PCPD e-NEWSLETTER
ISSUE Dec 2021
The PCPD Made the First Arrest For a Suspected Doxxing Offence
The Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) came into effect on 8 October to more effectively combat doxxing acts that are intrusive to personal data privacy, and the Privacy Commissioner was empowered under the Amendment Ordinance to carry out criminal investigations and institute prosecutions.

On 13 December 2021, the PCPD arrested a Chinese male aged 31 in the West Kowloon region for a suspected contravention of section 64(3A) of the Personal Data (Privacy) Ordinance (PDPO) relating to “disclosing personal data without consent”. The act originated from a money dispute. The PCPD seized one smartphone during the operation. The arrested person was released on Police bail. The PCPD will continue its investigation into the case. This is the first arrest made by the PCPD under the Amendment Ordinance.

The PCPD reminds members of the public that contravening section 64(3A) of the PDPO is a serious crime. An offender is liable on conviction to a fine up to $100,000 and imprisonment for 2 years. Members of the public are reminded not to break the law. The Amendment Ordinance also applies to the online world. To avoid breaking the law, members of the public should think twice before publishing or re-posting any message that appears to be a doxxing message on the internet or social media.

Relevant provisions under the PDPO:

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject—
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years. According to section 64(6) of the PDPO, specified harm in relation to a person means—
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.

PRIVACY COMMISSIONER'S FINDINGS
Disclosure of a Customer’s Payment Information to a Third Party by a Travel Agency
Internal Policies on Personal Data Handling
Privacy Settings in Facebook Mobile App

RECOMMENDED ONLINE TRAININGS
Online Professional Workshops
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation

RENEWAL OF DPOC's MEMBERSHIP

Privacy Commissioner Advocated Ethical Development and Use of Artificial Intelligence at the 56th Asia Pacific Privacy Authorities Forum
Privacy Commissioner Shared Insights on Geoprivacy at the Webinar on “Ethical Issues of Using Geospatial Data in Health Research or Policies During the COVID-19 Pandemic and Beyond”
PCPD Re-run the Webinar on “Combat Doxxing – Personal Data (Privacy) (Amendment) Ordinance 2021”
Privacy Commissioner Publishes an Article on “Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland” in Hong Kong Lawyer and Local Newspapers
Reaching out to Enterprises – PCPD Advocated the Ethical Development and Use of Artificial Intelligence at the SmartBiz Expo
Former Privacy Commissioner Mr Stephen LAU Ka-men, MBE, JP, visited the PCPD

Highlights of the Draft Regulation on the Management of Data Security (《網絡數據安全管理條例(徵求意見稿)》)
International: UK and US Issue Joint Statement on Deepening their Data Partnership
EU: Commission Publishes Results of Open Public Consultation on Data Act
Russia: Ministry of Economic Development Proposes Draft Law to Establish National Data Management System

PRIVACY COMMISSIONER'S FINDINGS
Disclosure of a Customer’s Payment Information to a Third Party by a Travel Agency
Miss A, a regular customer of a travel agency, recommended Mr B to purchase a flight ticket from that travel agency. Mr B failed to pay the balance and the agency was unable to get in touch with him. The travel agency then sent an email to Miss A, asking for the address of Mr B but the email disclosed the details of his overdue payment. Mr B considered that the travel agency should not have disclosed his payment information to Miss A and the purpose of such disclosure was to exert pressure on him. Hence, Mr B made a complaint with the PCPD.
The PCPD found that even though the travel agency was unable to reach Mr B and had to ask his referee for his contact address, it was unnecessary for the travel agency to disclose details of the overdue payment to the referee. After the PCPD’s intervention, the travel agency undertook not to disclose unnecessary information of customers to third parties in similar circumstances. Regarding the incident, the PCPD issued a warning to the travel agency, requesting it to regularly remind its staff members of the relevant requirements under the PDPO and implement measures to ensure compliance.
Lesson Learnt
Data Protection Principle (DPP) 3 under the PDPO requires that personal data shall only be used for a purpose that is the same as or directly related to the original collection purpose. The financial status of a customer, such as default in payment, is commonly considered sensitive data. Such data should be handled with extra care and only be disclosed to a third party when there is a genuine need. If a referee is contacted to locate a customer, only the minimum data for identification should be shared. Excessive disclosure of personal data (e.g. payment details) to a referee may contravene the requirements under DPP 3.
Internal Policies on Personal Data Handling
Organisations should develop internal policies to ensure that their handling of personal data complies with the PDPO. These policies should be made available to employees who should be reminded of these policies periodically and any updates immediately. In general, the internal policies on personal data handling should cover the entire life-cycle of personal data handling (i.e. the six DPPs under the PDPO).
Organisations may make reference to the below example:
Privacy Settings in Facebook Mobile App

