Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attended Meeting of the Legislative Council Panel on Constitutional Affairs on Proposed Amendments to the Personal Data (Privacy) Ordinance 

The Secretary for Constitutional and Mainland Affairs, Mr Erick TSANG Kwok-wai, IDSM, JP, and the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Ms Ada CHUNG Lai-ling, attended the meeting of the Legislative Council Panel on Constitutional Affairs on 17 May 2021 on the Government’s proposed amendments to the Personal Data (Privacy) Ordinance and answered questions from the Legislative Council Members.

With an aim to combat doxxing, the proposed amendments include adding an offence to curb doxxing acts, empowering the Privacy Commissioner to carry out criminal investigation and institute prosecution, and conferring on the Privacy Commissioner statutory powers to demand the rectification of doxxing contents etc.

PRIVACY 101

Securing Data on Your Smartphone 

Smartphones are indispensable in our daily lives. It often stores a lot of personal data about ourselves and our contacts. Here are some tips to secure the data stored on your smartphone:

• Phonebook is for contact information only: Many apps would upload and share your phonebook, so do not store sensitive information (such as PIN, building accessing code, account name/number/password) in phone books.
• Don't use untrusted Wi-Fi: Public Wi-Fi hotspots could be faked for capturing your communications. If you are not sure, use the data access plan of your mobile service or do not visit any websites or use any apps that require logging on when using public Wi-Fi.
• Use encryption: If you need to store sensitive information in the smartphone, make sure it is protected by encryption offered by the smartphone or a third-party.
• Clear browser history: Consider the need to regularly clear the browsing history in the browser (through the browser settings) to avoid them from being assessed by others.

For more tips to protect your personal data privacy in the use of smartphones, check out the newly updated step-by-step guide for privacy settings for iPhones and Android smartphones:

TECH TALK

Privacy Commissioner Welcomes WhatsApp’s Acceptance of Suggestions to Provide Alternatives to Users  

Privacy Commissioner Ms Ada CHUNG Lai-ling welcomes WhatsApp’s acceptance of suggestions to provide practical alternatives to users who do not agree to the new Terms of Service and Privacy Policy (New Terms and Privacy Policy), which took effect on 15 May 2021.

Since January 2021, the PCPD has been communicating with the representatives of the headquarters of WhatsApp to relay users’ concerns on the New Terms and Privacy Policy. The PCPD has received WhatsApp’s latest response in late May and noted WhatsApp’s announcement that no one will have their accounts deleted or lose functionality of WhatsApp because of their non-acceptance of the New Terms and Privacy Policy. According to WhatsApp, they will remind users who have not accepted the New Terms and Privacy Policy of the update, but they have no plans to limit the functionality of WhatsApp for those users.

The Privacy Commissioner is pleased to note that WhatsApp adjusts its policies to address users’ concerns. The Privacy Commissioner encourages WhatsApp to continue with their efforts to provide sufficient information and explanations to users about the New Terms and Privacy Policy.

For more information on how to mitigate the privacy risks in the use of social media and instant messaging apps, please read the PCPD’s “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps”:

PRIVACY COMMISSIONER'S FINDINGS

Can employers install CCTV at home to monitor domestic helpers?

If an employer conducts video monitoring of a domestic helper’s work, this constitutes collection of the domestic helper’s personal data. In such circumstances, the employer as a data user must comply with the requirements of the Personal Data (Privacy) Ordinance, including Data Protection Principle 1 upon collection of personal data.

Before monitoring domestic helper’s work, employers should make reference to the PCPD’s leaflet, “Monitoring and Personal Data Privacy at Work: Points to Note for Employers of Domestic Helpers”. The indiscriminate use of video cameras at home to monitor a domestic helper’s activities is by its nature an intrusion to privacy. An employer must seriously consider whether it is indeed necessary to undertake such monitoring before embarking upon such an exercise. For an employer who has, after considering all factors, nevertheless resolved to undertake video monitoring at home, he should consider the “reasonableness” of the manner in which the monitoring is carried out, the “openness” by which his domestic helper is informed about it and the proper handling of the resultant video records. In principle, no cameras, whether hidden or not, should capture images showing activities inside a toilet, bathroom or the private area where a domestic helper rests after work. Where an employer intends to undertake video monitoring, it is important that his domestic helper is informed of the presence of any video monitoring system on the premises where she works.

