Newsletters

Keep Making Efforts

Last year, the Audit Department spent more than six months carrying out a value-for-money audit of the PCPD's work and subsequently published a "Value-for-money" Audit Report ("the Audit Report"). In February this year, the Public Accounts Committee (PAC) submitted a report ("the PAC Report") in respect of the Audit Report to the Legislative Council, making numerous recommendations to the Constitutional and Mainland Affairs Bureau and the PCPD. I agree with the recommendations and have spent much time on the implementation of improvement measures.

You may have come across some negative media reports on the PCPD earlier. Nevertheless, many positive affirmations were made in the Audit Report and the PAC Report.

In its report, the only area where the PAC expressed "dismay and serious concern" was that the PCPD could not comply with the "45-day requirement" under section 39(3) of the Personal Data (Privacy) Ordinance ("the Ordinance"). As pointed out in the PAC Report, the reasons for the situation have to do with the unique stringent time limit specified in the Ordinance and the manpower shortage of the PCPD.

Let me briefly explain what the "45-day requirement" refers to. In short, if the Privacy Commissioner refuses to carry out or continue an investigation initiated by a complaint, the "45-day requirement" requires him to notify the complainant no later than 45 days after receiving the complaint.

In practice, the PCPD consistently encounters difficulties in complying with the "45-day requirement". On the one hand, the complainants may be late in providing the necessary information, such as contact data, identity proof, consent to identity disclosure or clarification of the complaint, which may hinder the speed of the investigation. On the other hand, the data users complained against may not be able to respond to the PCPD's enquiries in time due to various reasons.

In reality, other local regulatory bodies, such as the Ombudsman and the Equal Opportunities Commission, as well as overseas privacy regulators are not subject to such statutory time limit for notifying the complainant of refusal to carry out or continue an investigation.

In its report, the PAC noted that the PCPD had informed the Administration of its practical difficulties in meeting the "45-day requirement" as early as 1998, and that the Administration had agreed to amend the requirement. However, the Administration has not acted on this so far and thus the problem goes on.

The problem of manpower shortage at the PCPD is a serious one. For a long period of time, the PCPD had on average only 13 officers to handle personal data privacy complaints from the public in a city of over seven million people. It is fortunate that the Constitutional and Mainland Affairs Bureau, at the PAC's public hearing, promptly undertook to allocate additional resources to assist the PCPD.

Though the process of increasing manpower cannot be accomplished in one step, the PCPD will continue its efforts to rectify the problem relating to the "45-day requirement".

Lastly, I thank the Audit Department and the PAC for the affirmations of the Privacy Commissioner's efforts to reduce the expenditure of the PCPD. Such positive comments are rarely made in reports of this kind. I am confident that PCPD staff will continue to utilize public funds in a prudent, effective and responsible manner when they perform their duties under the Ordinance.

Roderick Woo Privacy Commissioner for Personal Data
April 2010

Privacy Awareness Week 2010

The PCPD will join hands with other members of the Asia Pacific Privacy Authorities, such as privacy agencies of Australia, New Zealand and Canada, in organizing the Privacy Awareness Week (PAW), an annual promotional initiative scheduled to be held this year from 2 to 8 May 2010. The PAW aims to convey the importance of protecting, as well as having respect for, privacy in the region.

A wide range of promotional activities organized by the PCPD for different sectors of the community will be held during PAW. PCPD will announce the results of an opinion survey on "Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy", as well as the launch of two new television Announcements of Public Interest.

To kick off PAW, an inauguration ceremony cum Seminar on "Personal Data Protection for Senior Citizens"will be held on 4 May, during which a booklet titled "Personal Data is Essential – for the Elderly" and which provides tips on the protection of personal data will be distributed to the audience. Copies will also be made available at elderly centres.

On 6 May, the PCPD and the Hong Kong Federation of Insurers will jointly organize the Opening Ceremony of the Privacy Campaign for Insurers cum Seminar on Personal Data (Privacy) Ordinance cum Seminar on Personal Data (Privacy) Ordinance to raise the insurance practitioners' awareness of personal data privacy risk in their daily operation.

On 7 May, a seminar on "Protection of Online Personal Data" will be held for members of the Data Protection Officers' Club. Mr. Joe Chan, Senior Inspector of Police, Technology Crime Division, Commercial Crime Bureau, Hong Kong Police Force, and Chief Privacy Compliance Officer of the PCPD, Mr. Allen Ting will talk about the identity theft and handling of personal data leakage cases.

