Newsletters

Allan Chiang,
Privacy Commissioner for Personal Data

While most with a long and illustrious career in government would typically opt to go down the well-trodden path of a placid retirement, Mr. Allan Chiang still insists on a piece of the action after 33 years as a public servant. Taking office as Privacy Commissioner for Personal Data (PCPD) in August 2010 when public concern was brewing fervently over the privacy intrusion under the "Octopus Rewards" program, Mr. Chiang couldn't have stepped into the role at a more exciting time for the PCPD.

While the PCPD has been working steadfastly over the years to raise awareness of the importance of personal data privacy, things took a climactic turn in July 2010 when the former Commissioner initiated a formal investigation into the use of customers' personal data for direct marketing in the "Octopus Rewards" program. The case put the PCPD in the glare of the public spotlight with unprecedented media coverage and interest in its work.

"It may be the case that people had not accorded priority to the issue of personal data privacy many years ago. But as the economy developed and we started moving towards a knowledge-based society, the issue has progressively gained importance amongst individuals and different organizations," he notes.

"The Octopus case was a wake-up call to those who had neglected the issue of personal data privacy in the past. Corporations and organizations have many issues on the agenda to deal with, such as those relating to profitability and human resources, and data privacy issues were normally low on their agenda. It was a rare opportunity for privacy issues to grab the attention of the top management of companies," Mr. Chiang says.

"While the business norm nowadays is to champion 'Customer is king', I am appalled to find that many organizations are not customer-centric at all in the areas of personal data privacy. When it comes to collection and use of customers' personal data, organizations tend to exercise their discretion as widely as possible, at the expense of customers' right of self-determination. They seem satisfied to do the least possible to meet minimum legal requirements, and focus on how to defend their position when challenged in the grey areas," Mr. Chiang adds.

"Today's business competition is no longer concerned with just price and service quality. To achieve enduring and higher level of success, organizations have to compete in new areas like environmental friendliness, corporate social responsibility and protection of human rights. A paradigm shift is called for and new thinking on the part of CEOs and top management is required," Mr. Chiang emphasizes.

The right to personal data privacy is a "fundamental human right" and public awareness of the issue has grown over the years along with the advancing society and economy, Mr. Chiang adds. But for the PCPD to administer the Personal Data (Privacy) Ordinance ("the Ordinance") effectively, it needs to constantly keep up with evolving commercial practices and the ever-changing use of technology.

The need to strengthen Hong Kong's data privacy laws has risen to the top of the government's agenda in recent years, as seen in the release of the Consultation Document on Review of the Personal Data (Privacy) Ordinance on 28 August 2009 in which 43 amendment proposals were set out for public consultation, most of which were initiated by the PCPD. Amongst the many amendments proposed by the PCPD were new criminal offences for any person who knowingly or recklessly obtains or discloses personal data without consent of the data user, and sells the personal data for profits.

"At the time when the Ordinance was drafted, technologies such as Internet and social networking that have become pervasive today were fledgling. Further, more and more technology users have been integrating online technology into the fabric of their daily lives in the past few years. Against this backdrop and as corporations and the government gain enhanced abilities to collect and process vast quantities of personal data, privacy protection have never been more relevant and important than it is today. The fundamental principles of the existing legislation have stood the test of time. Concepts such as fairness, transparency, lawful justification for processing, appropriate security arrangements and reasonable access to information remain the cornerstones of regulation in this area," Mr. Chiang says.

"However, in view of the general community consensus on tightening controls over personal data protection, I am happy to see that the Government will pursue proposals to provide greater privacy protection and impose heavier sanctions. There are proposals initiated by the PCPD which the Government has indicated not to follow up, including (a) the adoption of an "opt-in" regime for collection and use of customers' personal data for direct marketing, (b) direct regulation of data processors, (c) providing for greater protection for sensitive personal data, (d) empowering PCPD to award compensation to aggrieved data subject and to fine data users for serious privacy contraventions. I shall endeavour to re-activate these proposals through public engagement and consultation with interest groups," he adds.

