PCPD e-NEWSLETTER
ISSUE Jul 2022
Privacy Awareness Week 2022
PCPD Hosted the 57th Asia Pacific Privacy Authorities Forum as a Celebratory Event of the 25th Anniversary of the Establishment of the HKSAR
The Office of the Privacy Commissioner for Personal Data (PCPD) hosted the 57th Asia Pacific Privacy Authorities (APPA) Forum virtually from 12 to 13 July 2022. Over 110 representatives from data protection authorities across the Asia Pacific region gathered at the APPA Forum to discuss a wide array of global privacy issues and to share regulatory and enforcement experiences.
In the opening session, Mr Erick TSANG Kwok-wai, IDSM, JP, Secretary for Constitutional and Mainland Affairs (SCMA), officiated at the APPA Forum and welcomed APPA members to the APPA Forum, which was being held as one of the celebratory events of the 25th anniversary of the establishment of the Hong Kong Special Administrative Region (click here for the full speech by SCMA).
Privacy Commissioner Ms Ada CHUNG Lai-ling appealed for greater and closer collaboration among data protection authorities in the Asia Pacific region. In her welcoming message, she said that the APPA Forum would offer excellent opportunities for APPA members to share knowledge, experiences and promote best practices in the privacy landscape.
The PCPD also showcased its work at the APPA Forum. On the first day of the APPA Forum, the Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Mr Cliff IP Wai-kee gave an update on the PCPD’s enforcement actions on doxxing. The Acting Chief Personal Data Officer (Compliance and Enquiries) Mr Brad KWOK Ching-hei shared the PCPD’s recent findings in the report on “Comparison of Privacy Settings of Social Media”, which holistically reviewed the performance of the top 10 most commonly used social media platforms in Hong Kong in terms of their privacy functions. On the second day of the APPA Forum, the Privacy Commissioner led a panel discussion entitled “Privacy Issues Arising from Emerging Technologies and the Regulatory Roadmaps”, with privacy/information commissioners or senior representatives from Australia, Canada, Japan and the United Kingdom joining as panellists. Other major topics of the APPA Forum included the following:
- Enforcement and legislative development;
- Guidance and outreach; and
- Cross-border data flows.
Founded in 1992, APPA is the principal forum for privacy and data protection authorities in the Asia Pacific region to strengthen cooperation, discuss best practices and share information on privacy regulations, new technologies and the handling of enquiries and complaints related to privacy. The 57th APPA Forum was one of the highlights of Privacy Awareness Week (PAW) 2022, the theme of which was “Privacy Protection in Digital Era”. Besides the 57th APPA Forum, the PCPD and the Hong Kong Association for Computer Education jointly organised a webinar on “Learning and Educating Privacy on Social Media” on 15 July (see the second item under What’s On). The PCPD also launched other promotional activities during the PAW.
International: UK and South Korea Reach Data Adequacy Agreement in Principle
EU: EDPB Publishes EDPB-EDPS Joint Opinion on Proposal for a Regulation on European Health Data Space
France: CNIL Addresses GDPR Compliance Within Proposed DGA and Data Act
Sanctions under EU GDPR and Recent Data Regulations: A Case of Double Jeopardy?
What is a Privacy Policy Statement?
Most organisations collect personal data from their clients, customers and employees. To fulfil the requirements of openness and transparency under the Data Protection Principle (DPP) 5, a Privacy Policy Statement (PPS) is required at all times if an organisation controls the collection, holding, processing or use of personal data. It is a good practice to have a PPS in written form to effectively communicate your organisation’s data management policies and practices.
A PPS is a general statement about an organisation’s privacy policies and practices in relation to the personal data it handles. Typically, it covers a wider scope than a Personal Information Collection Statement: in addition to the core elements of that statement, it includes other privacy-related policies and practices such as the data retention policy, data security measures, data breach handling, and the use of special tools such as cookies on websites.
What goes into a PPS?
- Statement of policy: this is to express an organisation’s overall commitment in protecting the privacy interests of the individuals who provide information about themselves to the organisation.
