PCPD e-NEWSLETTER
ISSUE Dec 2022
First Sentencing Case of the New Doxxing Offence
The Shatin Magistrates’ Court earlier on 6 October 2022 convicted a 27-year-old male, Mr HO Muk-wah, of seven charges of the new doxxing offence upon his guilty plea. After considering the relevant reports, the court sentenced the defendant to 8 months’ imprisonment on 15 December 2022. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling. The defendant and the victim had a short relationship before breaking up. Between 19 and 26 October 2021, the defendant disclosed on four social media platforms the personal data of the victim without her consent, including her name, photos, residential address, private and office telephone numbers, name of her employer and her position. The defendant also impersonated the victim to open accounts on three of the said platforms. The defendant stated in the relevant messages that the victim welcomed others to visit her at her residential address. Many strangers later contacted the victim and tried to get acquainted with her. The PCPD arrested the defendant on 22 June 2022. Upon legal advice of the Department of Justice, a total of seven charges were laid against the defendant on 17 August 2022 in respect of doxxing offences. The defendant pleaded guilty to all charges at the Shatin Magistrates’ Court and was convicted by the Court on 6 October 2022 on his disclosure of the personal data of the victim on four social media platforms between 19 and 26 October 2021 without her consent, with an intent to cause specified harm to her or her family members, or being reckless as to whether specified harm would be (or would likely be) caused to her or her family members, in contravention of section 64(3A) of the Personal Data (Privacy) Ordinance (PDPO).
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
Telling the World a Good Hong Kong Story – Privacy Commissioner Attends the 58th Asia Pacific Privacy Authorities Forum
Privacy Commissioner Ms Ada CHUNG Lai-ling and senior officers of the PCPD attended the 58th Asia Pacific Privacy Authorities (APPA) Forum from 29 to 30 November 2022. The forum was held in a hybrid mode in Singapore.
During the Forum, the Privacy Commissioner shared with APPA members the enforcement experience of the PCPD as regards doxxing cases and the new criminal investigation and prosecution powers of the PCPD.
Privacy Commissioner Ms Ada CHUNG Lai-ling said “The weaponisation of personal data by doxxing has caused great concern in the community. While our enforcement work has been effective in deterring doxxing activities, given that the cyber world has no borders, enhancing international collaboration on enforcement is vital in combatting doxxing”.
In a session which featured data security measures, Acting Senior Legal Counsel of the PCPD Ms Joyce LIU gave an overview of the “Guidance Note on Data Security Measures for Information and Communications Technology” published by the PCPD. She highlighted the data security measures recommended by the PCPD in the Guidance Note.
Major themes discussed at the APPA Forum included:
- Data security measures and enforcement strategies by regulators;
- Cross-border data transfers;
- Safeguarding children’s online privacy;
- Increasing the use of privacy-enhancing technologies; and
- Development and use of artificial intelligence.
Founded in 1992, APPA is the principal forum for privacy and data protection authorities in the Asia Pacific region to strengthen cooperation, discuss best practices and share information on privacy regulation, emerging technologies and the handling of complaints relating to privacy. The 58th APPA Forum was hosted by the Personal Data Protection Commission of Singapore.