While maintaining his forward-looking stance on the need to strengthen Hong Kong's data protection laws, Mr. Chiang believes that the community would need to "strike a balance" between respect for personal data privacy rights and other rights, including public and social interests. In Mr. Chiang's view, personal data privacy is tantamount to "respect for each other", a philosophy that should be embedded in the corporate culture of companies and the mindsets of individuals. He advocates that respect for personal data privacy has to be integrated into the business processes and operational procedures throughout the organization. He further suggests that for an organization to be truly customer-centric and privacy-friendly, a total organization-wide approach has to be adopted, involving all staff. In particular, a top-down approach with leadership from the top is essential.

Mr. Chiang's work values – those of ethics, trust and integrity – fit neatly with the PCPD's value system. As an organization that strongly emphasizes workplace performance and efficiency and is constantly subject to public scrutiny, the PCPD would do well with Mr. Chiang's strong background in public administration. In his role as Postmaster General of Hongkong Post, he engineered a financial turnaround in 2003-04 and was instrumental in building a corporate culture that emphasizes customer service, market demand and business performance.

The PCPD handles more than 1,000 complaints every year, and its workload is growing as issues relating to personal data protection take on greater importance throughout various sectors of the community, and the challenge lies in finding the right talents. On the other hand, the PCPD will step up its promotional and educational efforts to promote privacy compliance, as seen in the recent release of its guidance note for direct marketers on the collection and use of personal data. "Since the Octopus case, many companies have been eager to obtain guidance from us in terms of their handling of personal data, which is why we issued the guidance note. We hope that by following the recommendations of the Commissioner, companies would be able to enhance their relationships with their customers and thus gain a competitive edge."

Going forward, amongst the PCPD's many promotional campaigns in the pipeline is one relating to liberal studies in secondary schools. Another campaign would aim at universities where the PCPD plans to include a component on personal data privacy in relevant programs, such as human resource management and marketing.

"Our educational and practical guidance programs will be more targeted and industry specific. Additionally, we will also be incorporating personal data privacy programs into secondary schools' curriculum. Through these, we hope that awareness of personal data privacy would become part of the day-to-day protocol of young people. For example, they should be aware of the pitfalls of social networking websites and that they have the responsibility to protect themselves," Mr. Chiang adds.

Further Discussion on Review of Personal Data (Privacy) Ordinance

From left to right: Mr. Arthur Ho (Deputy Secretary for Constitutional and Mainland Affairs), Miss Adeline Wong (Under Secretary for Constitutional and Mainland Affairs), Privacy Commissioner Mr. Allan Chiang and PCPD Chief Legal Counsel Ms. Brenda Kwok at a public forum organized by the Government on 4 November 2010

The Government launched a public consultation on the Review of the Personal Data (Privacy) Ordinance ("the Ordinance") from August to November 2009. The Government then issued the Report on Public Consultation on Review of the Ordinance on 18 October 2010, and invited the public to further discuss the legislative proposals on the Ordinance for strengthening the protection of personal data privacy.

During November and December 2010, the Privacy Commissioner has been meeting with members of the public and relevant stakeholders to express his stance on the legislative proposals and to solicit views from the community. The Commissioner hopes that a consensus can be reached through further discussion to ensure that the amended legislation will meet the public's expectations in relation to the protection of personal data privacy.

The public can submit their comments on the legislative proposals to the Constitutional and Mainland Affairs Bureau (Team 4) by mail (address: Room 364, East Wing, Central Government Offices, Lower Albert Road, Hong Kong), facsimile (fax number: 2523 0565) or e-mail (e-mail address: pdpo_consultation@cmab.gov.hk) on or before 31 December 2010.

Investigation Report – Octopus Rewards Program

The Privacy Commissioner for Personal Data ("the Commissioner") published a report on 18 October 2010 on the results of the investigations carried out pursuant to section 38(b) of the Personal Data (Privacy) Ordinance ("the Ordinance") regarding the collection and use of customers' personal data under the Octopus Rewards Programme ("the Program") run by Octopus Rewards Limited ("ORL"), a company wholly owned by Octopus Holdings Limited ("OHL").

