PCPD e-NEWSLETTER
ISSUE Jan 2022
Feature Interview with the Privacy Commissioner by Biz@HKUST, the HKUST Business School Magazine – Personal Data Privacy Matters
Privacy Commissioner Ms Ada CHUNG Lai-ling, was interviewed by Biz@HKUST, the HKUST Business School Magazine, to talk about the importance of protecting personal data privacy in the digital era, and the work of her office in administering the Personal Data (Privacy) Ordinance (PDPO) and promoting the culture of protecting and respecting personal data privacy.
You can read the interview article in full below:
When it comes to developing a culture of privacy, protection and respect for personal data, Ada Chung, the Privacy Commissioner for Personal Data (Privacy Commissioner) in Hong Kong, has a massive job on her hands. As an independent watchdog, the Office of the Privacy Commissioner for Personal Data (PCPD) is designed to monitor, supervise, promote and enforce compliance in relation to the Personal Data (Privacy) Ordinance (PDPO), which came into effect in 1996.
Aside from supervising and enforcing protection of personal data privacy, the PCPD provides guidance, public education and best practice notes on the lawful and responsible use of personal data. In today’s digital world, this is no easy task. The rise of technology and the growing use of social media and apps are driving a proliferation of data, and online activities have increased dramatically, especially during the pandemic. Consequently, the PCPD has its hands full putting out fires while trying its best to educate the public and businesses about respecting and safeguarding personal data.
According to the results of a survey released by the PCPD in January 2021, over 85 per cent of Hong Kong citizens are active users of social media, and share personal information online, Chung says. This information often includes their date of birth, residential address, and health information.
Ominously, most online users are unaware that they are sharing these details. “This is dangerous,” Chung says. “If personal data is leaked, it can be misused, and that can lead to the perpetration of crimes or fraud. In Hong Kong, in the past two years, doxxing has become rampant, which has caused serious and long-lasting effects on its victims.”
Doxxing is the act of disclosing the personal data of a data subject without the data subject’s consent, where the discloser intends to cause harm, or is reckless as to whether harm is caused, to the data subject or any family member of the data subject. There has been a notable rise in doxxing in Hong Kong in recent years: the privacy watchdog handled over 5,800 doxxing cases between June 2019 and June 2021.
Data breaches are also becoming more frequent worldwide. The number of high-profile data breaches which have affected a huge number of individuals has been increasing. One recent example occurred in April 2021, when networking data associated with 500 million LinkedIn users was posted on a forum on the Dark Web. Hong Kong citizens were certainly among those affected. “In the past few years, the scale of this has been unprecedented,” Chung says, noting that things may get worse.
Fundamental Human Rights
For this reason, the PCPD plays an increasingly important role in the protection of personal data privacy. Hong Kong recently amended its privacy law to give the Privacy Commissioner significant powers to remove doxxing messages. The legislation also has extra-territorial effect, so the Privacy Commissioner can serve cessation notices on internet service providers with a place of business in Hong Kong, or on operators of overseas social media platforms located outside Hong Kong, requiring them to take down any information deemed to be doxxing within a designated timeframe.
“Privacy is a fundamental human right. Protection of personal data is indispensable in protecting individuals’ privacy,” Chung says. “Protection of personal data is particularly important in a digital era where anyone’s personal data can be widely shared in a split second.”
Given the boundless nature of the internet, and the global increase in digitalization, the PCPD will not be able to achieve its mission alone. Chung says that everyone must play a part to protect personal data privacy. This is the key message that the PCPD has been promoting to the public.
Chung emphasizes that the development of mobile applications and data-driven technology mean that businesses and individuals who are data users have an equal responsibility to meet the legal requirements that are set out in the PDPO. They are required to comply with the six Data Protection Principles when collecting, holding, processing and using personal data, Chung says.
Part of the PCPD’s job is to ensure that everyone, organisations and individuals alike, is familiar with the PDPO and knows how to apply it. Promotion and publicity work is needed to raise awareness of how to protect personal data, especially among the more vulnerable segments of society such as the young and the elderly. “A lot of people are simply not aware of these issues,” says Chung in an urgent tone. “They need to be aware that their personal data is a valuable asset and that they shouldn’t be giving it away too easily, and in an arbitrary manner,” she says. The watchdog has also been visiting schools to educate students about personal data protection and to raise general awareness of scams and fraud. Chung also wants to teach students to be wary of online communications from unknown sources.