- Statement of practices: this includes the kind of personal data held by the organisation and the purposes for which it uses the data. The kind of personal data collected should depend on the organisation’s actual operational needs, which may include identification information, contact details, financial details, interests, preferences, location information of mobile devices, browser details and IP addresses. Common purposes for which these types of personal data are used may include the delivery of goods/services, the management of accounts, the processing of orders, the facilitation of website access, the compilation of aggregate statistics on website usage.
How to build an effective PPS?
To effectively communicate your organisation’s privacy policies and practices with your clients, customers and employees, you may review your own PPS by making reference to the recommended good practices below:
- Use proper headings and adopt a layered approach to presentation where the privacy policies and practices are complex and lengthy.
- State clearly:
- whether the website allows access by individuals who do not accept cookies, and what loss of functionality may result from not accepting cookies;
- how long the personal data will be retained;
- how to make a deletion request;
- how sensitive personal data will be used, processed, handled and transferred;
- that personal data would be disclosed to specified parties with the data subject’s express and voluntary consent, if that is the case;
- how your organisation ensures the security and confidentiality of the personal data collected;
- what personal data will be transferred to specified service providers and how the service providers will ensure protection of the personal data collected;
- your policy on handling individuals’ requests to access and to correct individuals’ personal data held; and
- the contact details (e.g. office and email addresses) of the officer in your organisation who will answer enquiries.
PRIVACY COMMISSIONER’S FINDINGS
An Employer Disclosed the Personal Data of a Staff Member who was Considered for Promotion
The Complaint
The complainant was considered for promotion by his employer. In addition to setting up a selection board for considering the suitability of the complainant, the employer also consulted all staff about the work performance of the complainant and disclosed his full resume and date of birth to them for reference.
The complainant was dissatisfied that his employer recklessly disclosed his personal data without obtaining his prior consent. Hence, he made a complaint to the PCPD.
Outcome
The employer claimed that the disclosure of the complainant’s personal data to all staff was to seek their comments on the complainant’s work performance for consideration of promotion. However, the employer could have achieved that purpose by consulting only the staff members directly related to the complainant’s post (e.g. the complainant’s supervisor and teammates). There was no actual need to disclose the complainant’s full resume and date of birth to all staff. The PCPD therefore considered such act to be a contravention of DPP 3.
After the PCPD’s intervention, the employer amended the procedure for reviewing staff promotion and undertook that it would disclose the full resume and date of birth of staff being considered for promotion only to the selection board in future. Moreover, the employer apologised to the complainant and requested other staff members to destroy the complainant’s personal data.
Lessons Learnt
According to the PCPD’s Code of Practice on Human Resource Management (Code of Practice), an employer should not disclose employment-related data of employees to a third party without first obtaining the employees’ express and voluntary consent unless the disclosure is for purposes directly related to the employment, or such disclosure is required by law or by statutory authorities. Moreover, when employment-related data is transferred or disclosed to a third party, an employer should avoid disclosure of data in excess of what is necessary for the purpose of use by the third party.
While organisations need to use personal data for human resource management, they should comply with the Personal Data (Privacy) Ordinance (PDPO) and the Code of Practice. Apart from customers’ personal data, organisations are also responsible for the protection of employees’ personal data in order to create a working environment and operational model conducive to personal data privacy protection.
Tips for Using Cloud Services
In order to reduce the costs of IT equipment, increase operational efficiency and improve agility, cloud-computing adoption in organisations has been expanding rapidly. Some organisations have migrated their data storage systems from on-premise servers to cloud platforms during the pandemic to ensure business continuity. However, transferring personal data to cloud platforms might pose privacy risks. Here are some practical tips that an organisation may adopt to mitigate such risks and manage its responsibilities under the PDPO when using cloud services:
- Carefully evaluate the standard services and contract terms provided by the Cloud Service Provider (CSP) to see if they meet the requirements of the PDPO and commonly accepted data security standards, and ask for ‘customised’ contract terms if necessary;
- Require the CSP to notify the organisation of data breaches so that speedy remedial action may be taken;
- Obtain formal, contractual assurance from the CSP that the same level of protection and compliance controls are equally applicable to their sub-contractors;
- Scrutinise the audit reports on data security and privacy compliance of the CSP, if it is not possible to audit the operation of the CSP; and
- Implement encryption for personal data in transit to and from cloud and in cloud storage.
