PCPD e-NEWSLETTER
ISSUE Sep 2022
Privacy Commissioner’s Office Sets up Fraud Prevention Hotline 3423 6611
Public Urged to Guard Against Personal Data Fraud
The PCPD noted that numerous fraud cases in various forms were reported recently, involving the use of phishing calls, emails or SMS messages by swindlers who impersonated officers of different organisations, such as the Department of Health, the Social Welfare Department, the Consumer Council and banks. The calls, etc. were made with a view to obtaining sensitive personal data from the public. The personal data involved included the victims’ names, phone numbers, Hong Kong Identity (HKID) card numbers, bank account numbers and passwords, credit card information, health records, etc., the disclosure of which caused monetary losses to the victims or their friends or relatives.
From January to August 2022, the PCPD received 386 enquiries and 17 complaints in relation to the use of personal data for fraudulent purposes, examples of which include:
• Impersonating an officer of the Centre for Health Protection: The fraudster claimed that the victim had been infected with COVID-19, or had become a close contact owing to contacts with a confirmed patient and had to be quarantined, thereby seeking to obtain the victim’s personal data.
• Impersonating a law enforcement officer of the Mainland: The fraudster was able to provide the name and HKID card number of the victim. The fraudster claimed that the victim had smuggled vaccines or was involved in money laundering. The call was then transferred to another fraudster impersonating another law enforcement officer in order to obtain the personal data of the victim.
• Impersonating an employee of a courier company: The fraudster provided a link similar to that of the courier company’s website, asking the victim to provide his or her address for mail delivery and pay for the postage. The fraudster then sought to obtain personal data such as the victim’s credit card number and name.
In view of the recent increase in the number of fraud cases involving phishing calls, emails or SMS messages, the PCPD has set up a “Personal Data Fraud Prevention Hotline” 3423 6611 to handle enquiries or complaints from members of the public in relation to suspected data fraud cases. In cases of identity theft involving the commission of criminal offences, members of the public should also report the case to the Police. In addition, Privacy Commissioner Ms Ada CHUNG Lai-ling offered eight tips to safeguard personal data:
On Receipt of Suspicious Calls, Emails or SMS Messages
1. Calls with “+852”: Beware of caller numbers displayed on mobile phones with a “+” sign as a prefix, which indicates that the call originates from a place outside Hong Kong. An unfamiliar call showing the prefix “+852” is therefore likely to come from a caller masquerading as a local caller;
2. Verify authenticity: Even if a stranger possesses your personal data, such as your full name, HKID card number or date of birth, be wary of the true identity of the stranger. Contact the relevant organisations to verify the authenticity of the caller;
3. Be vigilant: Do not disclose any personal data, including HKID card number, bank account number and password, and credit card information etc., to others arbitrarily; and
4. Be careful with links: Avoid opening attachments or clicking links in suspicious emails or SMS messages.
Use of Online Personal Accounts
5. Keep an eye on your accounts: Monitor transactions in online personal accounts from time to time and watch out for any unusual log-in records of the accounts and personal emails; and
6. Password protection: Change the passwords of online personal accounts from time to time and activate the two-factor authentication feature (if any).
Keeping Abreast of the Latest News
7. Fraud prevention information: Pay attention to fraud prevention messages by the Police or relevant organisations to avoid phishing websites or fraudulent calls; and
8. Reminding friends and relatives: Share information about fraud cases with friends and relatives (especially the elderly and the young) to raise their awareness of fraud.
In this issue:
- Data Erasure is Crucial for Every Organisation
PRIVACY COMMISSIONER’S FINDINGS
- A Bank Recorded Phone Conversation Without Sufficiently Informing Customers
- Personal Data Security in the Cyber World – Recommended Technical and Operational Security Measures to Consider
- Privacy Commissioner’s Office Launches Short Video Competition for Primary School Students under the “Primary School Students Data Protection Campaign 2022”
- A 46-year-old Chinese Male Arrested for a Suspected Doxxing Offence
- A 31-year-old Chinese Male Arrested for a Suspected Doxxing Offence
- The Mainland’s Security Assessment Measures on Cross-border Transfers of Data Take Effect on 1 September 2022
RECOMMENDED ONLINE TRAININGS
- Online Professional Workshops
- Free Online Seminar: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
RENEWAL OF DPOC’S MEMBERSHIP
- Understanding Mainland Laws – Privacy Commissioner’s Office organises a Webinar on “The Mainland’s Security Assessment Measures on Cross-border Transfers of Data”
- Enhancing Cybersecurity – Privacy Commissioner’s Office Organises a Webinar on Cybersecurity
- Reaching Out to Governance Professionals – Interview with Privacy Commissioner by CGj, journal of The Hong Kong Chartered Governance Institute
- Reaching Out to Legal Professionals – Assistant Privacy Commissioner Spoke at Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021” Organised by The Small and Medium Law Firms Association of Hong Kong
- PCPD Reruns the Public Webinar on “Protection of Personal Data Privacy for Property Management Sector”
- Showcasing Hong Kong – Assistant Privacy Commissioner Spoke at the World Congress on Innovation & Technology 2022
- Reaching Out to Information Security Sector – Head of Compliance Attended the Information Security Summit 2022
- Reaching Out to Legal Professionals – Privacy Commissioner Spoke at the 2022 Annual Conference of In-House Lawyers
- Nurturing Young Talents – Privacy Commissioner Presented the Privacy Commissioner Prizes in Privacy and Data Protection Law 2020-21 and 2021-22
- Reaching out to Healthcare Sector – Privacy Commissioner Spoke at the AI and Big Data Research for Health Improvement Symposium
- Highlights of the Guidelines for Reporting Security Assessment on Cross-border Transfers of Data (First Edition) 《數據出境安全評估申報指南(第一版)》簡介
- UK: ICO Publishes Draft Guidance on Privacy-Enhancing Technologies
- Spain: AEPD Launches GDPR Risk Assessment Tool
- International: Singapore and Philippines Renew Cooperation on Personal Data Protection
- Russia: Amendments to Law on Personal Data Enter into Effect
Data Erasure is Crucial for Every Organisation
Under the Personal Data (Privacy) Ordinance (PDPO), an organisation, as a data user who is engaged in the collection, holding, processing or use of personal data, is required to erase such personal data when it is no longer required for the purpose for which it was used. When disposing of personal data, the organisation must take practicable steps to ensure that the personal data is erased and cannot be retrieved as a result of the disposal.
How Long Can Your Organisation Keep the Personal Data?
The PDPO does not stipulate a fixed retention period of personal data. However, an organisation has its obligation to take all practicable steps to:
- Ensure that the personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used (Data Protection Principle 2(2));
- Erase personal data held when the data is no longer required for the purpose (including any directly related purpose) for which it was used, unless any such erasure is prohibited under any law or it is in the public interest not to have the data erased (section 26 of the PDPO); and
- Adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data, if an organisation engages a data processor (whether within or outside Hong Kong) to process personal data on the data user’s behalf.
What are the Major Steps for an Organisation to Start the Data Clean-up?
- Have a data retention schedule and conduct regular reviews of personal data to help determine whether data is still required;
- Conduct regular reviews to help identify if specific personal data is still required. Erase the personal data that is no longer required; and
- Set maximum and minimum retention periods for personal data, taking into account any legal requirements or restrictions.
Please view the PCPD’s guidance below to learn more about personal data erasure:
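The three clean-up steps above (a retention schedule, regular reviews, and erasure of data no longer required) can be turned into a repeatable review routine. The following is an added illustration written for this page, not code from the PCPD or its guidance; the purposes, retention periods and sample records are constructed placeholders, and the `legal_hold` flag stands in for the section 26 exception where erasure is prohibited by law or contrary to the public interest.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (hypothetical purposes and periods, not PCPD figures):
# how long data collected for each purpose is kept after the purpose was last fulfilled.
RETENTION_SCHEDULE = {
    "account_servicing": timedelta(days=7 * 365),
    "marketing_consent": timedelta(days=2 * 365),
    "job_application": timedelta(days=365),
}


@dataclass
class Record:
    record_id: str
    purpose: str              # purpose the data was collected for
    last_needed: date         # last date the purpose (or a directly related purpose) required the data
    legal_hold: bool = False  # erasure prohibited by law or contrary to the public interest


def review_records(records, today):
    """Classify records into (to_erase, to_keep, unscheduled) lists of record ids.

    A record whose purpose has no documented retention period is flagged for
    review rather than silently kept: "no schedule" must not become "keep forever".
    """
    to_erase, to_keep, unscheduled = [], [], []
    for r in records:
        period = RETENTION_SCHEDULE.get(r.purpose)
        if period is None:
            unscheduled.append(r.record_id)
            continue
        expired = today >= r.last_needed + period
        if expired and not r.legal_hold:
            to_erase.append(r.record_id)
        else:
            to_keep.append(r.record_id)
    return to_erase, to_keep, unscheduled


def erase_records(store, record_ids, today):
    """Remove records from the store and return an audit trail of what was erased.

    The audit entry holds the id, purpose and date only, never the personal data
    itself; otherwise the log would become a fresh copy of the data being erased.
    """
    audit = []
    for rid in record_ids:
        rec = store.pop(rid)
        audit.append({"record_id": rid, "purpose": rec.purpose, "erased_on": today.isoformat()})
    return audit


# Constructed sample data set for a review run on 30 September 2022.
SAMPLE_RECORDS = [
    Record("r1", "account_servicing", date(2015, 1, 1)),
    Record("r2", "marketing_consent", date(2021, 6, 1)),
    Record("r3", "job_application", date(2021, 3, 15), legal_hold=True),
    Record("r4", "unknown_purpose", date(2020, 1, 1)),
    Record("r5", "job_application", date(2021, 9, 30)),
]


def run_sample_review(today=date(2022, 9, 30)):
    """One review cycle over the sample data; returns (to_erase, to_keep, unscheduled)."""
    return review_records(SAMPLE_RECORDS, today)


def run_sample_erasure(today=date(2022, 9, 30)):
    """Review, then erase what is due; returns (audit_trail, remaining_record_ids)."""
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    to_erase, _, _ = review_records(list(store.values()), today)
    audit = erase_records(store, to_erase, today)
    return audit, sorted(store)


if __name__ == "__main__":
    print(run_sample_review())
    print(run_sample_erasure())
```

In the sample run, r1 and r5 are past their retention period and are erased, r3 is past its period but kept because of the legal hold, r2 is still within its period, and r4 has no documented purpose and is surfaced for a human decision. Erasing the record from the store is only the logical step; backups and exported copies need the same treatment for the data to be unrecoverable as the PDPO requires.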
PRIVACY COMMISSIONER’S FINDINGS
A Bank Recorded Phone Conversation Without Sufficiently Informing Customers
The Complaint
The complainant was a customer of a bank. After the complainant called the bank's customer service hotline, his feedback was referred to a back-end department of the bank for follow-up. When the department called the complainant, it recorded the telephone conversation without informing him. He thus lodged a complaint against the bank.
The bank explained that it had informed the complainant of its recording arrangement via the recorded message played to him during his call to the customer service hotline. The same was also stated in the terms of service provided to him upon account opening. At the time of the incident, the back-end department did not require its staff to inform customers of the recording arrangement.
Outcome
The bank failed to adopt measures to sufficiently and effectively notify its customers of its recording arrangements. Upon the PCPD’s intervention, the back-end department amended its policy so that, during their first contact with customers, staff would explain to customers that the relevant conversation would be audio-recorded.
Lessons Learnt
The PCPD understands that organisations may need to record phone conversations between staff and customers for operational needs. As the conversations may contain personal data, customers should, for the protection of personal data privacy, be informed of the audio recording arrangement as far as practicable. To this end, simply stating the practice in the account opening documents is not sufficient. Organisations are recommended to step up their efforts to enhance the transparency of their audio recording arrangements. This would not only help avoid misunderstanding and complaints, but also demonstrate a high regard for privacy.
Personal Data Security in the Cyber World – Recommended Technical and Operational Security Measures to Consider
The increased digitisation of data and interconnection of information and communications technology (ICT), together with the prevalent use of ICT and increasing value of personal data, have exacerbated personal data security risks. With this in mind, it is pivotal for your organisation to develop sound data security measures to prevent malicious attacks. Check out our recommended technical and operational security measures below to ensure the safety of the personal data that you keep:
Securing Computer Networks
- Adopt physical access controls to limit access to premises, rooms and physical ICT assets such as server rooms and system devices;
- Use regularly updated security tools, such as firewalls and/or anti-malware applications, to protect computer networks;
- Conduct vulnerability scan at regular intervals; and
- Log system activities for detecting and investigating security incidents.
Database Management
- Separate database servers from web servers by firewalls;
- Keep up-to-date inventory of personal data;
- Adopt dataset partitioning into smaller data sub-sets; and
- Apply digital watermarking to data files.
Access Control
- Adopt “least privilege” principle in granting access rights to users;
- Adopt multi-factor authentication or other enhanced access control for high-risk activities;
- Set account lockout threshold policy to limit failed log-ins; and
- Review access rights regularly and remove unnecessary accounts in a timely manner.
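The lockout threshold measure above is simple to state but has edge cases worth getting right: failures should be counted inside a sliding window (so that occasional typos over months do not accumulate), the lock should expire on its own, and it should be tracked per account so that one user’s lock does not affect others. The following is an added example written for this page, not code from the PCPD’s Guidance Note; the threshold, window and lockout durations are constructed values, and the `FakeClock` exists only to make the behaviour reproducible.

```python
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Per-account lockout: lock after `threshold` failed log-ins inside a sliding window."""

    def __init__(self, threshold=5, window_seconds=900, lockout_seconds=1800,
                 clock=time.monotonic):
        self.threshold = threshold
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable so the policy can be tested deterministically
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time at which the lock expires

    def _prune(self, account, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account):
        now = self.clock()
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear it together with the old failures
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; return True if this attempt triggered a lock."""
        now = self.clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures[account].clear()


def attempt_login(policy, account, credentials_valid):
    """Outcome of one log-in attempt: 'locked', 'ok' or 'denied'."""
    if policy.is_locked(account):
        return "locked"                       # do not evaluate credentials at all while locked
    if credentials_valid:
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)            # a triggered lock is an event worth logging and alerting on
    return "denied"


class FakeClock:
    """Constructed clock for the demonstration; real deployments use time.monotonic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Three failures lock 'alice'; a correct password is still refused until the lock expires."""
    clock = FakeClock()
    policy = LockoutPolicy(threshold=3, window_seconds=60, lockout_seconds=300, clock=clock)
    outcomes = []
    for _ in range(3):
        outcomes.append(attempt_login(policy, "alice", False))
        clock.t += 1
    outcomes.append(attempt_login(policy, "alice", True))   # right password, but locked
    clock.t += 301
    outcomes.append(attempt_login(policy, "alice", True))   # lock has expired
    outcomes.append(attempt_login(policy, "bob", False))    # per-account: bob is unaffected
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

Two design points: the login path returns the same "denied" message whether the password was wrong or the account is locked when it speaks to the user (the distinct `locked` value here is for internal logging), and a lock that is triggered repeatedly for one account is itself a signal to feed into the activity logs mentioned under Securing Computer Networks.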
Firewalls and Anti-malware
- Implement DNS firewalls to prevent connections to malicious websites;
- Conduct vulnerability assessments and penetration tests regularly; and
- Use anti-malware software to provide real-time protection.
Protecting Online Applications
- Ensure no unnecessary personal data is stored online; and
- Disconnect obsolete systems containing personal data from the internet.
Encryption
- Encrypt data in transit and in storage, and manage and protect encryption keys effectively;
- Tokenisation – replace identifiers and attributes with a different value known only to authorised users; and
- Hashing – replace sensitive values with an algorithmically derived value intended to be irreversible.
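Tokenisation and hashing are easy to confuse, so the two are shown side by side below in an added example written for this page (not code from the PCPD’s Guidance Note). A token is random and can only be reversed through the vault, where the access check lives; a hash is derived from the value and cannot be reversed, but for identifiers drawn from a small, structured value space (ID card or phone numbers) an unkeyed hash offers little protection on its own, so the example keys the hash with a secret kept apart from the data. The record, field names and the `authorised` flag are constructed placeholders.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Tokenisation: each identifier is replaced by a random token.

    The token carries no information about the original value; the only way
    back is the mapping held in the vault, which is where access control is enforced.
    """

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenise(self, value):
        token = self._by_value.get(value)
        if token is None:
            token = secrets.token_hex(16)     # 128 random bits, unrelated to the value
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenise(self, token, authorised):
        """Reverse a token; `authorised` stands in for the caller's real access check."""
        if not authorised:
            raise PermissionError("detokenisation is restricted to authorised users")
        return self._by_token[token]


def keyed_hash(value, key):
    """Hashing with a secret key (HMAC-SHA256).

    One-way: supports matching and de-duplication across data sets, not recovery.
    The key lives in a key store, never beside the hashed data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record, vault, hash_key):
    """Tokenise identifiers that authorised staff may need to recover later,
    hash an attribute that is only ever matched, and copy the rest unchanged."""
    out = dict(record)
    for field in ("hkid", "phone"):
        out[field] = vault.tokenise(record[field])
    # Normalise before hashing, otherwise "A@x" and "a@x" never match.
    out["email"] = keyed_hash(record["email"].strip().lower(), hash_key)
    return out


# Constructed sample record; the values are placeholders, not real personal data.
SAMPLE_RECORD = {
    "hkid": "A123456(7)",
    "phone": "+852 1234 5678",
    "email": "Sample.User@example.com",
    "plan": "standard",
}


def demo():
    """Pseudonymise the sample record, then recover the HKID through the vault."""
    vault = TokenVault()
    hash_key = secrets.token_bytes(32)        # in practice fetched from a key store
    safe = pseudonymise(SAMPLE_RECORD, vault, hash_key)
    restored = vault.detokenise(safe["hkid"], authorised=True)
    return safe, restored


if __name__ == "__main__":
    print(demo())
```

The choice between the two comes down to whether anyone ever needs the original value back: tokenise when an authorised process must, hash when matching is all that is required. Either way the sensitive value itself is gone from the working data set, which is what reduces the impact of a breach of that data set.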
Emails and File Transfers
- Use “bcc” to distribute emails to hide recipients’ information;
- Install tools to ensure senders double-check emails before sending;
- Filter spams or emails with malicious attachments or links; and
- Use end-point security software to prevent transfer of data.
Backup, Destruction and Anonymisation
- Back up systems and ensure recovery mechanisms are effective;
- Erase data securely and render data recovery impossible; and
- Destroy or anonymise unnecessary or expired data in a timely manner.
Please view the PCPD's Guidance Note below for a detailed outline of the recommended security measures:
Understanding Mainland Laws – Privacy Commissioner’s Office organises a Webinar on “The Mainland’s Security Assessment Measures on Cross-border Transfers of Data”
The PCPD organised a webinar on “The Mainland’s Security Assessment Measures on Cross-border Transfers of Data” on 29 September 2022. Professor HONG Yan-qing of the School of Law of the Beijing Institute of Technology was invited to speak as one of the guest speakers. Professor Hong highlighted the salient features of the Mainland’s Security Assessment Measures on Cross-border Transfers of Data (Measures) at the webinar.
Another guest speaker, Ms Clarice YUE, Counsel and Head of Data Protection Group for China and Hong Kong of Bird & Bird, shared her insights on how enterprises can prepare themselves to comply with the requirements under the Measures.
At the last session of the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling gave an overview of the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” published by the PCPD in May this year.
The webinar attracted more than 170 attendees from various sectors including the banking, government, public bodies, legal, education and insurance sectors.
Please click here to download Professor Hong’s presentation deck (Simplified Chinese only).
Please click here to download Ms Yue’s presentation deck (Chinese only).
Please click here to download the Privacy Commissioner’s presentation deck (Chinese only).
Enhancing Cybersecurity – Privacy Commissioner’s Office Organises a Webinar on Cybersecurity
The PCPD organised a webinar on “Data Security Management in the Cyber World – Practical Tips on Personal Data Security and Incident Response” on 26 September 2022. The event was supported by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and the Hong Kong Computer Society.
At the webinar, Acting Head of Compliance of the PCPD Mr Brad KWOK gave an overview of the “Guidance Note on Data Security Measures for Information and Communications Technology” recently issued by the PCPD. Mr NG Yu On, Security Consultant of the HKCERT, spoke as a guest speaker on the “Incident Response Guidelines for SMEs” recently published by the HKCERT.
Please click here to download Mr Kwok’s presentation deck (Chinese Only).
Please click here to download Mr Ng’s presentation deck (Chinese Only).
Reaching Out to Governance Professionals – Interview with Privacy Commissioner by CGj, journal of The Hong Kong Chartered Governance Institute
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by CGj, journal of The Hong Kong Chartered Governance Institute, to share her views on ensuring best practice is followed in the handling of personal data, which she considers to be a crucial part of the governance professional’s role. Entitled “Data governance – the privacy considerations”, the interview was published in the September issue of CGj. The article can be viewed here.
Reaching Out to Legal Professionals – Assistant Privacy Commissioner Spoke at Webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021” organised by The Small and Medium Law Firms Association of Hong Kong
Acting Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs and Research) Mr Dennis NG made a presentation on 21 September at the webinar on “Personal Data (Privacy) (Amendment) Ordinance 2021” organised by The Small and Medium Law Firms Association of Hong Kong. Mr Ng explained the scope of the Personal Data (Privacy) (Amendment) Ordinance 2021 to the participants, including the two-tier structure of the new doxxing offences, the new criminal investigation and prosecution powers of the Privacy Commissioner for Personal Data and Privacy Commissioner’s power to issue cessation notices to request the removal of doxxing messages. Please click here to download the presentation file (Chinese only).
PCPD Reruns the Public Webinar on “Protection of Personal Data Privacy for Property Management Sector”
The PCPD re-organised the public webinar on “Protection of Personal Data Privacy for Property Management Sector” on 20 September owing to the overwhelming response to the first webinar held in July this year. The webinar attracted more than 650 participants from the property management sector and the general public.
The webinar was once again supported by the Property Management Services Authority. Privacy Commissioner Ms Ada CHUNG Lai-ling introduced to the participants the key findings of the recent investigation report on the improper handling of the personal data of residents and visitors by four property management companies, while Ms Amy CHAN Mei-yee, Head of Complaints of PCPD, elaborated on the new edition of the Guidance for the Property Management Sector issued by the PCPD recently. Dr Johnnie CHAN Chi-kau, SBS, BBS, JP, Immediate Past President of the Hong Kong Association of Property Management Companies and Chief Executive Officer of Savills Services Group, was invited as the guest speaker to share the sector’s best practices in data management with the participants. Please click here to download the presentation file of this webinar (Chinese only).
Showcasing Hong Kong – Assistant Privacy Commissioner Spoke at the World Congress on Innovation & Technology 2022
Acting Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs and Research) Mr Dennis NG Hoi-fung spoke through video recording at the World Congress on Innovation & Technology 2022 (WCIT 2022) held in Penang, Malaysia on 13 September 2022.
In his presentation entitled “Ethical Development and Use of Artificial Intelligence”, Mr Ng discussed the privacy and ethical risks of using artificial intelligence (AI), and highlighted the ethical principles for the use of AI as well as the good practices recommended in the “Guidance on the Ethical Development and Use of Artificial Intelligence” published by the PCPD.
The WCIT 2022 is the 26th edition of the World Congress on Innovation & Technology; and is one of the world’s largest annual events of the information and communications technology industry. It features discussions with visionaries, captains of industry, government leaders, innovators and academics from over 80 countries.
Reaching Out to Information Security Sector – Head of Compliance attended the Information Security Summit 2022
Acting Chief Personal Data Officer (Compliance & Enquiries) Mr Brad KWOK attended the Information Security Summit 2022 held on 6 and 7 September 2022, and spoke at a plenary session entitled “Cyber Security: New Challenges to Data Protection and Data breaches”.
Mr Kwok highlighted the data security requirements under the data protection principles of the PDPO and discussed some common causes of data breach incidents in Hong Kong. Mr Kwok also shared with the audience some practical tips on how to prevent data breaches.
The Summit was jointly organised by the Hong Kong Productivity Council and leading information security organisations in Hong Kong. The theme of this year was “Security Transformation for the Next Normal – Evolution of Risk Management and Data Protection in a Post Pandemic World”.
Reaching Out to Legal Professionals – Privacy Commissioner Spoke at the 2022 Annual Conference of In-House Lawyers
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke as a panellist at the panel discussion entitled “Balancing Data-driven Marketing and Sales with Data Privacy” held on 6 September 2022 at the “2022 Annual Conference of In-House Lawyers”.
The Privacy Commissioner gave an overview of the direct marketing regime under the PDPO and discussed some common direct marketing pitfalls and court cases with practitioners. The Privacy Commissioner emphasised that companies and organisations must comply with their customers’ requests to opt out from direct marketing communications to ensure that they do not fall foul of the privacy law.
The Conference was organised by the In-House Lawyers Committee of the Law Society of Hong Kong and the theme of this year was “The Corporate Connector”.
Please click here for the Privacy Commissioner’s presentation deck.
Nurturing Young Talents – Privacy Commissioner Presented the Privacy Commissioner Prizes in Privacy and Data Protection Law 2020-21 and 2021-22
Privacy Commissioner Ms Ada CHUNG Lai-ling presented the 2020-21 and 2021-22 Privacy Commissioner Prizes in Privacy and Data Protection Law to recognise the best research papers submitted in the respective years in the study of privacy and data protection laws.
The Prizes were presented at the Faculty of Law, the University of Hong Kong (HKU), on 1 September 2022 to Ms Phoebe Woo Chor Kiu, who has obtained her Bachelor of Laws and PCLL at the HKU, and Ms Annie Man Sum Yi, who has obtained her Juris Doctor at the HKU and is now pursuing PCLL at the HKU. The winning essays are respectively entitled ‘Doxxing in Hong Kong – Way Forward’ and ‘Privacy and data protection challenges posed by the increasing use of Big Data and critically examine how Hong Kong laws can meet these challenges’.
Please click here to view the winning essays.
Reaching out to Healthcare Sector – Privacy Commissioner Spoke at the AI and Big Data Research for Health Improvement Symposium
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke as a panellist at the panel discussion entitled “Future of Big Data Application for Public Health in Hong Kong” held on 31 August 2022 at the “AI and Big Data Research for Health Improvement Symposium”.
The Privacy Commissioner discussed the personal data privacy issues faced by the healthcare sector and shared her views on how big data can be used to facilitate research in healthcare while safeguarding patients’ privacy. The Privacy Commissioner highlighted that since medical records are sensitive personal data, the healthcare sector should, aside from building trust with patients, also adopt particularly stringent measures in handling patients’ medical records.
The Symposium was jointly organised by the HKU Musketeers Foundation Institute of Data Science, the Department of Pharmacology and Pharmacy, and the Hong Kong Association of the Pharmaceutical Industry.
Privacy Commissioner’s Office Launches Short Video Competition for Primary School Students under the “Primary School Students Data Protection Campaign 2022”
The PCPD launched a short video competition for primary school students themed “Respecting Privacy Begins with Me” (the Competition) on 19 September 2022, with a view to raising students’ awareness of protecting personal data privacy, and enabling them to understand the importance of respecting others’ personal data privacy and learn more about the potential privacy risks which exist in the online world.
The Competition, which is organised for students from Primary 3 to 6, will be held in teams. Participating teams may choose one of the three video themes: “Respect Others’ Personal Data Privacy”, “Say ‘No’ to Cyberbullying” or “Stay Vigilant Online: Be Careful while Disclosing Personal Data”, and produce a short video clip which lasts for less than two minutes. The PCPD hopes that, through producing the video, students will learn how to protect personal data in the cyber world as well as develop a sense of respecting others’ personal data privacy, and say “no” to cyberbullying.
To assist the participating teams, the PCPD will provide schools with a guidance video on how to protect personal data privacy online and introduce short video production techniques. The deadline for the Competition is 6 January 2023. The winning teams will be invited to attend the awards ceremony and will be presented with book coupons and trophies. For details of the Competition, please click here to visit the website (Chinese version only).
Meanwhile, the PCPD has also launched school talks on “Stay Vigilant Online: Say ‘No’ to Cyberbullying” to instil in students the importance of protecting personal data online and respecting the privacy of others. The talks have attracted over 8,000 students from 30 primary schools.
A 46-year-old Chinese Male Arrested for a Suspected Doxxing Offence
The PCPD arrested a Chinese male aged 46 in New Territories South on 15 September 2022. He was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO.
The investigation revealed that the arrested person had been an employee of the victim’s company for over 10 years. Other than this, the parties had formed a partnership to run a manufacturing business. In around September 2021, the two fell out because of some monetary disputes and terminated their partnership. The arrested person then left the victim’s company. Since July 2022, on multiple occasions, the victim found different posters on the walls and in the vicinity of his office building, containing the victim’s personal data, including his Chinese name, photo, the name, address and telephone number of the victim’s company, coupled with allegations against the victim. The arrested person is currently under custody. The PCPD will continue its investigation into the case.
The PCPD reminded members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years. To avoid breaking the law, members of the public should think twice before disclosing others’ personal data.
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
(a) the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
(b) the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
A 31-year-old Chinese Male Arrested for a Suspected Doxxing Offence
The PCPD arrested a Chinese male aged 31 in New Territories North on 2 September 2022. He was suspected to have disclosed the personal data of a data subject (the complainant) without his consent, in contravention of section 64(3A) of the PDPO.
The investigation reveals that the arrested person and the complainant were former co-workers of a company, whose relationship subsequently turned sour because of performance at work, which ultimately led to the dismissal of the arrested person by the company. Later in mid-October 2021, personal data of the complainant, including his Chinese name, mobile phone number, name of his residential estate, name of employer, along with information on the past deeds of the complainant, were posted on a social media platform. The arrested person is granted bail. The PCPD will continue its investigation into the case.
The PCPD reminded members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years. The PDPO applies equally to the online world. To avoid breaking the law, members of the public should think twice before publishing or forwarding any doxxing messages on the internet or social media.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
(a) the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
(b) the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
The Mainland’s Security Assessment Measures on Cross-border Transfers of Data Take Effect on 1 September 2022
The PCPD noted that the Security Assessment Measures on Cross-border Transfers of Data (the Measures) promulgated by the Cyberspace Administration of China (CAC) came into operation on 1 September 2022.
The PCPD reminded local enterprises, such as banks, insurance companies and securities companies, which conduct businesses on the Mainland that if the conditions prescribed in the Measures are met, they may need to report their security assessments on cross-border transfers of data to the CAC in accordance with the relevant regulations.
According to the Measures, data processors (including enterprises or organisations) which effect cross-border transfers of data shall, in any of the following situations, carry out their own security assessments and report such security assessments to the CAC through local cyberspace administration authorities at the provincial level:
- where the data processor transfers important data across the border;
- where the data processor which transfers personal information across the border is an operator of Critical Information Infrastructure;
- where the data processor which transfers personal information across the border processes personal information of over 1 million persons;
- where the data processor which transfers personal information across the border has cumulatively made outbound transfers of personal information of over 100,000 persons, or sensitive personal information of over 10,000 persons since 1 January of the preceding year; and
- in other situations as prescribed by the CAC where a report on security assessment is required.
The term “important data” in this context refers to any data which, if tampered, damaged, leaked, or illegally acquired or used, may endanger national security, the operation of the economy, social stability, public health and security, etc.
The self-assessment shall address, among others, the following key factors:
- the legality, propriety and necessity of (a) the cross-border transfer and (b) the purpose, scope and manner of processing of the data by the recipient outside the jurisdiction;
- the quantity, scope, category and sensitivity of the outbound data, and the risks that cross-border transfer of data might pose to national security, public interests, and the lawful rights and interests of individuals or organisations;
- whether the responsibilities and obligations undertaken by the recipient outside the jurisdiction and the management and technical measures and capabilities of such recipient to perform the aforesaid responsibilities and obligations can ensure the security of the outbound data;
- the risks of the outbound data suffering from alteration, destruction, leakage, loss, transfer, illegal acquisition or illegal use, etc., during and after the cross-border transfer, and whether or not channels are available to uphold personal information rights and interests, etc.;
- whether data security protection responsibilities and obligations are sufficiently stipulated in the contract, or other documents with legal effect, intended to be concluded with the recipient outside the jurisdiction regarding the cross-border data transfer; and
- other matters that may affect the security of the cross-border data transfer.
To help relevant enterprises or organisations understand the latest developments in the Mainland’s legal requirements on cross-border transfers of personal information, the PCPD will organise a webinar on the subject. It has also updated its thematic webpage on the Personal Information Protection Law of the Mainland, which now includes a brief on the Measures (updates in English will be available soon).
For more information on the Measures, please click the hyperlinks below:
Background Information
The Personal Information Protection Law of the Mainland provides that processors of personal information which need to transfer personal information across the border shall carry out their own personal information protection impact assessments, obtain separate consent from the individuals concerned, and meet the specified requirements, one of which is passing the security assessments made by the state cyberspace authorities. The Measures set out the more specific and stringent requirements regarding how to carry out the security assessments (including the matters to consider, the procedure and timeframe, etc.)
The Measures were drafted with reference to relevant laws including the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of the Mainland, for the purposes of regulating cross-border data transfers, protecting the rights and interests regarding personal information, upholding national security and society’s public interest, and facilitating the safe and free flow of data across the border.
Highlights of the Guidelines for Reporting Security Assessment on Cross-border Transfers of Data (First Edition) 《數據出境安全評估申報指南(第一版)》簡介
On 31 August 2022, the Cyberspace Administration of China published the first edition of the Guidelines for Reporting Security Assessment on Cross-border Transfers of Data (Guidelines). The Guidelines serve to guide and assist data processors in reporting security assessments of cross-border transfers of data in a regulated and orderly manner. This article gives you an overview of the Guidelines.
The Measures for Security Assessment of Cross-border Transfers of Data[1] (the Measures), promulgated earlier by the Cyberspace Administration of China (CAC), formally came into operation on 1 September 2022 (this column introduced them in July 2022). To guide and assist data processors in reporting security assessments of cross-border data transfers under the Measures in a regulated and orderly manner, the CAC prepared the Guidelines for Reporting Security Assessment on Cross-border Transfers of Data (First Edition)[2] (the Reporting Guidelines) on 31 August 2022, setting out the method and procedure for reporting, the materials required, etc.
Under the Measures, a data processor that provides data to recipients outside the Mainland must, in any of the following circumstances, report a security assessment of the cross-border data transfer to the national CAC through the cyberspace administration authority at the provincial level where it is located[3]:
- the data processor provides important data across the border;
- an operator of Critical Information Infrastructure, or a data processor processing the personal information of more than 1 million persons, provides personal information across the border;
- a data processor that has cumulatively provided the personal information of 100,000 persons, or the sensitive personal information of 10,000 persons, across the border since 1 January of the preceding year provides personal information across the border;
- other circumstances prescribed by the national CAC in which a security assessment of cross-border data transfer must be reported.
Compared with the Measures, the Reporting Guidelines clearly list the circumstances that constitute cross-border data transfer activities[4], including:
- a data processor transmits or stores outside the Mainland data collected and generated in the course of its operations within the Mainland;
- data collected and generated by a data processor is stored within the Mainland, but institutions, organisations or individuals outside the Mainland are able to query, retrieve, download or export it;
- other cross-border data transfer activities prescribed by the national CAC.
The Reporting Guidelines also list the materials required for reporting a security assessment of cross-border data transfer[5], such as identity documents of the reporting party’s representative, the security assessment application for cross-border data transfer (the Application), the cross-border data transfer contract or other legally effective document to be concluded with the overseas recipient, and the self-assessment report on cross-border data transfer risks. For each item of reporting material, the Reporting Guidelines also set out detailed format requirements[6], including a requirement that data processors submit electronic copies of the corresponding documents together with the written materials.
As these are the two principal reporting materials, the Reporting Guidelines also attach templates for the Application and for the risk self-assessment report. According to the template in the Reporting Guidelines, the Application consists of a letter of undertaking and an application form. In addition to basic information on the data processor and the overseas recipient, the data processor must state in the application form the purpose, method and type of the cross-border data transfer, the file size, the number of persons involved, and other such information. Moreover, since the Measures require data processors to expressly stipulate at least six data security protection responsibilities and obligations in the legal document concluded with the overseas recipient[7], the Application template also requires data processors to indicate the name and page number of the document containing the relevant clauses, so as to demonstrate that all six responsibilities and obligations are covered by contractual terms[8]. The Reporting Guidelines also include instructions for completing the form, providing examples and guidance for each reporting item[9].
Under the Measures, a data processor must conduct a self-assessment of cross-border data transfer risks before reporting a security assessment[10]. In this regard, the risk self-assessment report template in the Reporting Guidelines lists the matters that data processors must describe and assess in detail, under two main headings: the “overall situation of the cross-border transfer activity” (such as basic information on the data processor and the overseas recipient) and the “risk assessment of the proposed cross-border transfer activity” (such as the scale and sensitivity of the outbound data and the responsibilities and obligations undertaken by the overseas recipient). The content required under the latter heading is consistent with the requirements of the Measures.
With the successive promulgation of the Measures and the Reporting Guidelines, cyberspace administration authorities across the Mainland have been opening consultation and reporting channels for security assessments of cross-border data transfers. Data processors may follow the guidance and information issued by their local cyberspace administration authority and make their reports in accordance with the specific requirements of the Reporting Guidelines.
1. Full text of the Measures: http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
2. CAC publishes the Guidelines for Reporting Security Assessment on Cross-border Transfers of Data (First Edition): http://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm
3. Article 4 of the Measures
4. Reporting Guidelines, Part I, Scope of Application
5. Reporting Guidelines, Part III, Reporting Materials
6. Reporting Guidelines, Annex 1, Requirements for Materials for Reporting Security Assessment on Cross-border Transfers of Data
7. Under Article 9 of the Measures, the data security protection responsibilities and obligations shall at least include: (1) the purpose, method and scope of the cross-border data transfer, and the purpose and method of the overseas recipient’s processing of the data; (2) the location and period of storage of the data outside the Mainland, and the measures for handling the outbound data once the storage period expires, the agreed purpose is fulfilled or the legal document is terminated; (3) binding requirements restricting the overseas recipient’s onward transfer of the outbound data to other organisations or individuals; (4) the security measures to be taken when a substantive change in the overseas recipient’s actual control or business scope, a change in the data security protection policies, laws and regulations or the cybersecurity environment of the country or region where it is located, or other force majeure circumstances make it difficult to ensure data security; (5) remedial measures, liability for breach and dispute resolution methods for violations of the data security protection obligations agreed in the legal document; (6) requirements for proper emergency response when the outbound data is at risk of tampering, destruction, leakage, loss, transfer, or illegal acquisition or use, and the channels and methods by which individuals may safeguard their rights and interests in their personal information.
8. Reporting Guidelines, Annex 3 (Security Assessment Application Form for Cross-border Data Transfer)
9. Reporting Guidelines, Annex 3 (Instructions for Completing the Form)
10. Article 5 of the Measures
RECOMMENDED ONLINE TRAININGS
Online Professional Workshop on Data Protection in Banking/Financial Services
This workshop is designed for banking and financial practitioners who wish to acquire knowledge on the requirements under the PDPO in different aspects of the banking and financial services and the practical ways to deal with issues related to personal data privacy effectively in their daily operation.
Date: 19 October 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking or financial industry
Online Professional Workshop on Data Protection in Human Resource Management
Human resource practitioners handle a large amount of employee data in the course of their work. This workshop is designed to help human resource practitioners meet the requirements under the PDPO and adopt good practices in handling large amounts of employees’ personal data in the different phases of the employment process.
Date: 26 October 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
Other Professional Workshops on Data Protection in Nov and Dec 2022:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.