Skip to content

PCPD e-Newsletter

Facebook Youtube

Privacy Commissioner Mr Stephen Wong welcomes a delegation of senior judges from the mainland of China, looking forward to closer connection between Hong Kong and the mainland on privacy protection to create a culture of respect (16 October 2019)

Read more
 

Seminar “Watch Out Your Online Profile – Personal Cyber Credibility and Solutions" (15 October 2019)

On 15 October, PCPD organised a DPOC seminar “Watch Out Your Online Profile – Personal Cyber Credibility and Solutions". Over 60 DPOC members participated.

Our guest speakers, Mr Leonard Chan and Mr Leo Tong, the Chairman and Vice President (Professional Development) of Hong Kong Innovative Technology Development Association illustrated some technology risks and common cyberattacks that threaten safety of personal digital identity, and practical solutions to tackle these privacy challenges.

Privacy Commissioner’s Response on Whether the CCTV Footage of a Tertiary Institution Should Be Disclosed (15 October 2019)


  

Read media statement
 

District Council Election Upcoming: Doxxing, Cyber-bullying Will Break the Law; Privacy Commissioner Reminds Candidates, Government Departments and Public Opinion Research Organisations to Comply with the Privacy Ordinance (15 October 2019)

Read media statement
 

PCPD’s Updates on Doxxing and Cyberbullying; Such Acts are Criminal Offences with Serious Consequences Subject to Fine or Imprisonment (14 and 8 October 2019)

Read 14 October's media statement
Read 8 October's media statement
 

PCPD Responds to the Upcoming Prohibition on Face Covering Regulation; Personal Data Privacy Right Should Not Override the Overall Interest of the Society (4 October 2019)

Read media statement
 

PCPD Responds to Doxxing of Staff of a Media Organisation and Other Individuals and Posting of Their Personal Data in Public Places (3 October 2019)

Read media statement
 

PCPD Responds to Suspected Loss of Application Forms for Caring and Sharing Scheme by Working Family Allowance Office (2 October 2019)

Read media statement
 

PCPD's Updates on Doxxing and Cyberbullying; Such Acts are Criminal Offences Subject to Fine or Imprisonment (30 September 2019)

Read media statement

Common Challenges for Data Protection Officers and How to Handle Them

A lot of articles have been written contemplating about the obligation to appoint a data protection officer since the EU General Data Protection Regulation was approved. But there are still a lot of misunderstandings related to the role of Data Protection Officer in daily practice. This article provides guidance to data protection professionals in enhancing their competencies so as to perform their job functions effectively in an organisation. 

Read more
 

Mainland China Has Released Its Version of Children's Online Privacy Protection Act

On 1 October 2019, the “Measures on Online Protection of Children’s Personal Data” - a new regulation to protect children's privacy in mainland China came into effect. It provides further clarity on how to protect children’s personal data online under the framework of mainland China's Cyber Security Law.

Read more
 

New Guide Could Help Improving Patients' Privacy

The Office of the Australian Information Commissioner has released a new privacy guide to to health privacy to help keep patients’ personal information safe. It is designed to help health service providers understand their privacy obligations and embed good privacy principles throughout their practice.

Read more
 

New California Law Highlights Privacy in the Cyber Age

Reported by Axios, a new California law gives residents more control over their personal information. Starting from 1 January 2020, Californians will be able to stand up to companies storing their private information online. Cyber-era privacy is often uncharted territory.

Read more

 

 

Professional Workshops on Data Protection (October - December 2019) are now open for enrolment!

The Professional Workshops organised by the PCPD are specifically designed for various practitioners to get up to speed on how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

Course details Enrol now!
 

Recent Court and Administrative Appeals Board Decisions
(22 October 2019)

This workshop (to be conducted by experienced lawyers of the PCPD) examines some recent decisions of the Hong Kong Court and Administrative Appeals Board in relation to Personal Data (Privacy) Ordinance. There will be in-depth discussion and up-to-date knowledge on the interpretation of commonly used provisions of the Ordinance.

Enrol now!
 

Professional Workshop on Privacy Management Programme
(1 November 2019)

Privacy and data protection cannot be managed effectively if they are merely treated as a legal compliance issue. Instead, organisational data users should embrace personal data privacy protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation. To this end, the formulation and maintenance of a comprehensive Privacy Management Programme (PMP) is of paramount importance.

Highlights of Course Outline:

- Baseline fundamentals of a PMP
- Ongoing assessment and revision
- How to develop your own PMP

Enrol now!

Hong Kong Lawyer  October 2019 issue: Be Prepared for the Privacy Challenges of 5G

In this article, the Privacy Commissioner Mr Stephen WONG identifies the possible challenges and risks to data privacy arising from the use of the 5G technology. He also provides suggestions to stakeholders including lawyers, engineers and service providers e.t.c. with advice on good data protection practice so as to tackle the 5G data privacy challenges.

Read the article

Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public

This Guidance Note aims at reminding stakeholders involved in election activities to comply with the requirements under Personal Data (Privacy) Ordinance in handling personal data at different stages of election activities so as to avoid data leakage.

