PCPD e-Newsletter

ISSUE NOV 2020

WFH Arrangements

Work-from-home (WFH) arrangements have been made from time to time during the COVID-19 pandemic. Under WFH arrangements, organisations may have to access or transfer data and documents through employees’ home networks and employees’ own devices, which are less secure than the professionally managed corporate networks and devices. This inevitably increases risks to data security and personal data privacy.  Meanwhile, video conferencing has fast become more popular. The increasingly prevalent use of video conferencing software creates new risks to data security and personal data privacy.

 

As WFH arrangements may have become a new normal for many people, the PCPD calls on employers, employees and users of video conferencing software, including teachers and students, to step up their guard against the new risks posed to data security and personal data privacy as a result of WFH arrangements. In this regard, the PCPD has recently issued three Guidance Notes under the series “Protecting Personal Data under Work-from-Home Arrangements” to provide practical advice to (1) organisations; (2) employees; and (3) users of video conferencing software to enhance data security and the protection of personal data privacy.

In particular, the PCPD recommends that organisations should:

  • set out clear policies on the handling of data (including personal data) during WFH arrangements;
  • take all reasonably practicable steps to ensure the security of data, in particular when information and communications technology is used to facilitate WFH arrangements, or when data and documents are transferred to employees to work from home;
  • provide sufficient training and support to their employees under WFH arrangements to ensure data security; and
  • ensure the security of the data stored in the electronic devices provided to employees. 

The PCPD recommends that employees should:

  • adhere to their employers’ policies on the handling of data;
  • use only corporate electronic devices for work as far as practicable;
  • enhance the security of Wi-Fi connections and electronic communications (including emails and instant messages);
  • avoid working in public places to prevent accidental disclosure of personal data or restricted information to third parties; and
  • ensure proper handling of data when it is necessary to take paper documents out of office premises. 

On the use of video conferencing software, the PCPD recommends that users should:

  • review and assess the policies and measures on the security and protection of personal data privacy of different video conferencing software in order to choose the ones that meet their needs;
  • safeguard their user accounts by setting up strong passwords, changing the passwords regularly, and activating multi-factor authentication; and
  • verify the identities of the participants of video conferences to prevent unauthorised access.

 

PRIVACY 101

Data Access Request (DAR)

What is a data access request (DAR)? Have you ever found yourself not being able to handle a data access request properly?

PRIVACY COMMISSIONER'S FINDINGS

An employee made a data access request to his employer with the intention of finding out whether he was considered as having potential for promotion – Data Protection Principle (DPP) 6

 

TECH TALK

Global Privacy Assembly Adopted a Resolution to Encourage Accountability in the Development and Use of AI

 

MEDIA STATEMENTS

Privacy Commissioner Calls for Greater Vigilance When Teenagers Go Online
Beware of Swindlers of Personal Data

As a result of the pandemic, teenagers tend to spend more time on online learning and social networking. In view of an increasing number of online naked chat blackmail cases from January to September this year, Privacy Commissioner Ms Ada Chung Lai-ling urged teenagers to exercise greater vigilance when they go online. 

 

WHAT'S ON

Say “No” to Doxxing

 

Doxxing may constitute a contravention of section 64(2) of the Personal Data (Privacy) Ordinance, which stipulates that a person commits an offence if the person discloses any personal data of a data subject that was obtained from a data user without the data user’s consent and the disclosure causes psychological harm to the data subject. The offence is punishable by a fine of up to HK$1 million and imprisonment for 5 years.  Don’t flout the law! 

Privacy Commissioner’s Updates

PCPD Annual Report

Application for the Privacy-Friendly Awards 2021 closed

GLOBAL PRIVACY LANDSCAPE

What the public hopes and fears about the use of AI in health care

 

The QR code has turned COVID-19 check-ins into a golden opportunity for marketing and data companies

 

Finland fast-tracks ID code law change after hacking case

 

PROFESSIONAL WORKSHOPS IN DECEMBER

2 Dec, 2:15PM-5:15PM: Data Protection in Human Resource Management

9 Dec, 2:15PM-5:15PM: Recent Court and Administrative Appeals Board Decisions

16 Dec, 2:15PM-5:15PM: Data Protection in Insurance

 

We Want to Hear from You

 

We have revamped the newsletter with a fresh new look and enhanced content, and would like to hear your thoughts and feedback! Please let us know by filling in the questionnaire and emailing it to corpcomm@pcpd.org.hk


PRIVACY COMMISSIONER'S FINDINGS

An employee made a data access request to his employer with the intention of finding out whether he was considered as having potential for promotion – Data Protection Principle (DPP) 6

DPP 6 – Access and Correction Requests

DPP 6 provides data subjects with the right to request access to and correction of their own personal data. A data user should give reasons when refusing a data subject’s request for access to or correction of his/her personal data.