PCPD Organised a Webinar on “Protection of Personal Data Privacy for Property Management Sector”
The PCPD organised a webinar on “Protection of Personal Data Privacy for Property Management Sector” on 27 July 2022. The event attracted more than 700 participants from the property management sector and the general public.
At the webinar, which was supported by the Property Management Services Authority, Privacy Commissioner Ms Ada CHUNG Lai-ling introduced to the participants the key findings of the recent investigation report on the improper handling of the personal data of residents and visitors by property management companies, while Ms Amy CHAN Mei-yee, Chief Personal Data Officer (Complaints) of PCPD, elaborated on the new edition of the Guidance for the Property Management Sector issued by the PCPD last month. Dr Johnnie CHAN Chi-kau, SBS, BBS, JP, Immediate Past President of the Hong Kong Association of Property Management Companies and Chief Executive Officer of Savills Services Group, spoke as the guest speaker and was invited to share the property management sector’s best practices in data management with the participants.
Privacy Commissioner Ms Ada CHUNG Lai-ling (top left), Immediate Past President of the Hong Kong Association of Property Management Companies and Chief Executive Officer of Savills Services Group Dr Johnnie CHAN Chi-kau, SBS, BBS, JP (top right), and Chief Personal Data Officer (Complaints) of PCPD Ms Amy CHAN Mei-yee (bottom), spoke at a webinar on “Protection of Personal Data Privacy for Property Management Sector”.
Privacy Commissioner Published an Article on “Cross-border transfers of personal data” at the CGj, the Journal of the Hong Kong Chartered Governance Institute
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article at the CGj, the journal of the Hong Kong Chartered Governance Institute, to discuss the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (Guidance) and the compliance requirements for transfers of personal data from Hong Kong to other jurisdictions. Please click here to read the article. The PCPD issued the Guidance in May and introduced two sets of Recommended Model Contractual Clauses for cross-border transfers of personal data, which may be adopted by small and medium-sized enterprises in order to comply with the requirements of the PDPO (Cap. 486) and good data ethics.
Please click here to download the Guidance.
Showcasing Hong Kong – Privacy Commissioner Spoke at the Closing General Session of the International Association of Privacy Professionals’ Asia Pacific Forum in Singapore
Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a speech virtually at the Closing General Session, themed “Regional Regulatory Update from Hong Kong Privacy Commissioner Ada Chung”, at IAPP’s Asia Pacific Forum held in Singapore on 19 July 2022.
In the session, the Privacy Commissioner gave an update on the work of the PCPD in some key areas, such as the PCPD’s enforcement actions against doxxing, responding to the privacy concerns relating to the fight against the pandemic and enhancing collaboration with regulators in other jurisdictions. The Privacy Commissioner also discussed the privacy challenges arising from the digitalisation of our society and how organisations can build better relationships with their regulators.
Reaching Out to Schools – PCPD Organised the “Learning and Teaching Privacy on Social Media” Online Forum
The PCPD and the Hong Kong Association for Computer Education (HKACE) jointly organised the “Learning and Teaching Privacy on Social Media” Online Forum on 15 July 2022, which attracted over 300 participants from the education sector. The event, which was tailored for principals, teachers and social workers of primary and secondary schools, was supported by the Education Bureau.
At the event, Acting Chief Personal Data Officer (Compliance & Enquiries) Mr Brad KWOK shared the findings of the PCPD’s Report on “Comparison of Privacy Settings of Social Media” and explained the key points of the doxxing offences under the Personal Data (Privacy) (Amendment) Ordinance 2021. Vice Principal of Hong Kong True Light College and HKACE Chairman Mr CHU Ka-tim, together with STEM Education & e-Learning Coordinator of St. Edward’s Catholic Primary School and HKACE Publications Officer Ms CHENG Yuen-ting, also shared their experience in teaching social media etiquette with the participants.
