PCPD e-Newsletter

ISSUE FEB 2021

Privacy Commissioner Welcomes Government’s Proposal to Amend the Privacy Law to Combat Doxxing

On 4 February 2021, the Chief Executive Mrs Carrie Lam made an announcement concerning amending the Personal Data (Privacy) Ordinance (the Ordinance) to combat doxxing, which was described as a “more pressing problem of intrusion of privacy”. On the same date, Privacy Commissioner Ms Ada CHUNG Lai-ling issued a media statement welcoming the proposal.

 

Evidently, the impact of doxxing on victims is severe and long-lasting. A survey released by the Office of the Privacy Commissioner for Personal Data (PCPD) on 28 January 2021 shows that at least two-thirds of the respondents supported giving the PCPD the power to request the removal of contents relating to doxxing from social media platforms or websites, carry out criminal investigation and institute prosecution. The amended legislation will enable the PCPD to combat doxxing more effectively in order to stop the harm caused by doxxing activities.

 

The PCPD has been actively working with the Government in the formulation of concrete proposals to amend the Ordinance. The PCPD will make practicable legislative amendment proposals in areas such as the definition of the offence of doxxing, penalties, evidential threshold and the PCPD’s statutory powers to demand the removal of doxxing contents from social media platforms or websites, and empowering the PCPD to carry out criminal investigation and institute prosecution. The PCPD will also make reference to relevant laws in other jurisdictions as appropriate. The legislative amendment exercise is a key priority of the PCPD’s work in 2021. The PCPD will continue to provide the necessary input to the Government in the exercise.


 

PRIVACY 101

What is PMP and Why Does My Organisation Need it? 

PRIVACY COMMISSIONER'S FINDINGS


Dental Clinic Staff Displayed Another Patient’s Medical Record to a Patient and Requested Medical Record to be Sent by Mobile Phone

 

TECH TALK

Be Smart in Using Smartphone

RECOMMENDED ONLINE TRAINING

Online Seminar on Protecting Personal Data under Work-from-home Arrangements

Online Professional Workshop on Data Protection in Banking/Financial Services

Free Online Seminar: Introduction to the Personal Data (Privacy) Ordinance

 

WHAT'S ON

Back to School – Online Seminar on Schools’ Collection and Use of Personal Data during COVID-19 Pandemic (26 Feb)

Updates on Privacy Friendly Awards 2021

MEDIA STATEMENT

“LeaveHomeSafe” Mobile App in Compliance with the Requirements of the Privacy Law

GLOBAL PRIVACY LANDSCAPE

New categories, new rights: The CPRA's opt-out provision for sensitive data

New guidelines on GDPR data breach notifications


PRIVACY 101

What is PMP and why does my organisation need it?

 

Organisations handle vast amounts of personal data, e.g. personal data of customers and employees, in the course of their business operations. With rising public expectations for privacy protection, organisations should go further than merely treating personal data protection as a compliance issue.

 

Having a Privacy Management Programme (PMP) helps organisations embrace personal data protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting from the boardroom. Not only can it build trust with clients, but it can also enhance the organisation’s reputation as well as its competitiveness.

 

A PMP consists of the following three components:

 

To learn more about PMP, check out this Best Practice Guide published by the PCPD:


PRIVACY COMMISSIONER'S FINDINGS

Dental Clinic Staff Displayed Another Patient’s Medical Record to a Patient and Requested Medical Record to be Sent by Mobile Phone

The complaint

The complainant went to a dental clinic for medical consultation. To illustrate his explanation when discussing the treatment plan with the complainant, the dentist showed an X-ray film of another patient’s dental exostosis with the patient’s name clearly shown. Moreover, as the complainant needed to provide the dentist with his earlier blood test results, the dentist’s assistant asked the complainant to send the results through a mobile instant messaging app. The complainant considered that the two incidents showed the clinic’s inadequate personal data protection for patients and lodged a complaint with the PCPD.

 

Outcome

Regarding personal data protection, the PCPD considered that the clinic as a data user was obliged to ensure its staff’s compliance with Data Protection Principle 4 of Schedule 1 to the Personal Data (Privacy) Ordinance (“the Ordinance”) when using or handling personal data (especially when sensitive personal data was involved, e.g. medical records, laboratory test results, etc.). Staff must take all practicable steps to ensure that personal data was protected against unauthorised or accidental access, processing, erasure, loss or use.

 

Undoubtedly, the use of mobile communication apps in transmitting documents is becoming more common. But data users should exercise vigilance when transmitting sensitive personal data. The PCPD recommended the clinic adopt transmission means with higher security, e.g. encrypted email or delivery by hand. As a good practice, the clinic staff should explain the risk to the patient when requesting the patient to submit his personal data through mobile communication apps and allow the patient to choose the means of submission. Moreover, the clinic should also remind its staff that forwarding of patients’ personal data received by mobile communication apps was not allowed, and the personal data must be deleted once the purposes of using the documents were achieved.