Since late March 2010, some members of the Program expressed concerns about their personal data being transferred to third parties for direct marketing purposes without their knowledge or consent. Subsequently, an individual claiming to be a former employee of one of the business partners of the Program reported to the press and the PCPD that ORL had sold its customers' personal data of the Program to the business partner for direct marketing purposes.

In view of the seriousness of the allegations, the Commissioner commenced investigations against OHL and ORL on 22 July 2010 to ascertain whether there had been contraventions of the requirements under the Ordinance.

Upon completion of the investigations, the Commissioner found that ORL had, in the processes of collection and use of members' personal data, contravened Data Protection Principles ("DPP") 1 (1), DPP1(3) and DPP3.

Firstly, ORL collected excessive personal data, namely, Hong Kong identity card number / passport number / birth certificate number as well as month and year of birth, for the purpose of customer authentication. In fact, ORL could have achieved the same purpose by using other less privacy-intrusive data (such as telephone numbers and home addresses) which it had also collected. ORL therefore contravened DPP1(1).

Secondly, ORL failed to take all reasonably practicable steps to ensure that the applicants applying for enrolment in the Program were explicitly informed of the classes of persons to whom the data may be transferred. The Personal Information Collection Statement ("PICS") was printed in unreasonably small fonts. The classes of data transferees were so loosely defined that it was entirely up to ORL to decide to whom the member's personal data could be transferred. ORL thus contravened DPP1(3).

Thirdly, ORL shared customers' personal data with five business partners for monetary gains without customers' prescribed consent. The transactions involved were in essence sale of personal data. Although sale of personal data by ORL is not prohibited by the Ordinance, it cannot be regarded as the original purpose of data collection or as a directly related purpose. The sale of personal data for profit is not stated in the PICS of the Program as a purpose of data collection. ORL therefore contravened DPP3.

Pursuant to Section 50(1) of the Ordinance, the Commissioner may serve an enforcement notice on ORL and OHL if he is of the opinion that ORL and OHL are contravening or have contravened the requirements in the circumstances that make it likely that the contravention will continue or be repeated. The Commissioner noted that OHL had publicly announced that it would no longer participate in any further activities that require the provision of customer personal data to merchant partners for marketing purposes and it had suspended the registration of new members. The Commissioner had obtained a written undertaking from ORL to the effect that (a) excessive personal data collected would be completely erased and destroyed; (b) customers' personal data transferred to the 5 business partners concerned for monetary gains would be erased and destroyed (c) layout and presentation of the Personal Information Collection Statement would be re-designed to make it easily readable to people with normal eyesight (d) classes of data transferees would be specified by their distinctive features so as to provide a reasonable degree of certainty as to whom the personal data will be transferred (e) express and voluntary consent would be obtained from the existing customers in the event that their personal data were to be transferred to business partners for monetary gains in the future.

Given that the practice giving rise to the contravention had ceased and the written undertaking given by ORL, the Commissioner considered that recurrence of the contravention is unlikely. In the circumstances, enforcement notice was not served on OHL or ORL.

	Privacy Commissioner Mr. Allan Chiang (middle) hold a press conference on 18 October 2010 to publish the investigation report on "Octopus Rewards Program"

Frequently Asked Questions about Collection and Use of Personal Data in Direct Marketing

The PCPD published the "Guidance on the Collection and Use of Personal Data in Direct Marketing" ("the Guidance Note") in October 2010. The Guidance Note provides data users with practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance ("the Ordinance") while engaging in the collection and use of personal data for direct marketing.

The following frequently asked questions and answers aim to assist data users in understanding the Guidance Note.