In this issue:
- Direct Marketing and Data Privacy Protection
- PRIVACY COMMISSIONER’S FINDINGS: An Individual Used a Customer’s Personal Data in Direct Marketing Without Taking Specified Actions to Notify the Customer and Obtain his Consent, and Failed to Notify the Customer of His Opt-out Right
- Safeguard Your Webcams against Privacy Leakage
- Privacy Commissioner’s Office Publishes an Investigation Report on Two Personal Data Breach Incidents of the Registration and Electoral Office
- Privacy Commissioner’s Office Laid Charge in a Doxxing Case
- Privacy Commissioner’s Office Publishes an Inspection Report on the Personal Data System of TransUnion
- A 32-year-old Chinese Male Convicted of Online Doxxing
- A 35-year-old Chinese Female Arrested for a Suspected Doxxing Offence Relating to Emotional Dispute
- Privacy Commissioner’s Office Laid Charges in a Doxxing Case
- A 59-year-old Chinese Female Arrested for a Suspected Doxxing Offence
- RECOMMENDED ONLINE TRAININGS: Webinar on “Preventing and Handling of Students’ Misbehaviour involving Cyberbullying and Doxxing”; Online Professional Workshops; Free Online Seminar: Introduction to the PDPO; Arrange an In-house Seminar for Your Organisation
- RENEWAL OF DPOC’S MEMBERSHIP
- Privacy Commissioner Publishes an Article on “New Anti-doxxing Regime is Beginning to Bear Fruits” at China Daily Hong Kong Edition
- First Sentencing Case of the New Doxxing Offence – Privacy Commissioner Interviewed by Now TV’s “News Magazine”
- First Sentencing Case of the New Doxxing Offence – Privacy Commissioner Interviewed by the Media
- Privacy Commissioner Interviewed by TVB’s “News Magazine”
- Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society’s 2022 Pro Bono and Community Service Award Presentation Ceremony
- Reaching Out to Medical and Healthcare Sector – Privacy Commissioner Explains the Requirements of the Personal Data (Privacy) Ordinance to Staff Members of the New Territories West Cluster of Hospital Authority
- Reaching Out to the Community – Legal Counsel of the Privacy Commissioner’s Office Interviewed by HOY TV’s “City Focus”
- Highlights of the “Implementation Rules for Personal Information Protection Certification” (《個人信息保護認證實施規則》)
- International: European Commission Publishes Draft Adequacy Decision for EU-US Data Flows
- EU: Council Adopts Position on AI Act
- Germany: DSK Releases Updated Standard Data Protection Model
- USA: OCR Publishes Bulletin on HIPAA Requirements for Online Tracking Technologies

Direct Marketing and Data Privacy Protection
Public and private organisations, as data users, may conduct direct marketing activities from time to time to promote their products and services to their own customers or service users. Rather than regulating all types of direct marketing activities, the PDPO defines direct marketing as the offering, or advertising of the availability, of goods, facilities or services, or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.
If the direct marketing activities conducted by your organisation involve the collection and use of customers’ personal data, you should comply with the regulatory regime on direct marketing under the PDPO. Before using customers’ personal data for your own direct marketing purposes, you must:
- Inform your customers of your intention to use their personal data for direct marketing, and you may not so use the data unless you have their consent;
- Provide the customers with information on the intended use of personal data, including the kinds of personal data to be used and classes of marketing subjects in relation to which the data is to be used;
- Provide the customers with a free-of-charge channel through which they may communicate their consent to the intended use;
- Present the information to the customers in a manner that is easily understandable;
- Notify the customers of their opt-out right when using their personal data in direct marketing for the first time; and
- Stop using the customers’ personal data in direct marketing if they opt out, without any charge to them.
You could use the customers’ personal data in direct marketing only after receiving their consent to the intended use of their personal data. Here is an example of providing customers with a response channel where they give their consent to receive direct marketing materials:
[Image: sample response channel through which customers give their consent to receive direct marketing materials]
Please view the PCPD’s Guidance below for further information about the regulation of direct marketing activities under the PDPO:
Guidance on Direct Marketing
PRIVACY COMMISSIONER’S FINDINGS
An Individual Used a Customer’s Personal Data in Direct Marketing Without Taking Specified Actions to Notify the Customer and Obtain his Consent, and Failed to Notify the Customer of His Opt-out Right
The Complaint
A few years ago, the Complainant made contact with several companies to enquire about home repair services, and Ms Y was a representative of one of the companies. One day, the Complainant received a direct marketing message via an instant messaging app from Ms Y regarding property investment and was informed that she could arrange transportation for viewing the properties.
Outcome
Ms Y pleaded guilty to two charges under the PDPO and was fined HK$4,000 in total (HK$2,000 in respect of each charge). The first charge related to the offence of using the personal data of the Complainant in direct marketing without taking specified actions to notify the customer and obtain his consent, in contravention of section 35C of the PDPO. The second charge related to the offence of failing to inform the Complainant, when using his personal data in direct marketing for the first time, of his right to request not to use his personal data in direct marketing without charge, in contravention of section 35F of the PDPO.
Lessons Learnt
Before using a data subject’s personal data in direct marketing, a data user (whether an individual or a representative of an organisation) must take the specified actions under section 35C of the PDPO. The specified actions include notifying the data subject: that the data user may not use his personal data for direct marketing unless he has received the data subject’s consent; of the kinds of personal data that the data user intends to use for direct marketing; of the classes of marketing subjects in relation to which the personal data of the data subject is to be used; and of a response channel through which the data subject can communicate his consent.
