PCPD e-NEWSLETTER
ISSUE May 2023
Privacy Commissioner’s Office Signs MoU with the Philippines' National Privacy Commission to Foster Closer Collaboration and Cooperation in Personal Data Privacy Protection
|
The Office of the Privacy Commissioner for Personal Data, Hong Kong, China and the National Privacy Commission of the Philippines executed a Memorandum of Understanding (MoU) on 22 May to strengthen their ties and foster closer cooperation in the protection of personal data privacy.
The MoU was signed on the sidelines of a meeting in Hong Kong between the two regulatory authorities.
Under the MoU, the scope of collaboration includes the sharing of information involving potential or on-going investigations or any other enforcement actions, providing mutual assistance in joint investigations into cross border personal data incidents or breaches, and collaboration in training and education on current and emerging data protection issues. The MoU forms the basis of a closer relationship between the two authorities in matters of mutual regulatory interest.
|
Privacy Commissioner’s Office Organises Awards Presentation Ceremony of Short Video Competition for Primary School Students on “Respecting Privacy Begins with Me” Recognising 23 Outstanding Primary School Teams in Promoting the Respect for and Protection of Personal Data Privacy
|
The PCPD held an Awards Presentation Ceremony of a Short Video Competition for Primary School Students on “Respecting Privacy Begins with Me” (Competition) on 12 May to recognise the efforts of 23 outstanding primary school teams in promoting the respect for and protection of personal data privacy.
The Awards Presentation Ceremony, which was officiated by the Under Secretary for Constitutional and Mainland Affairs Mr Clement WOO Kin-man, MH, JP, was held at the Hong Kong Federation of Youth Groups Building in Quarry Bay. Other guests included members of the Personal Data (Privacy) Advisory Committee and the Standing Committee on Technology Development of the PCPD, Mr Addy WONG Wai-hung, MH, JP, the Honourable Carmen KAN Wai-mun, Ms Terese AU-YEUNG Kar-wa, Mr Joseph LIN Ho-man and Professor Jason LAU.
The judging panel of the Competition included the Privacy Commissioner Ms Ada CHUNG Lai-ling, the representative of the Hong Kong Aided Primary School Heads Association Mr WAN Chi-yeung and the Creative Director of WAW Creation Mr Tao YING. The panel adopted the criteria of expression of theme, filming techniques, creative content and acting performance in selecting 23 outstanding primary school teams for a total of seven categories of awards, including Best Privacy Protection – Champion, First Runner-up, Second Runner-up, Outstanding Privacy Captain (Merit Award), Best Acting Performance Privacy Captain (Performance Award), Most Creative Privacy Captain (Creative Award) and Most Active Participating School Award.
Over 320 Primary Three to Primary Six students from 41 schools participated in the Competition and altogether 74 entries were submitted. The Competition was held in teams. Participating teams could choose one of the three themes for their videos: “Respect Others’ Personal Data Privacy”, “Say ‘No’ to Cyberbullying” or “Stay Vigilant Online: Be Careful while Disclosing Personal Data”, and produce a short video clip that lasted for less than two minutes.
In addition to the Competition, the PCPD distributed a set of educational pamphlets to all primary schools in Hong Kong on protecting and respecting personal data privacy. The PCPD also launched a series of school talks on “Stay Vigilant Online: Say ‘No’ to Cyberbullying” to over 8,000 students from 30 primary schools. In collaboration with the Education Bureau and other education bodies, the PCPD has been organising seminars on the prevention and handling of cyberbullying and doxxing acts among students. Furthermore, a one-stop “Children Privacy” thematic website has been set up to provide parents, teachers and students with the latest information on protecting children’s privacy.
Please click here for more information about the Competition and the winning videos.