Regulations Set to Increase
As technology such as artificial intelligence (AI) becomes more commonplace, the PCPD will continue to have a greater role to play in safeguarding personal data. So looking to the future, Chung says that regulations will likely become more common, and there will be a greater focus on automated technology like AI.
The PCPD recognizes that AI is developing rapidly, and is aware of the many privacy concerns and risks to fundamental human values that could arise. That’s why the PCPD has been working hard to create ethical frameworks. In August 2021, the PCPD issued the “Guidance on the Ethical Development and Use of Artificial Intelligence” to help organisations understand and comply with the relevant requirements of the PDPO when they develop or use AI. “The next ten years will be the era of AI, and it will bring fundamental changes to the way people behave, and to our daily lives,” Chung says. “The effect of AI on human beings will be tremendous.” It is for these reasons that Chung thinks frameworks and guidelines must be put in place to regulate how data is being used.
“I believe that in the years to come, there will be more emphasis on accountability and what businesses should do to comply with the law,” Chung says. Such developments will include the development and implementation of a Personal Data Privacy Management Programme (PMP) by organisations, to gain the trust of customers and other stakeholders, as well as the appointment of Data Protection Officers to oversee organisations’ compliance with the PDPO. Cybersecurity will also become a hot issue in the boardroom in the coming years.
"Privacy is a fundamental human right. Protection of personal data is particularly important in a digital era."
Ada Chung, Privacy Commissioner for Personal Data
The Ethics of AI
The PCPD proposes seven principles for the ethical development and use of AI:
- Accountability - Organisations should be responsible for what they do, and provide justification for their actions.
- Transparency & Interpretability - Organisations should disclose how they use AI, and the relevant policies, to stakeholders while improving the interpretability of automated AI decisions.
- Fairness - Bias and discrimination should be avoided.
- Reliability, Robustness & Security - AI systems should operate reliably, be free of errors, and be protected against attacks.
- Human Oversight - The level of human involvement should be proportionate to the risks and impact of using AI.
- Data Privacy - Effective data governance should be put in place to protect an individual’s personal data privacy during both the development and use of AI.
- Beneficial AI - The use of AI should provide benefits and minimise harm to stakeholders.
PRIVACY COMMISSIONER'S FINDINGS
A Hospital Collected the Time Spent by a Doctor on Wards Rounds and the Number of Patients He Attended to, Without Prior Notification
Personal Data Privacy Management Tool: Periodic Risk Assessment Questionnaire
Working from Home: 9 Tips to Safeguard Personal Data
To Protect Oneself and Others, PCPD to Introduce “Vaccine Bubble” Arrangement
RECOMMENDED ONLINE TRAININGS
Online Professional Workshops
Free Online Seminar: Introduction to the PDPO
Public Webinar on “Combat Doxxing – Personal Data (Privacy) (Amendment) Ordinance 2021”
RENEWAL OF DPOC's MEMBERSHIP
Appointment of Two New Members to the Standing Committee on Technological Developments of the PCPD
Reaching Out to Lawyers – Privacy Commissioner Spoke at Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021 – Criminalisation of Doxxing Acts” organised by the Hong Kong Academy of Law
Reaching Out to Schools – Privacy Commissioner Explained the Application of the PDPO to School Principals
Privacy Commissioner Published an Article entitled "Hong Kong: Amendments to Hong Kong privacy law to combat doxxing" at OneTrust DataGuidance
Highlights of the Measures for Cybersecurity Review
US: FCC Publishes Proposal for New Data Breach Reporting Requirements
EU: EDPB Publishes Guidelines on Examples of Data Breach Notifications
CNIL's ePrivacy Fines Reveal Potential Enforcement Trend
Privacy and responsible AI
PRIVACY COMMISSIONER'S FINDINGS
A Hospital Collected the Time Spent by a Doctor on Wards Rounds and the Number of Patients He Attended to, Without Prior Notification
The Complainant was a doctor at a public hospital. He was dissatisfied that the hospital management collected statistical data concerning him, such as the time he spent on ward rounds and the number of patients he attended to, without any prior notification.