 

Besides, in this case, the dentist appeared to have acted out of goodwill in referring to a similar X-ray film to help the patient understand the treatment plan. However, if another patient’s personal data was inadvertently disclosed, the relevant requirements of the Ordinance might be contravened. The PCPD requested the clinic to urge its staff to be more careful when encountering similar situations in future.

 

Lesson learnt

Since public expectations of personal data privacy protection are rising and medical records are sensitive personal data, medical practitioners should be more vigilant in handling patients’ data and be aware of personal data security. Medical institutions should also adopt proper and proportionate data security measures in accordance with the sensitivity of the data, in order to fulfil the reasonable expectations of the public and the duty of data ethics.

TECH TALK

Be Smart in Using Smartphone

Smartphones have become indispensable in our daily lives. Check out these tips and be smart in protecting your personal data while using mobile apps!

 

Is it a genuine app?

Not all smartphone application stores verify their apps and it is a well-known fact that there are fake apps around. Make sure you know what apps you are downloading before installing them. Don't download or use preload software from unofficial channels.

 

What information on your phone could an app access?

Before installing an app, you should study its terms of service and privacy policy carefully to learn what information it will access, upload and/or share from your smartphone and decide if it is worthwhile to exchange your privacy for the use of the app.

 

Review your apps

You should regularly review what apps you have installed on your smartphone and uninstall those that you no longer use, to prevent information from being accessed, shared or uploaded by apps unnecessarily or inadvertently.

 

Find out more tips on the “Be SMART Online” thematic website:

WHAT'S ON

Back to School – Online Seminar on Schools’ Collection and Use of Personal Data during COVID-19 Pandemic (26 Feb 2021)

As schools started to resume classes in phases after the Lunar New Year, the PCPD held an online seminar on 26 February to provide guidance to schools on the collection and use of personal data as they implement appropriate preventive measures to combat the COVID-19 pandemic. The seminar served to remind schools to strike a reasonable balance between safeguarding public health and protecting personal data privacy.

 

For more on this topic, please refer to the “Guidance for Schools on the Collection and Use of Personal Data of Teachers, Staff and Students during COVID-19 Pandemic” issued by the PCPD in September 2020.

Updates on Privacy Friendly Awards 2021

The PCPD received 130 entries for the Privacy-Friendly Awards 2021. Depending on the number of “Privacy Protection Measures” already put in place or completed by an organisation, a Gold, Silver, or Bronze Privacy-Friendly Certificate will be awarded to the organisation in recognition of its efforts in promoting the protection of personal data privacy. The full list of awardees will be announced at the Awards Presentation Ceremony to be held on 4 March.

RECOMMENDED ONLINE TRAINING

Online Seminar on Protecting Personal Data under Work-from-home Arrangements

Date: 19 March 2021 (Fri)

Time: 4:00pm – 5:00pm

Language: Cantonese

Fee: $250

 

Key takeaways:

  • Data Protection Principles applicable to WFH arrangements
  • WFH arrangements
  • Data security risks under WFH arrangements
  • Practical advice for organisations and employees in protecting personal data under WFH arrangements
  • Guidance on security and personal data privacy protection measures while using video conferencing software
  • Q & A session

Online Professional Workshop on Data Protection in Banking/Financial Services

This workshop is designed for banking and financial personnel who wish to acquire knowledge on the requirements under the Personal Data (Privacy) Ordinance (“the Ordinance”) in different aspects of the banking and financial services and the practical ways to deal with them effectively in their daily operation.

 

Who should attend: Data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry.

 

Date: 31 March 2021 (Wed)

Time: 2:15pm - 5:15pm

Language: Cantonese

Fee: $750/$600*

(*Members of the PCPD Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

 

Workshop outline:

  • An overview of the relevant requirements under the Ordinance
  • Privacy and ethical implications of new technologies
  • How to comply with the requirements of the Ordinance in daily operations of the banking industry
  • Code of Practice on Consumer Credit Data
  • Recent topical issues on data privacy

Free Online Seminar: Introduction to the Personal Data (Privacy) Ordinance

Check out our FREE public online seminars to deepen your understanding of the Ordinance.

Date: 25 March 2021 (Thu)

Time: 3:00pm - 4:30pm

Key Takeaways:

  • A general introduction to the PDPO
  • The six Data Protection Principles
  • Offences & compensation
  • Direct marketing
  • Q & A session

Contact Us

Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

 


Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.