Privacy Commissioner Responds to Doxxing of Staff of a Media Organisation and Other Individuals  (18 September 2019)

Privacy Commissioner Responds to Doxxing of Staff of a Media Organisation (16 September 2019)

Direct Marketing Offence Admitted: Telecommunications Company Fined HK$84,000 (12 September 2019)

Privacy Commissioner Responds to Media Enquiries regarding Disclosure of Personal Data for Doxxing Purposes on Websites or Instant Messaging Platforms Registered Outside Hong Kong (4 September 2019)

Privacy Commissioner Responds to Interviewee's Comments in TVB News Programme "On the Record" (講清講楚) in Relation to PCPD's Follow-up Actions on Online Disclosure of Personal Data in Recent Months (1 September 2019)

Upward Trend of Doxxing Cases Related to Protesters, etc. Privacy Commissioner Again Strongly Condemns Doxxing and Bullying; and Emphasises Impartial Enforcement of the Law  (30 August 2019)

South Wales Police use of facial recognition ruled lawful

Australia's police have used facial recognition in public spaces since June 2015. Automated facial recognition technology maps faces in a crowd by measuring the distance between features, then compares results with a "watch list" of images - which can include suspects, missing people and persons of interest. However, the citizens stated that facial recognition is a highly intrusive surveillance technology that allows the police to monitor and track them all.

Artificial intelligence first: voice-mimicking software reportedly used in a major theft

Thieves managed to use voice-mimicking software to convince the managing director of a company to wire hundreds of thousands of dollars to a secret account. The request was strange, but the voice seemed so legitimate that the staff felt no choice but to comply. This synthetic audio is sparking growing anxieties over privacy, security and the potential for cyber criminals to exploit this kind of computerised manipulative software.

That pill is watching you - privacy and hackability of ingestible electronic sensors

Ingestible electronic sensor may help to transform healthcare. These sensors can then give a medical care team direct information about their patient, from whether they are taking the medicines correctly to their physical or mental state. However, whenever there is a digital aspect involved, there is also the potential from hacking to privacy issues.

Researchers use Big Data and AI to remove legal confidentiality

By using a combination of artificial intelligence and big data, researchers could find public legal records and then use an algorithm to identify connections between them. Described as "linkage," this process enabled  researchers to identify anonymous parties mentioned in public records, simply by linking anonymous records to those where various pieces of information was given.

PCPD e-Newsletter readers' survey
Let us know your thoughts and feedback on the contents of the e-newsletter so that we can do better. Please take a few minutes to answer the questions by clicking the button below and email the completed form to corpcomm@pcpd.org.hk. We look forward to receiving your valuable feedback  for continuous improvement.

Professional Workshops on Data Protection (October - December 2019) are now open for enrolment!

The Professional Workshops organised by the PCPD are specifically designed for various practitioners to get up to speed on how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

Recent Court and Administrative Appeals Board Decisions (22 October 2019)

This workshop (to be conducted by experienced lawyers of the PCPD) examines some recent decisions of the Hong Kong Court and Administrative Appeals Board in relation to the Personal Data (Privacy) Ordinance. There will be in-depth discussion and up-to-date knowledge on the interpretation of commonly used provisions of the Ordinance.

Guidance on CCTV Surveillance and Use of Drones

The use of CCTV covering public places or common areas of a building for security reasons or for monitoring illegal acts has become increasingly common. The unmanned aircraft systems (also known as “drones”) are becoming more popular in photography, surveying and surveillance. The use of CCTV and drones may capture extensive images of individuals or information relating to individuals, which should be properly controlled to avoid intrusion into the privacy of individuals.

The Guidance provides practical tips to data users on using CCTV and drones from the perspective of protecting personal data privacy.

Q: Must an employer obtain consent from an employee or ex-employee before giving an employment reference to another employer?

A: Yes, an employer should obtain the prescribed consent (i.e. express consent given voluntarily) from an employee or ex-employee (preferably in writing) before giving an employment reference as disclosure of the employee’s or ex-employee’s employment records (including performance assessment) to another person would constitute a change in the purpose of use of the data, i.e. not directly related to the original employment purpose.

Q: How long should an employer keep the personal data of ex-employees and unsuccessful job applicants?

A: Data Protection Principle 2(2) requires that all practical steps must be taken to ensure that personal data is not kept longer than is necessary to fulfil the purpose for which the data is to be used, or a directly related purpose. In addition, section 26 of the Personal Data (Privacy) Ordinance makes similar provision on erasure of personal data unless it is prohibited under a law or it is in the public interest (including historical interest) for the data not to be erased. In general, an employer should not retain the personal data of a former employee for more than seven years.

However, there may be exceptions that justify a longer period of retention, e.g. for managing any remaining duties in respect of ex-employees under a pension, supernumeration or mandatory provident fund scheme or to defend any legal action brought under the Employees’ Compensation Ordinance.

With regard to an unsuccessful job applicant, his personal data should not be retained for more than two years from the date of rejecting his application, bearing in mind the possible discrimination claims or complaints that may be made by an aggrieved applicant. The retention period may go beyond two years if there is a subsisting reason that obligates the employer to do so, or the applicant has given the prescribed consent (i.e. express consent given voluntarily) for the data to be retained beyond two years.

Q: Who is liable for a contravention of the Personal Data (Privacy) Ordinance in relation to employment-related personal data: the employer or the human resource manager?

A: The employer, being the legal person, is generally taken to be the one who has control over the collection, holding, processing and use of the personal data. Hence, the employer shall comply with the Personal Data (Privacy) Ordinance. The Privacy Commissioner may issue an enforcement notice against the employer requiring it to take necessary actions to remedy the breach.

Extended Reading:

• Code of Practice on Human Resource Management
• Human Resource Management: Some Common Questions

Data Protection Principle 1 - Purpose and manner of collection of personal data

Excessive collection of copies of Hong Kong Identity Card (“HKID Card”) of parents by a kindergarten

The Complaint

The complainant applied for admission to a kindergarten for her son. Apart from the application form, the complainant was requested to provide a copy of her HKID Card. The complainant queried the purpose of the kindergarten to collect a copy of her HKID Card.

The kindergarten explained to the Commissioner that a copy of the complainant’s HKID Card was needed for verifying the relationship between the applicant (the student) and the complainant who submitted the application. The copy of the complainant’s HKID Card also facilitated the kindergarten to issue the “student pick-up card” for the parent/ guardian designated to pick up the student from school.

Outcome

Given that HKID Card number is sensitive personal data, data user should not collect a copy of HKID Card lightly without genuine need or justification.

For the purpose of simply verifying the relationship between the applicant and his parent/ guardian, the kindergarten could ask the parent/ guardian to present his HKID Card when submitting the application in person or when attending the school interview. The kindergarten could then verify the name on the HKID Card against the names of the parents recorded on the birth certificate of the applicant or any other relevant legal document. Based on the verification result, the kindergarten could issue the “student pick-up card” accordingly. If the kindergarten doubted the identity of the person who came to pick up a student, it might ask that person to present his HKID Card and verify his name against the record.

The Commissioner was of the view that the collection of copies of HKID Card of the parents/ guardians was excessive and in breach of DPP1(1).

After our intervention, the kindergarten agreed to stop collecting copies of HKID card of the parents/ guardians, and to destroy all copies of HKID Card previously collected.

Tips on Search Engines

Change your SafeSearch settings to block vulgar content from being displayed in search results and protect yourself from phishing websites.

Tips for Social Networking Safety

Understand what precautions to take to minimise the privacy risks and help protect yourself when you use social networks.

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.