PCPD e-NEWSLETTER
ISSUE Nov 2022
Privacy Commissioner’s Office Publishes Two Investigation Reports
Privacy Commissioner Ms Ada CHUNG Lai-ling (centre), Chief Personal Data Officer (Complaints) Ms Amy CHAN Mei-yee (left) and Acting Chief Personal Data Officer (Compliance & Enquiries) Mr Brad KWOK Ching-hei (right) elaborated on the two investigation reports.
The PCPD published two investigation reports on 14 November 2022, namely (1) EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System and (2) Ransomware Attack on the Database of Fotomax (F.E.) Limited (Fotomax).
1. Investigation Report: EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System
The investigation arose from two complaint cases received by the PCPD, involving four brands under EC Healthcare:
- Primecare Paediatric Wellness Centre (Primecare) and Dr Reborn: the complainant took her daughter to consult a doctor of Primecare. She was later told by Dr Reborn that after the said doctor joined Dr Reborn, the personal data of his clients (including the complainant’s daughter) was transferred to Dr Reborn; and
- New York Medical Group (NYMG) and re:HEALTH: the complainant contacted re:HEALTH to follow up on a complaint lodged by a member of his family against re:HEALTH. When re:HEALTH replied to the complainant, it accessed and used the personal data provided by the complainant to NYMG when he received treatment there.
After conducting investigations into the above cases, Privacy Commissioner Ms Ada CHUNG Lai-ling finds that after acquiring Primecare and NYMG, EC Healthcare stored the clients’ personal data of these two brands (including those of the two complainants) in an integrated system (the System), and shared parts of their personal data among the 28 brands of EC Healthcare using the System, so that the relevant personal data were accessible by the frontline staff of various brands. In the two complaint cases, the personal data originally provided by the complainants to a single brand was disclosed and transferred, without their knowledge, to the staff of some other brands. The Privacy Commissioner finds that the above arrangement was plainly inconsistent with the original purpose of the collection of the complainants’ personal data, and also fell short of their reasonable expectation for personal data privacy. In the circumstances, the Privacy Commissioner is of the opinion that EC Healthcare has contravened the requirements of Data Protection Principle (DPP) 3(1) in Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO) on the use (including disclosure and transfer) of personal data.
The Privacy Commissioner considers that the two complaint cases reveal that in undertaking mergers and acquisitions for market consolidation, and in collating clients’ personal data of its various brands through an integrated system, EC Healthcare disregarded the requirements under the PDPO on the use (including disclosure and transfer) of personal data and failed to properly consider how the operation of the System may affect its clients’ personal data privacy. The Privacy Commissioner expresses regret at the above shortcomings and has served an Enforcement Notice on EC Healthcare, directing it to remedy and prevent recurrence of the relevant contraventions.
The Privacy Commissioner also makes six recommendations to other organisations which operate multiple brands. They are recommended to:
- Provide clients with a clear and concise Personal Information Collection Statement to facilitate their understanding of the purpose of data collection and the classes of transferees to whom the data may be transferred;
- Obtain customers' consents before using (including disclosing and transferring) their personal data for a new purpose;
- Appropriately assign staff’s rights of access to and retrieval of clients’ personal data, taking into account the scope of business and staff authority;
- Carry out a Privacy Impact Assessment before the implementation of any plans that involve the handling of a considerable amount of personal data, and adopt adequate measures to address the identified impacts and risks for the protection of personal data privacy;
- Implement a Personal Data Privacy Management Programme to include the protection of personal data privacy as part of their governance responsibilities; and
- Appoint Data Protection Officer(s) to ensure the organisation’s compliance with the requirements under the PDPO and implementation of a Privacy Management Programme, with a view to developing a culture of respecting personal data privacy.
Please click here for the Executive Summary of “Investigation Report: EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System”.
2. Investigation Report: Ransomware Attack on the Database of Fotomax
The investigation arose from a data breach notification lodged by Fotomax with the PCPD on 1 November 2021, which reported that the database of its online store (the Database) had been attacked by ransomware and maliciously encrypted on 26 October 2021. A total of 544,862 members and 73,957 customers who had ordered products and/or accepted services from its online store between 16 November 2020 and 26 October 2021 were affected in the incident.
From the evidence collected in the investigation, the Privacy Commissioner finds that Fotomax had the following serious deficiencies which contributed to the avoidable exploitation of a vulnerability and access to personal data in the Database by the hacker:
- Misevaluation of security vulnerability risk;
- Deficiencies in information system management; and
- Procrastinated implementation of multi-factor authentication.
The Privacy Commissioner finds that Fotomax had serious deficiencies in risk awareness and personal data security measures which led to the ransomware attack on the Database. The Privacy Commissioner considers that Fotomax had not taken all practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) concerning the security of personal data under the PDPO. The Privacy Commissioner has issued an Enforcement Notice to Fotomax, directing Fotomax to remedy and prevent recurrence of the contravention. The Privacy Commissioner also wishes to remind organisations that handle customers’ personal data to pay particular attention to the following areas:
- Stay vigilant to prevent hacker attacks by conducting regular risk assessments to review the potential impact of hacking on their systems;
- Establish a Personal Data Privacy Management Programme to handle personal data in compliance with the PDPO, and to effectively handle personal data in its entire lifecycle;
- Appoint a designated officer as Data Protection Officer to monitor compliance with the PDPO;
- Enhance information systems management, including developing effective patch management procedures to patch security vulnerabilities as early as possible; and
- Maintain proper documentation of internal communications for reference in future reviews.
Please click here for “Investigation Report: Ransomware Attack on the Database of Fotomax (F.E.) Limited”.
What is Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is generally regarded as a systematic risk assessment tool that evaluates an initiative or a project in terms of its impact upon personal data privacy, with the objective of avoiding or minimising adverse impacts. By conducting a PIA, an organisation, as a data user, can identify and detect potential privacy risks associated with the project before its implementation, and come up with effective solutions to mitigate those risks. A PIA generally includes the following key components:
1. Data Processing Cycle Analysis
Critically examine the purpose and rationale behind the project, and whether it is necessary to collect the kinds, amount and extent of personal data.
2. Privacy Risks Analysis
Identify and address the key areas of privacy concerns.
3. Avoiding or Mitigating Privacy Risk
Privacy risks should be avoided or mitigated to protect data against unauthorised access, processing, erasure, loss or use.
4. PIA Reporting
The PIA report records the due process undertaken by a data user to manage privacy risks proactively.
Why is a PIA useful?
A PIA is useful in:
- Enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project;
- Directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage;
- Providing benchmarks for future privacy compliance audit and control;
- Being a cost-effective way of reducing privacy risks; and
- Providing a credible source of information to allay any privacy concerns from the public and the stakeholders.
Please view the PCPD’s Guidance below for further information about the PIA process:
PRIVACY COMMISSIONER’S FINDINGS
A Telecommunications Company Accepted a Hong Kong Identity Card that had been Declared Lost by a Customer
The Complaint
The Complainant had his belongings and Hong Kong Identity Card (HKID Card) stolen. He then called and visited his telephone service provider to report the theft and asked its staff to record the theft in its computer system, so that the thief could not assume his identity. Subsequently, a person (the Person) visited a branch of the telecommunications company, successfully deactivated the Complainant’s telephone number and signed two new contracts by using the HKID Card stolen from the Complainant as proof of identity. Meanwhile, the Person also changed the Complainant’s email address from which the latter received his bills from the telecommunications company.
Dissatisfied with the handling of the case by the telecommunications company, the Complainant reported the incident to the Police and lodged a complaint with the PCPD.
Outcome
The telecommunications company confirmed that the Complainant had notified them of the theft of his HKID Card. However, at the time of the incident, the telecommunications company had not established proper practices to record the loss of customers’ HKID Cards. As a result, its branch staff were not aware of the theft of the Complainant’s HKID Card when processing the Person’s application. The staff conducted the normal procedure of checking the customer’s proof of identity (i.e. asking the customer to produce the original identity document and checking the information on the document) to process the Person’s request.
In response to this case, the telecommunications company implemented a series of measures to deal with the loss of a customer’s HKID Card, which included requiring the customer who reported the loss of his HKID Card to present his recognisance form or other identity documents to its staff for verification of identity and to complete a “Declaration of Loss of HKID Card”. The staff would then make a remark in the computer system, noting that the lost HKID Card could no longer be accepted as the customer’s identity proof. On the other hand, when a customer wished to apply for or change a service, and that customer had previously reported a loss of his HKID Card, its staff must check and ensure that the HKID Card presented was issued after the date of the report. When in doubt about the customer’s identity, the staff must request other identity documents from the customer. The telecommunications company also required that all such cases be approved by a supervisor before they could proceed.
The PCPD issued a warning to the telecommunications company regarding the incident. It was required to urge its staff to strictly follow its policies on protecting customers’ personal data (including the abovementioned measures in relation to the reporting of loss of customers’ HKID Cards). It was also required to strengthen the training for its staff and remind its staff to handle customers’ personal data with prudence in order to comply with the relevant requirements of the PDPO.
Lessons Learnt
With identity theft being a common occurrence nowadays, data users are faced with an unprecedented challenge to effectively protect their customers’ personal data. In the face of the multifariousness of crimes, it is important for data users to formulate proper identity verification mechanisms to avoid loopholes which unscrupulous individuals may exploit. In this case, if the telecommunications company had a proper recording and verification mechanism in place, it would have been able to effectively identify the suspected case. The telecommunications company would then have had the opportunity to bring the thief to justice.
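The recording-and-verification mechanism described in the Outcome section above can be modelled as a small decision procedure: a loss report is only recorded once identity has been verified and the declaration signed; a later application is checked against the latest report; a card not shown to be issued after the report date is refused as identity proof; and a newer card still needs supervisor approval before the request proceeds. The following Python is an added illustrative model of that flow, not the telecommunications company’s system. The customer identifiers, staff names, dates and the in-memory registry are constructed for the example.

```python
"""Illustrative model of a lost-identity-card verification mechanism.

Added example; it is not the telecommunications company's code. The customer
identifiers, staff names and dates are constructed for demonstration.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Outcome(Enum):
    ACCEPTED = "accepted"                      # identity proof accepted, request may proceed
    CARD_REJECTED = "card_rejected"            # card on file as lost: request other identity documents
    PENDING_SUPERVISOR = "pending_supervisor"  # newer card presented, supervisor approval outstanding


@dataclass
class LossReport:
    reported_on: date          # date the customer declared the card lost
    verified_by: str           # staff member who verified the customer's identity (e.g. recognisance form)
    declaration_signed: bool   # "Declaration of Loss" completed by the customer


@dataclass
class Decision:
    outcome: Outcome
    reasons: List[str] = field(default_factory=list)


class IdentityRegistry:
    """Records loss reports and evaluates later applications against them."""

    def __init__(self) -> None:
        self._loss_reports: Dict[str, List[LossReport]] = {}
        self.audit_log: List[str] = []   # internal record kept for later review

    def record_loss(self, customer_id: str, report: LossReport) -> None:
        # The remark is only entered once identity is verified and the declaration is signed.
        if not report.verified_by or not report.declaration_signed:
            raise ValueError("verify identity and obtain the signed declaration before recording a loss")
        self._loss_reports.setdefault(customer_id, []).append(report)
        self.audit_log.append(
            f"{customer_id}: card declared lost on {report.reported_on}, verified by {report.verified_by}")

    def latest_loss(self, customer_id: str) -> Optional[LossReport]:
        reports = self._loss_reports.get(customer_id, [])
        return max(reports, key=lambda r: r.reported_on) if reports else None

    def evaluate_application(self, customer_id: str, card_issue_date: Optional[date],
                             supervisor_approved: bool = False) -> Decision:
        """Decide whether the presented card may serve as identity proof for a service request."""
        loss = self.latest_loss(customer_id)
        if loss is None:
            # Normal procedure: original document produced and its details checked.
            decision = Decision(Outcome.ACCEPTED, ["no loss report on file; standard identity check applies"])
        elif card_issue_date is None or card_issue_date <= loss.reported_on:
            # Card is, or may be, the one declared lost: it cannot be accepted as proof.
            decision = Decision(Outcome.CARD_REJECTED, [
                f"loss reported on {loss.reported_on}; card not shown to be issued after that date",
                "request other identity documents from the customer"])
        elif not supervisor_approved:
            decision = Decision(Outcome.PENDING_SUPERVISOR, [
                f"card issued {card_issue_date} postdates loss report of {loss.reported_on}",
                "supervisor approval required before proceeding"])
        else:
            decision = Decision(Outcome.ACCEPTED, [
                f"card issued {card_issue_date} postdates loss report", "supervisor approval recorded"])
        self.audit_log.append(f"{customer_id}: {decision.outcome.value} ({'; '.join(decision.reasons)})")
        return decision


def run_demo() -> Dict[str, str]:
    """Run the constructed scenario and return each step's outcome by name."""
    registry = IdentityRegistry()
    registry.record_loss("C001", LossReport(date(2022, 3, 1), "staff-17", True))
    return {
        "old_card_presented": registry.evaluate_application("C001", date(2021, 6, 15)).outcome.value,
        "issue_date_unknown": registry.evaluate_application("C001", None).outcome.value,
        "new_card_no_approval": registry.evaluate_application("C001", date(2022, 3, 10)).outcome.value,
        "new_card_approved": registry.evaluate_application(
            "C001", date(2022, 3, 10), supervisor_approved=True).outcome.value,
        "no_loss_on_file": registry.evaluate_application("C002", date(2021, 6, 15)).outcome.value,
    }


def unverified_report_is_refused() -> bool:
    """A loss report without a signed declaration must not be recorded."""
    try:
        IdentityRegistry().record_loss("C003", LossReport(date(2022, 1, 1), "staff-2", False))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The two checks that close the gap described in the complaint are the comparison of the card’s issue date with the recorded loss date and the refusal to proceed without supervisor approval; the audit log models the point made in the Fotomax report about keeping internal records for future review.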
Data Privacy Protection with the Use of Drones
Drones are increasingly used in commercial operations and for recreational purposes in recent years. When these portable mini-flying drones are equipped with cameras, they can perform as persistent, surreptitious, agile and efficient surveillance tools which may present risks to personal privacy. Therefore, drone operators should be mindful of the need to respect the affected individuals’ personal data privacy.
To be a responsible drone user, check out the advice on the use of drones from the perspective of personal data privacy protection below:
1. Before using a drone equipped with a camera, drone users should:
- Plan carefully the flight paths to avoid flying close to other people or their properties;
- Pre-define what, where and when to record to avoid collecting unnecessary personal data; and
- Develop a data retention and destruction policy to erase irrelevant recordings in a timely manner.
2. When using a drone equipped with a camera, drone users should:
- Encrypt the images transmitted wirelessly to avoid interception by unrelated parties;
- Implement access control to prevent the recording from falling into the wrong hands if the drone is lost; and
- Inform affected people clearly of the operation of the drones, such as by making prior public announcements to indicate the coverage of upcoming drone operations, using flashing lights to indicate that recording is taking place, and putting your corporate logo and contact details on the drone.
Please view the PCPD’s Guidance Note below for the responsible use of drones:
Interview with Privacy Commissioner by RTHK Radio 1’s “Accountability”
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “Accountability” on 19 November to talk about the two investigation reports recently published by the PCPD, namely, the reports on (1) EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System and (2) A Ransomware Attack on the Database of Fotomax (F.E.) Limited. The interview also touched upon the PCPD’s enforcement actions to combat doxxing offences, as well as the personal data privacy issues related to public registers.
Reaching Out to Schools – Privacy Commissioner Asks Primary School Students to Say “No” to Doxxing and Cyberbullying
The PCPD organised a talk on “Protecting and Respecting Personal Data Privacy Online” at S.K.H. St. James’ Primary School on 17 November 2022. During the event, Privacy Commissioner Ms Ada CHUNG Lai-ling emphasised the importance of protecting and respecting personal data privacy to more than 200 primary five and six students. The Privacy Commissioner asked the students to say “No” to doxxing and cyberbullying.
The talk is one of the primary school activities organised by the PCPD under the theme of “Stay Vigilant Online: Say ‘No’ to Cyberbullying”. So far, over 8,000 students from 30 primary schools have participated in the activities. Separately, the PCPD has launched a short video competition for primary school students with the theme of “Respecting Privacy Begins with Me” (the Competition), with a view to raising students’ awareness of personal data protection and interest to learn more about the potential privacy risks which exist in the online world. For details of the Competition, please click here to visit the website (Chinese only).
Please click here for the presentation deck (Chinese only).
Reaching Out to Businesses – Privacy Commissioner Attends Meeting of the Business Facilitation Advisory Committee
Privacy Commissioner Ms Ada CHUNG Lai-ling and the Chief Personal Data Officer of the PCPD Ms Amy CHAN Mei-yee attended the 49th meeting of the Business Facilitation Advisory Committee (BFAC) on 9 November 2022 to introduce to its members the PCPD’s role in assisting businesses and companies to enhance data governance.
Among other things, the Privacy Commissioner introduced the rising trend of data breach incidents in recent years, as well as various Guidance Notes issued by the PCPD, including the “Guidance Note on Data Security Measures for Information and Communications Technology” and the “Guidance on the Ethical Development and Use of Artificial Intelligence”. To assist companies in establishing a comprehensive privacy management system, the PCPD has issued the “Privacy Management Programme: A Best Practice Guide” and established the Data Protection Officers’ Club. The Privacy Commissioner advocated that companies should embrace personal data protection as part of their data governance and develop their Personal Data Privacy Management Programme and appoint a Data Protection Officer so as to ensure compliance with the requirements of the PDPO.
Please click here for the paper submitted by the PCPD to the BFAC.
Please click here for the presentation deck (Chinese only).
Please click here for the media statement issued by the BFAC Secretariat.
Two PCPD Officers Receive the Ombudsman’s Awards
Two officers of the PCPD received The Ombudsman’s Awards 2022 (the Awards) for Officers of Public Organisations in recognition of their professionalism and exemplary performance in handling complaints and enquiries. The two PCPD awardees are Assistant Personal Data Officer of the Complaints Division Ms Kit LEE Wai-kit and Acting Assistant Personal Data Officer of the Compliance and Enquiries Division Ms Vicky YUN Hiu-ying. Privacy Commissioner Ms Ada CHUNG Lai-ling attended the award presentation ceremony on 16 November and congratulated the two award-winning officers.
Ms Kit Lee has demonstrated great competency in the handling of public complaints. She is well aware of the need to handle complaints from members of the public skilfully, rectify breaches of statutory requirements and resolve the matter amicably between the relevant parties. To handle cases in a fair way and with empathy, she always puts herself into the shoes of the parties in order to consider and analyse their positions.
Ms Vicky Yun believes that excellent attitude, professional knowledge and careful skills are the essential components of high-quality service, which enables her to handle public enquiries effectively. She has been assigned to handle public enquiries since she joined the PCPD in 2019. She is always willing to sacrifice her lunch time and non-office hours to communicate with enquirers. She believes that her patience in listening to their requests would help build mutual trust and respect.
PCPD Publishes 2021–22 Annual Report
The 2021–22 Annual Report of the PCPD was tabled in the Legislative Council on 9 November 2022.
The theme of our Annual Report, “A New Era in the Regulatory Regime for the Protection of Personal Data”, reflects an important regulatory milestone driven by the passage and implementation of the Personal Data (Privacy) Amendment Ordinance 2021.
The Annual Report also highlights other work of the PCPD during 2021–22, including the promotion of the smart use of social media, the ethical development and use of artificial intelligence, the provision of advisories and the issuance of guidance notes in relation to the COVID-19 pandemic and the promotion of understanding of developments in the privacy landscape.
Please click here to download the Annual Report.
Reaching Out to Governance Professionals – Assistant Privacy Commissioner Speaks at the Practising Governance Annual Conference 2022
Acting Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs and Research) Mr Dennis NG attended the Practising Governance Annual Conference 2022 (the Conference) on 28 October and made a presentation entitled “Managing Privacy Risks, Adopting Best Practices and Way Forward”.
Mr Ng pointed out that in the era of information digitalisation which is accelerated by COVID-19 pandemic and work-from-home arrangements, organisations are confronted with considerable challenges relating to data security. He appealed to organisations to adopt Personal Data Privacy Management Programme (PMP) as part of their corporate policies and culture, with a view to minimising the risk of data security incidents and demonstrating the organisations’ commitment to the protection of personal data privacy.
In addition, the PCPD set up a booth at the Conference for promoting PMP to participants.
Please click here for the presentation deck.
A 48-year-old Chinese Male Arrested for a Suspected Doxxing Offence Relating to Part-time Worker Dispute
The PCPD arrested a Chinese male aged 48 in New Territories North on 24 November 2022. He was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO.
The investigation revealed that the victim is a part-time worker and the arrested person is a sourcing agent of part-time workers for different employers. The arrested person used to arrange part-time jobs for the victim at different restaurants. In October 2022, a dispute arose between the victim and the arrested person in relation to her salary payment and job allocation. Thereafter, messages containing the personal data of the victim were disclosed to others using an instant messaging application, with a remark stating that the victim would never be hired again. The personal data disclosed included the victim’s Chinese name, English name and mobile phone number. A partly redacted copy of the victim’s Hong Kong Identity Card showing particulars including her Chinese name, English name, Hong Kong Identity Card number, gender and photo was also disclosed.
The PCPD reminds members of the public that doxxing is a serious offence. In particular, identity cards contain sensitive personal data. Disclosing or forwarding copies of identity cards on the internet or social media platforms without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years.
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
(a) the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
(b) the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
Key Amendments Under the “Draft Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information” (version 2.0)
On 8 November 2022, the National Information Security Standardisation Technical Committee of the Mainland published a revised draft of the “Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information” (Draft Guidance) for public consultation. This article provides an overview of the Draft Guidance, particularly the proposed amendments to the existing version.
To implement the requirement under Article 38(2) of the Personal Information Protection Law (PIPL) to establish a personal information protection certification system, and to guide personal information processors in carrying out cross-border personal information processing activities in a compliant manner, the National Information Security Standardisation Technical Committee (the Committee) published the “Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information” (the Specifications, i.e. the existing version)[1] on 24 June 2022 to provide standardised practical guidance (introduced in this column in July 2022; see also the PCPD’s thematic webpage on the Mainland’s PIPL). The Committee recently proposed amendments to the Specifications and on 8 November 2022 published the “Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Processing of Personal Information V2.0 (Draft for Comments)” (the Draft Guidance)[2]; the consultation period ended on 15 November 2022[3]. The main amendments proposed in the Draft Guidance are summarised below.
First, the Draft Guidance adds a section on “Terms and Definitions”[4], with the following definitions:
- Personal information subject: the natural person identified by or associated with the personal information;
- Personal information processor: an organisation or individual that independently determines the purposes and means of processing in personal information processing activities;
- Overseas recipient: an organisation or individual located outside the People’s Republic of China that receives personal information from a personal information processor.
Of these, the Draft Guidance adopts the PIPL’s definition of “personal information processor”[5].
Apart from the new definitions, compared with the existing version, the Draft Guidance raises the requirements on personal information processors and overseas recipients in the areas of basic principles, basic requirements, and rights, responsibilities and obligations.
Basic Principles
Under the “principle of lawfulness, legitimacy, necessity and good faith”[6], the existing version only provides that personal information processors “shall comply with the provisions of laws and regulations when processing personal information across borders”, whereas the Draft Guidance extends this requirement to overseas recipients, requiring them to comply with the relevant provisions as well.
Under the “principle of openness and transparency”[7], the existing version only provides that personal information processors are responsible for informing personal information subjects of matters relating to the cross-border transfer of their personal information. The Draft Guidance not only extends this requirement to overseas recipients, but also requires both parties to inform personal information subjects of additional matters, such as “the name and contact details of the overseas recipient” and “the methods and procedures for exercising rights”.
Basic Requirements
For security certification, the Specifications require the personal information processor and the overseas recipient to enter into a “legally binding agreement” to safeguard the rights and interests of personal information subjects. The Draft Guidance sets out more detailed requirements for the contents of the agreement[8], which must cover at least:
- basic information of the personal information processor and the overseas recipient, including but not limited to their names, addresses, names of contact persons and contact details[9];
- the purpose, scope, type, sensitivity, quantity, method, retention period and storage location of the cross-border processing of personal information[10];
- the responsibilities and obligations of the personal information processor and the overseas recipient to protect personal information, and the technical and management measures adopted to guard against the security risks that cross-border processing of personal information may bring;
- the rights of personal information subjects, and the channels and means of safeguarding those rights;
- remedies, termination of the contract, liability for breach, dispute resolution, etc.
Of these, the last three items are newly added contents of the agreement, replacing the “measures for protecting the rights and interests of personal information subjects” in the existing version.
In addition, the Specifications require the personal information processor and the overseas recipient to establish a “personal information protection body” to perform personal information protection obligations. On this basis, the Draft Guidance assigns three additional duties to the personal information protection body[11], namely:
- taking effective measures to ensure that cross-border personal information is processed in accordance with the agreed purposes, scope and methods, performing personal information protection obligations and safeguarding the security of personal information;
- conducting regular compliance audits of compliance with the laws and administrative regulations of the People’s Republic of China in processing personal information;
- accepting supervision by the certification body over cross-border personal information processing activities, including responding to enquiries and cooperating with inspections.
Finally, the Specifications require personal information processors to conduct a “personal information protection impact assessment” before carrying out cross-border personal information activities. The Draft Guidance likewise imposes additional requirements in this regard[12] (including that the assessment report must be retained for at least three years), together with more detailed assessment items (for example, the impact of the personal information protection policies and laws of the place where the overseas recipient is located[13]). After the amendments, the Draft Guidance’s requirements on the “personal information protection impact assessment” are similar to the relevant provisions of the Measures for Security Assessment of Outbound Data Transfers[14] and the Provisions on Standard Contracts for Outbound Transfer of Personal Information (Draft for Comments)[15].
Safeguarding the Rights and Interests of Personal Information Subjects
The final part of the Specifications is devoted to safeguarding the rights of personal information subjects and imposing corresponding responsibilities and obligations on the personal information processor and the overseas recipient. The Draft Guidance also amends this part, setting out additional rights and additional responsibilities and obligations for the two parties respectively. It is worth noting that the newly added rights are very similar to certain clauses of the Standard Contract for Outbound Transfer of Personal Information (Draft)[16] (the Standard Contract).
With respect to the “rights of personal information subjects”, the Draft Guidance confers two new rights on personal information subjects[17], namely:
- when exercising their rights, personal information subjects may request the personal information processor to take appropriate measures to give effect to them, or make the request directly to the overseas recipient. Where the personal information processor is unable to give effect to the request, it shall notify and require the overseas recipient to assist[18];
- where their personal information rights and interests are harmed, personal information subjects have the right to claim compensation from either the personal information processor or the overseas recipient[19].
With respect to the “responsibilities and obligations of the personal information processor and the overseas recipient”, the Draft Guidance mainly adds four responsibilities and obligations[20], summarised as follows:
- where the laws or policies of the place where the overseas recipient is located change, the overseas recipient must notify the personal information processor and the certification body[21];
- the overseas recipient undertakes not to provide the personal information received to third parties; where such provision is genuinely necessary, the relevant regulatory requirements must be satisfied[22];
- keeping records of the cross-border personal information processing activities carried out and retaining those records for at least three years[23];
- bearing the burden of proving that the relevant responsibilities and obligations have been performed[24].
In addition to the four new responsibilities and obligations above, the Draft Guidance also sets out more detailed requirements regarding the existing liability for personal information leakage[25], including requiring the personal information processor and/or the overseas recipient to notify the other party, report to the relevant Mainland authorities, notify the personal information subjects in accordance with the relevant laws and regulations, and record and retain all facts and impacts relating to the leakage, tampering or loss of personal information (including all remedial measures taken). The Draft Guidance also stipulates the contents that such report or notification must cover, including the causes of the leakage, tampering or loss of personal information, the types of personal information leaked and the harm that may be caused, and the remedial measures taken.
In summary, in the Draft Guidance the Committee has raised the requirements on personal information processors and overseas recipients for the security certification of cross-border personal information processing activities in a number of respects. As for the actual procedures and arrangements for applying for security certification, the details have yet to be finalised because the bodies responsible for providing certification are still to be confirmed by the Mainland authorities. Personal information processors are advised to monitor closely the latest developments on the Mainland in this regard so as to arrange the outbound transfer of personal information in a compliant and orderly manner in the future.
1. The Specifications serve as the basis on which certification bodies carry out personal information protection certification of cross-border personal information processing activities.
2. Full text of the Draft Guidance: https://www.tc260.org.cn/upload/2022-11-08/1667901838651062562.pdf
3. Notice on the public consultation on the Draft Guidance: https://www.tc260.org.cn/front/postDetail.html?id=20221108180519
4. Draft Guidance, section 3, “Terms and Definitions”
5. PIPL, Article 73(1)
6. Draft Guidance, section 4(a), “Principle of lawfulness, legitimacy, necessity and good faith”
7. Draft Guidance, section 4(b), “Principle of openness and transparency”
8. Draft Guidance, section 5.1, “Legally binding agreement”
9. The existing version only lists “the personal information processor and the overseas recipient carrying out the cross-border personal information processing activities”
10. The existing version only lists “the purpose of the cross-border processing of personal information and the categories and scope of the personal information”
11. Draft Guidance, section 5.2.2, “Personal information protection body”
12. Draft Guidance, section 5.4, “Personal information protection impact assessment”
13. Draft Guidance, section 5.4(e)
14. See Article 5 of the Measures for Security Assessment of Outbound Data Transfers
15. See Article 5 of the Provisions on Standard Contracts for Outbound Transfer of Personal Information (Draft for Comments)
16. When consulting on the Provisions on Standard Contracts for Outbound Transfer of Personal Information (Draft for Comments), the Cyberspace Administration of China drew up and attached a draft Standard Contract for Outbound Transfer of Personal Information. Notice on the public consultation on the Provisions on Standard Contracts for Outbound Transfer of Personal Information (Draft for Comments): http://www.cac.gov.cn/2022-06/30/c_1658205969531631.htm
17. Draft Guidance, section 6.1, “Rights of personal information subjects”
18. Draft Guidance, section 6.1(c); the equivalent right appears in Article 5(2) of the Standard Contract
19. Draft Guidance, section 6.1(f); the equivalent right appears in Article 8(3) of the Standard Contract
20. Draft Guidance, section 6.2, “Responsibilities and obligations of the personal information processor and the overseas recipient”
21. Draft Guidance, section 6.2(b); the equivalent obligation appears in Article 4(5) of the Standard Contract
22. Draft Guidance, section 6.2(d); the equivalent obligation appears in Article 3(7) of the Standard Contract
23. Draft Guidance, section 6.2(f); the equivalent obligation appears in Article 3(11) of the Standard Contract
24. Draft Guidance, section 6.2(l); the equivalent obligation appears in Article 2(9) of the Standard Contract
25. Draft Guidance, section 6.1(h)
RECOMMENDED ONLINE TRAININGS
Online Professional Workshop on Recent Court and Administrative Appeals Board Decisions
This intermediate workshop, to be conducted by experienced lawyers from the PCPD, will provide legal practitioners and compliance officers with updated knowledge and insight on the legal arguments of the recent Hong Kong Court decisions and Administrative Appeals Board cases, which focus on specific topics in data privacy law. It will examine some recent decisions which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work.
Date: 7 December 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: solicitors, barristers, in-house lawyers, data protection officers, compliance officers, company secretaries and administration managers
Online Professional Workshop on Data Protection in Direct Marketing Activities
Direct marketing is widely adopted by different types of organisations in promoting their products and services. In Hong Kong, the use of personal data in direct marketing activities is governed by the PDPO. This workshop provides a practical approach to compliance with the requirements under the PDPO in direct marketing activities, illustrates relevant conviction cases and provides practical solutions to problems that marketers may face in devising direct marketing activities.
Date: 14 December 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals
Other Professional Workshops on Data Protection from Jan to Mar 2023:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.