Moreover, employers should implement employee monitoring policies by explicitly stating the management of personal data obtained from employee monitoring and the purposes for which personal data obtained from monitoring records may be used, and communicating the policies to the affected domestic helpers. As good practices, employers should inform their domestic helpers of the location of the monitoring equipment, retention period of the monitoring records, measures for safeguarding the data, etc.

WHAT'S ON

Privacy Commissioner Contributed Article Entitled “Implementing a Privacy Management Programme to Gain Customers’ Trust”  

Privacy Commissioner Ms Ada CHUNG Lai-ling contributed an article to "The 21st Century Director", a monthly magazine published by The Hong Kong Institute of Directors, in May 2021.

Interview with Privacy Commissioner by CSj, the monthly journal of The Hong Kong Institute of Chartered Secretaries

In an interview with CSj, the monthly journal of The Hong Kong Institute of Chartered Secretaries, Privacy Commissioner Ms Ada Chung Lai-ling highlights some key regulatory and corporate governance issues relevant to governance professionals.

PCPD Organised Webinar on “Social Media and You” to provide practical guidance on protecting personal data privacy (3 May) 

The PCPD organised a webinar on “Social Media and You” on 3 May 2021 in celebration of its 25th Anniversary. During the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling, and Professor WONG Kam Fai, Associate Dean (External Affairs) of the Faculty of Engineering at The Chinese University of Hong Kong, shared the latest developments of social media and the risks posed to personal data privacy in the use of social media. Practical tips on safeguarding personal data were also provided to raise the awareness of the participants in protecting their personal data privacy in the use of social media and instant messaging apps. The webinar received an overwhelming response with nearly 250 participants.

There will be a re-run of the webinar on 22 June 2021. Please see "Recommended Online Training" section below for details.

Watch the highlights of the 3 May webinar at:

Privacy Commissioner Delivered an Opening Keynote at the Data Privacy Forum 

Privacy Commissioner Ms Ada CHUNG Lai-ling delivered an opening keynote as the Guest of Honour at the inaugural Data Privacy Forum on 22 April 2021.

The Privacy Commissioner stressed that with the accelerated development of information and communications technologies, organisations, as data users, should protect and respect their customers’ personal data in order to garner the trust of their customers and remain competitive in the market. She also appealed for the support of Data Protection Officers to ensure compliance with the privacy law and the proper implementation of a Privacy Management Programme.

"Say 'NO' to Doxxing"—Tram Body Advertising Campaign 

To promote the message against doxxing, a “Say ‘NO’ to Doxxing”-themed tramcar has been running up and down the tramway tracks since 12 May.

"Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance"  – Order the Second Edition 

The second edition of "Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance" has been published. Riding on the success of the Frist Edition, the Second Edition includes updated laws and regulations as well as information about recently decided cases, which are all presented in a reader-friendly manner.

Order the book by 30 June 2021 to enjoy a 20% discount!

CHINA CORNER

Introduction to the Draft Personal Information Protection Law of China

Currently, the regulations on the protection of personal information in the Mainland are relatively scattered. The Personal Information Protection Law is expected to become the first piece of legislation in the Mainland dedicated to the protection of personal information.The first version of the Draft Personal Information Protection Law (“the Draft”) was released for public consultation in October 2020.

The National People’s Congress Standing Committee deliberated the second version of the Draft in April 2021, and released the full text for another round of public consultation. For highlights of the second version of the Draft, please visit the PCPD’s recently created thematic webpage:

RECOMMENDED ONLINE TRAINING

Privacy-Friendly Awardees' Sharing Session 

In this online sharing session exclusively for DPOC members, four award-winning organisations of Privacy-Friendly Award 2021 from different sectors will share their success stories in building a good organisational culture of respecting and protecting personal data privacy, as well as their practical experience in personal data management. The details are as follows: 

Date: 29 June 2021 (Tuesday)

Time: 3:00 pm – 4:15 pm

Mode: Webinar

Fee: Free of charge (for Data Protection Officers' Club members only)

Speakers: Representatives from:

• Equal Opportunities Commission

• Livi Bank Limited

• Octopus Cards Limited

• Union Hospital

Language: Cantonese

Webinar on "Social Media and You” (re-run)

While most of the social media and instant messaging apps provide their services for free, is there really free lunch when users’ information is collected and shared? Without proper managing the privacy risks involved, personal data can be stolen and misused for doxxing, or perpetrating frauds.