Please click here for the presentation deck (Chinese only).
Reaching Out to the Community – Privacy Commissioner Met with Representatives of RainLily
Privacy Commissioner Ms Ada CHUNG Lai-ling, Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Mr Cliff IP Wai-kee, and Chief Personal Data Officer (Complaints) Ms Amy CHAN Mei-yee, met, upon invitation, with the Executive Director of RainLily Ms Linda WONG and other representatives of RainLily on 14 July 2022 by videoconferencing to exchange views on their concerns. The Privacy Commissioner explained to the attendees the new doxxing offences under the Personal Data (Privacy) (Amendment) Ordinance 2021, the related statutory powers conferred on the Privacy Commissioner, as well as the procedures on how the Privacy Commissioner’s office handles and follows up on doxxing cases and complaints involving intimate images.
Appointment of New SCTD Member
Privacy Commissioner Ms Ada CHUNG Lai-ling announced the appointment of Ir Alex Chan to the Standing Committee on Technological Developments (SCTD) of the PCPD. He is appointed for a tenure of two years from 1 July 2022 to 30 June 2024. Ir Alex Chan is the General Manager of the Digital Transformation Division at the Hong Kong Productivity Council (HKPC). He is a seasoned IT consultancy professional with more than 20 years of experience in the consultancy, utilities and telecommunication industries. He currently leads the units of industry consulting, digital enablement and cybersecurity in HKPC, including the Hong Kong Computer Emergency Response Team. He is a fellow member of The Hong Kong Computer Society and a corporate member of The Hong Kong Institution of Engineers. The Privacy Commissioner would also like to take the opportunity to thank the outgoing member, Prof Y B Yeung, for his invaluable contributions and advice to the SCTD over the years. The current membership of the SCTD is as follows:
- Ms Ada CHUNG Lai-ling (Privacy Commissioner) (Co-chairperson)
- Mr Dennis NG (Acting Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs & Research)) (Co-chairperson)
- Ir Alex CHAN (new member)
- Mr Francis FONG
- Prof Jason LAU
- Mr Mark PARSONS
- Prof K F WONG
- Prof S M YIU
The SCTD was established to advise the Privacy Commissioner on, among other things, the impacts of the developments in the processing of data and information technology on the privacy of individuals in relation to personal data.
PCPD Made an Arrest for a Suspected Doxxing Offence
The PCPD arrested a Chinese female aged 35 in New Territories East on 26 July 2022. She was suspected of having disclosed the personal data of a data subject (the complainant) without her consent, in contravention of section 64(3A) of the PDPO.
The investigation revealed that the arrested person and the complainant, both online traders, had had a business relationship which later turned sour because of a monetary dispute. In December 2021, the personal data of the complainant and her husband was disclosed in about 14 groups on a social media platform, alongside allegations of fraudulent behaviour. The personal data disclosed included the Chinese names, phone number and photos of the complainant and her husband. The arrested person was granted bail. The PCPD will continue its investigation into the case.
The PCPD reminds members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for 5 years. The PDPO applies equally to the online world. To avoid breaking the law, members of the public should think twice before publishing or forwarding any doxxing messages on the internet or social media.