Survey on "Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy"

Announcement of survey results on "Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy" Launch of two new TV Announcements produced by the PCPD
	Online Self-Assessment Tool for Senior Citizens

Booklet "Personal Data is Essential – for the Elderly"	Privacy Awareness Week 2010 Inauguration Ceremony cum Seminar on "Personal Data Protection for Senior Citizens" Venue : Hall, 4/F., St. James' Settlement, 85 Stone Hullah Lane, Wanchai, Hong Kong     Time : Time : 2:30pm - 3:15pm     Launch of the online self-assessment tool for senior citizens     Members of the public are welcome to attend. For registration, please call our hotline on 2827 2827

Opening Ceremony of the Privacy Campaign for Insurers cum Seminar on Personal Data (Privacy) Ordinance Officiated by: Mr. Roderick Woo, Privacy Commissioner for Personal Data, Hong Kong A representative from Hong Kong Federation of Insurers Ms Annie Choi, Commissioner of Insurance

Magnetic Bookmark for DPOC members

Plenary Meeting for Data Protection Officers' Club members - "Protection of Online Personal Data" Identity theft PCPD's regulatory experience in handling data leakage incidents Speaker : Mr. Joe Chan, Senior Inspector of Police, Technology Crime Division, Commercial Crime Bureau, Hong Kong Police Force       Mr. Allen Ting, Chief Privacy Compliance Officer, Office of the Privacy Commissioner for Personal Data     For more information on PAW 2010 events, please visit the PCPD website at http://www.pcpd.org.hk, or the PAW 2010 website at http://www.privacyawarenessweek.org

Security tips for online payment

In the Internet era, online payment is a common consumer practice, e.g. buying movie tickets, paying at online bookstores or online auction websites, etc. Though online payment is convenient, it comes with a potential problem of identity or payment information theft. In this issue, Dr. K.P. Chow, Associate Professor of Department of Computer Science and the Associate Director of the Center for Information Security and Cryptography at the University of Hong Kong, introduces some practical tips to you to prevent your data from theft. You can rest assured when shopping online!

1 Use a website that runs SSL

When making online payment, you could check if that particular website is secured by looking for a "closed padlock" displayed next to the browser's address bar (see below), or in the case of older versions of browsers, at the bottom right hand corner. If it is "closed", you could assume it is a secure site running SSL (Secure Socket Layer). With SSL running, information transferred from your computer to the online payment website's computer is being encrypted.

2 Check for the reputation of the online merchant

Only make online payments for those merchants with good reputations, i.e. shop with companies you know, or large scale shops or reliable companies with good

3 Use payment methods which you could monitor You could apply for one credit card that you use only for online payments to make it easier to detect suspicions credit card transaction. In the event that something goes wrong, you could stop the payment or stop using that credit card. In addition, if you pay through credit cards, you have the right to dispute unreasonable charges on your credit card. You also have the advantage of withholding payments during an investigation.

4 Check the online merchant's website privacy and security policies

Online merchants usually provide information about how it processes your online payment, their data security practices, and if they will share your personal information with their affiliate companies or with a third party. Read the section(s) about "Privacy Policy" and/or "Security Policy".

5 Provide only minimal information when you make online payment

When making online payments, there is certain information that you must provide to the online merchant such as your name and address. Don't answer any question you feel is not required to process your online payment, such as HKID card number, marital status, etc.

6 Check the online merchant's website address

Do not click on any link embedded within a suspicious email to any site. Instead use your bookmark link if you have bookmarked the site previously, or type the address in the address bar yourselves. If you follow links provided by other means, you may want to double check the address in the address bar to make sure that you are visiting the genuine site.

Additional resources：

Listed below are websites that provide additional information about shopping online.

Introduction to Technology Crime and Prevention Tips

Information and tips about Internet fraud provided by Hong Kong Police (Technology Crime Division) http://www.police.gov.hk/hkp-home/english/tcd/intro.htm

Online shopping tips

Information provided by Visa HK
http://visa-asia.com/ap/hk/en_US/cardholders/ security/online_shopping_tips.shtml

Surfing the Web and e-Shopping

Information provided on InfoSec website (which is produced and managed by the Office of the Government Chief Information Officer of the Government) http://www.infosec.gov.hk/english/yourself/surfing.html

Mass Media Campaign

The PCPD launched a mass media campaign in March 2010 to enhance the community's understanding of the Personal Data (Privacy) Ordinance.