Pursuant to section 35F of the PDPO, the data user must also, when using the data subject’s personal data in direct marketing for the first time, notify the data subject of his right to request the data user to cease to so use the data, without charge to the data subject.
Failure to comply with each of the above requirements is a criminal offence, and is punishable by a fine up to HK$500,000 and imprisonment of up to 3 years.
Safeguard Your Webcams against Privacy Leakage
During the festive season, we often see an upsurge in the use of internet-connected cameras (webcams), especially because people can, via online video calls, easily connect with their beloved family and friends who are thousands of miles away. While webcams have become part of our everyday life, they also pose a threat to privacy and personal data security due to potential unauthorised access to webcams by hackers.
To protect your personal data privacy when using a webcam, follow the practical advice below to improve your webcam security:
- Select a webcam for which the manufacturer provides firmware upgrades and bug fixes, and enable encryption of the data in transit when viewing images via the internet;
- Change the default password of the webcam when using it for the first time;
- Change the password regularly, use a complex password (for example, one combining letters and numbers) and do not reuse the same password;
- Ensure that the network used by the webcam is secure, and do not monitor or administer the webcam over a public network;
- Check the webcam settings regularly, reset the account of the webcam immediately if the settings are changed unexpectedly;
- Update firmware of webcam to the latest version;
- Review the privacy settings regularly and adjust them if appropriate; and
- Do not set the webcam to monitor private or sensitive areas. Turn it off when it is not in use.
Privacy Commissioner Publishes an Article on “New Anti-doxxing Regime is Beginning to Bear Fruits” at China Daily Hong Kong Edition
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article to explain the new doxxing offences, which took effect in October 2021, and recapitulate the enforcement work and achievements of her Office in combatting doxxing over the past year. The Privacy Commissioner highlighted that the new anti-doxxing regime did not affect the normal and lawful business activities in Hong Kong, nor the freedom of speech and free flow of information that Hong Kong citizens enjoy.
The article was published in China Daily Hong Kong Edition on 28 December 2022. Please click here to read the article.
First Sentencing Case of the New Doxxing Offence – Privacy Commissioner Interviewed by Now TV’s “News Magazine”
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Now TV’s “News Magazine” on 22 December.
During the interview, the Privacy Commissioner explained the scope of the new doxxing offence and shared the enforcement work of the PCPD on combatting doxxing offence.
The Privacy Commissioner welcomed the court’s ruling on 15 December 2022 in the first sentencing case relating to the new doxxing offence. She considered that the eight months’ imprisonment term highlighted the seriousness of the doxxing offence and served as a warning to society.
Apart from law enforcement, the Privacy Commissioner also shared that the PCPD had launched a series of publicity and education campaigns about the new doxxing offence via various channels, including the broadcast of television and radio announcements, distributing promotional leaflets, organising seminars and launching a thematic website on “Doxxing Offences”.
The Privacy Commissioner also reminded members of the public that reposting doxxing messages could be considered as another disclosure of personal data. To avoid breaking the law, members of the public should think twice before publishing or forwarding any doxxing messages on the internet or social media.
Please click here to view the interview (Chinese only).
First Sentencing Case of the New Doxxing Offence – Privacy Commissioner Interviewed by the Media
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Commercial Radio “On A Clear Day” and RTHK “Open Line Open View” on 16 December 2022.
The Privacy Commissioner welcomed the court’s ruling on 15 December 2022 in the first sentencing case relating to the new doxxing offence. She considered that the eight months’ sentence highlighted the seriousness of the doxxing offence and served as a warning to society.
The Privacy Commissioner also reminded members of the public not to publish or repost any doxxing messages on social media platforms. Reposting doxxing messages could be considered as another disclosure of personal data and might constitute a doxxing offence.
Privacy Commissioner Interviewed by TVB’s “News Magazine”
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by TVB’s “News Magazine”. The episode highlighted that the disclosure of intimate images might constitute a criminal offence. The Privacy Commissioner pointed out that the disclosure of intimate images may amount to a doxxing offence under the PDPO, and talked about the enforcement actions taken by her office to combat doxxing offences. She also reminded members of the public to think twice before reposting any doxxing messages on the internet or social media platforms to avoid breaking the law. The interview was broadcast on 10 December 2022.
Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society’s 2022 Pro Bono and Community Service Award Presentation Ceremony
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 2022 Pro Bono and Community Service Award Presentation Ceremony of the Law Society of Hong Kong on 12 December 2022 and presented prizes at the ceremony. The Law Society has been organising the Pro Bono and Community Work Recognition Programme (the Programme) since 2010. The key objectives of the Programme are to promote public awareness of the pro bono work offered by members of the Law Society, trainee solicitors and registered foreign lawyers, and to recognise their pro bono efforts and contributions to society. The Privacy Commissioner is one of the judges for the Distinguished Pro Bono Service Award (for individuals / law firms) this year.
Reaching Out to Medical and Healthcare Sector – Privacy Commissioner Explains the Requirements of the PDPO to Staff Members of the New Territories West Cluster of Hospital Authority
The PCPD and the New Territories West Cluster of Hospital Authority co-organised an in-house webinar on PDPO on 1 December 2022. During the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling and Acting Personal Data Officer Ms Ruby LAM elaborated on ways and means to comply with the requirements of the PDPO to over 200 participants from the management, medical and healthcare and support staff of Tuen Mun Hospital, Castle Peak Hospital, Pok Oi Hospital and Tin Shui Wai Hospital. The speakers also provided concrete examples and practical advice to the audience. The Privacy Commissioner highlighted the importance of data security and stressed that patients’ personal data privacy should be properly protected.
Reaching Out to the Community – Legal Counsel of the Privacy Commissioner’s Office Interviewed by HOY TV’s “City Focus”
Legal Counsel of the PCPD Ms Joyce LIU was interviewed by HOY TV’s “City Focus”. The episode highlighted that a man was arrested by the police earlier for a voyeurism offence after allegedly using a drone to covertly film individuals in their hotel rooms or residential units. Ms Liu pointed out that the use of drones to video-record the activities of individuals inside hotel rooms or residential units may amount to a contravention of Data Protection Principle 1 under the PDPO. Depending on the circumstances, if the drone operator shares the relevant recordings on the internet or social media platforms, that may also constitute a doxxing offence under the PDPO.
Please click here to view the interview, which was broadcast on 13 December 2022.
Privacy Commissioner’s Office Publishes an Investigation Report on Two Personal Data Breach Incidents of the Registration and Electoral Office
On completion of its investigations into two personal data breach incidents of the Registration and Electoral Office (the REO), the PCPD published an investigation report on 29 December 2022.
Investigation Case (1): A Staff Member of the REO Wrongly Dispatched Files Containing the Data of Electors by Email to an Unknown Recipient
Incident (1) occurred during the period when the fifth wave of COVID-19 ran rampant. At that time, the REO put in place special work-from-home arrangements by dividing staff into different teams to work at home alternately to reduce social contact. The clerical officer involved in the incident (the Clerical Officer) was arranged to work from home on certain days. At around 7 p.m. on 23 March 2022, the Clerical Officer planned to send two Excel files which contained the particulars of about 15,000 electors (including their Chinese and English names and residential addresses) (the Two Excel Files) to her personal email account to facilitate her work from home on the next day. However, the Clerical Officer inputted an incorrect email address so that the Two Excel Files were sent to an unknown recipient. The Clerical Officer only realised the mistake when she noticed that the email did not reach her personal email account after some 10 minutes. She then reported the situation to the Assistant Electoral Officer. According to the evidence obtained during the investigation, Privacy Commissioner Ms Ada Chung Lai-ling (Privacy Commissioner) considers that the following reasons had led to the occurrence of Incident (1):
- Failure of the staff of the REO to comply with the guidelines issued by the Office on information technology security;
- Inadequate awareness of data protection on the part of the staff of the REO; and
- Inadequate information security measures of the REO.
