PCPD e-Newsletter
Gazettal of Personal Data (Privacy) (Amendment) Bill
The Government gazetted the Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) on 16 July, and submitted the Legislative Council (LegCo) Brief on the Bill to the LegCo on 14 July.
The Bill aims to combat doxxing acts that are intrusive to personal data privacy, through the criminalisation of doxxing acts, and conferring on the Privacy Commissioner for Personal Data (the Privacy Commissioner) statutory powers to issue cessation notices demanding the cessation or restriction of disclosure of doxxing content. The Bill also confers on the Privacy Commissioner power to conduct criminal investigation and institute prosecution for doxxing cases, so as to strengthen enforcement against doxxing cases.
The Bill was introduced into the LegCo for first and second reading on 21 July.
PRIVACY 101
Periodic Risk Assessment
TECH TALK
Know Your Website Cookies
PRIVACY COMMISSIONER'S FINDINGS
A Company Commissioning the Intermediary Will Be Held Liable for the Intermediary’s Negligence
MEDIA STATEMENT
PCPD Launches “Student Ambassador for Privacy Protection Programme - Partnering Schools Recognition Scheme 2021” cum “Mobile Game Apps Design Competition for Secondary School Students”
RECOMMENDED ONLINE TRAINING
Online Professional Workshops
Free Online Seminar: Introduction to the PDPO
Arrange In-house Seminar for Your Organisation
READER SURVEY
RENEWAL OF DPOC's MEMBERSHIP
WHAT'S ON
Privacy Commissioner Meets with Internet Groups on Proposed Amendments to the PDPO
PCPD Strives to Promote Children Privacy Protection
Reaching out to Enterprises - Hang Seng Bank
Privacy Commissioner Publishes an Article on “Companies Register’s New Inspection Regime at Hong Kong Lawyer”
Privacy Commissioner Publishes an Article on “Safeguarding Personal Data Privacy When Citizens Participate in Lucky Draw Activities”
PCPD Supports The Hong Kong Institute of Bankers Annual Banking Conference 2021
GLOBAL PRIVACY LANDSCAPE
EU: European Data Protection Board adopts guidelines on codes of conduct, virtual voice assistants, and concepts of controller and processor
What are the driving forces of a company’s privacy strategy in a constantly changing landscape?
US: New York City biometric law enters into force
CHINA CORNER
Introduction to the Shenzhen Special Economic Zone Data Regulations (《深圳經濟特區數據條例》)
PRIVACY 101
What is Periodic Risk Assessment?
Organisations should conduct periodic risk assessments, usually annually, to ensure that their privacy policies and practices comply with the PDPO. Large organisations, which have various departments, may select a particular department for conducting periodic risk assessments, while small organisations may invite all departments to conduct the same. Organisations may make reference to the following steps of conducting a periodic risk assessment:
Organisations are advised to implement a Privacy Management Programme, and adopt Periodic Risk Assessment to ensure compliance with the PDPO. More details of Privacy Management Programme can be found at:
https://www.pcpd.org.hk//english/resources_centre/publications/files/PMP_guide_e.pdf
TECH TALK
Know your website cookies
A cookie is a file stored on your computer by a website you have visited. It may contain your viewing preferences, shopping cart choices, and/or your browsing history. There are many types of cookies. Some are necessary for accessing websites while some are just used to track your web behaviour. You should have a basic knowledge of cookies to decide whether to "Accept" or "Decline" them.
Session cookies are required for many websites that require a log-in, so that you do not have to enter usernames and passwords for every page you intend to visit. Session cookies are deleted by your browser as soon as you close it. You should consider allowing session cookies; otherwise, you will be denied access by many websites that require you to log in.
First-party persistent cookies remain on your computer even after you have closed the browser. They contain your viewing preferences or browsing activities related to the website you have visited. Denying them may render you unable to access certain websites or parts of them.
Third-party persistent cookies are often placed by online advertising companies who have purchased space on the websites you are visiting. If you do not wish to be tracked by a third party, you should deny third-party cookies. This should not affect your browsing experience. You should check your browser on how to configure the various cookie settings.
Flash cookies are deployed by some websites. They ignore the browser settings and remain on your computer. If you have the latest version of Acrobat Flash installed, you can deny Flash cookies by configuring the Flash Player in the Control Panel. Techniques to create such super/zombie cookies (cookies that ignore user settings and are difficult to remove) are evolving all the time. If you are concerned about having your web behaviour tracked, you should keep an eye on the latest developments on cookies.
Many browsers offer a privacy/safe-browsing mode which leaves no traces after you close the browser (that is, there is no retention of any browsing, form-filling or download history, cached files, stored passwords, etc.) and in which cookies are disabled. The level of privacy protection, however, varies from browser to browser. You should familiarise yourself with the level of protection a browser offers before relying on it. Using the privacy mode may slow down your browsing experience, as the browser does not remember any pages you have visited or your viewing preferences.
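The session, first-party persistent and third-party persistent cookies described above can be told apart from the Set-Cookie response header that creates them. The following is an added example, not part of the original newsletter; the host names, header values and the two-label "site" comparison are constructed assumptions.

```javascript
// Simplification (assumption): a "site" is the last two labels of a host name.
// Browsers use the Public Suffix List instead, which also handles e.g. "org.hk".
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into a cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// No Max-Age and no Expires: a session cookie, dropped when the browser closes.
// A valid Max-Age takes precedence over Expires (RFC 6265).
function lifetimeOf(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return Number(maxAge) > 0 ? 'persistent' : 'expired';
  }
  const expires = Date.parse(cookie.attrs.expires);
  if (!Number.isNaN(expires)) return expires > now ? 'persistent' : 'expired';
  return 'session';
}

// pageHost: the site in the address bar; setterHost: the host that sent the header.
function classify(header, pageHost, setterHost, now) {
  const cookie = parseSetCookie(header);
  const domain = typeof cookie.attrs.domain === 'string'
    ? cookie.attrs.domain.replace(/^\./, '')
    : setterHost;
  const party = siteOf(domain) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return { name: cookie.name, kind: `${party} ${lifetimeOf(cookie, now)}` };
}

// Constructed sample: responses observed while loading one page.
const PAGE = 'shop.example.test';
const NOW = Date.UTC(2021, 6, 21);
const OBSERVED = [
  ['shop.example.test', 'SESSIONID=abc123; Path=/; HttpOnly; Secure'],
  ['www.example.test', 'lang=en; Max-Age=31536000; Path=/'],
  ['ads.tracker.test', 'uid=u-42; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Domain=tracker.test; SameSite=None; Secure'],
  ['cdn.widgets.test', 'tmp=1'],
  ['shop.example.test', 'old=; Max-Age=0'],
];

function audit() {
  return OBSERVED.map(([host, header]) => classify(header, PAGE, host, NOW));
}

for (const c of audit()) console.log(`${c.name}: ${c.kind}`);
```
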
PRIVACY COMMISSIONER'S FINDINGS
A company commissioning the intermediary will be held liable for the intermediary’s negligence
The complainant intended to purchase a car insurance policy and sought a quotation via a car dealer. The car dealer requested the complainant to submit an insurance application form together with his identification documents. The complainant considered that the car dealer and the insurance company had collected excessive personal data from him for the purposes of preparing a quotation.
The car dealer explained to the PCPD that this was the requirement of the insurance company to provide a quotation. However, the insurance company stated that only basic information of the vehicle was required for preparing a quotation and believed that the car dealer had mistakenly handled a request for quotation as an application for insurance.
The PCPD considered that for the purpose of providing an insurance policy quotation, it was unnecessary for the insurance company to obtain a completed application form and identification documents from the complainant. Although the insurance company attributed the incident to the car dealer’s failure to adhere to its policy in handling a request for quotation, the insurance company, being the principal, was not absolved of liability for the car dealer’s acts in this case.
After the PCPD’s intervention, the insurance company undertook to enhance its communications with the car dealer and provide regular training to its staff, so as to ensure that quotation enquiries were properly handled. The car dealer also confirmed that it had made clarification with the insurance company on the procedures for seeking quotations and the insurance company had provided written guidelines to its staff to follow.
Lesson learnt
Intermediary services bring business opportunities by bridging communications between companies and their clients. When an intermediary wrongfully handles customers’ personal data, however, the company commissioning the intermediary is also held liable for the intermediary’s negligence.
Companies can take this case as an example and establish an effective monitoring system, to ensure that their privacy policies are followed by the intermediaries commissioned. Otherwise, negligence of the intermediaries may indirectly damage the companies’ hard-earned reputation.
Privacy Commissioner Meets with Internet Groups on Proposed Amendments to the PDPO
Privacy Commissioner Ms Ada CHUNG Lai-ling met with representatives of the Asia Internet Coalition (AIC) on 9 July 2021 via video conference to exchange views on the proposed amendments to the PDPO to combat doxxing. At the meeting, the Privacy Commissioner reiterated that the proposed amendments only concern unlawful doxxing acts and the related enforcement powers of the PCPD. She also noted that the AIC had clarified that its members remain committed to Hong Kong, and that representatives of the AIC had reaffirmed that doxxing is a matter of serious concern and that it is necessary to combat doxxing in order to protect personal data privacy.
PCPD Strives to Promote Children Privacy Protection
The PCPD strives to promote the protection of children’s personal data privacy through various means, such as a series of related publications recently issued, producing short animated videos, organising webinars, etc. The PCPD has also revamped the “Children Privacy” thematic website to provide a one-stop online resource center for teachers, parents and children.
1. Educational leaflets
In view of the increasing risks to children privacy brought by the Internet, the PCPD has recently published two lively and interesting educational leaflets with the themes of “Protect My Personal Data, Starts With Me” and “Respect Others’ Privacy, I Can Do It” for children, and distributed the leaflets to primary schools and non-government organisations on children and youth services for disseminating to their members. Teachers and parents can use the information to provide guidance to their students and children.
2. Educational animated videos
To arouse children's attention to personal data privacy issues, the PCPD has produced three educational animated videos based on the award-winning works of the Comic Strip Competition created by primary school students. The three animations, titled “Ask Before Sharing Photos Online”, “Stay Vigilant and Disciplined Online to Protect Your Personal Data” and “Data Protection in Your Hands, Yeah!”, are now available on the PCPD website and YouTube.
3. “Children Privacy” thematic website
The PCPD has also revamped the “Children Privacy” thematic website, which offers a one-stop portal of online resources for children to learn and understand knowledge in relation to personal data privacy, and for teachers and parents to help those under their care safeguard their personal data privacy.
4. Webinars
In addition, the PCPD delivered two webinars on “Learning to Protect and Respect Personal Data Privacy” to students of Sai Kung Sung Tsun Catholic School (Primary Section) and Fukien Secondary School Affiliated School on 30 June and 5 July 2021 respectively. The webinars sought to explain the importance of protecting personal data online and provide relevant practical guidance to the students. The PCPD would continue to organise webinars for primary schools. Interested parties may contact 2877 7152 (Mr Pheng) for more details.
The PCPD has also recently launched the “Student Ambassador for Privacy Protection Programme - Partnering Schools Recognition Scheme 2021”, co-organised by the Business-School Partnership Programme of the Education Bureau, which will be held till the end of 2021, to encourage all secondary schools to join the programme to foster a culture of respecting and protecting personal data privacy in campus. Details of the programme can be found at the “Children Privacy” thematic website.
Reaching out to Enterprises - Hang Seng Bank
Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a presentation at the Symposium on Commercial and Legal Considerations for Data Protection in the Digital Era organised by Hang Seng Bank for its staff on 15 July 2021. The Privacy Commissioner talked about the significant impact of data breach incidents and elaborated on the requirements of the six Data Protection Principles and the importance of implementing a Privacy Management Programme to the participants.
The Privacy Commissioner, together with Assistant Privacy Commissioner for Personal Data (Acting), Ms Joyce LAI Chi-man, joined the panel discussion after the presentation to share their insights on various privacy issues such as the regulation of artificial intelligence, use of biometric data and the personal data risks in relation to open banking, and answered questions from the participants.
Privacy Commissioner Publishes an Article on Companies Register’s New Inspection Regime at Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article at Hong Kong Lawyer on Companies Register’s new inspection regime, stating that limiting disclosure of personal data in the Companies Register will help curb doxxing. The article was published as the feature of the July 2021 issue of Hong Kong Lawyer.
Privacy Commissioner Publishes an Article on “Safeguarding Personal Data Privacy When Citizens Participate in Lucky Draw Activities”
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article on safeguarding personal data privacy when citizens participate in lucky draw activities. The article was published in Sing Tao Daily, Hong Kong Economic Times, Hong Kong Economic Journal, Ming Pao, HK01 and Oriental Daily (a contributed article for reporting) on 8 July 2021.
PCPD supports The Hong Kong Institute of Bankers Annual Banking Conference 2021
The Hong Kong Institute of Bankers (HKIB) Annual Banking Conference 2021 is now open for registration. The PCPD is pleased to be one of the supporting organisations of this event.
With the theme "Re-Globalisation, Sustainability and Transformation under the New Normal", this year's HKIB Annual Banking Conference will focus on the profound changes in the industry as a result of the pandemic and the key strategic goals that are high on the financial services agenda for the new normal.
Introduction to the Shenzhen Special Economic Zone Data Regulations (《深圳經濟特區數據條例》)
The Shenzhen Special Economic Zone Data Regulations was passed in June 2021 by the Standing Committee of the People's Congress of Shenzhen Municipality, and will come into effect on 1 January 2022. This article gives you an overview of the Regulations and some points to note when carrying out data processing activities in Shenzhen.
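The Shenzhen Special Economic Zone Data Regulations (《深圳經濟特區數據條例》) (the Regulations) were passed by the Standing Committee of the Shenzhen Municipal People's Congress in June 2021 and will take effect on 1 January 2022. Under the Regulations, "data" means any record of information in electronic or other form. In addition, unlike the term "personal information" commonly used in Mainland laws and regulations, the Regulations refer collectively to "data containing information that can identify a specific natural person" as "personal data".
Built on the protection and use of data, the Regulations fall into four main parts: (1) protecting personal data; (2) establishing public data sharing; (3) promoting a data trading market; and (4) safeguarding data security. They are "the first foundational and comprehensive legislation in the data field in the country[1]".
The Regulations stem from the Implementation Plan for the Pilot Comprehensive Reform of Building Shenzhen into a Pilot Demonstration Area of Socialism with Chinese Characteristics (2020-2025)[2], issued by the State Council in October 2020, which gives Shenzhen greater autonomy in reforming key areas and crucial links. Among other things, Shenzhen will be the first to pilot the building of legal regimes for data property rights, data privacy protection, the sharing and opening up of government data, and data trading, setting an example for the whole country.
The provisions of the Regulations on personal data protection and data security draw on the Personal Information Protection Law (Draft), the Personal Information Security Specification and the Data Security Law. Breaches of the Regulations' provisions on personal data processing and data security will be penalised under the national laws and regulations on personal information and data security.
Overall, the principles of personal data protection and some of the provisions in the Regulations are consistent with the Personal Information Protection Law (Draft) and with internationally adopted data protection principles, for example:
Personal data shall be processed for a clear and reasonable purpose, following the principles of minimum necessity and reasonable duration[3];
Individuals shall be informed of the type, scope, purpose and means of the data processing, and their consent shall be obtained[4];
The processing of personal data shall ensure the accuracy and necessary completeness of the personal data, so as to avoid causing harm to the individual concerned[5];
The storage period of personal data shall be the shortest time necessary to achieve the purpose of processing[6];
Data security shall be ensured[7]; and
Data processors shall delete personal data in a timely manner where it is no longer necessary for the purpose of processing, where the natural person withdraws consent, or where the agreed storage period expires[8].
In addition, compared with the Personal Information Protection Law (Draft), the Regulations strengthen the protection of personal data and of individuals' rights and interests in various respects, including:
When processing biometric data, in addition to obtaining the individual's express consent, an alternative option must be offered to the individual where feasible[9];
When an individual asks a data processor to access and copy his or her personal data, the data processor must not charge a fee[10];
Protection for persons without capacity for civil conduct is strengthened by requiring the express consent of their guardian before their personal data is processed[11];
Personalised products or services must not be recommended to minors under the age of fourteen[12]; and
Using data analysis to apply differential treatment to individuals under the same transaction conditions in a way that infringes their lawful consumer rights and interests (commonly known as "殺熟", that is, charging existing customers more) is prohibited, and offenders may be fined up to RMB 50 million[13].
Individuals and organisations carrying out data processing activities in Shenzhen must therefore, besides complying with the relevant laws and regulations applicable nationwide, pay attention to the additional requirements of the Regulations. Moreover, given that the Regulations are meant to set an example for the whole country, their requirements may also be incorporated into national laws and regulations in future.
[1] Interpretation of the Shenzhen Special Economic Zone Data Regulations by the Legislative Affairs Commission of the Standing Committee of the Shenzhen Municipal People's Congress
[2] http://www.gov.cn/zhengce/2020-10/11/content_5550408.htm
[3] Article 3, items (1) and (2) of Article 10, and items (1) to (3) of Article 11 of the Shenzhen Special Economic Zone Data Regulations
[4] Item (3) of Article 10, and Article 14 of the Shenzhen Special Economic Zone Data Regulations
[5] Item (4) of Article 10 of the Shenzhen Special Economic Zone Data Regulations
[6] Item (4) of Article 11 of the Shenzhen Special Economic Zone Data Regulations
[7] Item (5) of Article 10, and item (5) of Article 11 of the Shenzhen Special Economic Zone Data Regulations
[8] Article 25 of the Shenzhen Special Economic Zone Data Regulations
[9] Article 19 of the Shenzhen Special Economic Zone Data Regulations
[10] Article 28 of the Shenzhen Special Economic Zone Data Regulations
[11] Article 20 of the Shenzhen Special Economic Zone Data Regulations
[12] Article 30 of the Shenzhen Special Economic Zone Data Regulations
[13] Articles 69 and 95 of the Shenzhen Special Economic Zone Data Regulations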
RECOMMENDED ONLINE TRAINING
Online Professional Workshop on Data Protection in Insurance
This Workshop is designed for insurance practitioners who wish to acquire the knowledge to protect customers’ personal data in providing insurance services to the public. The course will highlight the key features of "Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry" and privacy issues specific to insurance institutions and insurance practitioners.
Date: 11 August 2021 (Wednesday)
Time: 2:15pm - 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance Practitioners, Data Protection Officers, Compliance Officers, Solicitors, Advisers and other personnel undertaking work relating to the Insurance Industry.
Online Practical Workshop on Data Protection Law
This workshop, to be conducted by experienced lawyers from the PCPD, is designed for those who wish to acquire a solid grounding in the application and interpretation of the provisions of the PDPO.
Date: 18 August 2021 (Wednesday)
Time: 2:15pm - 5:15pm
Fee: $950/$760*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: English
Who should attend: Solicitors, Barristers, In-house Legal Counsels, Data Protection Officers, Compliance Officers
Online Professional Workshop on Data Protection in Human Resource Management
This workshop is designed for human resource practitioners learning how to meet the requirements under the PDPO in handling employees’ personal data in the different phases of employment process.
Date: 25 August 2021 (Wednesday)
Time: 2:15pm - 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Human Resource Officers, Data Protection Officers, Compliance Officers, Solicitors, Administration Managers, Recruitment Agents.
Online Free Seminar - An Overview of PDPO
The PCPD organises free introductory seminars to raise public awareness and understanding of the PDPO.
Date: 19 August 2021 (Thursday)
Time: 3:00pm - 4:30pm
Fee: Free of charge
Language: Cantonese
Arrange In-house Seminar for Your Organisation
Protection of personal data privacy is gaining importance in employee training. If you would like to arrange for your organisation to learn more about the PDPO and protection of personal data privacy, you can make a request for an in-house seminar via our online form.
Seminar outline:
- A general introduction to the PDPO
- The six data protection principles (industry-related cases will be illustrated)
- Direct Marketing
- Offences & Compensation
- Q&A Session
Duration: 1.5 hours
READER SURVEY
Let us know your thoughts and feedback on the contents of the e-newsletter so that we can do better.
Please take a few minutes to answer the questions by clicking the button below and email the completed form to dpoc@pcpd.org.hk. We look forward to receiving your valuable feedback for continuous improvement.
RENEWAL OF DPOC's MEMBERSHIP
Renew your membership today and continue to enjoy privileges in course enrolments throughout the year!
Special offer for organisational renewal:
Organisations are entitled to the 2-for-1 scheme, i.e. two memberships for the annual membership fee of HK$350. Act now for the renewal!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.