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
(a) the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
(b) the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
Hong Kong and Singapore Authorities Renewed MOU to Maintain Close Ties and Foster Closer Collaboration in Personal Data Protection
The PCPD and Singapore’s Personal Data Protection Commission (PDPC) signed and renewed their Memorandum of Understanding (MOU) to maintain their existing ties and foster closer cooperation with an enhanced scope of collaboration in personal data protection. The MOU was signed virtually on 13 July 2022, on the sidelines of the 57th APPA Forum, by Privacy Commissioner Ms Ada CHUNG Lai-ling and Mr YEONG Zee Kin, Deputy Commissioner of Singapore’s PDPC, in their respective jurisdictions. Under the MOU, the scope of collaboration between the two data protection authorities includes, among others, the exchange of information and sharing of best practices involving data protection policies and enforcement actions, coordination and provision of mutual assistance in joint investigations into cross-border personal data incidents, and collaboration in education and training. Privacy Commissioner Ms Ada CHUNG Lai-ling believed that the MOU formed a solid basis for the working relationship between the two data protection authorities and established an enhanced framework for collaboration and practicable cooperation, and that an effective cooperation mechanism would be beneficial to both authorities on various fronts, ranging from enforcement actions to promotion and public education. Mr YEONG Zee Kin, Deputy Commissioner of the PDPC, said that fostering a closer relationship and maintaining a collaborative effort with its counterparts in Hong Kong and other jurisdictions was needed for advancing data protection in a globalised world.
Background
Hong Kong’s PCPD and Singapore’s PDPC continue to enjoy warm working relations in global personal data protection, with both regulatory authorities being active members of international organisations such as APPA and the Global Privacy Enforcement Network. In May 2019, the two authorities signed an MOU to develop bilateral platforms for the advancement of personal data protection. The MOU signed on 13 July 2022 demonstrates both authorities’ commitments to stepping up collaboration and cooperation in the protection of personal data privacy in new and emerging areas such as artificial intelligence and cross border data flows.
Hong Kong’s Privacy Commissioner Ms Ada CHUNG Lai-ling (top), and Deputy Commissioner of Singapore’s PDPC Mr YEONG Zee Kin (bottom) signed an MOU on 13 July 2022 at a virtual signing ceremony.
Latest Development of Rules and Regulations in Relation to Cross-border Transfers of Personal Information in the Mainland 內地個人信息出境相關法規的最新發展
In recent months, authorities in the Mainland have published a number of rules and regulations in relation to cross-border transfers of personal information, namely the Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information; the Draft Rule on the Standard Contractual Clauses for Cross-border Transfers of Personal Information; and the Measures on Security Assessment of Cross-border Data Transfer. This article gives you an overview of these rules and regulations.
In recent months, the National Information Security Standardization Technical Committee (TC260) and the Cyberspace Administration of China (CAC) have successively released draft-for-comment or final versions of several rules relating to cross-border transfers of personal information from the Mainland, covering three areas: security certification, standard contracts and security assessment. The main content of each is introduced below.
1. Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information[1]
TC260 released a draft for comment of the Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information (the Specifications) in April 2022 (introduced in this column in May 2022), and released the final version of the Specifications on 24 June 2022.
The Specifications set out the basic requirements for certification bodies to conduct personal information protection certification of cross-border personal information handling activities, and apply to[2]:
- cross-border personal information handling activities between subsidiaries or affiliated companies of multinational companies or of the same economic or business entity;
- personal information handling activities to which Article 3(2) of the Personal Information Protection Law applies[3].
The Specifications set out a number of basic principles for the cross-border handling of personal information[4], and require personal information handlers and overseas recipients to sign legally binding agreements, designate a person in charge of personal information protection, and conduct a personal information protection impact assessment in advance[5]. In addition, the Specifications also provide safeguards for personal information subjects[6], including the rights to withdraw consent and to access and delete their personal information.
Compared with the draft for comment, the final version of the Specifications has not changed substantially. Some of the major revisions include:
- a new requirement that personal information handlers applying for personal information protection certification and carrying out cross-border handling activities must comply with both the Information Security Technology – Personal Information Security Specification[7] and the Specifications[8];
- the term “relevant parties participating in cross-border personal information handling activities” used in the draft has been replaced throughout the final version with the clearer “personal information handlers and overseas recipients carrying out cross-border personal information handling activities”;
- deletion of the requirement that handlers refer to the latest version of the Information Security Technology – Guidance for Personal Information Security Impact Assessment[9] when conducting a personal information protection impact assessment[10];
- addition of the right of personal information subjects to withdraw the consent given to the cross-border handling of their personal information; and
- addition of the obligation of personal information handlers and overseas recipients to take remedial measures and give notification immediately when leakage, tampering or loss of personal information occurs or may occur[11].