|
|
|
Manage Your Data Processor Properly
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
Unencrypted Documents Containing Personal Data were Sent to an Incorrect Email Address
|
|
Stay Safe from Instant Messaging Scams
|
|
|
A 43-year-old Chinese Male Arrested for a Suspected Doxxing Offence Relating to Commercial Disputes
|
A 37-year-old Male Convicted and Sentenced for Doxxing an Intermediary of Foreign Domestic Helpers
|
A 37-year-old Chinese Male Arrested for Suspected Reposting of Doxxing Message
|
RECOMMENDED ONLINE TRAININGS
|
Free Online Seminar: Introduction to the PDPO
|
Arrange an In-house Seminar for Your Organisation
|
RENEWAL OF DPOC’S MEMBERSHIP
|
|
Reaching Out to Schools – Privacy Commissioner Attends the 59th Speech Day Ceremony of Lock Tao Secondary School
|
Understanding the Mainland Laws – Privacy Commissioner’s Office Organises a Webinar on “Review and Practical Implementation of the Mainland’s Personal Information Protection Law”
|
Reaching Out to Parents – Privacy Commissioner Explains the Serious Consequences of Cyberbullying and Doxxing Behaviour
|
Privacy Commissioner Attends the Hong Kong News Awards 2022 Presentation Ceremony
|
Privacy Commissioner Publishes an Article Entitled “Navigating Personal Data Privacy and Security in the Age of Digitisation” on A Plus
|
Reaching Out to the Community – Privacy Commissioner Publishes “Hong Kong Letter” Entitled “Artificial Intelligence is a Double-Edged Sword. Tech Firms are Duty-Bound to Ensure Data Security”
|
Telling a Good Hong Kong Story – Privacy Commissioner's Office Welcomes a Delegation of Mainland Officials
|
Five PCPD Websites Receive “Triple Gold Award” in the Web Accessibility Recognition Scheme 2022-2023
|
|
An Overview on Personal Information Protection Enforcement Cases on the Mainland
|
EU: EDPB Publishes GDPR Guide for Small Businesses
|
Spain: AEPD Publishes Guidelines on Encryption as Valid Security Measure for Data Protection
|
A View from DC: A Red Wave of State Privacy Laws
|
Breach of Privacy by Design and Default: Privacy’s Good beyond Privacy
|
|
|
Winners of the PCPD’s Privacy-Friendly Awards 2023 will be finalised soon. All award-winning organisations will be invited to the Presentation Ceremony to be held in August. Stay tuned!
|
|
|
Manage Your Data Processor Properly
Organisations (as data users) may outsource or entrust personal data processing tasks, such as web and server hosting, paper shredding and event management, to external agents or service providers (as data processors). Under the Personal Data (Privacy) Ordinance (PDPO), organisations are responsible for any improper handling of personal data by their data processors. To comply with the requirements under the PDPO, organisations should consider whether they truly need to engage data processors and take into account the following aspects before engaging data processors to process personal data on their behalf:
- Pass only the minimum personal data to data processors;
- Adopt contractual or other means to protect personal data entrusted to data processors; and
- Conduct an annual review to ensure that the management of data processors is adequate and comprehensive.
Generally, the types of obligations to be imposed on data processors by contract include:
- Security measures to be taken by data processors;
- Timely return, destruction or deletion of the personal data no longer required;
- Prohibition against other use and disclosure of the personal data;
- Prohibition against sub-contracting to other service providers;
- Reporting of irregularities;
- Measures to ensure compliance with the agreed-upon obligations by contractor's staff;
- Organisation’s right to audit and inspect; and
- Consequence for breach of the contract.
Please read the PCPD’s publication below to learn more about effectively monitoring the data processors:
Outsourcing the Processing of Personal Data to Data Processors
|
|
|
PRIVACY COMMISSIONER’S FINDINGS
|
Unencrypted Documents Containing Personal Data Sent to an Incorrect Email Address
|
The Complaint
The complainant and her husband appointed a law firm to handle property conveyancing procedures. As part of the transaction, the complainant’s husband received an email from the law firm (the Email), with some conveyance documents attached. The complainant’s husband noted that a copy of the Email was also sent to an email address highly similar to the complainant’s. The complainant was dissatisfied that the law firm exposed her and her husband’s personal data to others. As a result, she lodged a complaint against the law firm with the PCPD.
Outcome
According to the law firm’s explanation, the person who sent the Email had not asked the complainant to verify the handwritten email address and had therefore erroneously typed it when sending the Email. The law firm also admitted that the sender had not encrypted the attached documents before sending them via the Email.
After the PCPD intervened, the law firm instructed its staff members to carefully verify the correct recipient addresses and the correct attachments before sending any email, and to encrypt and/or password protect all documents containing clients’ personal data sent via email. Furthermore, the law firm provided training to its staff members in relation to their standard practices of email correspondence.
The PCPD also issued a warning to the law firm, requiring it to urge its staff members to strictly comply with the relevant requirements under the PDPO on handling and protecting clients’ personal data, and strictly adhere to their data protection policies. The firm was also instructed to regularly remind its staff members about the importance of carefully handling clients’ personal data, and to periodically circulate the relevant policy to its staff members.