The hospital management explained that, due to changes in clinical service model, it collected data including doctors’ consultation time and number of patients attended to for calculating the service cost for different types of patients.
After the PCPD’s intervention, the organisation managing the hospital promised to amend its internal guidelines to ensure that they covered the situations in which the employees’ personal data were collected, and clearly stated the purpose and use of such collection. Moreover, the organisation sent emails to its employees, reminding them to inform colleagues of the purpose of collection before collecting the personal data from them. Regarding the incident, the PCPD issued a warning to the organisation, requesting it to closely monitor its employees’ compliance with the said guidelines.
Lesson Learnt
The hospital management collected the data for administrative and statistical purposes, which were directly related to its function of managing the hospital. However, the management collected the data without informing the doctors of the purposes of collection. Hence, when the doctors learnt that the management had collected such data without prior notification, they inevitably speculated or worried that the data was being used to evaluate their work performance, and trust was damaged. Organisations are therefore advised to ensure the transparency of personal data collection, to avoid suspicion and build trust with their employees.
Personal Data Privacy Management Tool: Periodic Risk Assessment Questionnaire
Data privacy risks evolve over time. Organisations should conduct periodic risk assessments to ensure that their privacy policies and practices comply with the PDPO. An organisation may evaluate its data privacy risks by providing each department with a periodic risk assessment questionnaire for completion. If there are any non-compliant issues identified, the organisation should draw up mitigation measures for all identified risks.
Below is a sample periodic risk assessment questionnaire for reference:
For more details of Personal Data Privacy Management Programme, please click here.
Working from Home: 9 Tips to Safeguard Personal Data
Since the pandemic began, many organisations and schools have gained experience in implementing WFH arrangements or online learning. Nevertheless, the transfer of electronic or physical data under such arrangements inevitably carries a higher risk of data breaches. In addition, cybersecurity threats such as hacking and malware remain an issue. Organisations and schools should be vigilant and pay special attention to data security when implementing WFH arrangements or online learning. They should provide adequate guidance and support to their employees, teachers or students in order to reduce the risks of breaches of personal data privacy.
In this connection, the PCPD offers 9 tips for organisations, employees and users of video conferencing software (including teachers and students) to safeguard their personal data:
Organisations
- assess the risks to data security and personal data privacy relating to WFH arrangements in order to devise appropriate protection measures;
- ensure the security of the data stored in the electronic devices provided to employees, including the adoption of appropriate security settings for virtual private networks (VPNs); and
- provide sufficient data security training and support to employees for WFH arrangements, including password management, encryption of data, etc.
Employees
- adhere to employers’ policies on the handling of data, such as using only corporate electronic devices and email accounts for work;
- ensure the security of Wi-Fi connections at home, such as updating the firmware of the Wi-Fi routers in a timely manner, and avoid using public Wi-Fi for work; and
- if it is necessary to bring paper documents out of office premises, ensure the proper handling of data to avoid loss.
Users of video conferencing software (including teachers and students)
- choose the appropriate video conferencing software, such as the ones with end-to-end encryption;
- safeguard their user accounts by setting up strong passwords, changing the passwords regularly and activating multi-factor authentication; and
- validate participants’ identities before allowing them to join the video conferences, and avoid sharing personal data or sensitive data during the conferences and in chatboxes.
For details of the practical advice, please refer to the three Guidance Notes published by the PCPD earlier, which are available here.
To enhance the public’s understanding of the relevant data security measures, the PCPD has also published a leaflet entitled “Protecting Personal Data under Work-from-Home Arrangements”. Please click here for the leaflet.
Appointment of Two New Members to the Standing Committee on Technological Developments of the PCPD
Prof WONG Kam Fai and Prof YIU Siu Ming have been appointed as members of the Standing Committee on Technological Developments (SCTD) for a two-year term from 1 January 2022 to 31 December 2023.