Facebook has recently changed the privacy setting interface of its mobile app. You may follow the step-by-step guides below to change your Facebook in-app privacy settings:

- To adjust the public visibility of your profile information (such as education, contact details)
Step 1: Go to ‘Settings and Privacy’
Step 2: Select ‘Settings’
Step 3: Select ‘Profile Information’ in ‘Audience and Visibility’ section to make changes

- To manage your off-Facebook activity
Step 1: Go to ‘Settings and Privacy’
Step 2: Select ‘Settings’
Step 3: Select ‘Off-Facebook activity’ in ‘Permissions’ section
Step 4: Select ‘Manage Future Activity’ to make changes

- To adjust your profile and tagging settings
Step 1: Go to ‘Settings and Privacy’
Step 2: Select ‘Settings’
Step 3: Select ‘Profile and tagging’ in ‘Audience and visibility’ section to make changes

The PCPD has issued “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps” (Guidance), which provides the public with some practical advice to mitigate the privacy risks involved in the use of social media. Please click here to download the Guidance.
Privacy Commissioner Advocated Ethical Development and Use of Artificial Intelligence at the 56th Asia Pacific Privacy Authorities Forum
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 56th Asia Pacific Privacy Authorities (APPA) Forum hosted by the Office of the Information and Privacy Commissioner for British Columbia, Canada from 1 to 3 December 2021.
The Privacy Commissioner delivered a presentation in the topical session to advocate the principles and good practices recommended in the “Guidance on the Ethical Development and Use of Artificial Intelligence” issued by the PCPD in August 2021. She also explained the scope of the Personal Data (Privacy) (Amendment) Ordinance 2021 to APPA members in the discussion session on legislative developments, including the two-tier structure of doxxing offences, the new criminal investigation and prosecution powers of the Privacy Commissioner and the Privacy Commissioner’s power to issue cessation notices to request the removal of doxxing messages.
Privacy Commissioner Shared Insights on Geoprivacy at the Webinar on “Ethical Issues of Using Geospatial Data in Health Research or Policies During the COVID-19 Pandemic and Beyond”
Privacy Commissioner Ms Ada CHUNG Lai-ling was invited to share her insights on geoprivacy at the webinar on “Ethical Issues of Using Geospatial Data in Health Research or Policies During the COVID-19 Pandemic and Beyond” held on 2 December 2021. The webinar was co-hosted by the Institute of Space and Earth Information Science of The Chinese University of Hong Kong and the American Association of Geographers.
In the webinar, the Privacy Commissioner discussed the geoprivacy concerns for different COVID-19 control measures, and the need to strike a reasonable balance between safeguarding public health and protecting individual geoprivacy with a number of renowned scholars and experts in relevant fields across the globe.
PCPD Re-run the Webinar on “Combat Doxxing – Personal Data (Privacy) (Amendment) Ordinance 2021”
