PCPD e-Newsletter
PCPD launches an anti-doxxing webpage – Say “No” to Doxxing
The PCPD has launched a new webpage to provide a one-stop portal to help the general public better understand the adverse impact of doxxing on both the victims and the doxxers and, more importantly, to urge them not to flout the law. Useful information on this webpage includes:
- An explanation of what doxxing is;
- The law;
- Examples of the victims’ difficult situations;
- How PCPD combats doxxing acts;
- Court decisions; and
- Channels to seek assistance.
PRIVACY 101
Time for a data clean-up!
2021 is coming! It is time for companies and organisations to perform safe and secure data clean-up to maintain good data governance
PRIVACY COMMISSIONER'S FINDINGS
Monastery unfairly collected and disclosed personal information of its resident by stealing her monthly telephone statement – Data Protection Principles 1, 3 & 4
TECH TALK
Interim Joint Statement on Global Privacy Expectations of Video Teleconferencing Companies
MEDIA STATEMENT
First Immediate Imprisonment Case for Breaching Injunction Order Restraining Doxxing
Privacy Commissioner Reiterates the Serious Consequences of Doxxing and Urges the Public Not to Flout the Law
JOIN THE DATA PROTECTION OFFICERS' CLUB
WHAT'S ON
The Privacy Commissioner for Personal Data Publishes an Investigation Report
Two PCPD Staff Members Receive The Ombudsman's Awards
The 54th Asia Pacific Privacy Authorities (APPA) Forum
Working from Home: Safeguarding Personal Data Privacy
GLOBAL PRIVACY LANDSCAPE
Looking Ahead To Data Privacy In 2021
Top 10 privacy and security stories of 2020
Data Privacy Day and 2021 Predictions: LinkedIn Live organised by the IAPP
Date: 8 January 2021
Time: 3:00am – 4:00am
We Want to Hear from You
We have revamped the newsletter with a fresh new look and enhanced content, and would like to hear your thoughts and feedback! Please let us know by filling in the questionnaire and emailing it to corpcomm@pcpd.org.hk.
PRIVACY 101
Time for a data clean-up!
2021 is coming! It is time for companies and organisations to perform safe and secure data clean-up to maintain good data governance.
You may wonder: how long can your organisation retain personal data it has collected? In fact, the Personal Data (Privacy) Ordinance (PDPO) does not stipulate a fixed period of retention of personal data. However, organisations have an obligation to take all practicable steps to:
- ensure that the personal data is not kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used (Data Protection Principle 2(2)); and
- erase personal data held when the data is no longer required for the purpose for which it was used, unless any such erasure is prohibited under any law or it is in the public interest not to have the data erased (section 26 of the PDPO).
Are you ready to perform data clean-up? Consider the 3 steps below:
- Identify what kind of personal data you are holding;
- Familiarise yourself with the retention periods to determine which personal data you can delete in the next phase;
- Delete personal data which is no longer necessary to keep, or store it properly according to the retention period.
Here are some useful tips on data retention:
- Have a data retention schedule and conduct regular reviews of personal data to help determine whether data is still required.
- Conduct regular reviews to help identify if specific personal data is still required. Erase the personal data that is no longer required.
- Set maximum and minimum retention periods for personal data, taking into account any legal requirements or restrictions.
Act now!
PRIVACY COMMISSIONER'S FINDINGS
Monastery unfairly collected and disclosed personal information of its resident by stealing her monthly telephone statement – Data Protection Principles (DPP) 1, 3 & 4
Background
The complainant resided in a monastery hall and used a landline telephone number registered at the monastery for personal use. In February 2018, the complainant found that the monastery had terminated the telephone service on her behalf without her consent. Upon checking with the telecommunications service provider, she learned that the termination request was made by a monastery representative who could provide the complainant’s personal information including her name, Hong Kong Identity Card number and telephone service account number.
The Complaint
The complainant thus lodged the following complaint to the Privacy Commissioner:
- The monastery collected her personal information unfairly by stealing her monthly telephone statement (allegedly contravening DPP 1(2));
- The monastery used her personal data for the purpose of transferring the contract of the telephone number or applying for termination of service without her consent (allegedly contravening DPP 3); and
- The telecommunications service provider failed to take any practicable measures to verify the identity of the caller leading to the termination of the landline telephone service without her consent, as well as disclosing the details of the landline telephone service contract to a third party (allegedly contravening DPPs 3 and 4).
The Commissioner’s Decision
Upon investigation, the Privacy Commissioner took the view that it was unreasonable for the monastery to open the complainant’s private letter without her consent and this amounted to collection of personal data by unfair means, in contravention of DPP 1(2). Further, it was a contravention of DPP 3 when the monastery used the complainant’s personal data and the monthly telephone statement to terminate the complainant’s telephone service without her consent. As a result, the Privacy Commissioner issued a warning letter to the monastery.