 

The Complaint

A classified list of staff having potential to be promoted in the future was compiled and passed to the organisation’s management for consideration. The complainant submitted a data access request to the organisation requesting it to confirm if his name was on the list. As the list was a classified document of the organisation, no reply was given to the complainant. The complainant then complained against the organisation for failing to comply with his data access request.

 

Outcome

In this case, the complainant’s purpose for making the data access request was not to access his employment-related data held by the organisation (e.g. his resume, performance appraisals, training records or applications for leave/staff benefits records, etc.), but to find out whether he was considered as a staff member having potential for promotion. PCPD considered that the complainant’s request was not related to his personal data.

 

Under the PDPO, the complainant had the right to access his personal data held by the organisation to ascertain if it was accurate, and if it was inaccurate, he could request his employer to correct it. The organisation had no duty under the PDPO to confirm to the complainant “whether his name was on the list of staff having potential”.

 

Lesson Learnt

The PDPO gives employees an important right to access their personal data, and employers as data users are obligated to handle data access requests in accordance with the PDPO. However, employees may misunderstand this right as an absolute right to information which they can use to fish for answers in employment-related matters, or to obtain reports or letters in a specified format (e.g. requesting employers to provide reference letters). In fact, the right to make data access requests is intended to provide a channel for a data subject to access his or her personal data held by a data user, and to request correction when an inaccuracy is noted. Employees should not expect, by exercising their right to make a data access request, to obtain information for checking the employer’s administrative arrangements or management decisions, or for resolving employment disputes.


TECH TALK

Global Privacy Assembly Adopted a Resolution to Encourage Accountability in the Development and Use of AI

The social and economic value of artificial intelligence (AI) is huge. It improves efficiency and drives innovation in a wide range of fields, from manufacturing, transportation and finance to healthcare and education. However, the use of AI is still largely unregulated worldwide. The application of AI systems usually involves the profiling of individuals and the making of automated decisions about them, and hence poses risks to personal data privacy and other human rights.

 

The Working Group on Ethics and Data Protection in Artificial Intelligence under the Global Privacy Assembly, of which the Privacy Commissioner of Hong Kong is a co-chair, proposed the Resolution on Accountability in the Development and Use of AI (the Resolution). Organisations that utilise AI systems are urged to implement accountability measures and to identify an accountable human actor to constantly monitor and evaluate the performance of the AI.

 

The Resolution represents an ethical framework to ensure the responsible use of AI and it is premised on the principle that AI should serve humans, not the other way around.

 

Read the article contributed by Privacy Commissioner Ms Ada Chung Lai-ling to "Hong Kong Lawyer" (issue of November 2020) to learn more about the Resolution.


WHAT'S ON

Since June 2019, we have witnessed unprecedented weaponisation of personal data in the form of doxxing activities causing not only psychological harm but also intimidation of individuals and incitement against public order. 

 

Doxxing involves the gathering of the personal data of a target or even his/her family members from different sources and the subsequent disclosure of such personal data on the internet, social media platforms or other open platforms without the consent of the relevant data subject. The victims of doxxing found themselves exposed to intimidating calls or, equally bad, cyberbullying or identity theft.

 

Doxxing behaviour can bring serious legal consequences.  In particular, doxxing may constitute a contravention of section 64(2) of the Personal Data (Privacy) Ordinance (PDPO), which stipulates that a person commits an offence if the person discloses any personal data of a data subject that was obtained from a data user without the data user’s consent and the disclosure causes psychological harm to the data subject. The offence is punishable by a fine of up to HK$1 million and imprisonment for 5 years. 

 

In early November, a former telecommunications technician who obtained the personal data of a family member of a police officer for doxxing by using his office computer was charged with, among others, an offence under section 64(2) of the PDPO. The defendant was sentenced to imprisonment for 18 months. Together with other convictions, he was sentenced to imprisonment for 24 months.