Prof WONG is the Associate Dean (External Affairs) of the Faculty of Engineering of the Chinese University of Hong Kong (CUHK), the Director of the Centre for Innovation and Technology of CUHK, and Professor at the Department of Systems Engineering and Engineering Management of the CUHK. His research interests focus on Chinese computing, database and information retrieval.
Prof YIU is currently a Professor and an Associate Head of the Department of Computer Science at the University of Hong Kong (HKU). He is also the Deputy Executive Director of HKU-SCF (Standard-Chartered Foundation) FinTech Academy. His research areas include cyber security, cryptography, privacy enhancing technologies, fintech and bioinformatics.
The SCTD was established to advise the Privacy Commissioner on, among other things, the impacts of the developments in the processing of data and information technology on the privacy of individuals in relation to personal data.
Reaching Out to Lawyers – Privacy Commissioner Spoke at Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021 – Criminalisation of Doxxing Acts” organised by the Hong Kong Academy of Law
Privacy Commissioner Ms Ada CHUNG Lai-ling, together with Mr Dennis NG, Senior Legal Counsel of the PCPD, made a presentation on 11 January 2022 at the webinar entitled “Personal Data (Privacy) (Amendment) Ordinance 2021 – Criminalisation of Doxxing Acts” organised by the Hong Kong Academy of Law. In the webinar, the Privacy Commissioner and Mr Ng explained the requirements of the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) to around 140 participants.
The Privacy Commissioner emphasised that the Amendment Ordinance aims to combat unlawful doxxing acts that intrude on personal data privacy. The speakers also explained the similar regulatory frameworks of other jurisdictions, such as Australia, New Zealand and Singapore.
Please click here for the Privacy Commissioner’s presentation deck.
Reaching Out to Schools – Privacy Commissioner Explained the Application of the PDPO to School Principals
Privacy Commissioner Ms Ada CHUNG Lai-ling and Acting Senior Personal Data Officer of the PCPD, Ms Belinda PUI, delivered a talk on the “Application of the Personal Data (Privacy) Ordinance in Schools” to over 100 newly appointed principals from primary, secondary and special schools at the Professional Development Programme for Newly Appointed Principals (2021/22) organised by the Education Bureau on 19 January 2022.
With the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) having come into operation in October 2021, the Privacy Commissioner explained to the school principals the contents of the Amendment Ordinance, which aims to strengthen the PCPD’s capability to combat doxxing acts. The Privacy Commissioner also highlighted to the principals the severity of doxxing offences.
The Privacy Commissioner and Ms Pui also elaborated on how to comply with the requirements of the PDPO in the context of school management, and gave advice on the collection of personal data of teachers, staff and students during the COVID-19 Pandemic and the protection of children’s privacy online.
Please click here for the presentation deck (Chinese only).
Privacy Commissioner Published an Article entitled "Hong Kong: Amendments to Hong Kong privacy law to combat doxxing" at OneTrust DataGuidance
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article on OneTrust DataGuidance giving an overview of the requirements of the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance), which aims to combat doxxing acts. The Privacy Commissioner points out that the implementation of the Amendment Ordinance heralds a new era in the regulatory regime for the protection of personal data in Hong Kong, and that the Amendment Ordinance does not affect normal and lawful business activities in Hong Kong, nor does it affect the freedom of speech and free flow of information that members of the public enjoy. Social media platforms should, as a matter of law and social responsibility, ensure that unlawful content is removed from their platforms.
Please click here to read the article.
Highlights of the Measures for Cybersecurity Review
On 4 January 2022, the Cyberspace Administration of China (CAC), together with twelve other authorities, published the amended Measures for Cybersecurity Review (Amended Measures). The Amended Measures, which will come into force on 15 February 2022, will supersede the original version that had been in effect since June 2020. This article highlights some of the requirements under the Amended Measures that are relevant to internet platform operators processing personal information.
The CAC, together with twelve other authorities including the Ministry of Industry and Information Technology and the Ministry of Public Security, jointly issued the amended Measures for Cybersecurity Review (the Measures) on 4 January 2022. The Measures will take effect on 15 February 2022 and replace the original version in effect since June 2020.
