PCPD e-NEWSLETTER
ISSUE Oct 2021
|
The Personal Data (Privacy) (Amendment) Ordinance 2021 - A New Regulatory Regime
|
Effective from 8 October, the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) has introduced a targeted and robust regime to enable the Privacy Commissioner and the PCPD to combat doxxing behaviour in Hong Kong more effectively.
The main objectives of the Amendment Ordinance are to amend the PDPO to (a) create a two-tier offence for disclosing personal data without consent; (b) empower the Privacy Commissioner to carry out criminal investigations and institute prosecutions for doxxing-related offences; and (c) confer on the Privacy Commissioner the statutory power to issue cessation notices to request the removal of doxxing messages.
Specific offences created to curb doxxing acts
Under the Amendment Ordinance, new doxxing offences have been introduced under a two-tier structure. The first-tier offence is a summary offence for disclosing personal data without the data subject’s consent, where the discloser has an intent to cause, or is reckless as to the causing of, any specified harm by that disclosure to the data subject or any family member of the data subject (new section 64(3A) of the PDPO). The second-tier offence is an indictable offence which is committed if, in addition to satisfying the requisite elements of the new offence under section 64(3A) above, specified harm is caused to the data subject or his or her family member as a result of the disclosure (new section 64(3C)). To properly cover the range of sufferings or damages caused to the victims of doxxing, the term “specified harm” is widely defined to cover (a) harassment, molestation, pestering, threat or intimidation; (b) bodily harm or psychological harm; (c) harm causing concern about safety or well-being; or (d) damage to the property (new section 64(6)).
The indictable offence carries a heavier penalty under the two-tier structure. Any person who commits the second-tier doxxing offence (new section 64(3C)) is liable on conviction on indictment to a fine of HK$1,000,000 and to imprisonment for 5 years. Any person who commits the first-tier offence (new section 64(3A)) is liable on summary conviction to a fine at level 6 (namely $100,000) and to imprisonment for 2 years.
Below is a summary table of the two-tier structure of the doxxing offence:
|
Criminal Investigation and Prosecution Powers
Before the legislative amendments, the PCPD did not have criminal investigation and prosecution powers in respect of offences under the PDPO. As a consequence, we had to refer doxxing cases which apparently involved the commission of any offence under the PDPO to the Police for further investigation, and in turn to the Department of Justice for consideration of prosecution. To step up enforcement actions against doxxing and to streamline the entire process, under the Amendment Ordinance, the Privacy Commissioner is empowered to carry out criminal investigation and institute prosecution for doxxing and related offences (covering any contravention of section 64(1) or (3A), 66E(1) or (5), 66I(1) or 66O(1)) triable summarily in the Magistrates’ Courts (new section 64C).
On criminal investigation powers, under the Amendment Ordinance, the Privacy Commissioner may request relevant documents, information or things from any person, or require any person to answer relevant questions in an investigation into doxxing-related offences (referred to as “specified investigation”) (new section 66D).
The Privacy Commissioner or a person authorized by the Privacy Commissioner will be able to stop, search and arrest a person without warrant, if the person is reasonably suspected to have committed doxxing-related offences (new section 66H). Providing the Privacy Commissioner with such powers of criminal investigation and arrest would effectively expedite the handling of doxxing-related cases by the PCPD.
In addition, the Privacy Commissioner is empowered to apply for a warrant to enter and search premises and seize materials for the purposes of a specified investigation (new sections 66G(1) and (2)). The Privacy Commissioner may also apply for a warrant to access, search and decrypt information stored in an electronic device, such as a mobile phone (new sections 66G(1) and (3)). Under urgent circumstances where it is not reasonably practicable to obtain such a warrant, the Privacy Commissioner may access an electronic device without a warrant (new section 66G(8)).
Cessation Notice
Under the Amendment Ordinance, the Privacy Commissioner may serve a cessation notice where (a) there is a disclosure of personal data of a data subject without consent; (b) the discloser has an intent to cause, or is reckless as to the causing of, any specified harm to the data subject or any family member of the data subject by that disclosure; and (c) the data subject is a Hong Kong resident or is present in Hong Kong when the disclosure is made (new section 66K(1)).
Given that the cyber world has no borders, a provision on extra-territorial effect is also introduced in such a way that a cessation notice can be served by the Privacy Commissioner regardless of whether the disclosure is made in Hong Kong or not (new section 66K).
Non-compliance with a cessation notice is an offence. The offender is liable, on first conviction, to a fine of HK$50,000 and 2-year imprisonment, and to a daily fine of HK$1,000 if the offence continues; and, on each subsequent conviction, to a fine of HK$100,000 and 2-year imprisonment, and to a daily fine of HK$2,000 if the offence continues (new section 66O(1)).
An appeal mechanism against the cessation notice is available for the person on whom a cessation notice is served and any other person who is affected by the notice. They may lodge an appeal to the Administrative Appeals Board within 14 days after the date on which a cessation notice is served (new section 66N).
Further, to effectively prevent large-scale or repeated commission of doxxing offences in society, the Privacy Commissioner is also empowered under the Amendment Ordinance to apply for an injunction from the Court of First Instance, and the Court may grant an injunction if it is satisfied that a person (or any person falling within a category or description of persons) has engaged, is engaging or is likely to engage, in a doxxing offence (new section 66Q).
Combat Doxxing Behaviour More Effectively through Education
To assist the public to understand the Amendment Ordinance, the PCPD published “Personal Data (Privacy) (Amendment) Ordinance 2021 Implementation Guideline” in the gazette on 8 October 2021 for public information. The ranks of officers authorised to carry out the relevant criminal investigation and prosecution functions were also published. The PCPD has also set up a hotline (3423 6666) to handle enquiries or complaints relating to doxxing.
Besides, the PCPD has launched a series of publicity and educational initiatives to enhance the public awareness of and compliance with the Amendment Ordinance. Relevant promotional materials can be found at the PCPD’s “Doxxing Offences” Webpage and below:
TV Announcement:
|
Radio Announcement
Promotional leaflet
Poster
The PCPD will organise a Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021” on 10 November 2021 (Wednesday), 3:00pm to 4:00pm. Privacy Commissioner Ms Ada CHUNG Lai-ling, and Mr Dennis NG, Senior Legal Counsel of the PCPD will explain the requirements under the Amendment Ordinance to participants.
The webinar is free. Please click here for enrolment.
|
Ongoing Assessment and Revision of Privacy Management Policies and Measures
|
A Personal Data Privacy Management Programme (PMP) is an ongoing process that requires continuous monitoring and assessment of the programme's measures, policies and procedures, with amendments made as necessary to ensure its effectiveness. Data Protection Officers should develop an oversight and review plan, and assess and revise programme controls annually. The review plan must:
- cover the implementation of all programme controls;
- cover all policies and procedures related to personal data privacy;
- state when, how and by whom the assessment is to be conducted, and set the assessment criteria;
- include periodic assessment (at least once a year); and
- be endorsed by the top management.
The following is a sample of an oversight and review plan:
|
For more details of PMP, please click here.
|
PRIVACY COMMISSIONER'S FINDINGS
|
Data Access Request – Failure to Provide Clarification of the Personal Data Requested
|
An employee (Employee) previously made a data access request (DAR) to his employer (Employer) requesting all relevant investigation reports, documents and correspondence associated with the disciplinary proceedings instituted by the Employer against him (1st DAR). The Employer thus provided the Employee with documents in response to his 1st DAR. The Employee subsequently made another data access request (2nd DAR) to the Employer requesting all relevant documents, records or materials with reference made to five different paragraphs of the Employer’s procedural guidelines for the aforesaid disciplinary proceedings. The Employer requested the Employee to clarify the personal data as requested in the 2nd DAR, but the Employee did not provide any further clarification. The Employer did not comply with the Employee’s 2nd DAR.
The Privacy Commissioner’s Decision
There was no dispute in relation to the 1st DAR. With regard to the 2nd DAR, the Privacy Commissioner agreed that the description of the requested documents was unclear. Given that the Employee did not respond to the Employer’s reasonable request for clarification, there was no valid DAR in this instance. In other words, the Employer was not required to comply with the 2nd DAR. Besides, there were reasons for the Privacy Commissioner to believe that the Employee’s 2nd DAR did not appear to be made for the purpose of ascertaining the kinds of personal data held by the Employer, but was made for other purposes irrelevant to personal data privacy.
According to the principles established in Wu Kit Ping v Administrative Appeals Board [2007] 4 HKLRD 849, the purpose of lodging a data access request is not to supplement rights of discovery in legal proceedings or to enable a data subject to locate information for other purposes. The Privacy Commissioner considered that such principles should equally apply to the disciplinary proceedings that the Employee was facing. Hence, the Privacy Commissioner exercised the discretion under the PDPO not to carry out any further investigation into the Employee’s complaint.
Being dissatisfied with the Privacy Commissioner’s decision, the Employee lodged an appeal to the Administrative Appeals Board (AAB).
The Appeal
The AAB confirmed the Privacy Commissioner’s decision and dismissed the appeal on the following grounds:
- The 2nd DAR was far too vague and general and hence was not a valid DAR. The description of the said request was only related to certain references to the paragraphs in the Employer’s procedural guidelines for disciplinary proceedings, but the Employee failed to specify the nature and type of documents requested therein so as to enable the Employer to comply with the 2nd DAR.
- It is not the legislative intent of the PDPO to facilitate data subjects to gain access to documents or information for other purposes, especially when discovery of documents in litigation and disciplinary proceedings is governed by other legal principles and procedures. Though the disciplinary proceedings in the present case were not legal proceedings, the Privacy Commissioner had duly applied the same principle in the Wu Kit Ping case in respect of such disciplinary proceedings.
|
Understand What Precautions to Take Before Handing Over a Device for Repair/Sale/Disposal
|
Many people may not realise how much personal data they have stored in their computers or personal storage devices. As you may not be able to remove the data storage device or erase the data in such equipment, disposing, selling or sending the equipment to a third party without due precautionary measures means you are potentially giving your personal data away.
You should ensure that you choose a reputable repair provider. Make sure that you are happy with its pledge on the protection of personal data before entrusting it with the data.
If the repair does not involve the removable storage device in your equipment, you should remove the storage device before sending the equipment for repair. If you must send the storage device away for repair, try to erase all personal data whenever possible using a secure, permanent method (such as DBAN from www.dban.org for hard disks or FileShredder from www.fileshredder.org for files).
Similarly, if you are going to sell or dispose of any device that has memory or storage, do not forget to erase all the data stored in it. Some device manufacturers (such as those of mobile phones) provide steps to erase all stored data on their phones. These steps should be followed. Do not forget to remove the removable memory cards or old SIM cards installed in these devices, or to erase the data.
|
PCPD 2020-21 Annual Report
|
The 2020-21 Annual Report of the PCPD was tabled in the Legislative Council on 20 October 2021.
As 2021 marks the 25th Anniversary of the PCPD, the theme of the Annual Report is “Guardian · Privacy · 25 Years”. The Annual Report showcases some notable milestones and achievements of the PCPD in the past 25 years.
The Annual Report also highlights the work of the PCPD during 2020-21, including the taking of a multi-pronged approach to combat doxxing; the provision of advisories and issuance of guidance notes in relation to the protection of personal data amid the COVID-19 pandemic; the carrying out of a survey on the attitudes of the public and data users on the protection of personal data privacy and the holding of the inaugural “Privacy-Friendly Awards”.
Please click here to download the Annual Report.
|
PCPD Publishes Investigation Report on Security Measures Taken by 14 Restaurants to Protect Customers’ Registration Data
|
In response to the COVID-19 pandemic, the Government imposed requirements under the Prevention and Control of Disease (Requirement and Directions) (Business and Premises) Regulation (Cap. 599F) on responsible persons of restaurants to ensure that customers either scan the venue QR code with the “LeaveHomeSafe” mobile app or register their names, contact numbers and dates and times of their visits, before entering the premises, and for restaurants to keep such written or electronic records for 31 days (“the Restaurant Entry Requirement”).
Since the implementation of the Restaurant Entry Requirement on 18 February 2021, Privacy Commissioner Ms Ada CHUNG Lai-ling has launched investigations into 14 complaints about the failure of restaurants to properly handle the registration data of customers.
The Privacy Commissioner found that the retention periods set by the 14 restaurants concerned for keeping the registration data of customers did not exceed 31 days. In other words, the restaurants kept the data in accordance with the data retention period as specified in the Restaurant Entry Requirement, in such a way that the relevant personal data was not kept longer than necessary for the fulfilment of the original purpose. The Privacy Commissioner found that such practice is commendable, as it is in compliance with the requirements of Data Protection Principle (“DPP”) 2(2) under the PDPO.
Meanwhile, the Privacy Commissioner also found that 11 restaurants (namely, Triple O’s in Pacific Place of Admiralty, Spicy and Sour Noodle at Portland Street of Mongkok, Zaks in D’Deck of Discovery Bay, The Grill Room in the L. Square of Causeway Bay, Corner Kitchen at Tso Kung Square of Tsuen Wan, Bond at Tung Lo Wan Road of Tai Hang, Carnival Seafood Restaurant in Leung King Plaza of Tuen Mun, American Seafood & Grill in Fortune City One of Shatin, TW Yummy at Nathan Road of Yaumatei, Beef Noodle Box at Kam Ping Street of North Point and Ming Kee Cheung Fun at San Hong Street in Sheung Shui) used common registration forms or books, 1 restaurant (TamJai Yunnan Mixian at Kwai Yi Road in Kwai Fong) did not set up any collection box for the forms, 1 restaurant (House of Canton Restaurant in Cityplaza) failed to cover the collection box at all times, and 1 restaurant (Gyuugoku at Tai Tsun Street in Tai Kok Tsui) used uncut sheets of paper as common forms. The above practices had exposed the registered personal data to unauthorized or accidental access or use, and contravened DPP 4(1) of the PDPO as regards the security of personal data.
Although the 14 restaurants subsequently took remedial actions to prevent recurrence in future, the Privacy Commissioner has decided to issue Enforcement Notices to the restaurants in question to request them to implement appropriate and practicable measures to protect the registration data of customers and specify the steps to be taken by the restaurants for preventing recurrence of the contravention. The measures included providing written policy and guidance to their staff, as well as circulating the guidance regularly and providing training to raise the awareness of their staff to the protection of personal data privacy.
The Privacy Commissioner wishes to make the following reminders and suggestions to all restaurants in Hong Kong through the report:
- Regardless of the scale of business, mode of operation and availability of resources, all restaurants have a responsibility to comply with the requirements of the PDPO in the collection, holding, processing and use of personal data;
- In addition to incorporating privacy protection in the workflow of data processing, restaurants must also provide appropriate training and guidance for their staff;
- Restaurants must adopt measures to provide clear guidelines for their staff on the process and purpose of customer registration, and ensure the proper conduct of their staff, so as to avoid the collection and processing of personal data from being hampered by human negligence or error; and
- In response to anti-epidemic measures, restaurants need to raise the awareness of their staff to personal data privacy protection. By strengthening personal data privacy protection, restaurants would be able to enhance their goodwill, competitive edges, and potential business opportunities.
The Privacy Commissioner also reminds citizens that, “To protect personal data, members of the public should be mindful of the privacy risks inherent in providing personal data for different restaurants. This is particularly true for citizens who frequently dine at different restaurants, if they choose to register personal information rather than using the “LeaveHomeSafe” mobile app, which effectively means that they may need to provide personal data for different restaurants daily. This, when compared with storing visiting records in the “LeaveHomeSafe” app in their own mobile phones, actually carries greater privacy risks.”
Download the executive summary of the Investigation Report “Security Measures Taken by Restaurants to Protect Customers’ Information Collected during the Registration Required under the COVID-19 Anti-pandemic Measures” (in English):
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r21_2485_e.pdf
Download the full Investigation Report in Chinese:
https://www.pcpd.org.hk/tc_chi/enforcement/commissioners_findings/files/r21_2485_c.pdf
|
Privacy Commissioner Appealed for Greater International Collaboration at the 43rd Global Privacy Assembly
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the virtual conference of the 43rd Global Privacy Assembly (GPA) from 18 to 21 October 2021. The theme of this year’s conference was ‘Privacy and Data Protection: A Human-centric Approach’. The topics of discussions included privacy issues relating to artificial intelligence, facial recognition, smart cities, vaccine passports and cross-regional enforcement.
In the light of the increasing number of personal data breach incidents which involved infringements of privacy laws in different jurisdictions, the Privacy Commissioner joined her counterparts in other jurisdictions in a discussion of the GPA on international enforcement cooperation. The PCPD also took up the co-chairmanship of the GPA’s International Enforcement Cooperation Working Group to contribute to the important work of the Working Group. The other co-chairs of the Working Group comprise the data protection authorities of Canada, Colombia and Norway.
During the conference, the Privacy Commissioner appealed for more collaboration, exchange of information and experience, and possibly joint actions on the international front to enhance the protection of personal data privacy in the digital era.
In a separate discussion in relation to privacy issues arising from the adoption of technological initiatives during the COVID-19 pandemic, the Deputy Privacy Commissioner for Personal Data, Mr TY LEE, presented to GPA members the Compendium of Best Practices in Response to COVID-19 (Part II) compiled by the PCPD. The Compendium contains relevant experience and cases of best practices of privacy protection contributed by 32 GPA members and observers through a survey conducted by the PCPD in June and July 2021.
The GPA is the leading international forum for over 130 data protection authorities from around the globe to discuss and exchange views on privacy issues and the latest international developments.
Click here to download the Compendium of Best Practices in Response to COVID-19 (Part II).
|
Privacy Commissioner Delivered a Speech as the Guest of Honour at the Hong Kong Chartered Governance Institute Annual Convocation 2021
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Annual Convocation of the Hong Kong Chartered Governance Institute on 5 October 2021 as the Guest of Honour and gave the Convocation Speech.
In her speech, the Privacy Commissioner encouraged governance professionals to act as the gate-keepers of good governance, as well as help the companies they serve to navigate the evolving business and regulatory environment while meeting rising expectations from the companies’ customers and other stakeholders.
Please click here for the Privacy Commissioner's speech.
|
Event Organised in Celebration of PCPD’s 25th Anniversary – Webinar on “The Personal Information Protection Law of the Mainland”
|
The PCPD organised a webinar on “The Personal Information Protection Law of the Mainland” today (28 October) in celebration of its 25th Anniversary. The webinar was supported by the School of Law of the City University of Hong Kong (CityU). The webinar consisted of two sessions. The first session was hosted by Professor ZHU Guobin of the School of Law of CityU, with Professor WANG Liming of the Renmin Law School of Renmin University of China speaking as the guest speaker on the features and requirements of the Personal Information Protection Law (PIPL).
Privacy Commissioner Ms Ada CHUNG Lai-ling hosted the second session of the webinar, with another guest speaker, Ms Barbara Li, Head of Corporate at Rui Bai Law Firm, Beijing, presenting on how local enterprises could prepare themselves to comply with the PIPL.
The webinar was held with great success and attracted more than 330 participants from various sectors including banking, insurance, legal, education, retail and real estate, etc.
Please click here for Professor Wang’s presentation (Chinese Only).
Please click here for Ms Li’s presentation.
|
Left top: Privacy Commissioner Ms Ada CHUNG Lai-ling; Right top: Professor ZHU Guobin of the School of Law of CityU; Left bottom: Professor WANG Liming of the Renmin Law School of Renmin University of China; Right bottom: Ms Barbara Li, Head of Corporate at Rui Bai Law Firm, Beijing
|
Left: Professor ZHU Guobin of the School of Law of CityU; Right: Privacy Commissioner Ms Ada CHUNG Lai-ling
|
Reaching out to Enterprises – Hong Kong Productivity Council
|
Privacy Commissioner Ms Ada CHUNG Lai-ling visited the Hong Kong Productivity Council (HKPC) on 12 October 2021 to share her insights on “Data Protection in the Digital Era” with the staff of HKPC. In her sharing, the Privacy Commissioner explained and elaborated on the requirements of the six Data Protection Principles under the PDPO, the salient features of Personal Data Privacy Management Programme and the ethical principles of the development and use of Artificial Intelligence.
The Privacy Commissioner also visited the Hong Kong Computer Emergency Response Team Coordination Centre to understand the daily operation of the centre and exchanged her views on IT security with the experts. In addition, the Privacy Commissioner also toured around the thematic exhibition area of the HKPC to learn about the latest developments in the relevant industries.
|
Reaching out to Property Management Sector — “Law and Regulation Series” Seminar of the Property Management Services Authority
|
The PCPD co-organised the Continuing Professional Development Seminar on “Law and Regulations Series” with the Property Management Services Authority on 25 October 2021. Privacy Commissioner Ms Ada CHUNG Lai-ling presented at the seminar as one of the keynote speakers.
In the seminar, the Privacy Commissioner gave an overview of the six Data Protection Principles under the PDPO to property management practitioners and students of property management courses. She offered practical advice and tips on relevant personal data privacy issues to the attendees to assist them in understanding how to protect the personal data privacy of property owners, residents or visitors.
Please click here for the Privacy Commissioner's presentation deck (Chinese version only).
|
Vice Chairperson of the Property Management Services Authority, Professor Eddie HUI Chi-man (right), took a photo with Privacy Commissioner Ms Ada CHUNG Lai-ling (center) and Ms Amy CHAN, Head of Complaint (left), and presented a certificate of appreciation.
|
Protection of Children’s Personal Information in the Mainland
|
As children in the Mainland are spending more time on the Internet, protection of children’s personal information is more important than ever. In recent years, a number of laws and regulations have been passed or amended in the Mainland in order to enhance protection of children and their personal information. This article gives you a glimpse of the relevant rules.
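The protection of minors' personal information receives considerable attention in the Mainland. The Provisions on the Cyber Protection of Children's Personal Information [1], which took effect in October 2019, impose strict requirements on the handling of the personal information of "children" (i.e. minors under the age of 14 [2]). Among other things, when collecting, using, transferring and disclosing children's personal information, network operators must inform the children's guardians, in a prominent and clear manner, of matters such as the purposes of collection and use of the personal information, the place and period of storage, and the security safeguards, and must obtain the guardians' consent [3]. Network operators must also put in place dedicated rules and user agreements for the protection of children's personal information, designate a specific person to be responsible for the protection of children's personal information [4], and strictly control their staff's access to children's personal information [5].
The newly revised Law on the Protection of Minors [6], which took effect in June 2021, also requires information handlers who receive a request from a minor (i.e. a citizen under the age of 18 [7]), or from the minor's parents or guardians, to correct or delete the minor's personal information, to take timely measures to make the correction or deletion [8].
As the Mainland's first law enacted specifically for the protection of personal information, the Personal Information Protection Law will take effect on 1 November this year, and it also includes safeguards for the personal information of minors under the age of 14. For example, the Personal Information Protection Law provides that a personal information handler who is to handle the personal information of minors under the age of 14 must obtain the consent of their parents or guardians and formulate dedicated personal information handling rules [9]. The Personal Information Protection Law also classifies the personal information of minors under the age of 14 as sensitive personal information [10]; before handling sensitive personal information, personal information handlers must obtain the separate consent of the individual concerned [11] and conduct a personal information protection impact assessment [12].
In addition, the Outline for the Development of Chinese Children (2021-2030) [13], promulgated by the State Council in September 2021, states that children should be given priority protection in areas such as the formulation of laws and policies, including by strengthening the protection of children's personal information and privacy. It is therefore expected that new measures and rules on the protection of the personal information of children and minors may continue to be introduced in the Mainland in the coming years.
[1] Provisions on the Cyber Protection of Children's Personal Information
Full text: http://www.cac.gov.cn/2019-08/23/c_1124913903.htm
[2] Provisions on the Cyber Protection of Children's Personal Information, Article 2
[3] Provisions on the Cyber Protection of Children's Personal Information, Articles 9 and 10
[4] Provisions on the Cyber Protection of Children's Personal Information, Article 8
[5] Provisions on the Cyber Protection of Children's Personal Information, Article 15
[6] Law on the Protection of Minors
Full text: http://npc.people.com.cn/BIG5/n1/2020/1018/c14576-31895854.html
[7] Law on the Protection of Minors, Article 2
[8] Law on the Protection of Minors, Article 72
[9] Personal Information Protection Law, Article 31
[10] Personal Information Protection Law, Article 28
[11] Personal Information Protection Law, Article 29
[12] Personal Information Protection Law, Article 55
[13] Outline for the Development of Chinese Children (2021-2030)
Full text: http://www.gov.cn/zhengce/content/2021-09/27/content_5639412.htm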
|
RECOMMENDED ONLINE TRAININGS
|
Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021”
|
The Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) was published in the gazette and came into effect on 8 October 2021 to combat doxxing acts that are intrusive to personal data privacy. What are “doxxing” offences under the Amendment Ordinance? How to avoid breaking the law inadvertently? How can the Privacy Commissioner help you? What criminal investigation and prosecution powers have been conferred on the Privacy Commissioner?
This webinar will provide answers to all the above questions! Privacy Commissioner Ms Ada CHUNG Lai-ling, and Mr Dennis NG, Senior Legal Counsel of the PCPD will explain the requirements under the Amendment Ordinance to participants.
Date: 10 November 2021 (Wednesday)
Time: 3:00pm – 4:00pm
Fee: Free of charge
Language: Cantonese
Accreditation: Accreditation of the Law Society of Hong Kong is being sought
Who should attend: The public, SMEs, users of social media platforms and instant messaging apps, teachers, parents and teenagers
|
Online Practical Workshop on Data Protection Law
|
Conducted by a PCPD lawyer, this workshop is suitable for participants who are responsible for giving advice on compliance with the data protection law and who wish to acquire solid knowledge of the application and interpretation of the provisions of the PDPO.
Date: 10 November 2021 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data Protection Officers, Solicitors, Barristers, In-house Legal Counsels, Compliance Officers
|
Online Professional Workshop on Data Protection in Human Resource Management
|
Human resource practitioners handle a large amount of employees’ personal data in their daily work. This workshop is designed for them to learn how to meet the requirements under the PDPO when they handle employees’ personal data in different phases of the employment process.
Date: 17 November 2021 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Human Resource Officers, Data Protection Officers, Compliance Officers, Solicitors, Administration Managers, Recruitment Agents
|
Online Professional Workshop on Data Protection in Property Management Practices
|
This workshop takes a holistic approach to the handling of personal data in property management. Relevant case examples and practical solutions will be shared with the participants to help them address the challenges when they engage in property management practices involving the handling of personal data of flat owners, residents, visitors and car park users, etc.
Date: 8 December 2021 (Wednesday)
Time: 2:15pm – 4:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Property Management Personnel, Data Protection Officers, Compliance Officers, Solicitors, members of Owners’ Corporations
|
Online Professional Workshop on Privacy Management Programme
|
Organisations should develop a Personal Data Privacy Management Programme (PMP) to institutionalise a proper system for the responsible use of personal data so as to gain trust from customers and other stakeholders. In this workshop, participants can learn the baseline fundamentals and components of a PMP and how to maintain and improve it on an ongoing basis.
Date: 15 December 2021 (Wednesday)
Time: 2:15pm – 4:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices
|
Online Free Seminar - Introduction to the PDPO Seminar
|
The PCPD regularly organises free introductory seminars to raise public awareness and understanding of the PDPO. The details are as follows:
|
Time: 3:00pm - 4:30pm
Seminar Outline:
- A general introduction to the PDPO
- The six Data Protection Principles (illustrated with industry-related examples)
- Offences and compensation
- Direct marketing
- Q&A session
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect the privacy of personal data is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and protecting the privacy of personal data, you can make a request for an in-house seminar via our online form. The outline of this seminar is provided below.
Seminar Outline:
- A general introduction to the PDPO
- The six data protection principles (industry-related cases will be illustrated)
- Direct Marketing
- Offences & Compensation
- Q&A Session
Duration: 1.5 hours
|
RENEWAL OF DPOC's MEMBERSHIP
|
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
|
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
|
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.