The Privacy Commissioner also agreed that the telecommunications service provider had failed to take all reasonable and practicable steps to verify the identity of the caller leading to the termination of the landline telephone service. Its employees also failed to follow the procedures of handling termination of service requests made by non-registrants. Owing to the fact that two employees of the service provider acted negligently, the telecommunications service provider failed to take adequate measures to ensure that personal data held by it was protected against unauthorised or accidental access and processing. This was in contravention of DPP 4. As a result, the Privacy Commissioner issued a warning letter to the telecommunications service provider.
The Privacy Commissioner decided not to pursue the complainant’s complaint further under section 39(2)(d) of the Personal Data (Privacy) Ordinance and paragraph 8(h) of the Complaint Handling Policy. The reason was that the monastery and the telecommunications service provider had respectively taken remedial measures, and continuing the investigation would thus not reasonably yield a better result. The Privacy Commissioner took the view that the complaint lodged by the complainant had been resolved.
TECH TALK
Interim Joint Statement on Global Privacy Expectations of Video Teleconferencing Companies
A joint open letter was issued to companies providing video teleconferencing services by six data protection authorities (the Office of the Privacy Commissioner for Personal Data, Hong Kong, Information Commissioner’s Office of the United Kingdom, the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the Gibraltar Regulatory Authority and the Federal Data Protection and Information Commissioner of Switzerland) (“the joint signatories”) on 21 July 2020, reminding them of their obligations to comply with the relevant privacy laws and handle people’s personal data responsibly.
Four of the video teleconferencing companies responded to the open letter positively and highlighted various privacy and security best practices, measures and tools implemented by the companies. The PCPD, together with the other signatory authorities, will undertake further engagement with these companies.
A public statement providing an interim update of the open letter was issued on 23 December 2020 by the PCPD and the other five joint signatories.
The Privacy Commissioner for Personal Data Publishes an Investigation Report
(22 December 2020)
The PCPD commenced an investigation into an incident of a police officer displaying a reporter's Hong Kong Identity card in front of the reporter's camera, when the police officer stopped and searched the reporter at the Tai Po Mega Mall. In the Investigation Report, the Privacy Commissioner concluded that the use of the personal data on the reporter's Identity card by the police officer was in contravention of DPP 3(1) of Schedule 1 to the Personal Data (Privacy) Ordinance regarding the use of personal data.
Two PCPD Staff Members Receive The Ombudsman's Awards
(4 December 2020)
Two staff members of the PCPD received Individual Awards for Officers of Public Organisations of The Ombudsman’s Awards 2020 (the Awards) for their professionalism and exemplary performance in handling complaints and enquiries. This is the fourth year in a row for PCPD staff members to receive the Awards. The PCPD will continue to strive for its best to enhance the protection of privacy in relation to personal data.
The 54th Asia Pacific Privacy Authorities (APPA) Forum (8 to 10 December 2020)
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the conference of the 54th APPA Forum held virtually from 8 to 10 December 2020. Ms CHUNG delivered a presentation on “Online disclosure of personal data for doxxing purposes in Hong Kong”, illustrating the emergence and surge of doxxing in Hong Kong since June 2019, the follow-up actions taken by the PCPD and the importance of international collaboration in tackling the issue.
Deputy Privacy Commissioner Mr Tony LAM Chik-ting also attended the conference and delivered a presentation on “Future of remote work and learning: Privacy and cybersecurity challenges with remote working ‘Remote Working Symbiosis of Technology, Privacy and Security?’”.
Working from Home: Safeguarding Personal Data Privacy (2 December 2020)
Deputy Privacy Commissioner Mr Tony LAM Chik-ting delivered a presentation titled “Working from Home: Safeguarding Personal Data Privacy” at the virtual Hong Kong General Chamber of Commerce (HKGCC) Manpower Committee Meeting, providing advice on data security under work-from-home arrangements.
JOIN THE DATA PROTECTION OFFICERS' CLUB
How can you pursue a profession in data privacy protection? A crucial step along the path of the data privacy profession is to be part of the Data Protection Officers’ Club (DPOC) organised by the PCPD. The DPOC can advance your knowledge in data management and privacy professionalism through experience sharing and training.
Join the DPOC today to get the welcome gifts (while stock lasts):
- "From Principles to Practice – SME Personal Data Protection Toolkit"
- “A Brief Summary on the Regulations in the Mainland of China Concerning Personal Information and Cybersecurity Involved in Civil and Commercial Affairs” (Chinese version)
Contact Us
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.