PCPD e-NEWSLETTER
ISSUE Feb 2022
PCPD Reported on its Work in 2021
The Office of the Privacy Commissioner for Personal Data (PCPD) reported on its work in 2021.
Complaint Cases
The PCPD received 3,151 complaint cases in 2021, a drop of 35% compared with 4,862 cases in 2020. This was mainly attributable to the decrease in doxxing cases and in the number of complaint cases arising from a single incident. Of these complaint cases, 93% involved complaints against private organisations or individuals, while the remaining 7% were against public organisations or government departments.
Data Breach Incidents
In 2021, the PCPD received 140 personal data breach notifications from organisations, representing an increase of 36% year-on-year. The data breach incidents involved hacking, system misconfiguration, unauthorised access to personal data by employees, loss of documents or portable devices, inadvertent disclosure of personal data by emails or post, and accidental erasure of personal data, etc.
The PCPD initiated 377 compliance checks in 2021, representing a 10% increase as compared to 344 compliance checks in 2020.
Amending the Personal Data (Privacy) Ordinance to combat doxxing acts
To combat doxxing acts that are intrusive to personal data privacy, the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) came into operation on 8 October 2021. The Amendment Ordinance criminalises doxxing acts and empowers the Privacy Commissioner to carry out criminal investigations and institute prosecutions in respect of doxxing-related offences.
On 13 December 2021, the PCPD made the first arrest for a suspected contravention of section 64(3A) of the Amendment Ordinance relating to “disclosing personal data without consent”.
In 2021, the PCPD handled a total of 842 doxxing cases, including complaints received or cases discovered proactively by the PCPD. The number of cases in 2021 dropped by 19% when compared to 1,036 cases in 2020. Under the Amendment Ordinance, the Privacy Commissioner is given statutory powers to demand the cessation of disclosure of doxxing messages. From the commencement of operation of the Amendment Ordinance until 31 January 2022, the PCPD has issued more than 350 cessation notices to 12 platforms, involving over 1,700 doxxing messages.
Apart from enforcement, the PCPD has also launched a series of publicity and educational campaigns to enhance the public awareness of and compliance with the Amendment Ordinance, including broadcasting videos, TV and radio announcements, distributing promotional leaflets and posters, organising webinars, and promoting the new provisions on social media platforms. As of 31 January 2022, the Privacy Commissioner and colleagues of the PCPD have conducted 16 webinars/seminars on the Amendment Ordinance with a total of 2,668 participants.
In this issue:
- A Hacker’s Intrusion into the Email System of a Company
- Data Breach Information Sheet
- Designing Monitoring Policies and Data Management Procedures
- Privacy Commissioner Commenced Investigation into a Data Breach Incident Involving a Local Hotel Group
- A Webinar on “the Ethical Development and Use of Artificial Intelligence”
- Renewal of DPOC's Membership
- Privacy Commissioner Published an Article on “Vaccine Pass - Let’s Unite to Fight the Pandemic”
- Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attended Meeting of Legislative Council Panel on Constitutional Affairs
- PCPD Promotes Say ‘NO’ to Cyberbullying for Children
- PCPD Established Anti-Pandemic Volunteer Team
- Highlights of the Regulations on the Management of Algorithm Recommendations for Internet Information Services《互聯網信息服務算法推薦管理規定》的重點
- EU: Commission Publishes New Study Monitoring Data Flows in Europe
- Post-'Schrems II': Can EU Regulators Set Aside a Risk-Based Approach for Conducting Transfer Impact Assessments?
- Why US-based Companies Should Care About the Norway DPA's Interpretation of GDPR Consent

PRIVACY COMMISSIONER'S FINDINGS
A Hacker’s Intrusion into the Email System of a Company
The PCPD completed its investigation into an incident which involved a hacker’s intrusion into the email system of Nikkei China (Hong Kong) Limited (Nikkei), and published an investigation report. The investigation arose from a data breach notification lodged by Nikkei with the PCPD on 17 March 2021, which reported that a hacker had intruded into six staff email accounts, forwarding the emails that had been sent to those email accounts to two unknown email addresses. The incident led to the leakage of the personal data of over 1,600 customers.
From the evidence collected in the investigation, the Privacy Commissioner found that the following four deficiencies existed in the security of Nikkei’s email system at all material times:
- Weak password management
- Retention of obsolete email accounts
- Lack of security controls for remote access to the email system
- Inadequate security controls on information system
The Privacy Commissioner considered, upon conclusion of the investigation, that Nikkei failed to take all practicable steps to ensure that its customers’ personal data was protected against unauthorised or accidental access, processing or use, thereby contravening Data Protection Principle 4(1) as regards the security of personal data under the Personal Data (Privacy) Ordinance (PDPO). The Privacy Commissioner had issued an enforcement notice to Nikkei, directing Nikkei to remedy and prevent recurrence of the contravention.
Through the report, the Privacy Commissioner also wished to remind organisations whose email systems handle customers’ personal data to be vigilant against cyberattacks targeting those systems. Adequate policies, measures and procedures covering system security should be put in place, and should cover the following areas:
- Establish a Personal Data Privacy Management Programme;
- Appoint Data Protection Officer(s);
- Devise a policy on email communications;
- Implement adequate security measures; and
- Instil a privacy-friendly culture in the workplace.
Download the Investigation Report “Hacker’s Intrusion into the Email System of Nikkei China (Hong Kong) Limited” here.
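Three of the four deficiencies above (obsolete accounts, weak remote-access controls, and the attacker's use of forwarding to external addresses) are the kind of thing a periodic audit of the mailbox inventory can surface. The script below is an added illustration, not code from the PCPD report or from Nikkei; the inventory format, the `example.com` corporate domain, the 90-day dormancy threshold and the use of MFA as the remote-access control are all assumptions for the example.

```python
"""Audit a mailbox inventory for the weaknesses the Nikkei findings describe.

The record format is constructed for this example; real mail platforms export
comparable fields (last sign-in, forwarding rules, MFA state) in their own format.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

INTERNAL_DOMAINS = {"example.com"}   # assumed corporate domain(s)
DORMANT_DAYS = 90                    # assumed inactivity threshold
AS_OF = date(2022, 2, 28)            # audit date for the sample below


@dataclass
class Mailbox:
    address: str
    last_sign_in: Optional[date]                 # None = never signed in
    forward_to: List[str] = field(default_factory=list)
    mfa_enabled: bool = False


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit(boxes: List[Mailbox], today: date) -> List[Tuple[str, str]]:
    """Return (mailbox, finding) pairs for each control gap detected."""
    findings = []
    for box in boxes:
        # Obsolete accounts: never used, or idle beyond the threshold
        if box.last_sign_in is None or (today - box.last_sign_in).days > DORMANT_DAYS:
            findings.append((box.address, "obsolete account: disable or delete"))
        # Forwarding rules that send mail outside the organisation
        for dest in box.forward_to:
            if is_external(dest):
                findings.append((box.address, f"forwarding to external address {dest}"))
        # Remote access without a second factor (assumed control)
        if not box.mfa_enabled:
            findings.append((box.address, "no MFA on remote access"))
    return findings


# Constructed sample inventory: one clean account, one with an external
# forward and no MFA, one dormant account that was never cleaned up.
SAMPLE = [
    Mailbox("alice@example.com", date(2022, 2, 20), [], True),
    Mailbox("bob@example.com", date(2022, 2, 18), ["bob@example.com", "x@mail.invalid"], False),
    Mailbox("old-intern@example.com", date(2021, 6, 1), [], False),
]


def run_sample() -> List[Tuple[str, str]]:
    return audit(SAMPLE, AS_OF)
```

Run against a real export, the same three checks give a short remediation list that maps directly onto the enforcement notice's areas: remove stale accounts, strip unexpected external forwards, and enforce a second factor for remote mailbox access.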
Data Breach Information Sheet
Organisations should develop procedures in relation to the handling of breach incidents and appoint designated officer(s) to handle breach incidents. When there is a data breach, the subject department of the organisation may fill in the Data Breach Information Sheet as below to consolidate the information relating to the breach, take remedial actions promptly and conduct post-incident review:
Designing Monitoring Policies and Data Management Procedures
Employers may take measures to monitor their employees working from home, such as tracking employees' email activities and implementing time tracking software, etc. Responsible employers are expected to give careful consideration to the data privacy rights of employees when formulating monitoring policies and data management practices.
In designing monitoring policies and data management procedures, employers are encouraged to adopt a systematic process conveniently referred to as the 3Cs – Clarity, Communication and Control, or some similar approach, that gives comparable coverage to the personal data privacy issues raised by employee monitoring. The three components of the process are as follows:
Clarity
An effective means of achieving transparency would be for employers to implement a comprehensive written privacy policy that governs personal data management practices relating to employee monitoring, i.e. an Employee Monitoring Policy, which should explicitly refer to the following matters:
- the business purpose(s) that employee monitoring seeks to fulfil;
- the circumstances under which monitoring may take place;
- the manner in which monitoring may be conducted;
- the kinds of personal data that may be collected in the course of monitoring;
- the purpose(s) for which the personal data collected may be used.
It would be good practice for employers to consult employees in the process of developing an Employee Monitoring Policy. The consultation provides an opportunity for employees to clarify any potential misunderstanding of the issues so that there is no prospect of any unpleasant surprise when the policy is put into force.
Communication
Employees must be informed of the nature of, and reasons for, the monitoring of their activities at work before any employee monitoring is undertaken. Employers should take practicable steps to ensure that employees are notified of the policy. This could be done in a number of ways, for example:
- incorporate the policy into personnel training or orientation programmes;
- publish the policy in the employee handbook or manual;
- post the policy on notice boards;
- include the policy as part of an employment agreement;
- link the policy to a network login screen that requires affirmative acknowledgement before being allowed access to the network.
Control
Control measures over the holding, processing and use of monitoring records must be taken to safeguard the protection of employees’ personal data contained in them. Personal data contained in monitoring records should not be kept any longer than is necessary for fulfilling the stipulated purpose for which the records are to be used. Employers should also implement security and access control measures to safeguard the protection of personal data collected in monitoring records against unauthorised and accidental access, or wrongful use.
For more details about employee monitoring, please refer to "Privacy Guidelines: Monitoring and Personal Data Privacy At Work".
Privacy Commissioner Published an Article on “Vaccine Pass - Let’s Unite to Fight the Pandemic”
On 25 February 2022, Privacy Commissioner Ms Ada CHUNG Lai-ling published an article discussing the Vaccine Pass (which took effect on 24 February 2022) from the perspective of personal data privacy protection. The Privacy Commissioner highlighted that the introduction of the Hong Kong Vaccine Pass is in line with similar measures taken in the Mainland and other parts of the world, and that the Vaccine Pass does not fall afoul of any requirement of the PDPO.
The article was published in HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Ming Pao, Oriental Daily (contributed article for reporting), Sing Tao Daily, South China Morning Post, Ta Kung Pao and Wen Wei Po on 25 February 2022. Please click here to read the full version of the article.
Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attended Meeting of Legislative Council Panel on Constitutional Affairs
Mr Erick TSANG Kwok-wai, IDSM, JP, Secretary for Constitutional and Mainland Affairs, attended the Policy Briefing meeting of the Legislative Council Panel on Constitutional Affairs on 10 February 2022. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by Legislative Councillors on privacy issues and the work of the PCPD. In response to a question raised by a Member on whether the inclusion of the location tracking function in the “LeaveHomeSafe” mobile app complies with the provisions of the PDPO, the Privacy Commissioner pointed out that the PDPO is principle-based and does not prohibit the collection, holding, processing or use of personal data for the prevention of the spread of the COVID-19 coronavirus and the protection of public health, including the inclusion of a contact tracking function in the “LeaveHomeSafe” app. She said that the relevant government departments have to ensure compliance with the requirements of the PDPO when collecting personal data: the data collected must be adequate and necessary but not excessive in relation to the purpose of collection; the data must be collected in a lawful and fair way; and the data subject must be duly informed of the data collected, the purpose(s) for which the data will be used and the classes of possible transferees. In addition, section 59 of the PDPO provides an exemption from the restrictions on the use of personal data relating to the health, identity or location of a data subject in situations concerning the protection of public health. Regarding the enforcement of the Personal Data (Privacy) (Amendment) Ordinance 2021 since its commencement of operation in October 2021, the Privacy Commissioner pointed out that the enforcement actions had started to bear fruit, and that the PCPD made the first arrest for a suspected doxxing offence on 13 December 2021.
Please click here for the paper submitted by the Constitutional and Mainland Affairs Bureau to the Legislative Council Panel on Constitutional Affairs. Please click here for the opening remarks of the Secretary for Constitutional and Mainland Affairs at the Policy Briefing meeting of Legislative Council Panel on Constitutional Affairs (in Chinese only).
PCPD Promotes Say ‘NO’ to Cyberbullying for Children
To help children understand what “cyberbullying” is and the proper attitude towards using the Internet, the PCPD has recently published an educational leaflet for children entitled “New Digital Era, Say “No” to Cyberbullying”, and will distribute the leaflet to primary schools and non-government organisations serving children. Teachers, social workers and parents can use this leaflet to provide guidance on the protection of personal data to their students and children.
Please click here to download the leaflet (Chinese Only).
PCPD Established Anti-Pandemic Volunteer Team
In light of the deteriorating COVID-19 pandemic situation in Hong Kong, the PCPD has recently established the Anti-Pandemic Volunteer Team (Team) to contribute to the fight against the pandemic.
The Team was formed to contribute to the community’s efforts to combat the pandemic, and to provide assistance or resources to those in need.
Among its work, the Team will provide support to staff members who are infected with COVID-19 or who have infected family members, and those staff members who need to undergo mandatory testing. The Team will also organise volunteer activities, for example, by appealing for donations, donating and distributing masks, hand sanitizers, face masks, woollen caps, etc. to those in need.
Together, let’s unite to fight the pandemic!
Highlights of the Regulations on the Management of Algorithm Recommendations for Internet Information Services《互聯網信息服務算法推薦管理規定》的重點
On 31 December 2021, the Cyberspace Administration of China (CAC), together with three other authorities, jointly published the Regulations on the Management of Algorithm Recommendations for Internet Information Services (Regulations). The Regulations, which will take effect on 1 March 2022, aim to regulate the use of algorithm recommendations for internet information services to enhance protection of users’ rights. This article highlights some of the requirements relevant to the internet service providers that use algorithm recommendations.
The Regulations on the Management of Algorithm Recommendations for Internet Information Services (《互聯網信息服務算法推薦管理規定》, the Regulations), jointly published on 31 December 2021 by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation, will come into effect on 1 March 2022.
The Regulations were formulated on the basis of laws including the Personal Information Protection Law (《個人信息保護法》, PIPL), the Cybersecurity Law (《網絡安全法》) and the Data Security Law (《數據安全法》)[1], and regulate the provision of internet information services in the Mainland using algorithm recommendation technology (“algorithm recommendation services”). “Applying algorithm recommendation technology” means “using algorithmic technologies such as generation and synthesis, personalised push, sorting and selection, search and filtering, and scheduling and decision-making to provide information to users”[2].
The Regulations stipulate that algorithm recommendation service providers must establish and improve management systems and technical measures covering the review of algorithm mechanisms, technology ethics review, user registration, review of published information, data security and personal information protection, security assessment and monitoring, and emergency response to security incidents, and must formulate and publish the rules relating to their algorithm recommendation services[3]. Providers must also inform users in a conspicuous manner of the algorithm recommendation services being provided, and publicly display, in an appropriate manner, the basic principles, purposes and main operating mechanisms of those services[4]. The Regulations further require providers to develop modes suitable for use by minors[5], and to safeguard the lawful rights and interests of the elderly when providing services[6].
Contravention of the specified provisions of the Regulations may result in the cyberspace administration, telecommunications, public security, market regulation and other relevant departments, according to their respective duties, issuing a warning, ordering rectification within a time limit, and so on. In serious cases, a fine of up to RMB 100,000 may be imposed[7].
Algorithm recommendation service providers in the Mainland should also note the provisions of the PIPL on “automated decision-making”[8]. According to a commentary reposted by the Supreme People's Procuratorate[9], providing information to users through algorithmic technology may be regarded as a form of automated decision-making under the PIPL. The PIPL and the Regulations contain similar provisions on the use of automated decision-making and algorithms, for example:
- individuals or users must be offered options that are not targeted at their personal characteristics[10];
- where such technology is used to make decisions that have a significant impact on the rights and interests of individuals or users, an explanation must be given[11]; and
- such technology must not be used to impose unreasonable differential treatment on individuals or consumers in respect of transaction conditions such as transaction prices[12].
On the other hand, the Regulations require algorithm recommendation service providers with public opinion attributes or social mobilisation capabilities to conduct security assessments in accordance with the relevant provisions[13], but give no details of the assessment. The PIPL, by contrast, requires a personal information processor to conduct a personal information protection impact assessment before using personal information for automated decision-making[14]. The assessment covers: (1) whether the purposes and means of processing the personal information are lawful, legitimate and necessary; (2) the impact on the rights and interests of individuals and the security risks involved; and (3) whether the protective measures adopted are appropriate. The assessment report must be retained for at least three years[15].
[1] Article 1 of the Regulations
[2] Article 2 of the Regulations
[3] Article 7 of the Regulations
[4] Article 16 of the Regulations
[5] Article 18 of the Regulations
[6] Article 19 of the Regulations
[7] Article 31 of the Regulations
[8] That is, the activity of using computer programs to automatically analyse and assess an individual's behavioural habits, interests and hobbies, or economic, health or credit status, etc., and to make decisions on that basis (Article 73(2) of the PIPL)
[9] “Regulating Algorithm Recommendations and Strengthening Compliance Management for Personal Information Protection” (《規制算法推薦强化個人信息保護合規管理》): https://www.spp.gov.cn/spp/llyj/202202/t20220209_543869.shtml
[10] Article 24 of the PIPL; Article 17 of the Regulations
[11] Article 24 of the PIPL; Article 17 of the Regulations
[12] Article 24 of the PIPL; Article 21 of the Regulations
[13] Article 27 of the Regulations
[14] Article 55 of the PIPL
[15] Article 56 of the PIPL
RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.