Starting from 29 March, 10 episodes of the infomercial series "What is Personal Data Privacy?" were broadcast on TVB Jade from Monday to Friday over a fortnight. Lasting one-minute each, the airtime was designed to raise the public's awareness of its basic personal data privacy rights. The content of the 10 episodes included introduction of the Personal Data (Privacy) Ordinance, collection of identity card numbers and copies, online personal data security, collection of personal data during job application, use of personal data for direct marketing, collection of biometrics data, installation of CCTVs, how to protect personal data, right of access to personal data, and posting of personal data publicly.

In addition, broadview banners were displayed in MTR train compartments (Island Line, Kwun Tong Line, Tsuen Wan Line, Tseung Kwan O Line) from 15 to 28 April to serve as reminders to the public to stay alert to the risk of personal data leakage.

The PCPD has also produced two 30-second television Announcements of Public Interest (APIs) that are intended to introduce the rights of citizens and the responsibility of organizations under the Ordinance. The APIs will be launched during the inauguration ceremony of the Privacy Awareness Week 2010 and then broadcast in television, MTR train compartments (East Rail Line, West Rail Line, Ma On Shan Line), shopping arcades as well as on the PCPD's website.

Infomercial Series" What is Personal Data Privacy?"

30-second TV APIs

Broadview Banners in MTR Train Compartments

Number of Enquiry Cases：10,265

（1 Jul - 31 Dec 2009)

Number of Complaint Cases：588

（1 Jul - 31 Dec 2009)

Former Insurance Agent Convicted for Failing to Erase Personal Data that were No Longer Required

A former insurance agent who had not erased personal data that were no longer required was convicted of breaching section 26(1) of the Personal Data (Privacy) Ordinance ("the Ordinance") and fined.

Mr. Adrian Tse ("Mr. Tse"), Misc Enq Sub-Unit Commander (Tseung Kwan O Div) of Hong Kong Police Force who handled the case, recalled, "One day in November 2008, someone found three boxes of documents abandoned at the staircase of a housing estate in Tseung Kwan O and filed a police report. Police officers of the Tseung Kwan O Division then brought the three boxes back to the police station for further investigation. The police found out that the data were held by a former insurance agent believed to be living in the estate. He had worked for several insurance companies and a telecommunications company, and kept personal data copies of over 2,000 clients. Though his insurance agent licence had been suspended, he continued to keep the documents and claimed that the documents would be used for liaison with clients in future."

Once informed by the police, the Privacy Commissioner immediately assigned staff of the Compliance Division to Tseung Kwan O Police Station to assist the police in examining the documents and handling the case. Upon investigation and prosecution, the former insurance agent was summonsed for contravention of section 26 of the Ordinance. The case was subsequently brought to the Magistrate's Court and the former insurance agent pleaded guilty to the summons and was imposed a fine of $1,500.

Mr. Vincent Ng ("Mr. Ng"), Personal Data Officer of the PCPD who dealt with the case said, "This is the first conviction case under section 26 since the enactment of the Ordinance. Under section 26(1) of the Ordinance, a data user, after fulfilling the purpose of collection (including any directly related purpose), should not continue to hold the data for the same purpose and should erase the data. Under section 64(10) of the Ordinance, a data user who, without reasonable excuse, contravenes section 64 of the Ordinance commits an offence. Therefore, data users must be prudent and careful when retaining personal data. The data must be erased after the fulfillment of the purpose of use in order to avoid contravening section 26 of the Ordinance."

Mr. Adrian Tse, Misc Enq Sub-Unit Commander (Tseung Kwan O Div) of Hong Kong Police Force (left) and Mr. Vincent Ng, Personal Data Officer of the PCPD

Mr. Tse believes that close cooperation between the police and the PCPD was key to successful prosecution of the defendant in this case. He added, "From the initial investigations to prosecution, the PCPD had provided the police with valuable advice in respect of the requirement of the Ordinance so the police had clear directions in the investigation. As the case involved substantial amounts of documents containing personal data of individuals, officers of Tseung Kwan O Police Station had to spend considerable time and resources analyzing and dealing with these exhibits. In the end, the police sought legal advice from the Department of Justice ("DoJ") and the defendant was successfully prosecuted and convicted. This case showed the fruitful investigation result of the police with joint efforts of the PCPD and DoJ."

Mr. Tse elaborated, "The case proves that citizens are aware that the abandonment of personal data on the street is a serious incident and that they will take steps to lodge complaints. This shows that the level of public awareness of personal data privacy protection has been raised."