The Privacy Commissioner considers that the incident mainly involved human errors. The data breach incident stemmed from the negligence and lack of awareness on data protection of an individual staff member, which led to the contravention of the relevant guidelines of the REO on information technology security, which provided that “[staff should] only use the email system of the REO for transmission of classified information through email” and “[staff should not] use personal email accounts for official duties or for transmitting classified information or personal data”. Simply to facilitate her work at home, the staff member concerned sent an email which contained a huge amount of personal data of electors to an incorrect email address outside the REO’s email system with neither thorough consideration of the security risks involved nor careful checking of the email address of the recipient. On the other hand, the Privacy Commissioner also finds that the REO had not put in place appropriate information security measures prior to the incident, which allowed staff to use its email system to freely send files which contained personal data to personal email addresses outside the email system of the REO. This was another root cause for the incident.
Investigation Case (2): The REO Wrongly Attached a Reply Slip Submitted by an Election Committee (EC) Member to a Test Email
Incident (2) occurred in the preparatory stage for the 2022 Chief Executive Election (the Election). To prepare for the Election, the REO planned to issue test SMS and/or email messages on 27 April 2022 to EC members and/or their assistants who had provided their mobile phone numbers and/or email addresses to ensure that they could receive information related to the Election.
Upon the REO’s receipt of the reply slips which contained contact information provided by EC members and their assistants, the information provided in the reply slips, which related to about 1,800 EC members and their assistants, would be manually inputted onto a computer list (the Master List). However, inaccuracies in the Master List were spotted on the scheduled date of dispatch of the test emails (i.e. 27 April 2022) despite multiple rounds of checking. The Senior Project Officer (the SPO), who was assigned to oversee the task of issuing the test emails (and SMS), therefore instructed staff members to check the email addresses and issue the test emails in batches. To facilitate checking, the Executive Assistants responsible for issuing the test emails would split their computer screens into two halves, with the left-hand side showing the draft test emails and the right-hand side showing the electronic copies of the reply slips. The Executive Assistants would use the up and down arrow keys on the keyboard to select the corresponding reply slips (shown in a preview window) and check them against the email addresses inputted into the “bcc” fields of the draft test emails one by one. Thereafter, an Electoral Officer and the SPO would conduct the second and third checking respectively using the Executive Assistants’ computers. The Executive Assistants would only issue the relevant emails by pressing the “Send” button after the SPO had cross-checked the email addresses with the electronic copies of the reply slips and confirmed the contents of the test emails to be accurate. To speed up the process, the SPO instructed that the second checking be removed starting from the fourth batch of test emails. In the morning of 28 April 2022, it was discovered in the course of reviewing the issued test emails that an email sent to 38 EC members and 26 assistants at 4:42 a.m. had a reply slip containing the personal data of an EC member and his assistant wrongly attached to it.
The personal data concerned were the names, email addresses and phone numbers of the EC member and his assistant, and the signature of the EC member. According to the evidence obtained during the investigation, the Privacy Commissioner considers that the following reasons had led to the occurrence of Incident (2):
- Negligence and inadequate awareness of data protection on the part of the staff of the REO;
- Deficiencies in the work process of the REO; and
- Absence of written procedures for the relevant work.
The Privacy Commissioner considers that the incident was mainly caused by human errors. The incident stemmed from the negligence and lack of awareness of data protection on the part of the relevant staff and deficiencies in the REO’s relevant workflow. In the present case, the inaccuracies of the Master List apparently led to a sudden change in the workflow and last-minute cross-checking of email addresses in draft test emails against the reply slips by staff well after midnight. The Privacy Commissioner considers that if the REO had had a proper workflow in place to ensure the Master List was promptly and accurately prepared, the staff members involved would not have had to conduct last-minute manual checking under tight time constraints or use an unreliable method to conduct the checking. Meanwhile, if the staff members involved had been more cautious in the checking process, the incident could have been avoided. In addition, the REO did not have any written procedures in relation to the mechanism of sending test emails, thus increasing the risks of human errors and non-compliance with the necessary steps. The Privacy Commissioner understands that staff of the REO were working under huge pressure in conducting last-minute checks. However, the lack of written procedures inevitably increased the risks of human errors, especially when the staff concerned needed to work for prolonged hours, and the removal of the second checking to expedite the whole process undermined the effectiveness of the original three-tier checking mechanism.