1	What kinds of personal data may a data user collect from customers for direct marketing purpose?
	Generally, the name and contact information of a customer should suffice for the purpose of direct marketing. If a data user needs to collect more information from the customers to carry out customer profiling and segmentation for enhancing the cost-effectiveness of direct marketing calls, it should inform its customers that the provision of such additional information is entirely voluntary. Sensitive personal data such as Hong Kong Identity Card Number are not normally required for direct marketing purposes.
2	Can Company A market its products in the name of Company B?
	If a customer under such circumstances was misled to believe that it was Company B which was promoting its product/service through direct marketing and it was based on such reliance that the customer's relevant personal data were provided in the course of the transaction, Company A might have contravened Data Protection Principle ("DPP") 1(2) of the Ordinance, which requires that personal data shall be collected by means which are lawful and fair.
3	Can a data user incorporate both the terms and conditions of provision of its services as well as statements relating to the use of the data collected for marketing products or services that are not directly related to the service that was originally sought in the service application form, whereas its customers are only provided with one column to sign on the form?
	If the data user does so, the customer has to choose between (i) giving up the application for the service and (ii) giving his "bundled consent" agreeing to the terms and conditions for the provision of the service originally sought as well as the use of his data as prescribed by the data user when in fact he finds such prescribed use objectionable. In such circumstances, the data user is advised to design its service application form in a manner that the part on customer's agreement to the terms and conditions for the provision of the service be separated from the customer's consent to the use of his personal data for marketing any products or services not relating directly to the services he seeks. Recommended ways to achieve this end include inviting the customer to "tick" a box or to sign separately, indicating whether the customer agrees to the prescribed use of his personal data.
4	How does one design an effective Personal Information Collection Statement ("PICS")?
	Firstly, the layout and presentation of the PICS should be easily readable to customers with normal eyesight. Secondly, the PICS should be a standalone section and its contents are not buried among the terms and conditions for the provision of the data user's services. Third, the language used in the PICS should be easily understandable and the use of legal terms or convoluted phrases should be avoided. Fourthly, further assistance from the company such as help desk or enquiry service may be provided to enable its customers to understand the contents of the PICS. Moreover, data users should strive to enhance the effectiveness of communicating the PICS to customers by taking into account the actual circumstances in which personal data are collected such as the characteristics of the targeted customers (in terms of age, educational level, etc).
5	Can a data user use terms such as "such other purposes as the Company may from time to time prescribe" to define the purpose of use of customers' personal data in the PICS?
	The data user should refrain from using liberal and vague terms to cover direct marketing as a purpose of collection. It is a recommended good practice for the types of direct marketing activities (e.g. marketing financial or insurance products) to be clearly stated.
6	Can a data user define the class of data transferees by terms such as "selected companies which will provide information of services that customers may be interested" or "all business partners" in the PICS?
	The data user should not use such liberal and vague terms that would not be practicable for customers to ascertain with a reasonable degree of certainty the class of data transferees. The company should define the class of data transferees by its distinctive features, such as "financial services companies", "telecommunications service providers", etc.
7	Can a data user use the personal data obtained from records in the public domain (e.g. public registers) for direct marketing?
	If there is a specific prohibition against the use of the personal data for direct marketing in the public register, then the data user should not use personal data in the public register for direct marketing; otherwise it may not only contravene DPP3 but also breach the provisions of the relevant ordinances establishing the public register. Where the public register does not specify the purpose for which the personal data may be used, the data user needs to consider the background leading to the creation of the public register, and the reasonable expectation of the data subjects in deciding whether to use the personal data for direct marketing purposes.
8	Does a data user need to inform its customers when transferring customers' personal data to a Partner Company for cross-marketing activities?
	The data user should consider taking steps to make prior announcement of a cross-marketing scheme to its customers, e.g. by mailing to its customers information leaflets describing the nature and subject of the scheme, the identity and contact details of the Partner Company, whether any personal data of the customers will be transferred, the type of data to be transferred, and any measures to prevent data disclosed from being misused by the Partner Company. As an alternative to transferring customers' personal data to the Partner Company, the Transferor Company may consider the option of obtaining the marketing materials from the Partner Company and having the marketing activities carried out by its own staff.
9	Can a data user transfer customers' personal data to third parties for monetary gains?
	Although sale of personal data by a data user is not prohibited under the Ordinance, it would not normally be regarded as the original purpose of data collection or a directly related purpose. In the circumstances, explicit and voluntary consent from the customer has to be sought for the sale of the data, or else the data user runs the risk of contravening DPP3. The consent may be indicated by a signature to that effect or by ticking a box.