The PCPD re-organised the public webinar on “Combat Doxxing – Personal Data (Privacy) (Amendment) Ordinance 2021” on 8 December 2021 owing to the overwhelming response to the first webinar held last month. In the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling, together with Mr Dennis NG, Senior Legal Counsel of the PCPD, explained the scope of the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) to the participants, including the two-tier structure of the new doxxing offences, the new criminal investigation and prosecution powers of the Privacy Commissioner and the Privacy Commissioner’s power to issue cessation notices to request the removal of doxxing messages.
This webinar also received great response and attracted around 480 attendees from various sectors including banking and finance, public sector organisations, education, legal and social service, etc.
Please click here to download the presentation deck (Chinese Only).
Privacy Commissioner Publishes an Article on “Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland” in Hong Kong Lawyer and Local Newspapers
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article to provide an overview of the requirements on the transfer of personal information from the Mainland to other jurisdictions under the Personal Information Protection Law of the Mainland. The article was published in Hong Kong Lawyer as well as several local newspapers, including HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Ming Pao, Sing Tao Daily and Ta Kung Pao.
Please click here to read the article.
Reaching out to Enterprises – PCPD Advocated the Ethical Development and Use of Artificial Intelligence at the SmartBiz Expo
Deputy Privacy Commissioner Mr. T.Y. LEE spoke on 3 December 2021 in the “Know Your Shoppers – Use of Artificial Intelligence in RetailTech” virtual session at the Fifth SmartBiz Expo organised by the Hong Kong Trade Development Council.
In his presentation, the Deputy Privacy Commissioner introduced the “Guidance on the Ethical Development and Use of Artificial Intelligence” (Guidance) published by the Office of the Privacy Commissioner for Personal Data in August 2021 and elaborated on the relevant requirements of the PDPO with regard to the development and use of artificial intelligence (AI). He also shared the practice guide and good practices in the Guidance, with a view to assisting SMEs in applying the data stewardship values and ethical principles in the development and use of AI.
Please click here for the Deputy Privacy Commissioner’s presentation deck. (Chinese version only).
Former Privacy Commissioner Mr Stephen LAU Ka-men, MBE, JP, visited the PCPD
The PDPO came into operation on 20 December 1996. In celebration of the 25th anniversary of the PCPD, Privacy Commissioner Ms Ada CHUNG Lai-ling was very pleased to invite the first Privacy Commissioner, Mr Stephen LAU Ka-men, MBE, JP, to visit the PCPD, during which Mr LAU shared the history of the establishment of the PCPD and exchanged views with PCPD colleagues.
Privacy Commissioner Ms Ada CHUNG (right) pictured with the first Privacy Commissioner Mr Stephen LAU Ka-men, MBE, JP (left).
Highlights of the Draft Regulation on the Management of Data Security (《網絡數據安全管理條例(徵求意見稿)》)