Read publication

Q: Which of the following is correct when an organisation uses CCTV in its shops for monitoring?

A. A prominent notice should be placed at the shop entrance and in the surveillance area.
B. All staff members can be allowed to access the CCTV records.
C. If CCTV cameras are installed in changing rooms, customers and staff members must be reminded to take extra care when using the rooms.

The correct answer is A. A prominent notice should be placed at the shop entrance and in the surveillance area reminding customers and staff that they will be monitored and stating the specific purpose of the monitoring. Security measures should be in place to prevent unauthorised access to the CCTV records. No CCTV cameras should be installed in places where customers and staff members expect a relatively high degree of privacy, such as in rest rooms or changing rooms.

Q: What should a shop do if it is required by the Police to provide its CCTV records?

A. Provide them immediately without asking for the reason.
B. Ask the Police why they need the records and how they will be used before making a decision.
C. Refuse to provide the records as they belong to the organisation.

The correct answer is B. Before transferring CCTV records to a third party (including the Police), the shop should exercise due care to consider if the grounds for disclosing the personal data are lawful. The shop may disclose its CCTV records to a third party only if it is provided with sufficient information to ensure the use of the data is exempted under Personal Data (Privacy) Ordinance (e.g. for the prevention or detection of crime).

Extended Reading:

Guidance on CCTV Surveillance and Use of Drones

High Court Magistracy Appeal (HCMA 624 / 2015) - Direct marketing offence under section 35G of Personal Data (Privacy) Ordinance

Background

A customer (Mr X) had subscribed to a telecommunications service provider's (Company A)  service in December 2011 for a term of 24 months. In April 2013, Mr X emailed an opt-out request requiring Company A to cease using his personal data in direct marketing. Company A acknowledged the request in writing. 

In May 2013, Mr X received a voice message via his mobile phone from a telemarketing staff member of Company A (the Staff) reminding him that his service contract was due to expire. The Staff also mentioned that the service charge would be revised in June, but Mr X would be granted a concessionary rate to pay the current service charge if he chose to renew his contract by May. The Staff also left her surname and phone number for Mr X to revert.

Company A was charged with the offence under section 35G of the Personal Data (Privacy) Ordinance for failing to comply with a data subject’s request to cease using his personal data in direct marketing. Company A was convicted after trial and fined $30,000. Company A appealed against the conviction.

The Appeal

At the appeal, Company A argued that the purpose of the voice message was only a reminder to Mr X of his expiring contract and that the prosecution must prove that Company A had the mens rea to conduct direct marketing. The Judge clarified that the language of Personal Data (Privacy) Ordinance and the defence provided therein indicated that the legislature intends the proof of mens rea is unnecessary. The prosecution must prove beyond all reasonable doubt the following elements of the offence:

(1) a data subject required a data user to cease using his personal data in direct marketing;
(2) the data user received such requirement from the data subject; and
(3) the data user failed to comply with the requirement.

In this case, the prosecution had proved all the above necessary elements of the offence beyond doubt, and was not required to prove the mens rea. 

Company A went on to argue that the voice message was only a demonstration of good after-sales customer service which did not constitute a "new purpose" as stipulated in Data Protection Principle 3. The interpretation of the term "direct marketing" in section 35G, the word "offering" should also be given its meaning in contract law, and "advertising" refers to the sending of information to the public.

In reliance of section 19 of the Interpretation and General Clauses Ordinance, the Judge adopted a purposive interpretation of the relevant provision, clarifying that "offering" and "advertising" must not be narrowly interpreted. The Judge rejected Company A's ground of appeal by agreeing with the Magistrate's ruling that the Staff’s reminder of the expiry of contract was just a pretext to start the dialogue to offer other services. The voice message was not a simple reminder. Hence, it constituted a "new purpose" and direct marketing. 

Regarding the statutory defence invoked by Company A, it argued that when the Magistrate made the adverse finding of facts against Company A, she had considered those parts of the testimony relating to the offences not charged against it which included the number of times the staff members of Company A had called Mr X, whether Company A had used other means to contact customers, and why the staff members of Company A had not sent letters to customers, etc. Company A argued that the Staff departed from the standard script provided by Company A. However, the Judge found that the standard script itself included words that introduced the renewal of service plans and therefore constituted direct marketing. Audio recordings of telephone calls were also held to be insufficient measures to prevent the staff members of Company A from violating the law. As a result, the Judge considered that Company A could hardly be said to have taken all reasonable precautions and exercised all due diligence to avoid non-compliance with Mr X’s request to cease using his personal data in direct marketing. 

The judge therefore considered the conviction was safe and dismissed the appeal.

Extended Reading:

New Guidance on Direct Marketing

Data Breach Notification

An online page with relevant guidance notes and functions for submitting data breach notification to the PCPD.

More
 

PCPD Youtube Channel

You can find a series of educational videos here promoting awareness of data privacy protection.

More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.


Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.