The Specifications do not mention an implementation date, and may therefore be understood to take effect from the date of release (i.e. 24 June 2022).
2. Draft Rule on the Standard Contractual Clauses for Cross-border Transfers of Personal Information[12]
The CAC released the Draft Rule on the Standard Contractual Clauses for Cross-border Transfers of Personal Information (the Draft Rule) on 30 June 2022; the consultation period ended on 29 July. The Draft Rule contains thirteen articles and is accompanied by a template standard contract for cross-border transfers of personal information.
The Draft Rule is formulated under the Personal Information Protection Law[13]. A personal information handler that provides personal information overseas by entering into a contract with the overseas recipient under Article 38(1)(iii) of the Personal Information Protection Law[14] must sign the standard contract for cross-border transfers of personal information (the Standard Contract) in accordance with the Draft Rule[15]. In addition, the Draft Rule provides that any other contracts signed between the personal information handler and the overseas recipient in connection with the cross-border transfer must not conflict with the Standard Contract[16].
The Draft Rule states that a personal information handler may provide personal information overseas by signing the Standard Contract if it meets all of the following conditions[17]:
- it is not a critical information infrastructure operator;
- it handles the personal information of fewer than 1 million individuals;
- it has cumulatively provided the personal information of fewer than 100,000 individuals overseas since 1 January of the previous year; and
- it has cumulatively provided the sensitive personal information of fewer than 10,000 individuals overseas since 1 January of the previous year.
Under the Draft Rule, a personal information handler must conduct a personal information protection impact assessment in advance[18], and file the assessment report together with the Standard Contract with the cyberspace administration authority within 10 working days of the effective date of the contract[19]. If the purpose, type or sensitivity of the personal information provided overseas changes, or if changes to the laws and regulations of the place where the recipient is located may affect the rights and interests in personal information, the personal information handler must re-sign the Standard Contract and file it again[20].
As regards the personal information protection impact assessment, the Draft Rule also sets out the matters to be assessed as a priority[21], including:
- the legality, legitimacy and necessity of the purpose, scope and method of handling personal information by the personal information handler and the overseas recipient;
- the quantity, scope, type and sensitivity of the personal information transferred overseas, and the risks that the cross-border transfer may pose to the rights and interests in personal information;
- whether the responsibilities and obligations undertaken by the overseas recipient, and the management and technical measures and capabilities for fulfilling them, can safeguard the security of the personal information transferred overseas;
- the risks of leakage, damage, tampering or misuse of the personal information after the transfer, and whether the channels for individuals to safeguard their rights and interests in personal information are unobstructed; and
- the impact of the personal information protection policies and regulations of the place where the overseas recipient is located on the performance of the Standard Contract.
It is worth noting that the Personal Information Protection Law likewise requires personal information handlers to conduct a personal information protection impact assessment before providing personal information overseas[22], but the assessment content set out in the Draft Rule is more specific than the relevant provisions of the Personal Information Protection Law[23].
As for the Standard Contract itself, its content covers the obligations of the personal information handler and the overseas recipient[24], the impact of the relevant policies and regulations of the place where the overseas recipient is located on compliance with the contract terms[25], the rights of personal information subjects[26], and the means by which personal information subjects may seek remedies[27]. Appendix II of the contract also allows the personal information handler and the overseas recipient to add other terms.
3. Measures on Security Assessment of Cross-border Data Transfer[28]
Following the release of the Measures on Security Assessment of Cross-border Data Transfer (Draft for Comment) in October last year (introduced in this column in November 2021), the CAC released the final version of the Measures on Security Assessment of Cross-border Data Transfer (the Measures) on 7 July 2022. The Measures will come into force on 1 September this year[29].
The Measures apply to the security assessment of the provision overseas, by data handlers, of important data and personal information collected and generated during operations within the Mainland[30]. “Important data” means “data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc.”[31] It is worth noting that the Information Security Technology – Guideline for Identification of Important Data (Draft for Comment) released by TC260 on 7 January 2022 states that “important data does not include state secrets or personal information, but statistical data and derivative data formed on the basis of massive amounts of personal information may constitute important data”[32].