On 14 November 2021, the CAC published the Draft Regulation on the Management of Data Security (Draft Regulation). The Draft Regulation seeks to provide more clarity with regard to compliance with the Personal Information Protection Law, which went into effect on 1 November 2021, and other pieces of data protection legislations in the Mainland. This article highlights some of the requirements relevant to the processing of personal information under the Draft Regulation.
The Cyberspace Administration of China published the consultation document of the Draft Regulation on the Management of Data Security (《網絡數據安全管理條例(徵求意見稿)》)[1] (Draft Regulation) on 14 November 2021. The Draft Regulation is formulated pursuant to laws and regulations including the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law[2], and regulates data processing activities carried out through networks in the Mainland[3]. “Network data” (data) as defined therein means any record of information in electronic form[4]. The definition does not exempt personal information, and the Draft Regulation also contains provisions on the protection of personal information; the data referred to in the Draft Regulation is therefore believed to include personal information.
The Draft Regulation consists of 75 articles covering, among other things, the security of important data, the security management of cross-border data transfers and the obligations of internet platform operators. In particular, the Draft Regulation sets out more detailed and specific requirements for a number of provisions of the Personal Information Protection Law; some of these requirements are highlighted below.
The Personal Information Protection Law requires personal information processors to obtain the separate consent of the individual concerned in circumstances such as the processing of sensitive personal information and the provision of personal information to parties outside the Mainland[5], but does not explain what “separate consent” means. The Draft Regulation defines separate consent as “consent obtained by a data processor from an individual for each item of personal information when carrying out a specific data processing activity, excluding one-off consent covering multiple items of personal information or multiple processing activities”[6].
In addition, the Personal Information Protection Law requires personal information processors that process personal information in a quantity reaching the threshold prescribed by the national cyberspace authority to designate a person in charge of personal information protection, who supervises their personal information processing activities and the protection measures adopted[7], but gives no further detail on the prescribed quantity. The Draft Regulation specifies that data processors processing the personal information of more than one million individuals must designate a person in charge of data security, whose duties include making recommendations on data security, formulating data security protection plans and carrying out risk monitoring[8].
The Personal Information Protection Law also requires that, where personal information has been or may be leaked, tampered with or lost, the personal information processor must immediately take remedial measures and notify the relevant authorities and the individuals concerned[9]. The Draft Regulation proposes that, where a data security incident such as the leakage, damage or loss of the personal information of more than 100,000 individuals occurs, the data processor must report the incident to the cyberspace authority and the relevant competent authorities within eight hours, and submit an investigation and assessment report to those authorities within five working days after the incident has been dealt with[10].
Finally, the Personal Information Protection Law provides that, in specified circumstances (for example, where the purpose of processing has been achieved or the agreed retention period has expired), a personal information processor must delete an individual’s personal information on its own initiative or at the individual’s request[11]. The Draft Regulation stipulates that a data processor that receives an individual’s request to delete personal information or to withdraw consent must handle and respond to the request within 15 working days[12].
The consultation period for the Draft Regulation ended on 13 December 2021, and the final version is expected to be promulgated and implemented in the near future.
[1] Full text of the Draft Regulation: http://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm
[2] Draft Regulation, Article 1
[3] Draft Regulation, Article 2
[4] Draft Regulation, Article 73(1)
[5] Personal Information Protection Law, Articles 29 and 39
[6] Draft Regulation, Article 73(8)
[7] Personal Information Protection Law, Article 52
[8] Draft Regulation, Articles 26 and 28
[9] Personal Information Protection Law, Article 57
[10] Draft Regulation, Article 11
[11] Personal Information Protection Law, Article 47
[12] Draft Regulation, Article 23
RECOMMENDED ONLINE TRAININGS
A new series of Professional Workshops on Data Protection (January - March 2022) is now open for enrolment!
Check out the new schedule of the Professional Workshops below:
Online Professional Workshop on Data Protection and Data Access Request
This workshop will examine in detail the compliance requirements for handling Data Access Request (DAR) under the PDPO and provide practical guidance to participants on handling DAR.
Date: 20 January 2022 (Thursday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, Data Protection Officers, Administration Managers, Human Resource Officers, Customer Services Personnel
Online Professional Workshop on Data Protection in Banking / Financial Services
This workshop will examine the personal data privacy issues facing banking and financial personnel in their daily operation and provide practical steps that can be taken to deal with the issues effectively.
Date: 27 January 2022 (Thursday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices
Free Online Seminar: Introduction to the PDPO

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. The details of the upcoming sessions are as follows:
Seminar Outline:
- A general introduction to the PDPO
- The six Data Protection Principles (illustrated with industry-related examples)
- Offences and compensation
- Direct marketing
- Q&A session
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect the privacy of personal data is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and protecting the privacy of personal data, you can make a request for an in-house seminar via our online form. The outline of this seminar is provided below.
Seminar Outline:
- A general introduction to the PDPO
- The six data protection principles (industry-related cases will be illustrated)
- Direct Marketing
- Offences & Compensation
- Q&A Session
Duration: 1.5 hours

RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.