Overall, the Privacy Commissioner considers that “The two incidents revealed that the Registration and Electoral Office had not taken all practicable steps to ensure that personal data was protected from unauthorised or accidental access, processing, erasure, loss or use; I therefore find that the Registration and Electoral Office had contravened DPP4(1) concerning the security of personal data under the PDPO.” The Privacy Commissioner has served two Enforcement Notices on the REO directing it to remedy and prevent recurrence of the contravention. The Privacy Commissioner requested the REO to implement technological security measures to monitor the use of its email system, review and improve the workflow of collecting personal data from EC members and issuing bulk emails which contain personal data, as well as strengthen training in respect of information security and the protection of personal data. The Privacy Commissioner is also pleased to note that the REO had striven to learn from the incidents. After the occurrence of the two incidents, the REO has enhanced security measures and reviewed the relevant workflow of personal data handling to strengthen the protection of personal data privacy. Through the report, the Privacy Commissioner wishes to make the following recommendations to organisations which possess a huge amount of personal data:
- Thoroughly implement a Personal Data Privacy Management Programme;
- Conduct privacy risk assessments and formulate specific guidelines for non-routine work;
- Devise effective education and training plans on personal data security; and
- Deploy information security measures to mitigate the risk of human errors.
Please click here to download “Investigation Report: Two Personal Data Breach Incidents of the Registration and Electoral Office”.
Privacy Commissioner’s Office Laid Charge in a Doxxing Case
On 23 December 2022, the PCPD laid a charge against a Chinese male aged 31 (defendant) for “disclosing personal data without consent”, contrary to section 64(3A) of the PDPO. The case will have its first mention hearing at the Fanling Magistrates’ Court in the morning of 5 January 2023. The investigation revealed that the defendant and the victim were former co-workers of a company. Their relationship turned sour because of performance at work, which ultimately led to the dismissal of the defendant by the company. Later in mid-October 2021, personal data of the victim, including his Chinese name, mobile phone number, name of his former residential estate, name of employer, along with information on the past deeds of the victim, were posted on a social media platform. The PCPD arrested the defendant on 2 September 2022.
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
Privacy Commissioner’s Office Publishes an Inspection Report on the Personal Data System of TransUnion
The PCPD published an Inspection Report on the personal data system of TransUnion Limited (TransUnion) on 20 December 2022. With the advancement in technology and the wide use of TransUnion’s services, there is an increasing public expectation on the data security measures adopted by TransUnion as regards its consumer credit database. In the circumstances, Privacy Commissioner Ms Ada CHUNG Lai-ling invoked the power vested in her under section 36 of the PDPO to carry out an inspection to review the personal data system of TransUnion. On 28 November 2022, TransUnion Credit Information Services Limited, a wholly owned subsidiary of TransUnion, was appointed as one of the credit reference agencies under the Multiple Credit Reference Agencies Model developed by The Hong Kong Association of Banks, the Hong Kong S.A.R. Licensed Money Lenders Association Limited, and The Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies. The findings of the inspection reveal that, during the inspection, TransUnion’s consumer credit database stored the personal data and consumer credit records of over 5.6 million consumers. In general, TransUnion attached great importance to the personal data held by it and adopted good practices, and the security measures of its consumer credit data system conformed with international standards. The Privacy Commissioner is also pleased to note that TransUnion has accepted the advice of the PCPD in implementing a Personal Data Privacy Management Programme and appointing a designated officer as the data protection officer to institutionalise a proper system for the collection, handling, processing and use of personal data in compliance with the PDPO. The Privacy Commissioner considers that in the protection of personal data, TransUnion has complied with the requirements of Data Protection Principle 4 of Schedule 1 to the PDPO as regards the security of personal data.
The above notwithstanding, the Privacy Commissioner recommends TransUnion to formulate internal policies and standards which are applicable in Hong Kong based on its global policy, set out the roles and responsibilities of the Data Protection Officer more clearly, standardise the procedures of managing internal activity log records, revise its policies relating to the handling of suspected abnormal access by credit providers, and conduct regular and timely reviews on the practices of its data processors in handling personal data. During the inspection, TransUnion launched a free “Credit Alert Service” on the advice of the PCPD, which alerts service subscribers by email whenever there are crucial changes to their credit reports (e.g. changes of telephone numbers or addresses, or when there are application enquiries or opening of accounts), so that the individuals concerned are aware of the changes in their credit reports and may take early preventive measures or remedial actions. Besides, TransUnion also launched a new feature, on the advice of the Privacy Commissioner, to allow individuals who were victims or suspected victims of doxxing to add remarks to their credit reports, thereby alerting credit providers using the consumer credit reference service of TransUnion (i.e. banks or financial institutions) to the matter when reviewing the credit reports and assessing the individuals’ credit applications. Through the findings of the inspection, the Privacy Commissioner would like to make the following recommendations to organisations which handle vast amounts of customers’ personal data:
- Establish a Personal Data Privacy Management Programme and appoint a designated Officer as Data Protection Officer;
- Formulate a local policy;
- Fulfil corporate social responsibility and strive to enhance the protection of personal data privacy;
- Monitor access to personal data; and
- Prudently appoint and manage data processors.