Lessons Learnt
The primary cause of the complaint was clearly a human error - misreading a handwritten email address. This is not an uncommon occurrence in workplaces where staff members regularly communicate with various parties via email. They may unwittingly overlook the importance of verifying the accuracy of email addresses. To prevent human errors similar to the one made in this case, organisations are advised to cultivate a culture of respect for personal data privacy. This can be achieved by establishing data protection policies and providing staff members with regular training.
|
Stay Safe from Instant Messaging Scams
The use of instant messaging apps has grown increasingly widespread, enabling users to communicate and collaborate instantly and efficiently with their families, friends, co-workers and clients. These free instant messaging apps are also widely used by business organisations in the retail industry to handle customers’ inquiries. While enjoying the convenience brought by these instant messaging apps, users should be aware of the privacy risks involved in instant messaging. Scammers are now turning to instant messaging platforms to send messages or invitations with malicious links, attempting to defraud users into providing their personal data. To stay safe from instant messaging scams, here are some recommended DOs and DON’Ts for users when using instant messaging apps:
DOs
DON’Ts
- Don’t reply to any messages from untrusted or unknown contacts, especially those asking for your personal data, passwords or other verification codes;
- Don’t set your instant messaging client to automatically accept file transfers to avoid placing yourself at very high risk of unknowingly accepting malware-infected files;
- Don’t click on URL links from untrusted or unknown contacts; and
- Don’t reveal personal information in your profile.
|
|
|
Reaching Out to Schools – Privacy Commissioner Attends the 59th Speech Day Ceremony of Lock Tao Secondary School
|
The Privacy Commissioner Ms Ada CHUNG Lai-ling, attended the 59th Speech Day Ceremony of Lock Tao Secondary School on 25 May. She officiated the ceremony and presented graduation certificates to the graduates. The Privacy Commissioner delivered a speech at the ceremony and congratulated the graduates. Citing the school motto of Tsinghua University in Beijing, “Self-discipline and Social Commitment”, she encouraged the graduates to strive for continuous improvement, find their own paths in future with a discerning mind and embrace the world with a truthful, sincere, respectful and tolerant attitude. In addition, Privacy Commissioner Ms Ada CHUNG Lai-ling highlighted to the participants some essential points to note for cross-border transfers of personal data from Hong Kong.
Please click here for the Privacy Commissioner’s speech (Chinese only).
|
Understanding the Mainland Laws – Privacy Commissioner’s Office Organises a Webinar on “Review and Practical Implementation of the Mainland’s Personal Information Protection Law”
|
The PCPD organised a webinar on “Review and Practical Implementation of the Mainland’s Personal Information Protection Law” on 16 May, which attracted more than 130 attendees from various sectors including banking, insurance, government/public bodies, legal and information technology. Professor HONG Yan-qing of the School of Law of Beijing Institute of Technology and Ms Barbara LI, Partner of Reed Smith LLP, spoke at the webinar. They gave an overview of the Personal Information Protection Law and its latest developments, and shared their insights on how enterprises and organisations could comply with relevant laws and regulations. In addition, Privacy Commissioner Ms Ada CHUNG Lai-ling highlighted to the participants some essential points to note for cross-border transfers of personal data from Hong Kong.
Please click here to download Professor Hong’s presentation deck (Simplified Chinese Only). Please click here to download Ms Li’s presentation deck. Please click here to download the Privacy Commissioner’s presentation deck.
|
Reaching Out to Parents – Privacy Commissioner Explains the Serious Consequences of Cyberbullying and Doxxing Behaviour
|
The PCPD organised a webinar for parents on “Prevention and Handling of Cyberbullying and Doxxing Behaviour involving Students” on 5 May. The webinar, which was supported by the Hong Kong Association for Computer Education (HKACE) and the Hong Kong Federation of Youth Groups (HKFYG), attracted an attendance of over 150 participants.
In the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling highlighted the seriousness of the doxxing offences under the Personal Data (Privacy) Amendment Ordinance 2021 and cyberbullying behaviour. She also suggested measures on how parents could prevent their kids from being bullied or “doxxed” online. In addition, Youth Work Officer (uTouch Cyber Youth Outreach Service) of HKFYG Mr Roy LEUNG Ka-yu shared his experience in handling cyberbullying cases; while Chairman of the HKACE and Vice Principal of Hong Kong True Light College Mr CHU Ka-tim and Council Member of the HKACE and STEM Education and e-Learning Co-ordinator of St. Edward’s Catholic Primary School Ms CHENG Yuen-ting also shared their experiences in teaching students to adopt a positive attitude in the use of the internet.
