
PCPD e-Newsletter


ISSUE June 2021


“Protecting Privacy in the Internet Era” - Privacy Awareness Week 2021

 

Jointly supported by members (including the PCPD) of the Asia Pacific Privacy Authorities (APPA), Privacy Awareness Week (PAW) is an annual promotion campaign which aims at raising public awareness of the importance of protection of personal data privacy through educational and promotional activities. This year, PAW was held from 21 to 27 June in Hong Kong under the theme of “Protecting Privacy in the Internet Era”. 

 

As the kick-off event and one of the key highlights of the PAW 2021, on 22 June, Privacy Commissioner Ms Ada CHUNG Lai-ling hosted the webinar on “Social Media and You”, with Professor Wong Kam Fai, the Associate Dean (External Affairs), Faculty of Engineering of The Chinese University of Hong Kong (CUHK), as the guest speaker. Professor Wong is also the Professor of the Department of Systems Engineering & Engineering Management and Director of Centre of Innovation and Technology of the CUHK. The webinar sought to provide practical guidance to users of social media and instant messaging apps on how to protect personal data privacy. It also explained the latest development of social media and its impact on society.  The webinar was held with great success, attracting more than 300 users of social media, marketing and PR practitioners, SMEs, teachers, parents and teenagers to attend.

 

 

Another webinar on “Data Protection in the Age of Big Data” was held on 25 June. The webinar was hosted by Ms Christine CHAN, Senior Personal Data Officer (Acting) of the PCPD, and featured Dr KH SHUM, Director of Applied Cryptosystems, Technology Division of Cybersecurity, Cryptography and Trusted Technology, the Hong Kong Applied Science and Technology Research Institute, as the guest speaker. The webinar elaborated on the relevant requirements under the Personal Data (Privacy) Ordinance (PDPO) with regard to the use of big data or artificial intelligence by organisations, and discussed issues relating to enhancing cybersecurity, etc.

 

During PAW 2021, the PCPD also produced an e-poster on the smart use of social media for members of the public to download.

 

To reach out to a wider audience in the community, the PCPD also promoted the messages of “Protecting Children Privacy” and “Say ‘No’ to Doxxing” on the bodies of a number of double-decker buses during PAW 2021.

 


 

PRIVACY 101

 
 

Data Processing Management

 

TECH TALK

 
 

Tips for Using Fintech   

PRIVACY COMMISSIONER'S FINDINGS

 
 

 

Disputes Over Data Accuracy Arising from the Disagreement Between Former Employee And Employer about Reason for Leaving Employment

 

MEDIA STATEMENT

PCPD Provides “Vaccination Leave” for Staff after COVID-19 Vaccination in Support of Government's “Early Vaccination for All” Campaign

PCPD Reminds the Public to Safeguard Personal Data Privacy When They Participate in Lucky Draw Activities 

RECOMMENDED ONLINE TRAINING

Online Professional Workshops

Arrange In-house Seminar for Your Organisation 

RENEWAL OF DPOC's MEMBERSHIP 

 

WHAT'S ON

Privacy Commissioner Delivered a Presentation on Data Protection for Governance Professionals at the 22nd Annual Corporate and Regulatory Update organised by the Hong Kong Institute of Chartered Secretaries

Privacy Commissioner Reported on the Proposed Amendments to the PDPO to Combat Doxxing at the 55th Asia Pacific Privacy Authorities Forum

International Networks of Privacy and Consumer Protection Regulators Issued a Joint Media Statement on the Transparency Measures Recently Announced by Google

PCPD Launches the New “Be Smart Online” Thematic Website 

PCPD Supports the “Director Of The Year Awards 2021” 

 

GLOBAL PRIVACY LANDSCAPE

EU: Commission Adopts New SCCs for Exchanges of Personal Data 

A trans-Atlantic Discussion on 'Surveillance-Based Advertising'

How Privacy Professionals Can Assess Risks in AI, Algorithms and Automated Decision Making Systems

CHINA CORNER

Introduction to the Data Security Law of China

(《數據安全法》)


PRIVACY 101


Data Processor Management  

Outsourcing and entrusting personal data processing work by organisations to their agents is increasingly common. Organisations should note, however, that as data users they are responsible under the PDPO for the improper handling of personal data by their agents (e.g. an agent's failure to take security measures, resulting in leakage of the personal data entrusted to it). Organisations should take the following areas into account when considering engaging data processors:

 

Organisations are advised to implement a Privacy Management Programme, and hence proper management of data processors, when engaging them.  More details of Privacy Management Programme can be found at:

https://www.pcpd.org.hk//english/resources_centre/publications/files/PMP_guide_e.pdf

 

 

TECH TALK


Tips for Using Fintech 

Fintech, being the short form of “financial technology”, refers to the information and communication technology used for the provision of financial services. While Fintech may provide many benefits to both the Fintech operators and customers, there are privacy risks associated with such applications:

  1. Collection and use of personal data without notice or meaningful consent of the users;
  2. Use of personal data in unfair or discriminatory ways;
  3. Lack of effective means to erase or rectify obsolete or inaccurate personal data;
  4. Data security risks; and
  5. Obscurity of the identities of data users and data processors.

The tips serve as reminders to users in protecting personal data privacy in the use of Fintech:

 

 

PRIVACY COMMISSIONER'S FINDINGS


Disputes over Data Accuracy Arising from the Disagreement Between Former Employee And Employer about Reason for Leaving Employment

A former employee considered that the description of his reason for leaving, recorded by the company as “termination of employment contract”, was inaccurate. He claimed that he had tendered his resignation to the company of his own accord before he left, and thought that the company should have recorded his reason for leaving as “resignation”. He thus lodged a complaint against the company for failing to ensure the accuracy of his personal data.

 

The company explained that a termination notice was served on the former employee after it decided to terminate his contract. It had also paid the former employee a payment in lieu of notice according to its standard procedures. The company therefore considered its record (i.e. termination of employment contract) to be accurate.

 

The PCPD found that the company had processed the former employee’s cessation of employment in accordance with its contract termination procedures, including making a payment in lieu of notice. In these circumstances, there was a basis for the company to regard it as a case of contract termination. Therefore, the PCPD did not find that the company had maintained an inaccurate record.

 

Points to Note

 

When handling a complaint, the PCPD would carefully examine the nature of the dispute concerned, and whether the primary subject matter relates to personal data privacy or in fact concerns other issues such as consumer, employment or contractual disputes. In this case, the complaint mainly arose from employment disputes between the complainant and his former employer, including whether the former employer might terminate the complainant’s contract after receiving his resignation notice, and how the former employer processed the complainant’s resignation. Employment disputes as such are irrelevant to personal data privacy, and fall outside the jurisdiction of the PDPO.

 


WHAT'S ON

Privacy Commissioner Delivered a Presentation on Data Protection for Governance Professionals at the 22nd Annual Corporate and Regulatory Update organised by the Hong Kong Institute of Chartered Secretaries

At the 22nd Annual Corporate and Regulatory Update held by the Hong Kong Institute of Chartered Secretaries on 11 June, Privacy Commissioner Ms Ada CHUNG Lai-ling explained the six Data Protection Principles to governance professionals and elaborated on the importance of implementing a Privacy Management Programme in companies. Ms Joyce LAI Chi-man, Assistant Privacy Commissioner for Personal Data (Enforcement and Public Affairs) (Acting) also spoke on the handling of data breaches with case examples.

The Privacy Commissioner Reported on the Proposed Amendments to the PDPO to Combat Doxxing at the 55th Asia Pacific Privacy Authorities Forum

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 55th Asia Pacific Privacy Authorities (APPA) Forum, hosted by the Personal Information Protection Commission of Republic of Korea virtually, from 16 to 18 June 2021.  The Privacy Commissioner updated APPA members on the Government’s proposals to amend the PDPO to curb doxxing activities. The Privacy Commissioner explained to APPA members the elements of the new doxxing offence, and her new criminal investigation, prosecution and enforcement powers under the Government’s proposals.  

 

During the discussion session on the privacy issues relating to COVID-19, Ms Diana PANG, the Assistant Privacy Commissioner for Personal Data (IT Complaints, Policy & Research), also introduced the functions of the “LeaveHomeSafe” app and its privacy-friendly designs to APPA members.

 
 
 
 

International Networks of Privacy and Consumer Protection Regulators Issued a Joint Media Statement on the Transparency Measures Recently Announced by Google

The International Consumer Protection and Enforcement Network (ICPEN) and the Global Privacy Enforcement Network (GPEN) issued a joint media statement on 27 May 2021 to recognise the international collaborative efforts which have led to a recent announcement by Google to improve its transparency practices on Google Play Store.  The PCPD, being a Committee Member of GPEN, is supportive of ICPEN’s initiative, which highlights the importance of international collaboration to ensure the protection of personal data in a world where data sees no border, and consumers are spending an increasing amount of time online where they usually interact with multiple apps daily.

PCPD Launches the New “Be Smart Online” Thematic Website

The PCPD has launched the New “Be Smart Online” Thematic Website to provide a one-stop portal to give useful information and tips on protection of personal data privacy while getting online via computers and smartphones, as well as to mitigate the risks involved such as misuse of personal data, identity theft, etc.

 
 

PCPD Supports the “Director Of The Year Awards 2021” 

The “Directors Of The Year Awards 2021”, championed by The Hong Kong Institute of Directors (HKIoD), is now open for nominations. The PCPD is pleased to be one of the supporting organisations of these prestigious awards.

 

The Awards is a signature event of the HKIoD to promote good corporate governance and director professionalism. “Leading in New Normal” is the theme of the Awards this year, aiming to promote a positive attitude and mindset among directors in navigating the complex global environment in 2021.


CHINA CORNER

Introduction to the Data Security Law of China (《數據安全法》)

The Data Security Law of China was passed in June 2021 by the Standing Committee of the National People’s Congress, and will come into effect on 1 September 2021. This article gives you an overview of the Data Security Law and its potential impact on personal information protection in the Mainland.

 

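Introduction to the Mainland's Data Security Law

The Data Security Law was passed at the meeting of the Standing Committee of the National People's Congress held in June 2021, and will formally come into effect on 1 September 2021. The legislative purposes of the Data Security Law [1] are:

  • to regulate data processing activities;
  • to safeguard data security;
  • to promote the development and utilisation of data;
  • to protect the lawful rights and interests of individuals and organisations; and
  • to safeguard national sovereignty, security and development interests.

The Data Security Law applies to data processing activities carried out within the territory of China [2], and therefore also applies to the processing of personal information. However, the requirements of the Personal Information Protection Law (Draft) in respect of personal information protection are more specific and comprehensive. When carrying out personal information processing activities in the Mainland, organisations must, in addition to paying attention to the laws and regulations relating to personal information protection, also comply with the relevant provisions of the Data Security Law. The following are some key points of the Data Security Law.

1. The Data Security Law covers all data, including personal information

Data under the Data Security Law means “any record of information in electronic or other form”, and this definition does not exempt personal information. In addition, Article 53 provides that “data processing activities involving personal information shall also comply with the provisions of relevant laws and administrative regulations”. The Data Security Law can therefore be understood as applying to the processing of personal information.

2. Some provisions of the Data Security Law are similar to those of the Personal Information Protection Law (Draft)

The provisions of the Data Security Law on extraterritorial effect, data processing, accountability of processors, security measures and cross-border data transfer are all similar to those of the Personal Information Protection Law (Draft). For example: (1) any organisation or individual collecting data shall do so by lawful and proper means, and shall not steal data or obtain it by other unlawful means [3]; and (2) processors of important data shall designate a person responsible for data security and a management body, and implement data security protection responsibilities [4]. However, the provisions of the Personal Information Protection Law (Draft) are more specific and stringent.

3. The Data Security Law emphasises establishing a national data classification system and protecting important data

The provisions of the Data Security Law on establishing national systems and on data classification go deeper than those of the Personal Information Protection Law (Draft). Among other things, the State will implement graded and categorised management of data according to its importance to the economy and its impact on national security, organisations and individuals [5]. Processors of important data must bear more data security responsibilities, but the provisions do not explain what constitutes important data, pending the publication of data catalogues by the relevant authorities at a later stage. The Data Security Law also provides that “data relating to national security, the lifeline of the national economy, important aspects of people's livelihood, major public interests, etc. are national core data, and shall be subject to a stricter management system” [6]. If particular categories of personal information are listed as important data or national core data, it is believed that this will increase the legal responsibilities of the relevant personal information processors in respect of data security.

[1] Article 1 of the Data Security Law

[2] Article 2 of the Data Security Law

[3] Article 32 of the Data Security Law

[4] Article 27 of the Data Security Law

[5] Article 21 of the Data Security Law

[6] Article 21 of the Data Security Law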

 


RECOMMENDED ONLINE TRAINING

Online Professional Workshop on Privacy Management Programme

Protection of personal data privacy cannot be managed effectively if it is merely treated as a legal compliance issue. Instead, organisations should develop their own Privacy Management Programme (PMP) and appoint a Data Protection Officer in order to institutionalise a proper system for the responsible use of personal data. To this end, the formulation and maintenance of a comprehensive PMP is of paramount importance. A PMP can help companies gain trust from customers and other stakeholders. With trust garnered, companies will be rewarded with loyalty from their customers and business partners, which is all the more important in a fast-changing business environment.

This workshop will highlight the key features of “Privacy Management Programme – A Best Practice Guide”.  Participants will be able to understand the baseline fundamentals and components of a PMP and how to maintain and improve it on an ongoing basis.

Date: 14 July 2021 (Wednesday)

Time: 2:15pm - 4:15pm

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

 

Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.

Course outline:

  • What is PMP
  • Baseline Fundamentals of a PMP
  • Appointment of Data Protection Officer
  • Ongoing Assessment and Revision
  • How to develop your own PMP
  • Data Ethics

Online Professional Workshop on Data Protection in Direct Marketing Activities 

Direct marketing is widely adopted by different organisations in promoting their products and services. In Hong Kong, the use of personal data in direct marketing activities is governed by the PDPO. Since the direct marketing regime took effect in 2013, some companies from different industries and sectors have been convicted for failing to comply with the requirements, bringing negative impact on their reputation and trust of their customers.


This workshop provides a practical approach to the compliance of the requirements under the PDPO in direct marketing activities and provides hands-on solutions to problems that marketers face in devising such programmes. Related conviction cases will also be shared with the participants.

 

Date: 21 July 2021 (Wednesday)

Time: 2:15pm - 5:15pm

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

 

Who should attend: Data Protection Officers, Compliance Officers, Company Secretaries, Administration Managers, IT Managers, Solicitors (in house or private practice), Database Managers, Marketing professionals

Course outline:

  • Statutory requirements for collecting and using personal data 
  • Statutory requirements for carrying out direct marketing activities
  • The handling of an “opt-out” request
  • Practical tips on handling Direct Marketing related queries
  • Conviction cases

Online Professional Workshop on Recent Court and Administrative Appeals Board Decisions

This workshop focuses on specific topics in data privacy law raised in recent decisions of the Hong Kong Court and Administrative Appeals Board (the Board), and aims at providing in-depth discussion and updated knowledge to legal practitioners and compliance officers on the interpretation of commonly used provisions of the PDPO.  This intermediate level course is for participants who would like to gain more insights on the legal arguments of court decisions and the Board cases.
 
The workshop, to be conducted by experienced lawyers from the PCPD, will examine some recent decisions which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work.


Date: 28 July 2021 (Wednesday)

Time: 2:15pm - 5:15pm

Fee: $950/$760*  

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

Language: Cantonese


Who should attend: Solicitors, Barristers, In-house Lawyers, Data Protection Officers, Compliance Officers, Company Secretaries and Administration Managers.
 

Arrange In-house Seminar for Your Organisation 

Protection of personal data privacy is gaining importance in employee training. If you would like to arrange for your organisation to learn more about the PDPO and protection of personal data privacy, you can make a request for an in-house seminar via our online form.

 

Seminar outline:

  • A general introduction to the PDPO
  • The six data protection principles (industry-related cases will be illustrated)
  • Direct Marketing
  • Offences & Compensation
  • Q&A Session

Duration: 1.5 hours



RENEWAL OF DPOC's MEMBERSHIP

Renew your membership today and continue to enjoy privileges in course enrolments throughout the year!

 

Special offer for organisational renewal:

 

Organisations are entitled to the 2-for-1 scheme, i.e. two memberships for the annual membership fee of HK$350. Act now for the renewal!

 


Contact Us

Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

 


 

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.