Please click here to download “Inspection Report: Personal Data System of TransUnion Limited”:
A 32-year-old Chinese Male Convicted of Online Doxxing
On 13 December 2022, the West Kowloon Magistrates’ Court convicted a 32-year-old male, Mr IP Chun-hin (defendant), of two charges of the new doxxing offence. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling. This is the second conviction involving contravention of the doxxing offences of the PDPO under the new anti-doxxing regime which took effect on 8 October 2021. Owing to a monetary dispute, the defendant posted the names, residential address and names of the employers of the victims in two different groups on a social media platform without their consent between 19 and 20 October 2021. The mobile phone number of one of the victims was also posted in one of the groups. The PCPD arrested the defendant on 13 December 2021, which was the first arrest made after the new anti-doxxing regime had come into effect. Upon legal advice of the Department of Justice, the PCPD laid charges against the defendant on 20 May 2022 in respect of his doxxing of the two victims on two different occasions.
Court Proceedings
In the court hearing on 13 December 2022, the defendant was found guilty, after trial, of two charges contravening sections 64(3A) and 64(3C) of the PDPO respectively. The court found that the defendant made the disclosures between 19 and 20 October 2021 in two different groups on a social media platform without the two victims’ consent, with an intent to cause specified harm to the victims or their family members, or being reckless as to whether specified harm would be, or would likely be, caused to them or their family members, and that the disclosures resulted in specified harm to one of the victims. The court adjourned the case to 3 January 2023 for sentencing, pending the acquisition of relevant reports. The defendant was granted bail pending sentence.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject – (a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or (b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject. A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if – (a) the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
(b) the disclosure causes any specified harm to the data subject or any family member of the data subject. A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means – (a) harassment, molestation, pestering, threat or intimidation to the person; (b) bodily harm or psychological harm to the person; (c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (d) damage to the property of the person.
A 35-year-old Chinese Female Arrested for a Suspected Doxxing Offence Relating to Emotional Dispute
The PCPD arrested a Chinese female aged 35 on Hong Kong Island on 8 December 2022. She was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that the victim and the husband of the arrested person developed a close relationship between 2019 and 2021, after which the victim exposed the said relationship to the arrested person. Subsequently, three messages containing the personal data of the victim were posted in a chat group on a social media platform between November 2021 and May 2022, alongside some negative comments and allegations against her. The personal data disclosed included the victim’s Chinese name, English name, alias, year of birth, area of residence, area of work, as well as her occupation and photos. The PCPD reminds members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years. The PDPO applies equally to the online world. To avoid breaking the law, members of the public should think twice before publishing or forwarding any doxxing messages on the internet or social media platforms.
Privacy Commissioner’s Office Laid Charges in a Doxxing Case
On 7 December 2022, the PCPD laid a total of 14 charges against a Chinese female aged 36 (defendant) for “disclosing personal data without consent”, contrary to section 64(3A) of the PDPO. This is the fourth case where charges were laid under the new anti-doxxing regime which came into operation in October 2021. The investigation revealed that the defendant was an online trader and the victim was her supplier. Their business relationship later turned sour because of a monetary dispute. In December 2021, the personal data of the victim and her husband was disclosed in about 14 groups on a social media platform, together with allegations about fraudulent behaviour. The personal data disclosed included the Chinese names, phone number and photos of the victim and her husband. The PCPD arrested the defendant on 26 July 2022.