 

In combatting doxxing, the PCPD has handled more than 4,700 doxxing-related complaints and cases found proactively by ourselves through online patrols.  The PCPD has referred over 1,400 cases to the Police for criminal investigation and consideration of prosecution, and has also referred 45 cases that involved possible violation of the Court’s interim injunction orders to the Department of Justice for follow-up.  In addition to enforcement actions, the PCPD carries out promotion and public education through different channels in order to tackle the problem at its roots.  The PCPD is developing a dedicated webpage to provide a one-stop portal with information and short videos to help the general public better understand the adverse impact of doxxing on both the victims and the doxxers and, more importantly, to urge them not to flout the law. Please stay tuned.

Privacy Commissioner's Updates

IAPP KnowledgeNet Webinar (24 Nov 2020)

On 24 November 2020, on invitation by the International Association of Privacy Professionals (IAPP) KnowledgeNet, Privacy Commissioner Ms Ada Chung Lai-ling shared the PCPD's work on combatting doxxing and PCPD's plan for 2021.

Belt and Road Webinar (23 Nov 2020)

On 23 November 2020, Commissioner Chung gave a presentation entitled "Technological advancement and the protection of personal data privacy" at the “Belt and Road Webinar” organised by the Law Society of Hong Kong, elaborating on the advancement in technology and the inherent risks to personal data privacy brought by it.

New Publications

 

PCPD Annual Report

The PCPD has published the 2019-20 Annual Report with the theme "Rising to the Novel Challenges", summarising the key activities and statistics of the PCPD during the reporting year.

Application for the Privacy-Friendly Awards 2021 closed

 
Thank you for the enthusiastic responses to the Privacy-Friendly Awards. The application period has closed and  the list of awardees will be announced in early 2021.  Stay tuned!


PROFESSIONAL WORKSHOPS IN DECEMBER

Data Protection in Human Resource Management (Online workshop)

This online workshop will take participants on a deep dive into some common questions and good practices in handling personal data in human resources management. It is particularly suitable for human resources practitioners.

 

This workshop will cover how employers may deal with questions including collecting health-related data of their employees during the COVID-19 pandemic while at the same time complying with personal data privacy law.

 

Date: 2 December 2020 (Wednesday)

Time: 2:15pm – 5:15pm

 

Key takeaways:

  • A thorough understanding of the requirements of the Personal Data (Privacy) Ordinance when handling personal data in the entire employment process from cradle to grave. For example, can an employer collect a photocopy of a job applicant's Hong Kong Identity Card? How long should a company keep the personal data of former employees? Can an employee obtain all the comments in his/her appraisal report?
  • How to properly handle Data Access Requests?
  • How to tackle employees’ personal data privacy issues arising from COVID-19?

Recent Court and Administrative Appeals Board Decisions (Online workshop) 

Legal practitioners and compliance officers often find themselves in practical need of keeping abreast of the latest decisions and the legal arguments of the court and the Administrative Appeals Board in relation to data privacy.  Hosted by a PCPD lawyer, this workshop will let you take a deep-dive into the crunch issues in those cases and the commonly deployed provisions of the Personal Data (Privacy) Ordinance.

 

Date: 9 December 2020 (Wednesday)

Time: 2:15pm – 5:15pm

 

Key takeaways:

  • Thorough understanding of major data privacy issues raised in recent decisions of the Hong Kong Court and the Administrative Appeals Board, including:
    • An appeal case of a Legislative Council member
    • Cases in relation to injunctions on doxxing
    • Privacy implications of a Court of Appeal judgment on Police’s power to search the digital contents of mobile devices
    • Other decisions made by the court and the Board
  • In-depth discussion and interpretation of commonly deployed provisions of the Personal Data (Privacy) Ordinance
  • Familiarisation with recent decisions that can serve as legal authorities and practical examples for solving problems encountered in compliance work

Data Protection in Insurance (Online workshop) 

Insurance practitioners handle a large amount of customers’ personal data in their daily work. This Workshop is designed for insurance practitioners who wish to acquire the knowledge to protect customers’ personal data in providing insurance services to the public.

 

Date: 16 December 2020 (Wednesday)

Time: 2:15pm – 5:15pm

 

Key takeaways:

  • An overview of the data protection provisions
  • Recent topical issues on data privacy
  • Liabilities of insurance companies and insurance practitioners
  • Useful pointers on Personal Information Collection Statement
  • Collection of customers’ medical data
  • Collection of Hong Kong identity card number and copy
  • Engagement of private investigators in insurance claims
  • Retention of customers’ personal data
  • Use of customers’ data for internal training
  • Security of customers’ personal data handled by staff and agents
  • Handling of data access requests from customers
  • Data Ethics

Contact Us

Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

 

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.