The Measures aim to ensure the security of the supply chain of critical information infrastructure, safeguard cybersecurity and data security, and protect national security. The Measures provide that where a critical information infrastructure operator procures network products and services, or a network platform operator carries out data processing activities, and this affects or may affect national security, a cybersecurity review must be conducted in accordance with the Measures.
One of the key points of the amended Measures is the requirement that a network platform operator holding the personal information of more than one million users must apply to the Cybersecurity Review Office for a cybersecurity review before listing abroad.[1]
In line with this requirement, the Measures also expand the materials to be submitted for a cybersecurity review and the matters to be assessed. The Measures specify that the materials to be submitted when applying for a cybersecurity review include an analysis report on the effects or potential effects on national security and the listing application documents intended to be filed, such as those for an initial public offering (IPO).[2] The national security risk factors on which the cybersecurity review focuses include (a) the risk of core data, important data or a large volume of personal information being stolen, leaked, damaged, illegally used or illegally transferred abroad; (b) the risk that, as a result of the listing, critical information infrastructure, core data, important data or a large volume of personal information is influenced, controlled or maliciously used by a foreign government, as well as network information security risks; and (c) other factors that may endanger the security of critical information infrastructure, cybersecurity or data security.[3]
In addition, the Regulations on the Administration of Network Data Security (Draft for Comment) (Draft Regulations), published by the CAC in November 2021 with consultation closing on 13 December 2021, contain similar provisions, although the details are not identical.
The Draft Regulations primarily regulate data processors, whereas the newly amended Measures primarily regulate the data processing activities of network platform operators. Under the Draft Regulations, a data processor that processes the personal information of more than one million individuals and seeks to list abroad, or a data processor that seeks to list in Hong Kong where the listing affects or may affect national security, must apply for a cybersecurity review.[4] The Measures, by contrast, require a network platform operator holding the personal information of more than one million users to apply for a cybersecurity review before listing abroad.[5]
It is worth noting that both the Draft Regulations and the Measures require the regulated entities to apply for a “cybersecurity review”, and the two are expected to refer to the same review. However, the Draft Regulations do not provide details of that review, so the relevant provisions of the Measures may be consulted for the specifics.
[1] Article 7 of the Measures
[2] Article 8 of the Measures
[3] Article 8 of the Measures
[4] Article 13 of the Draft Regulations
[5] Article 7 of the Measures
RECOMMENDED ONLINE TRAININGS
Online Professional Workshop on Data Protection in Insurance
Insurance practitioners, who handle a large amount of customers’ personal data in their daily work, should understand and comply with the requirements under the PDPO to ensure the proper handling of personal data in the different aspects of insurance work. This workshop will discuss the key features of the “Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry” and privacy issues specific to insurance institutions and insurance practitioners. It will also examine core concepts of practical data protection compliance, illustrated by specific scenarios that highlight potential problems and their resolutions.
Date: 17 February 2022 (Thursday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance Practitioners, Data Protection Officers, Compliance Officers, Solicitors, Advisers and other personnel undertaking work relating to the Insurance Industry
Online Professional Workshop on Data Protection in Direct Marketing Activities
Direct marketing is widely adopted by different types of organisations to promote their products and services. Organisations and marketers should understand how to comply with the requirements under the PDPO when carrying out direct marketing activities. This workshop will provide participants with a practical approach to complying with the PDPO requirements in direct marketing activities, share hands-on solutions to problems that marketers may face when devising direct marketing activities, and discuss relevant conviction cases.
Date: 24 February 2022 (Thursday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data Protection Officers, Compliance Officers, Company Secretaries, Administration Managers, IT Managers, Solicitors (in house or private practice), Database Managers, Marketing Professionals
Other Professional Workshops on Data Protection in March 2022
Free Online Seminar: Introduction to the PDPO
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. The details of the upcoming sessions are as follows:
Seminar Outline:
- A general introduction to the PDPO
- The six Data Protection Principles (illustrated with industry-related examples)
- Offences and compensation
- Direct marketing
- Q&A session
RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.