What are the latest developments of social media and their impact on our society? How can we manage the privacy settings of social media? How to safeguard our personal data against online scams? How can parents help their children on using social media safely? Find out the answer by signing up for the webinar.

Date: 22 June 2021 (Tuesday)

Time: 3:00 pm - 4:15pm

Mode: Webinar

Fee: Free of charge

Speakers:

• Ms Ada CHUNG Lai-ling, Privacy Commissioner for Personal Data, Hong Kong

• Professor Wong Kam Fai, Associate Dean (External Affairs), Faculty of Engineering;
  Professor, Department of Systems Engineering & Engineering Management and Director of Centre of Innovation and Technology of The Chinese University of Hong Kong

Language: Cantonese

Free Online Seminar: Introduction to the Personal Data (Privacy) Ordinance

Check out our FREE public online seminars to deepen your understanding of the Ordinance.

Date: 22 June 2021 (Tuesday)

Time: 3:00pm - 4:30pm

Language: English

Key Takeaways:

• A general introduction to the PDPO
• The six Data Protection Principles
• Offences & compensation
• Direct marketing
• Q & A session

Online Professional Workshop on Data Protection and Data Access Request

This workshop provides practical guidance on issues relating to compliance with a Data Access Request ("DAR") raised by customers or employees.

There are stringent requirements for compliance with a DAR under the Personal Data (Privacy) Ordinance. Dealing properly and effectively with a DAR is a challenge for many organisations. This workshop will examine in details those requirements and offer guidance on the handling of a DAR.

You may already be dealing with DARs and want to review your handling. Maybe you have never dealt with DARs and want to develop proper processes. In this workshop, you will learn how to deal with DAR and avoid pitfalls. There will also be plenty of opportunities for asking questions and having them answered during the workshop.

Date: 9 June 2021 (Wednesday)

Time: 2:15pm - 5:15pm

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, Data Protection Officers, administration managers, human resource officers, customer services personnel.

Course outline:

• What is a DAR
• What is subject to access under a DAR
• Who may make a DAR
• How to make a DAR
• What should a data user do in order to comply with a DAR
• Charges for a DAR
• Grounds for refusing to comply with a DAR
• Steps to take in refusing to comply with a DAR
• Protection for third party data when complying with a DAR
• Consequences of breach of the DAR provisions
• Data Ethics

Online Practical Workshop on Data Protection in Property Management Practices 

Participants will learn how to comply with the requirements under the Personal Data (Privacy) Ordinance when engaging in property management practices that involve the collection and use of personal data. Key features of the “Guidance Note on Property Management Practices” will be clearly explained.

Property management officers face many data protection compliance challenges in their daily operation as many aspects of their work involve the collection and use of personal data from flat owners, residents, visitors, car park users and others. This workshop takes a holistic approach to the handling of personal data in property management and provides practical steps to address the challenges.

Date: 17 June 2021 (Thursday)

Time: 2:15pm - 4:15pm

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Property management personnel, Data Protection Officers, compliance officers, solicitors, members of owner’s corporation.

Course outline:

• Understanding the “Guidance on Property Management Practices”
• Legal requirements for the collection of personal data from flat owners, residents, visitors, car park users and others and how to ensure their accuracy and security
• Collection of personal data in processing building entry pass or smart card
• How to set out the retention period of personal data collected from flat owners, residents, visitors, car park users and others
• What are the requirements for disclosing personal data to third parties, e.g. posting of minutes of meeting and notices that contain personal data?
• What are the privacy issues relating to public surveillance?
• Use of ICT for property management and the relevant data protection issues
• Data Ethics

Arrange In-house Seminar for Your Organisation 

Ongoing and up-to-date training is an essential component of proper management of personal data privacy in organisations. Now you can make a request for an in-house seminar hosted by a speaker from the PCPD.

Seminar outline:

• A general introduction to the Personal Data (Privacy) Ordinance
• The six Data Protection Principles (industry-related cases will be illustrated)
• Direct marketing
• Offences & compensation
• Q&A session

Duration: 1.5 hour

Contact Us

Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.