Compared with the draft version, the Measures revise some of the requirements and procedures for the security assessment, but the content has not changed much overall. One of the major revisions concerns the circumstances in which a security assessment of the cross-border data transfer must be applied for. A data handler that provides data overseas in any of the following circumstances must apply to the national cyberspace administration, through the provincial-level cyberspace administration of the place where it is located, for a security assessment of the cross-border data transfer[33]:
- the data handler provides important data overseas;
- a critical information infrastructure operator, or a data handler handling the personal information of more than 1 million individuals, provides personal information overseas;
- a data handler that has cumulatively provided the personal information of 100,000 individuals, or the sensitive personal information of 10,000 individuals, overseas since 1 January of the previous year provides personal information overseas;
- other circumstances in which the national cyberspace administration requires an application for a security assessment of the cross-border data transfer.
These circumstances are precisely the converse of the circumstances described in Part 2 above in which the Draft Rule permits personal information to be provided overseas by signing the Standard Contract.
Another major revision concerns the matters covered by the security assessment. The Measures require a data handler, before applying for the security assessment, to conduct a self-assessment of the risks of the cross-border data transfer, focusing on the following matters[34]:
- the legality, legitimacy and necessity of the purpose, scope and method of the cross-border data transfer and of the handling of the data by the overseas recipient;
- the scale, scope, type and sensitivity of the data transferred overseas, and the risks that the transfer may pose to national security, the public interest, or the lawful rights and interests of individuals or organisations;
- whether the responsibilities and obligations undertaken by the overseas recipient, and the management and technical measures and capabilities for fulfilling them, can safeguard the security of the data transferred overseas;
- the risks of the data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during and after the transfer, and whether the channels for safeguarding rights and interests in personal information are unobstructed;
- whether the contract relating to the cross-border data transfer, or other legally binding documents (collectively, legal documents), to be concluded with the overseas recipient adequately stipulates the responsibilities and obligations for data security protection; and
- other matters that may affect the security of the cross-border data transfer.
The matters to be assessed above are similar to, but not identical with, the content of the personal information protection impact assessment under the Draft Rule discussed in Part 2 above, and should therefore not be understood as the same assessment.
The Measures make a number of revisions to the procedure for applying for the security assessment. The data handler must first submit the application materials to the provincial-level cyberspace administration. The provincial-level cyberspace administration must complete its check within 5 working days of receipt of the application materials and forward applications with complete materials to the national cyberspace administration[36]. The national cyberspace administration must, within 7 working days of receipt of the application materials, decide whether to accept the application and notify the data handler in writing[37], and complete the security assessment within 45 working days of issuing the written notice of acceptance[38]. For complex cases, or where the materials need to be supplemented or corrected, the national cyberspace administration may extend the period as appropriate and inform the data handler of the expected extension[39]. The Measures also add a re-assessment mechanism, under which a data handler that disagrees with the assessment result may apply for re-assessment within 15 working days of receiving the result; the result of the re-assessment is final[40]. The Measures further add a provision that the relevant authorities may hold data handlers that deliberately submit false materials legally liable in accordance with the law[41].
The result of a security assessment that has been passed is valid for 2 years, and the Measures clarify that this period is counted from the date the assessment result is issued. The Measures also make some changes to the circumstances in which a data handler must re-apply for assessment during the validity period, which are as follows[42]:
- where there is a change in the purpose, method, scope or type of data provided overseas, or in the purpose or method of handling of the data by the overseas recipient, that affects the security of the data transferred overseas, or where the period for which personal information and important data are retained overseas is extended;
- where there is a change in the data security protection policies and regulations or the cybersecurity environment of the place where the overseas recipient is located, other force majeure circumstances occur, the actual control of the data handler or the overseas recipient changes, or the legal documents between the data handler and the overseas recipient are amended, affecting the security of the data transferred overseas;
- other circumstances arise that affect the security of the data transferred overseas.
