that of the preceding year and did not seem to show any alarming trend, it did not reflect the complexity and severity of the nature of the incidents, or the large number of individuals affected, not to mention the substantive technical and legal issues advanced in defence by the professional teams. As always, we worked hand in hand with the relevant organisations and engaged them to take immediate remedial actions to contain the possible damage to the attacked individuals. We also put forward steps to re-establish their consumers’ trust with a view to reducing their defection.”  

The theme of the report is Data Stewardship in Action. In this data-driven economy that keeps growing in parallel with Big Data and Information and Communication Technology (ICT) developments, we see the tremendous benefits brought about by scientific advancement, economic and social interactions.  It is vital to strike a balance between data protection and a variety of competing interests and rights. In addition, a number of large-scale data breach incidents took place both in Hong Kong and international arena, indicating that enhancing data security has now become a pressing task for organisations. Public concerns about data governance were also significantly heightened.

The idea of good data stewardship and governance, or accountability, has in many ways been reflected in the new laws and regulations of many jurisdictions. In times of change, complementing compliance with the law by adopting data ethics will form the bedrock for nurturing and flourishing data protection. 

During the reporting year, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) received 17,168 enquiries and 1,878 complaints, as compared with 15,737 enquiries and 1,619 complaints in the last reporting year 2017-18. 
 

Complaints

The number of complaints related to information technology (504 cases¹) has significantly increased by 102% as compared with 2017-18, many of them concerning the disclosure or leakage of personal data on the internet. (Figure 1)

(*One complaint may be related to more than one subject.)

Among the 1,878 complaints in the reporting year, the types of parties being complained against are shown in Figure 2:


A total of 2,554 breaches of the requirements under the Personal Data (Privacy) Ordinance were alleged in the 1,878 complaints received. (Figure 3)

(#One complaint may be related to more than one breach.)

Enquiries

17,168 enquiries were received in the reporting year.  A number of large-scale data breach incidents happened during the reporting year, and the number of enquiries related to data breach incidents and European Union General Data Protection Regulation has increased as compared with 2017-18. (Figure 4)

Compliance actions

During the reporting year, the Privacy Commissioner carried out more compliance checks and compliance investigations than in 2017-18. (Figure 5)

A total of 113 Data Breach Notifications (DBN) were received. The PCPD conducted compliance check in each of these 113 incidents. (Figure 6) 

The Personal Data (Privacy) Ordinance does not require data users to give DBN. But the statistics show that public organisations gave more DBNs in the reporting year, with a 65% increase as compared with 2017-18. Further, public were more willing than private enterprises to give DBNs. The number of DBNs given by private enterprises decreased by 34% as compared with 2017-18. But it is noteworthy that those DBNs included a major data breach by an airline company involving 9.4 million passengers.

The PCPD spared no efforts in promotion and education. In the reporting year, over 35,000 people attended our lectures, talks, seminars, symposiums, customised training courses, and training programmes on data protection, representing a 30% year-on-year increase. An average of 106,445 visits to PCPD website per month were recorded, representing a 20% increase. More than 60,000 secondary school students participated in the annual Student Ambassador for Privacy Protection Programme to learn the importance of protecting and respecting personal data privacy.

“A Year in Numbers” summarising key statistics during the reporting year is at Annex.

Looking ahead, the Privacy Commissioner said, “One of the challenges that regulators have to continue to meet will be how they could help unlock and share personal data within the legal and ethical frameworks with a view to maximising the benefits of data in a sustainable way, minimising the risks and harms, creating healthy synergy with economic growth, identifying and securing the innovative use of personal data in a post-data-driven economy. I look forward to continuing to work with all stakeholders, public and private, local and inter-regional, as well as committee members and colleagues in embracing further challenges and opportunities.”

The 2018-19 Annual Report is now available for download on PCPD website (https://www.pcpd.org.hk/english/resources_centre/publications/annual_report/files/anreport19_full.pdf)

¹ 143 complaints were about Cathay Pacific Airways Limited data leakage incident.

Annex

Privacy Commissioner for Personal Data, Hong Kong 2018-19
A Year in Numbers