Please click here to download the Privacy Commissioner’s presentation deck (Chinese Only). Please click here to download Mr Leung’s presentation deck (Chinese Only). Please click here to download Mr Chu’s presentation deck (Chinese Only). Please click here to download Ms Cheng’s presentation deck (Chinese Only).
|
Privacy Commissioner Attends the Hong Kong News Awards 2022 Presentation Ceremony
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong News Awards 2022 Presentation Ceremony on 5 May to congratulate the award winners and award-winning newspapers. She hopes that the media will continue to produce more quality reports in the future to tell a good Hong Kong story. The Hong Kong News Awards is a major event organised by the Newspaper Society of Hong Kong every year to recognise the achievements of outstanding journalists and enhance the professionalism of the industry. The Hong Kong News Awards 2022 include a total of 75 awards in four sections, including reporting, writing, photographic and design.
|
Privacy Commissioner Publishes an Article Entitled “Navigating Personal Data Privacy and Security in the Age of Digitisation” on A Plus
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Navigating Personal Data Privacy and Security in the Age of Digitisation” on A Plus, the journal of the Hong Kong Institute of Certified Public Accountants.
The Privacy Commissioner pointed out that cyberattacks and data breaches have been on the rise with digitisation advancing at breakneck speed. It is therefore important for organisations and professionals, including accountants and chief financial officers, to keep themselves abreast of the latest developments and measures in safeguarding data security.
The PCPD published the “Guidance Note on Data Security Measures for Information and Communications Technology” (the Guidance) earlier to provide businesses with recommended data security measures to facilitate their compliance with the requirements of the PDPO. The Privacy Commissioner hoped that the Guidance will serve as a best practice guide for organisations and assist them in gaining a competitive edge in today’s digital economy.
Please click here to read the article.
|
Reaching Out to the Community – Privacy Commissioner Publishes “Hong Kong Letter” Entitled “Artificial Intelligence is a Double-Edged Sword. Tech Firms are Duty-Bound to Ensure Data Security”
|
Privacy Commissioner Ms Ada CHUNG Lai-ling published a “Hong Kong Letter” on RTHK Radio 1 on 29 April to highlight the privacy and ethical risks involved in generative artificial intelligence (AI)-powered chatbots. The Privacy Commissioner considered that tech companies, especially AI developers, have a responsibility to ensure data security of their AI systems.
The Privacy Commissioner explained that the operation of generative AI heavily depends on deep learning technology, which involves the use of massive amounts of raw data as training data. The training data may include sensitive personal data provided by users, or collected and copied from the internet. If users inadvertently input sensitive data into AI systems, their personal data may be susceptible to misuse beyond the original purpose of collection of such data.
The Privacy Commissioner agreed that we should treat the emerging technology with caution and openness. While not hindering the long-term development of new technologies, she recommended that the new technology should be regulated through laws, guidelines, industry standards, or even international standards. This would facilitate the development of generative AI in a healthy, lawful and ethical ecosystem.
Please click here to read the “Hong Kong Letter” (Chinese only).
|
Telling a Good Hong Kong Story – Privacy Commissioner's Office Welcomes a Delegation of Mainland Officials
|
The Office of the Privacy Commissioner for Personal Data (PCPD) received a delegation of Mainland officials on 24 May. The delegation comprised 15 Mainland officials who took the Master of Laws programme in Common Law at the University of Hong Kong and the Chinese University of Hong Kong under the Training Scheme in Common Law for Mainland Legal Officials organised by the Department of Justice. PCPD's representatives Ms Ines LEE, Senior Legal Counsel, Ms Hermina NG, Senior Legal Counsel (Complaints) and Ms Phoebe CHOW, Head of Corporate Communications, delivered a presentation on "Protection of Personal Data in Hong Kong – Briefing on the Work of the PCPD". The presentation covered Hong Kong's personal data protection laws and an overview of the PCPD's role and functions, in particular the work of the legal team, as well as how the PCPD handles complaints and promotes the importance of protecting personal data privacy.