The Measures likewise require a data handler to re-apply for assessment 60 working days before the expiry of the validity period in order to continue the cross-border data transfer activities[43]. However, the requirement in the draft version that cross-border data transfer activities must cease if re-assessment is not applied for as required[44] is not expressly provided for in the Measures.
Finally, the Measures require that cross-border data transfer activities already carried out before 1 September 2022 (i.e. before the Measures come into force) that do not comply with the Measures must be rectified within 6 months from 1 September[45].
1. Notice on the release of the Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information: https://www.tc260.org.cn/front/postDetail.html?id=20220624175016
2. Specifications, section 1 Applicable scenarios
3. That is, the handling outside the Mainland of the personal information of natural persons within the Mainland, for the purpose of providing products or services to natural persons within the Mainland; analysing or evaluating the behaviour of natural persons within the Mainland; or other circumstances provided for by laws and administrative regulations.
4. Specifications, section 3 Basic principles
5. Specifications, section 4 Basic requirements
6. Specifications, section 5 Protection of the rights and interests of personal information subjects
7. GB/T 35273
8. Specifications, Abstract
9. GB/T 39335
10. Specifications, section 4.4 Personal information protection impact assessment
11. Specifications, section 5.2 Responsibilities and obligations of personal information handlers and overseas recipients
12. CAC notice on public consultation on the Draft Rule on the Standard Contractual Clauses for Cross-border Transfers of Personal Information: http://www.cac.gov.cn/2022-06/30/c_1658205969531631.htm
13. Draft Rule, Article 1
14. That is, where a personal information handler genuinely needs to provide personal information overseas for business or other reasons, it must enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration, stipulating the rights and obligations of both parties.
15. Draft Rule, Article 2
16. Draft Rule, Article 2
17. Draft Rule, Article 4
18. Draft Rule, Article 5
19. Draft Rule, Article 7
20. Draft Rule, Article 8
21. Draft Rule, Article 5
22. Personal Information Protection Law, Article 55(4)
23. Personal Information Protection Law, Article 56
24. Standard Contract, Articles 2 and 3
25. Standard Contract, Article 4
26. Standard Contract, Article 5
27. Standard Contract, Article 6
28. Full text: http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
29. Measures, Article 20
30. Measures, Article 2
31. Measures, Article 19
32. Information Security Technology – Guideline for Identification of Important Data (Draft for Comment), section 3.1 Important data
33. Measures, Article 4
34. Measures, Article 5
35. Measures on Security Assessment of Cross-border Data Transfer (Draft for Comment), Article 5
36. Measures, Article 7
37. Measures, Article 7
38. Measures, Article 12
39. Measures, Article 12
40. Measures, Article 13
41. Measures, Article 11
42. Measures, Article 14
43. Measures, Article 14
44. Measures on Security Assessment of Cross-border Data Transfer (Draft for Comment), Article 12
45. Measures, Article 20
RECOMMENDED ONLINE TRAININGS
Online Professional Workshop on Data Protection in Insurance
This Workshop is designed for insurance practitioners who wish to acquire the knowledge to protect customers’ personal data when providing insurance services to the public. It will highlight the key features of the “Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry” and examine core concepts of data protection compliance through scenarios drawn from industry operations, highlighting the potential problems or risks that insurance practitioners may encounter and the relevant solutions.
Date: 10 Aug 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry.
Online Practical Workshop on Data Protection Law
With the increasing privacy awareness among members of the public, protection of personal data privacy has become an important aspect for organisations in gaining customers’ trust and confidence. Conducted by experienced lawyers of the PCPD, this workshop aims to help participants who are responsible for advising on compliance with the PDPO to acquire a solid knowledge of the application and interpretation of the provisions of the PDPO.
Date: 17 Aug 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: solicitors, barristers, in-house legal counsels, data protection officers, compliance officers
Other Professional Workshops on Data Protection in Aug and Sep 2022:
Free Online Seminar: Introduction to the PDPO
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.