PCPD e-NEWSLETTER
ISSUE Mar 2022
PCPD Issued Guidance for Employers on Collection and Use of Personal Data of Employees during the Fifth Wave
Since the onset of the fifth wave in early 2022, organisations in Hong Kong have been deploying epidemic prevention and control measures in the workplace to ensure the health and safety of employees. Employers normally collect employees' health data with a view to introducing effective anti-epidemic measures that reduce the risk of transmission of coronavirus variants in the workplace. From 1 January to 18 March this year, the Office of the Privacy Commissioner for Personal Data (PCPD) received 157 enquiries relating to the collection of employees' health data. Against this background, the PCPD has recently issued the "Guidance for Employers on Collection and Use of Personal Data of Employees during COVID-19 Pandemic" (Guidance) to help employers and employees understand the employers' obligations under the Personal Data (Privacy) Ordinance (PDPO) when it comes to the collection and use of employees' health data in the context of the pandemic. The Guidance provides the following recommendations:
- Necessity: Employers should only collect health data that is necessary for and directly related to the purpose(s) of data collection. Personal data irrelevant to or not strictly necessary for the prevention or control of COVID-19 in the workplace should not be collected. Under most circumstances, collection of the health data of an employee’s family member(s), such as their vaccination records, will not be considered necessary or proportionate.
- Data minimisation: The data collected by employers should be adequate but not excessive in relation to the purpose(s) for which it is collected. The least privacy intrusive measures should be adopted.
- Transparency: Employers should clearly convey all the requisite information to employees, such as by presenting a Personal Information Collection Statement.
- Retention and erasure: Employers should not retain the health data of employees for a period longer than is necessary. When the purpose of collection is fulfilled, the employer should permanently destroy that data.
- Accuracy: Employers should ensure that policies and systems be in place to maintain accurate and up-to-date vaccination information and test results of employees, if such information is collected.
- Security: Employers should take all practicable steps to protect the health data collected against unauthorised or accidental access, processing, erasure, loss or use, such as by locking paper records, encrypting electronic records, and limiting data access to authorised personnel on a need-to-know basis.
Together, We Fight the Virus – PCPD Anti-Epidemic Volunteer Team Donated Medical Supplies to Social Welfare Organisations
Privacy Commissioner Ms Ada Chung Lai-ling (4th from right) and the Volunteer Team donate medical supplies to social welfare organisations
The Anti-Epidemic Volunteer Team of the PCPD donated anti-epidemic medical supplies to social welfare organisations, namely, St. James’ Settlement, Hong Chi Association and Chung Sing Benevolent Society on 28 March 2022. The medical supplies included approximately 800 sets of rapid test kits, 300 hand sanitizers, 700 face masks and 200 pieces of protective gowns.
On 24 February 2022, the PCPD set up the Volunteer Team to contribute to the fight against the pandemic. The Volunteer Team was formed to provide assistance or resources to those in need. Apart from providing support to affected staff members, the Volunteer Team also organises volunteer activities, including appealing for donations to help those in need in society.
The PCPD is dedicated to the fight against the pandemic. We appeal to everyone to join hands to fight the virus. We believe that if we stand united, we will ride out the storm.
Privacy Commissioner Ms Ada CHUNG Lai-ling thanks medical staff, frontline workers and volunteers for their great contributions to the fight against the pandemic (Chinese Only)
Monitor Your Data Processor by Using Review Checklist
Outsourcing and entrusting personal data processing work by organisations to their agents is increasingly common. If an organisation engages data processors to process personal data on its behalf, it should review on an annual basis whether its management of those data processors is adequate and comprehensive. Organisations can devise a Data Processor Review Checklist for conducting the annual review.
A sample Data Processor Review Checklist is provided for reference.
PRIVACY COMMISSIONER'S FINDINGS
Unfair Audio-Recording of Conversations with a Subordinate by His Supervisor
An employee of a public organisation met with his supervisor twice to discuss the employee's work performance. After the meetings, the employee learned that the meetings had been audio-recorded and was dissatisfied with his supervisor's covert actions. The employee thus lodged a complaint with the PCPD.