As a final word of advice for data users, both Mr. Tse and Mr. Ng reiterated, "When a data user has fulfilled the purpose of personal data collection and no longer needs the data, he should erase the data. Such act is in compliance with the requirement of the Ordinance, and it also minimizes the risk of data leakage."

Standing Committee on Technological Developments

The Standing Committee on Technological Developments held a meeting on 8 January 2010 to discuss the issue of biometrics data and its impact on personal data privacy.

Section 8(1)(f) of the Personal Data (Privacy) Ordinance provides that the Privacy Commissioner shall undertake research into, and monitor developments in, the processing of data and computer technology in order to take account of any likely adverse effects such developments may have on the privacy of individuals in relation to personal data.

Members of the Committee are as follows:

PCPD's Annual Report Wins International Award

PCPD's 2008-09 Annual Report has won the Silver Prize of the 23rd International Mercury Awards under the category of "Government Organizations and Offices – Overall Presentation".

The theme of this Annual Report, "The Art of Promoting Privacy Rights", highlights the statutory role of the Privacy Commissioner in promoting awareness of personal data privacy and the need to protect such privacy while seeking to balance all legitimate interests in society. It is envisaged that such efforts will help to foster a broad culture of mutual respect for personal data privacy.

The aim of the Mercury Awards is to honor annual reports that are creative, effective and fruitful in communications. All finalists were selected by a professional judging panel and won accolades from the public relations industry.

This marks the third year in a row that the PCPD has won an international award for its Annual Report. Its 2006-07 and 2007-08 Annual Reports had each won a Bronze Prize of the International Astrid Awards in recognition of their outstanding achievement in design communications.

PCPD was awarded the "Web Care Award 2009"

The PCPD was awarded the "Web Care Award 2009 - Silver Award" in recognition of its efforts in maintaining a barrier-free website (www.pcpd.org. hk) and caring for the community. The award was established by the Internet Professional Association to encourage the building of no-barrier websites to provide needy communities with equal opportunities to share the benefits brought about by the development of the Internet in Hong Kong.

Education & Careers Expo 2010

To convey the relevant messages on the protection of personal data privacy to youngsters and job seekers, the PCPD participated in the "Education & Careers Expo 2010" organized by the Hong Kong Trade Development Council from 4 to 7 February. In particular, job seekers, a group seen to be exposed to the risk of personal data leakage, were specially reminded not to provide excessive personal data at the recruitment stage and not to hand their personal data to "blind advertisement" advertisers. A promotional leaflet titled "Personal Data is Essential Protect your Privacy – Job Seeking" was distributed to visitors at the Expo.

Staff of the PCPD also delivered a talk on "Protect job seekers' personal data privacy" during the fair and provided answers to enquiries related to personal data privacy.

New Publications and Investigation Reports

Posters and Leaflets about Protection of Personal Data during Job Seeking

The Privacy Awareness Week 2009 was launched at Wah Yan College Hong Kong on 3 May by distinguished guests.

To remind job seekers, particularly those who are young, of the importance of protection of personal data privacy, the PCPD has produced some posters and leaflets on the issue. The emphatic message sent to job seekers is that they should be prudent in handling their personal data and not give their personal data to anonymous advertisers.

New Matching Procedure Request Form

The Privacy Commissioner for Personal Data, Mr. Roderick Woo, published a new Matching Procedure Request Form ("the new Form") in the Gazette on 12 March 2010. The new Form is effective for use from 1 April 2010.

Investigation Reports

DPOC activities

Briefing on Consultation Document on Review of the Personal Data (Privacy) Ordinance

The PCPD held two briefing sessions on Consultation Document on Review of the Personal Data (Privacy) Ordinance on 6 and 21 October 2009. The speaker, Ms. Sandra Liu, Legal Counsel of the PCPD familiarized the members with the content of the consultation document.

Workshops

In December 2009 and January 2010, a total of eight sessions of workshops on "Code of Practice on Human Resource Management" and "How to handle Data Access Request" were conducted for members in order for them to learn how to comply with the requirements of the Ordinance in relation to human resource management and data access request. The workshops were well attended by about 280 members.

Recruitment of members for the 2010 Membership Year

In addition to obtaining first-hand information from the PCPD, members can participate in different activities, such as workshops, seminars, visits, etc., with Data Protection Officers of various sectors. Members can learn about compliance with the Ordinance and share their practical experience with each other.

Data Protection Officers' Club

2010 Membership Application Form