Workshops on Protection of Customers' Personal Data in Direct Marketing

The PCPD organized five workshops during November and December to strengthen the understanding of data users of the "Guidance on the Collection and Use of Personal Data in Direct Marketing" ("the Guidance Note") as well as the need to comply with the requirements under the Ordinance while engaging in the collection and use of personal data for direct marketing. During the workshops, group discussion sessions were held in which PCPD officers explained in detail the content of the Guidance Note and assisted participants in case studies and discussions. About 500 people attended the workshops, including representatives of direct marketing companies, banks, insurance and telecommunications companies.

Seminar on "Data Breach Notifications"

	A seminar was held on 9 September 2010 to brief members on the PCPD's newly published guidance note, "Data Breach Handling and the Giving of Breach Notifications", and teach members how to make use of the Trainer's Kit on the Personal Data (Privacy) Ordinance.
	Privacy Commissioner Mr. Allan Chiang shared views on data protection issues with DPOC members.

Seminar on "How to conduct a Privacy Impact Assessment"

On 16 June 2010, the PCPD invited Mr. Roger Clarke to speak to members on "How to conduct a Privacy Impact Assessment". Mr. Roger Clarke is a consultant specializing in monitoring and privacy strategy and policy, and a major writer of the Privacy Impact Assessment publications of the Office of the Information Commissioner in the U.K.

A short video about the PCPD and the PD(P)O

The PCPD recently produced a short video featuring the provisions of the Personal Data (Privacy) Ordinance and the work of the PCPD. By featuring a citizen making enquiries at the PCPD, the video introduces the scope of the Ordinance, the Data Protection Principles (DPPs), the organization and functions of the PCPD, complaint handling procedures, etc.

Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner's perspective (second edition)

The PCPD recently published the second edition of the book titled "Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner's perspective". Since the publication of the first edition in 2006, remarkable technological developments have taken place that have had major impact on individuals' rights to privacy in relation to their personal data. The PCPD therefore decided that it is timely to publish an updated version of the book. The book is the only reference book of its kind and provides in-depth interpretation of the Ordinance.

Information Leaflet on Privacy Impact Assessment

The PCPD published a new Information Leaflet on Privacy Impact Assessment ("PIA") in July. The Information Leaflet explains to data users why and how a PIA should be undertaken and the benefits to be derived from it.

Guidance Notes

The PCPD recently published three guidance notes, namely the "Guidance on Data Breach Handling and the Giving of Breach Notification", "Guidance on CCTV Surveillance Practices" and "Guidance on the Collection and Use of Personal Data in Direct Marketing".

The "Guidance on Data Breach Handling and the Giving of Breach Notifications" assists data users in handling data breaches and taking remedial measures to mitigate the potential loss and damage that may be caused to the data subjects concerned.

The "Guidance on CCTV Surveillance Practices" offers advice to organizations on whether CCTV should be used and how to use CCTV responsibly, and helps them understand some of the requirements under the Personal Data (Privacy) Ordinance relating to the collection and proper handling of personal data.

The "Guidance on the Collection and Use of Personal Data in Direct Marketing" provides data users with practical guidance on the collection and use of personal data for direct marketing.

Amended Data Access Request Form and Explanatory Note

The amended Data Access Request ("DAR") Form was effective on 1 September 2010. To assist the public in making DARs, the PCPD prepared an explanatory note based on a questionand- answer ("Q&A") format to highlight the important points to note in making a DAR.

Investigation Report

On 30 July 2010, the PCPD published an investigation report on a beauty centre transferring a client's personal data to a third party without the client's consent.