PCPD's Findings
The employee's work performance was the subject of discussion at the meetings. The audio recordings of the meetings therefore constituted his personal data. The PCPD considered that the act of audio-recording the meetings was not unlawful. However, the supervisor failed to inform the employee of the audio-recording arrangement prior to the meetings. This amounted to unfair collection of the employee's personal data and was in breach of Data Protection Principle (DPP) 1(2). In addition, the supervisor also failed to inform the employee of the purpose of collection of his personal data on or before he started to audio-record the meetings, hence violating DPP 1(3).
In response to the PCPD's advice and to prevent the recurrence of similar incidents, the organisation established written guidelines instructing all staff who collect personal data by means of audio-recording to make it clear to those present at the time of recording that a recording would be made. It also reminded the supervisor that he must follow the said guidelines in future and included this incident in its employee training materials.
Regarding the incident, the PCPD issued a warning to the organisation, requesting it to review the relevant measures regularly and to closely monitor its employees' compliance with the said guidelines.
Lesson Learnt
Surreptitiously recording a conversation without the knowledge of the data subject may be regarded by the data subject as unwelcome or even intrusive upon personal data privacy. To avoid disputes, before audio-recording, the recording party should inform the data subject that the subsequent conversation will be recorded and of the purpose of the recording.
Protect Your Digital Identity
Digital identity is used to authenticate the identity of users of online services such as social media, instant messaging and mobile apps. A digital identity is generally bound to the user's personal information or devices, such as an email address, a phone number or a mobile device.
If a digital identity is stolen, fraudsters could gain access to the victim's online account, leading to a breach of personal or sensitive information. If the account involves monetary transactions, it may result in financial loss. Fraudsters could also send phishing or ransom emails to the victim to extort money, as well as impersonate the victim to engage in illegal online activities such as fraud or disseminating disinformation, causing damage to the victim's reputation or making the victim legally liable for such activities.
Here are tips on protecting your digital identity:
- Use two-factor or multi-factor authentication to strengthen the security of the account;
- Set different and strong passwords for different online services;
- Think twice before disclosing personal and sensitive information to guard against phishing attack;
- Do not allow the browser to remember your password if non-personal devices are used;
- Log out of the online service account immediately after use;
- Delete accounts no longer in use to avoid any undetected access due to lack of account management; and
- Pay close attention to notifications of suspicious account activities or transactions issued by service providers. If in doubt, promptly seek assistance from service providers.
Together, We Fight the Virus – Privacy Commissioner Appealed to University Students to Join Hands to Fight the Pandemic and Say “No” To Doxxing
Privacy Commissioner Ms Ada CHUNG Lai-ling appealed to university students to join hands to fight the pandemic at the webinar entitled “Doxxing is an offence – Personal Privacy and Doxxing in the Digital Era” organised by Hong Kong Baptist University on 8 March 2022.
The Privacy Commissioner started the webinar by urging students to stay vigilant against COVID-19 by maintaining personal hygiene and reducing social contact, so as to curb the spread of the virus in the community. The Privacy Commissioner then appealed to the students to say "No" to doxxing. Together with Acting Assistant Privacy Commissioner (Legal, Global Affairs and Research), Mr Dennis NG, the Privacy Commissioner gave the students an overview of the requirements of the Personal Data (Privacy) (Amendment) Ordinance 2021.
Privacy Commissioner Published an Article on "Vaccine Pass – Striking a Reasonable Balance Between Protecting Privacy and Public Health" in Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article in Hong Kong Lawyer discussing the Vaccine Pass from the perspective of the protection of personal data privacy. The Privacy Commissioner highlighted some privacy-protecting features of the Vaccine Pass and stressed that the Vaccine Pass did not fall afoul of any requirement of the PDPO. The Privacy Commissioner also pointed out that the introduction of the Vaccine Pass is in line with similar measures taken in the Mainland and other parts of the world.
Highlights of the Draft Regulations on the Protection of Minors on the Internet (《未成年人網絡保護條例(徵求意見稿)》)
On 14 March 2022, the Cyberspace Administration of China (CAC) published the Draft Regulations on the Protection of Minors on the Internet (Draft Regulations). The Draft Regulations seek to enhance protection of minors, including their personal information, in cyberspace. This article highlights some of the proposed requirements relevant to the protection of minors' personal information online.
