PCPD e-NEWSLETTER
ISSUE Nov 2021
Privacy Commissioner Published Booklet on the Personal Information Protection Law of the Mainland
The Personal Information Protection Law (PIPL) was passed by the Standing Committee of the National People’s Congress on 20 August 2021 and has been in operation in the Mainland since 1 November 2021. To help the general public and businesses in Hong Kong better understand the personal information protection regime in the Mainland, the PCPD recently published a booklet entitled “Introduction to the Personal Information Protection Law of the Mainland” (the Introduction).
The PIPL is the first piece of legislation in the Mainland dedicated to the protection of personal information. In the light of the national development strategy as set out in the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area, there will be more social and commercial interactions as well as flows of data between Hong Kong and the Mainland. The Introduction will help the general public and businesses in Hong Kong to better understand the regulatory regime on the protection of personal information in the Mainland, thereby enabling them to seize, and prosper from, the opportunities arising from development in the Mainland.
The Introduction is divided into three parts. The first two parts introduce the background and major requirements of the PIPL, respectively. Relevant requirements under other regulations and relevant cases have been added to help readers better grasp the PIPL requirements. The third part of the Introduction gives an account of related regulations, such as those relating to data security, consumer rights, e-commerce, mobile applications, online platforms and the financial sector. A comparison between Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) and the PIPL is also included in the Introduction to provide a quick overview of the similarities and differences between the two pieces of legislation.
The Introduction (Chinese version only) can be downloaded here.
Establishment of Data Protection Office in Your Organisation
How Encryption Can Help to Protect Information?
Two PCPD Officers Receive the Ombudsman's Awards
Privacy Commissioner Received Nearly 50 Complaint Cases about the Handling of Registration Data of Visitors
RECOMMENDED ONLINE TRAININGS
Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021” [Re-run]
Online Professional Workshops
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
RENEWAL OF DPOC's MEMBERSHIP
Privacy Commissioner Delivered the Keynote Speech at a Roundtable on “Artificial Intelligence in Finance: Data Ethics and Beyond”
Privacy Commissioner Spoke at Launching Ceremony of Media Education Programme
Privacy Commissioner Spoke at the Webinar on “Regulators’ Perspectives on AI, Technology and Personal Data Protection” Organised by the Asian Institute of International Financial Law
PCPD Supports the "Hong Kong Cyber Security New Generation Capture the Flag (CTF) Challenge 2021" Webinar cum Award Presentation Ceremony
Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland
International: IAB Europe Guide to In-Gaming Calls for Protection of Children's Data
Dispatch from Brussels: Some Clarification for EU Data Transfers on the Horizon
Privacy as Code: A New Taxonomy for Privacy
Striving for Enhancing Public Awareness and Understanding of the Personal Data (Privacy) (Amendment) Ordinance 2021
The Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) was gazetted and came into effect on 8 October 2021 to combat doxxing acts that are intrusive to personal data privacy. To enhance public awareness and understanding of the Amendment Ordinance, the PCPD has spared no effort to introduce the requirements of the Amendment Ordinance to members of the public through various promotional and educational activities.
Introductory Video
The PCPD has launched a short video on social media platforms to briefly introduce the Amendment Ordinance. In the video, Privacy Commissioner Ms Ada CHUNG Lai-ling explained the requirements of the Amendment Ordinance to members of the public and reiterated that the Amendment Ordinance will not affect the freedom of speech and free flow of information that members of the public currently enjoy. Please click below to watch the video:
Article Contribution
The Privacy Commissioner published an article titled “The Personal Data (Privacy) (Amendment) Ordinance 2021 - A New Regulatory Regime” in the Nov 2021 issue of Hong Kong Lawyer, the official journal of the Law Society of Hong Kong, to elaborate on the key provisions of the Amendment Ordinance to legal practitioners. Please click here to read the article.
An article giving the highlights of the Amendment Ordinance was also published on 9 November 2021 in various news media, including HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Ming Pao, SCMP, Sing Tao Daily, Wen Wei Po and Oriental Daily News. The full version of the article can be viewed via the links below: 1. Chinese article; 2. English article.
Webinars/ Seminars
1. Public Webinar
The PCPD organised a public webinar on “Combat Doxxing – Personal Data (Privacy) (Amendment) Ordinance 2021” on 10 November 2021. In the webinar, the Privacy Commissioner, together with Mr Dennis NG, Senior Legal Counsel of the PCPD, explained the scope of the Amendment Ordinance to the participants. Please click here to download the presentation deck (Chinese Only).
The webinar received an overwhelming response and attracted around 900 attendees from various sectors including banking and finance, government departments and public sector organisations, education, legal, social service and insurance, etc. In the light of this, the webinar will be re-run on 8 December 2021 (Wednesday), 3:00pm to 4:00pm. For details and enrolment, please click here.
2. Talk for University
The Privacy Commissioner spoke at the seminar on "Personal Data Protection and Internet Security", an event for the “Personal Data Protection and Information Security Awareness Week 2021” organised by the University of Hong Kong (HKU) on 3 November 2021. In the seminar, the Privacy Commissioner explained the requirements of the Amendment Ordinance to HKU staff and students. Please click here for the Privacy Commissioner's presentation deck.
3. Talks for Enterprises
At the events organised by the Hong Kong General Chamber of Commerce, the British Chamber of Commerce in Hong Kong (BritCham) and Hong Kong Association of Banks (HKAB) on 8, 25 and 26 November 2021 respectively, the Privacy Commissioner explained the requirements of the Amendment Ordinance to the participants. The Privacy Commissioner emphasised that the Amendment Ordinance will not affect normal and lawful business activities in Hong Kong, neither will it affect the freedom of speech and free flow of information that members of the public currently enjoy.
Please click the links below for the Privacy Commissioner's presentation decks: 1. BritCham; 2. HKAB.
Other Publicity and Educational Campaigns
The PCPD has also launched a series of publicity and educational campaigns, including broadcasting TV and radio announcements, distributing promotional leaflets and posters, and promoting the provisions on social media platforms. For relevant details, please visit the PCPD’s “Doxxing Offences Webpage”.
Anti-doxxing posters are being displayed at various government buildings and public areas
Establishment of Data Protection Office in Your Organisation
Organisations should appoint a designated officer (i.e. Data Protection Officer) to oversee the organisations' compliance with the PDPO and implementation of Personal Data Privacy Management Programme (PMP). A Data Protection Officer is usually the one responsible for structuring, designing and managing the PMP, including all procedures, training, monitoring/auditing, documenting, evaluating, and follow-up. It is recommended to assign a departmental coordinator to support the Data Protection Officer. Resources should be channeled to train and develop the Data Protection Officer and/or his/her team as a professional in personal data privacy protection. The structure of the Data Protection Office and duties of its officers are listed below for reference:
Structure of Data Protection Office
Duties of Data Protection Officer
(i) Establishing and implementing the PMP programme controls, in particular –
- keeping a record of the organisation's personal data inventory; initiating and monitoring the annual personal data inventory review exercise;
- initiating the commencement of periodic risk assessment to all departments and monitoring, reviewing and providing advice on the completed risk assessment report;
- monitoring, reviewing and providing advice on conducting privacy impact assessment;
- carrying out training and education and promoting staff awareness on privacy protection by circulating updates on data privacy policies, guidelines and other privacy-related information;
- coordinating and monitoring the handling of data breach incidents; providing advice to departments on conducting investigations;
- providing advice to and conducting review on departments' data processor management; and
- monitoring, reviewing and providing advice on the preparation of Personal Information Collection Statement.
(ii) Reviewing the effectiveness of the PMP, including preparing an oversight and review plan for the PMP, and revising the programme controls where necessary.
(iii) Reporting to the top management periodically on the organisation's compliance issues, problems encountered and complaints received in relation to personal data privacy.
Duties of Personal Data Privacy Officer
- Assisting the Data Protection Officer to implement the PMP;
- Handling personal data privacy complaints and enquiries; and
- Handling data access and correction requests made to the organisation.
Duties of Departmental Coordinator
- Managing the PMP of his/her department, and representing the department to communicate with the Data Protection Officer for matters relating to PMP;
- Updating personal data inventory of his/her department annually;
- Carrying out periodic risk assessments within his/her department and submitting the assessment report to the Data Protection Officer for review;
- Conducting data processors management review for his/her department and submitting the review report to the Data Protection Officer for further review;
- Ensuring the Personal Information Collection Statement prepared by his/her department is consistent with the requirements under the PDPO, and submitting the Personal Information Collection Statement to the Data Protection Officer for review before it is presented to an individual for collecting his/her personal data; and
- Assisting the Data Protection Officer in carrying out the ongoing assessment and revision of PMP.
More details of PMP can be found here.
How Encryption Can Help to Protect Information?
Encryption is an effective way to prevent data from being understood when your computer is hacked or when your portable storage devices are lost. You should safeguard the encryption password: do not store it on the computer or devices, and do not record it in a manner which makes its association with the equipment apparent.
There are many methods, both paid and free, that you can use to encrypt files stored on your computers and portable storage devices. For example, for the encryption of individual files, you can install 7-Zip (www.7-zip.org), a free, open-source and multi-platform software programme that compresses files and folders, and supports encryption.
Use a strong encryption algorithm such as "AES", and make sure you have chosen this or a similarly strong algorithm.
If you need to send personal data by email, you should store the personal data in a file and encrypt it before sending it. In addition to securing the personal data during transmission, encryption protects the data from possible data leakage at the recipient end (for example, if the receiving computer is hacked).
You should not send the encryption password in the same email with the file you have encrypted so as to prevent both the file and password from falling into the wrong hands (e.g. as a result of a typo in the recipient address).
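One way to check the algorithm before sending, as an added example that is not part of the original newsletter: when 7-Zip saves in ZIP format it offers both the legacy ZipCrypto method and AES-256, and this Python code reads a ZIP's directory to report which protection each file actually received. The sample archive, `build_sample` and all function names are constructed for illustration, and archives in 7-Zip's own .7z format are outside its scope.

```python
import io
import struct
import zipfile

# WinZip AES extra field (ID 0x9901): version, vendor "AE", strength, real method.
AES_EXTRA_256 = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
AES_BITS = {1: 128, 2: 192, 3: 256}
# Constructed sample entries: (name, general-purpose flags, method, extra field).
SAMPLE_ENTRIES = [
    ("plain.txt", 0x0, 8, b""),            # not encrypted at all
    ("legacy.txt", 0x1, 8, b""),           # encrypted flag only: ZipCrypto
    ("aes.txt", 0x1, 99, AES_EXTRA_256),   # method 99 plus 0x9901: AES-256
]


def aes_key_bits(extra):
    """Return the AES key size recorded in the 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        # Body layout: version(2) vendor(2) strength(1) real method(2)
        if field_id == 0x9901 and len(body) >= 7:
            return AES_BITS.get(body[4])
        pos += 4 + size
    return None


def classify(info):
    """Label one archive entry by how its content is protected."""
    if not info.flag_bits & 0x1:
        return "unencrypted"
    if info.compress_type == 99:
        bits = aes_key_bits(info.extra)
        return f"AES-{bits}" if bits else "AES (unknown strength)"
    if info.flag_bits & 0x40:
        return "PKWARE strong encryption"
    return "ZipCrypto"


def audit(data):
    """Map every file name in a ZIP (given as bytes) to its protection label."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return {i.filename: classify(i) for i in archive.infolist() if not i.is_dir()}


def safe_to_send(data):
    """True only if the archive has files and every one is AES-encrypted."""
    labels = list(audit(data).values())
    return bool(labels) and all(label.startswith("AES-") for label in labels)


def build_sample(entries=SAMPLE_ENTRIES):
    """Build a constructed ZIP: real headers, 4 filler bytes per payload."""
    body = central = b""
    for name, flags, method, extra in entries:
        raw = name.encode("ascii")
        sizes = (0, 4, 4, len(raw), len(extra))  # crc, csize, usize, name, extra
        local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, 0, 33, *sizes)
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags,
                               method, 0, 33, *sizes, 0, 0, 0, 0, len(body)) + raw + extra
        body += local + raw + extra + b"\0" * 4
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(entries),
                      len(entries), len(central), len(body), 0)
    return body + central + end


if __name__ == "__main__":
    for name, label in audit(build_sample()).items():
        print(f"{name:12} {label}")
```

ZIP archives store file names unencrypted even when the contents use AES, so the names themselves should not reveal personal data.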
Privacy Commissioner Delivered the Keynote Speech at a Roundtable on “Artificial Intelligence in Finance: Data Ethics and Beyond”
Privacy Commissioner Ms Ada CHUNG Lai-ling gave a keynote speech on 2 November 2021 at a roundtable on the topic of “Artificial Intelligence in Finance: Data Ethics and Beyond”. The roundtable was co-organised by the Financial Services Committee and the Innovation & Technology Committee of the American Chamber of Commerce in Hong Kong.
In her speech, the Privacy Commissioner discussed the privacy risks and the regulatory environment of artificial intelligence and appealed for the collaboration of all stakeholders to mitigate the privacy and ethical risks arising from the use of artificial intelligence. The Privacy Commissioner also introduced the “Guidance on the Ethical Development and Use of Artificial Intelligence” published by her office in August this year. Please click here for the Privacy Commissioner's keynote speech.
The Privacy Commissioner (top left) gave the keynote speech at the roundtable on “Artificial Intelligence in Finance: Data Ethics and Beyond”.
Privacy Commissioner Spoke at Launching Ceremony of Media Education Programme
Privacy Commissioner Ms Ada CHUNG Lai-ling officiated the launching ceremony of the media education programme organised by the Hong Kong Press Council for secondary school students and teachers on 6 November 2021. The Privacy Commissioner delivered an opening address on media education and protection of personal data privacy.
Please click here for the Privacy Commissioner’s address (Chinese only).
The Privacy Commissioner (4th from right) officiated the launching ceremony of the media education programme organised by the Hong Kong Press Council for secondary school students and teachers.
Privacy Commissioner Spoke at the Webinar on “Regulators’ Perspectives on AI, Technology and Personal Data Protection” Organised by the Asian Institute of International Financial Law
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke on the ethical development and use of Artificial Intelligence (AI) on 22 November at the webinar on “Regulators’ Perspectives on AI, Technology and Personal Data Protection” organised by the Asian Institute of International Financial Law of the University of Hong Kong.
In her presentation, the Privacy Commissioner explained and elaborated on the privacy and ethical risks of using AI, the ethical principles for the use of AI as well as the good practices recommended in the “Guidance on the Ethical Development and Use of Artificial Intelligence” published by her office. The webinar attracted over 230 professionals from banking and finance, legal and other sectors, as well as students from various tertiary institutions.
Please click here for the Privacy Commissioner's presentation deck.
The Privacy Commissioner (left top) together with Mr Arthur YUEN, JP, Deputy Chief Executive of Hong Kong Monetary Authority (right top) and Mr Zee-Kin YEONG, Deputy Commissioner of Personal Data Protection Commission, Singapore (left bottom) spoke at the webinar hosted by Dr Emily LEE, Director of Asian Institute of International Financial Law (right bottom).
Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland
The Personal Information Protection Law of the Mainland imposes restrictions on the transfer of personal information from the Mainland to other jurisdictions. On 29 October 2021, the Cyberspace Administration of China (CAC) published the Draft Measures on Security Assessment of Cross-border Data Transfer (Draft Measures) to provide more details on the possible rules involved. Furthermore, on 14 November 2021, the CAC published the Draft Regulation on the Management of Data Security (Draft Regulation) which seeks to impose additional requirements on data processors listed or planning to list in other jurisdictions. This article gives you an overview of the Draft Measures and Draft Regulation.
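The Personal Information Protection Law provides that a personal information processor that needs to provide personal information outside the Mainland must first carry out its own personal information protection impact assessment, obtain the separate consent of the individual concerned, and satisfy one of the specified conditions, which include:
- passing a security assessment organised by the national cyberspace administration;
- concluding a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration; or
- obtaining personal information protection certification from a professional institution in accordance with the rules of the national cyberspace administration[1].
On 29 October 2021, the Cyberspace Administration of China published the Draft Measures on Security Assessment of Cross-border Data Transfer[2] (Draft Measures), which provide guidance on how to implement the requirements on cross-border data transfer in the Personal Information Protection Law and other regulations.
Under the Draft Measures, a data processor must consider a range of factors when carrying out its own risk assessment, including:
- the legality, legitimacy and necessity of the purpose, scope and manner of the overseas recipient's processing of the data;
- the risks that the cross-border transfer may pose to national security, the public interest, or the lawful rights and interests of individuals or organisations;
- the data processor's management and security measures and capabilities during the data transfer;
- the responsibilities and obligations that the overseas recipient undertakes to bear, and its management and technical measures and capabilities for fulfilling them;
- the risk of the data being leaked, damaged, tampered with or misused after the cross-border transfer and any onward transfer, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed; and
- whether the contract on cross-border data transfer concluded with the overseas recipient adequately sets out the responsibilities and obligations for data security protection[3].
As regards the contract concluded with the overseas recipient, the Draft Measures require that it adequately set out both parties' responsibilities and obligations for data security protection and cover the following matters:
- the purpose, manner and data scope of the cross-border transfer, and the purposes and manner of the overseas recipient's processing of the data;
- the location and duration of storage of the data overseas, and the measures for handling the data after the agreed purpose has been fulfilled;
- restrictions on the overseas recipient transferring the data to other organisations or individuals;
- the security measures to be taken when there is a substantial change in the actual control or business scope of the overseas recipient, or when a change in the legal environment of its location makes it difficult to safeguard data security;
- liability for breach of the data security protection obligations, and binding and enforceable dispute resolution clauses; and
- emergency response when risks such as a data leak arise, and channels for safeguarding personal information rights and interests[4].
Critical information infrastructure operators and certain specified categories of data processors (for example, personal information processors that process the personal information of one million individuals, and data processors that have cumulatively provided overseas the personal information of more than 100,000 individuals or the sensitive personal information of 10,000 or more individuals) must apply to the national cyberspace administration for a security assessment of cross-border data transfer before providing personal information overseas[5]. In conducting the security assessment, the national cyberspace administration will focus on assessing the risks that the cross-border transfer may pose to national security, the public interest, or the lawful rights and interests of individuals or organisations. The matters considered include:
- whether the cross-border transfer is legal, legitimate and necessary;
- the data security protection regulations and standards in the place where the overseas recipient is located;
- the quantity, scope, types and sensitivity of the data transferred; and
- whether data security and personal information rights and interests can be adequately and effectively safeguarded[6].
Data processors that are listed, or are planning to list, outside the Mainland should take note of the Draft Regulation on the Management of Data Security (Draft Regulation) published by the Cyberspace Administration of China on 14 November 2021. The Draft Regulation provides that (i) a data processor processing the personal information of one million or more individuals that seeks to list in a foreign country; and (ii) a data processor that seeks to list in Hong Kong, where this affects or may affect national security, must apply for a cybersecurity review[7]. In addition, the Draft Regulation requires data processors that list outside the Mainland to conduct a data security assessment once a year and submit a report to the cyberspace administration by 31 January each year[8].
The consultation period for the Draft Measures ended on 28 November 2021, and the consultation period for the Draft Regulation will end on 13 December 2021. The final versions are expected to be promulgated and implemented in the near future.
[1] Articles 38 to 39 of the Personal Information Protection Law
[2] Full text of the Draft Measures on Security Assessment of Cross-border Data Transfer: http://www.cac.gov.cn/2021-10/29/c_1637102874600858.htm
[3] Article 5 of the Draft Measures on Security Assessment of Cross-border Data Transfer
[4] Article 9 of the Draft Measures on Security Assessment of Cross-border Data Transfer
[5] Article 4 of the Draft Measures on Security Assessment of Cross-border Data Transfer
[6] Article 8 of the Draft Measures on Security Assessment of Cross-border Data Transfer
[7] Article 13 of the Draft Regulation on the Management of Data Security
[8] Article 32 of the Draft Regulation on the Management of Data Security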
RECOMMENDED ONLINE TRAININGS
Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021” [Re-run]
The Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) was published in the gazette and came into effect on 8 October 2021 to combat doxxing acts that are intrusive to personal data privacy. What are “doxxing” offences under the Amendment Ordinance? How to avoid breaking the law inadvertently? How can the Privacy Commissioner help you? What criminal investigation and prosecution powers have been conferred on the Privacy Commissioner?
This webinar will provide answers to all the above questions! Privacy Commissioner Ms Ada CHUNG Lai-ling and Mr Dennis NG, Senior Legal Counsel of PCPD will explain the requirements under the Amendment Ordinance to participants.
Date: 8 December 2021 (Wednesday) (Re-Run)
Time: 3:00 pm – 4:00pm
Fee: Free of charge
Language: Cantonese
Accreditation: CPD accreditation of the Law Society of Hong Kong is being applied for
Who should attend: Legal professionals, management of organisation, compliance officers, Data Protection Officers, users of social media platforms and instant messaging apps, principals, parents, teachers, social workers and teenagers etc.
Online Professional Workshop on Data Protection in Property Management Practices
This workshop takes a holistic approach to the handling of personal data in property management. Relevant case examples and practical solutions will be shared with the participants to help them address the challenges when they engage in property management practices involving the handling of personal data of flat owners, residents, visitors and car park users, etc.
Date: 8 December 2021 (Wednesday)
Time: 2:15pm – 4:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Property Management Personnel, Data Protection Officers, Compliance Officers, Solicitors, members of Owner’s Corporation
Online Professional Workshop on Privacy Management Programme
Organisations should develop a Personal Data Privacy Management Programme (PMP) to institutionalise a proper system for the responsible use of personal data so as to gain trust from customers and other stakeholders. In this workshop, participants can learn the baseline fundamentals and components of a PMP and how to maintain and improve it on an ongoing basis.
Date: 15 December 2021 (Wednesday)
Time: 2:15pm – 4:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices
Online Free Seminar - Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. The details of the upcoming sessions are as follows:
Seminar Outline:
- A general introduction to the PDPO
- The six Data Protection Principles (illustrated with industry-related examples)
- Offences and compensation
- Direct marketing
- Q&A session
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect the privacy of personal data is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and protecting the privacy of personal data, you can make a request for an in-house seminar via our online form. The outline of this seminar is provided below.
Seminar Outline:
- A general introduction to the PDPO
- The six data protection principles (industry-related cases will be illustrated)
- Direct Marketing
- Offences & Compensation
- Q&A Session
Duration: 1.5 hours
RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
PCPD Supports the "Hong Kong Cyber Security New Generation Capture the Flag (CTF) Challenge 2021" Webinar cum Award Presentation Ceremony
Jointly organised by Hong Kong Computer Emergency Response Team Coordination Centre and Hong Kong Productivity Council, the “Hong Kong Cyber Security New Generation Capture the Flag (CTF) Challenge 2021”, which aims to enhance the cybersecurity knowledge of practitioners and students via a fun game, has come to an end. The CTF Challenge award presentation ceremony, together with a webinar on cybersecurity, will be held on 10 December 2021. For more details of the event and enrolment, please click here.
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.