A 59-year-old Chinese Female Arrested for a Suspected Doxxing Offence
The PCPD arrested a Chinese female aged 59 in the New Territories North on 2 December 2022. She was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that the victim had previously rented a flat from the arrested person and disputes arose between the parties on rental payments. Subsequently, in March 2022, three messages containing the personal data of the victim, with some negative comments, were posted in a group on a social media platform. The personal data disclosed included the victim’s Chinese name, his occupation and the district of his residence. A partly redacted copy of the victim’s Hong Kong Identity (HKID) Card showing his Chinese name, English name, HKID card number, date of birth and his photo was also disclosed. The PCPD reminds members of the public that identity cards contain sensitive personal data. Disclosing or forwarding copies of identity cards on the internet or social media platforms without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years.
Highlights of the “Implementation Rules for Personal Information Protection Certification”
On 18 November 2022, the State Administration for Market Regulation and the Cyberspace Administration of China jointly issued the “Implementation Rules for Personal Information Protection Certification” (the Rules), which set out the basic principles and requirements for the certification of personal information processors in relation to their personal information processing activities, including cross-border transfers of personal information. The Rules are intended to, among others, enhance the capability of personal information protection through certification of personal information processors. This article provides an overview of the Rules.
To implement the provisions of the Personal Information Protection Law on regulating personal information processing activities and promoting the reasonable use of personal information, and to encourage personal information processors to enhance their personal information protection capability through certification [1], the State Administration for Market Regulation (SAMR) and the Cyberspace Administration of China (CAC) decided to implement personal information protection certification in accordance with the Regulations on Certification and Accreditation [2], and on 18 November 2022 jointly issued the “Implementation Rules for Personal Information Protection Certification” [3] (the Rules), which set out the basic principles and requirements for certifying the processing activities of personal information processors, including the collection, storage, use, processing, transmission, provision, disclosure, deletion and cross-border transfer of personal information [4].
Scope of Application and Basis of Certification
The certification scheme is voluntary [5] and applies to two categories of personal information processing activities: (i) personal information processing activities within the Mainland; and (ii) cross-border personal information processing activities. To obtain certification, personal information processors carrying out either category of activity must meet the requirements of the national standard GB/T 35273-2020 “Information Security Technology – Personal Information Security Specification” (the Standard) [6][7]. Personal information processors that carry out cross-border processing activities must additionally meet the requirements of the specification document TC260-PG-20222A “Practice Guide to Cybersecurity Standards – Security Certification Specification for Cross-border Processing Activities of Personal Information” (the Specification) [8][9].
Although the Standard and the Specification are only guidance documents with no legally binding force, the Rules expressly designate them as the basis for certification. It follows that a personal information processor must first meet the requirements of these documents before it can obtain certification.
The Rules also publish two different personal information protection certification marks [10]:
(i) The personal information protection certification mark for processors whose activities do not include cross-border processing is as follows:
(ii) The personal information protection certification mark for processors whose activities include cross-border processing is as follows:
RECOMMENDED ONLINE TRAININGS
Webinar on “Preventing and Handling of Students’ Misbehaviour involving Cyberbullying and Doxxing”
With online learning, social networking, entertainment and other online activities becoming an integral part of students’ daily lives, it is vital to educate them to surf and communicate online with the right attitude. This webinar aims to explain to educators the protection of personal data online and the doxxing offences introduced by the Personal Data (Privacy) (Amendment) Ordinance 2021. Speakers will also share their teaching experience in preventing and dealing with students’ cyberbullying behaviours, with a view to assisting participants in teaching students to say “No” to cyberbullying and doxxing.
Principals and teachers from primary and secondary schools are welcome to attend. The event is supported by the Education Bureau (EDB). Attendees will receive 1.5 CPD hours from the EDB.
Date: 6 January 2022 (Friday)
Time: 4:00pm – 5:30pm
Fee: Free of charge
Language: Cantonese
Target audience: principals and teachers of primary and secondary schools
Online Professional Workshop on Data Protection in Banking / Financial Services
This workshop examines the personal data privacy issues facing banking and financial personnel in their daily operation and provides practical steps that can be taken to deal with the issues effectively.
Date: 11 January 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking / financial industry.
Online Practical Workshop on Data Protection Law
This workshop, to be conducted by experienced lawyers from the PCPD, is for people who are charged with the responsibility of advising on compliance with the PDPO, and aims to give them a solid grounding in the application and interpretation of the provisions of the PDPO.
Date: 15 February 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: solicitors, barristers, in-house legal counsel, data protection officers, compliance officers
Other Professional Workshops on Data Protection from Feb to Mar 2023:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.