In October 2021 this column briefly introduced the provisions on the processing of minors' personal information in the Mainland's Provisions on the Online Protection of Children's Personal Information (《兒童個人信息網絡保護規定》), the Law on the Protection of Minors (《未成年人保護法》) and the Personal Information Protection Law (《個人信息保護法》). On 14 March 2022, the CAC released another regulation relating to the protection of minors' personal information, the Regulations on the Protection of Minors on the Internet (Draft for Comments) (《未成年人網絡保護條例(徵求意見稿)》) [1] (the Draft Regulations). The Draft Regulations are open for public consultation, and the consultation period ends on 13 April 2022.
The Draft Regulations are formulated on the basis of the Law on the Protection of Minors, the Personal Information Protection Law and the Cybersecurity Law (《網絡安全法》), among other laws [2]. Beyond protecting minors' personal information, their provisions also cover the cultivation of online literacy and the regulation of online information content. Notably, the Draft Regulations do not define "minor". It is therefore believed that, unless an individual provision states otherwise, the definition of "minor" in the Draft Regulations should follow Article 2 of the Law on the Protection of Minors, namely "citizens under the age of eighteen".
As regards the processing of minors' personal information, the provisions of the Draft Regulations are broadly the same as the relevant provisions of the Personal Information Protection Law. For example, both require that a personal information processor may process a minor's personal information only where it has a specific purpose and sufficient necessity, adopts strict protective measures, conducts a personal information protection impact assessment beforehand, and obtains separate consent [3]. In addition, both require a personal information processor to obtain the consent of the guardian before processing the personal information of a minor under the age of fourteen [4].
On the other hand, the Draft Regulations draw on most of the provisions on personal information processing in the Personal Information Protection Law and adapt them to the circumstances of minors. For example, the Personal Information Protection Law provides that a personal information processor may not refuse to provide products or services on the ground that an individual does not consent or withdraws consent [5]; the Draft Regulations likewise provide that a personal information processor may not refuse to provide basic functional services on the ground that a minor or the minor's guardian refuses or withdraws consent [6]. Where a leakage of personal information occurs, the Personal Information Protection Law requires the personal information processor to notify the individual [7], whereas the Draft Regulations specify that the processor must notify the minor and the minor's guardian [8].
The Draft Regulations also contain provisions directed at network service providers and guardians. Among them, a network service provider that provides minors with services such as information publishing and instant messaging must require the minor or the minor's guardian to provide the minor's real identity information, failing which it may not provide the service to the minor [9]. The Draft Regulations also expressly set out the duties of guardians, including educating and guiding minors to strengthen their awareness of and ability to protect personal information, guiding minors in exercising their personal information rights (such as the rights to request access to, copying, transfer, correction, supplementation or deletion of personal information), and protecting minors' rights and interests in their personal information [10].
A serious violation of the provisions of the Draft Regulations on the protection of minors' personal information may attract a maximum fine of RMB 50 million or 5% of the previous year's turnover [11]. A provider of network products or services that violates the Draft Regulations may further be ordered to shut down its website and have its relevant business licence revoked, and be prohibited from re-applying for the relevant licence within five years [12].
[1] Full text of the Regulations on the Protection of Minors on the Internet (Draft for Comments): http://www.gov.cn/xinwen/2022-03/14/content_5678971.htm
[2] Article 1 of the Draft Regulations
[3] Articles 28, 29 and 55 of the Personal Information Protection Law; Article 37 of the Draft Regulations
[4] Article 31 of the Personal Information Protection Law; Article 35 of the Draft Regulations
[5] Article 16 of the Personal Information Protection Law
[6] Article 36 of the Draft Regulations
[7] Article 57 of the Personal Information Protection Law
[8] Article 41 of the Draft Regulations
[9] Articles 33 and 53 of the Draft Regulations
[10] Article 39 of the Draft Regulations
[11] Article 62 of the Draft Regulations
[12] Article 64 of the Draft Regulations
RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up to date with the latest news and legal developments!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.