|
Five PCPD Websites Receive “Triple Gold Award” in the Web Accessibility Recognition Scheme 2022-2023
|
For three consecutive years, five websites of the PCPD have been granted “Gold Award” under the Web Accessibility Recognition Scheme (Scheme). The five websites, which have met 27 judging criteria for web accessibility and provided all internet users, including persons with disabilities, with convenient access to online information, were granted “Triple Gold Award” this year. This represents a significant improvement from the previous round (2020-2021) when only one website (the thematic website “Be SMART Online”) received the “Triple Gold Award”. The Scheme is organised by the Hong Kong Internet Registration Corporation Limited and the Office of the Government Chief Information Officer. The award-winning websites are as follows:
|
|
|
A 43-year-old Chinese Male Arrested for a Suspected Doxxing Offence Relating to Commercial Disputes
|
The PCPD arrested a Chinese male aged 43 in the New Territories on 18 May. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO.
The investigation revealed that the arrested person and the victim used to be business partners, but the partnership broke up in late 2021 and the two persons had disputes over the sale of shares. In December 2022, two posts containing the personal data of the victim with negative comments on him were found on a social media platform. Later in January 2023, a letter containing the personal data of the victim was posted by mail to his former neighbour, and four letters containing the personal data of the victim, his wife and daughter were posted by mail to the daughter’s school, all with similar negative comments on the victim. Collectively, the personal data disclosed included the victim’s Chinese name, name of the estate where he lived, partial Hong Kong Identity Card number, photos depicting the faces of the victim and his wife, as well as the Chinese name of his daughter and the class that his daughter attended.
The PCPD reminds members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years. The PDPO applies equally to the real world and online world. To avoid breaking the law, members of the public should think twice before disclosing others’ personal data in the real world or online world.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for 5 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or wellbeing; or
- damage to the property of the person.
|
A 37-year-old Male Convicted and Sentenced for Doxxing an Intermediary of Foreign Domestic Helpers
|
On 17 May, the Shatin Magistrates’ Court convicted a 37-year-old male Mr HUI Kam-fat (defendant) of one charge of a doxxing offence upon his guilty plea. The Court on the same day sentenced the defendant to four weeks’ imprisonment, suspended for 18 months. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling.
Background of the Case
The defendant signed a contract with the victim, an intermediary, for employment of a foreign domestic helper in 2021. The victim and the defendant later ran into a monetary dispute after the domestic helper had failed to report for duty. In April 2022, the defendant posted the personal data of the victim, including her Chinese name, English name, the name of the school which she attended, photos of her as well as the name of her business and business address, etc. in three doxxing messages on a social media platform alongside some negative comments and allegations. The PCPD arrested the defendant on 13 October 2022. Upon legal advice obtained from the Department of Justice, one charge of “disclosing personal data without data subject’s consent causing specified harm”, contrary to section 64(3C) of the PDPO, was laid against the defendant on 20 April 2023 in respect of his doxxing act.
Court Proceedings
The defendant pleaded guilty to the charge at the Shatin Magistrates’ Court and was convicted by the Court in relation to the three disclosures of the personal data of the victim made by the defendant on a social media platform on 7 and 8 April 2022 without the consent of the victim, with an intent to cause specified harm to the victim or her family members, or being reckless as to whether specified harm would be (or would likely be) caused to the victim or her family members, and the disclosures resulted in specified harm to the victim.
|
A 37-year-old Chinese Male Arrested for Suspected Reposting of Doxxing Message
|
The PCPD arrested a Chinese male aged 37 in the New Territories on 11 May. He was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that in July 2022, a post containing the personal data of the victim (the Post) with negative comments on her was published on a social media platform. Shortly afterwards, the Post with negative comments on the victim was forwarded by someone to a chat group of an instant messaging app, persuading group members to contact the victim or her husband. The personal data disclosed included the victim’s mobile phone number, residential address and a copy of the victim’s Hong Kong Identity Card (HKID card) which showed particulars of her Chinese name, English name, HKID card number, date of birth, gender and a photo of her, etc. The PCPD reminds members of the public that identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for 5 years.
|
An Overview on Personal Information Protection Enforcement Cases on the Mainland
|
Since the Personal Information Protection Law (PIPL) came into effect on 1 November 2021, the Cyberspace Administration of China (CAC), together with other mainland authorities, has undertaken different enforcement actions with a view to establishing a sound and effective personal information protection regulatory regime. Around 6,000 cases involving personal information protection were processed and handled by the procuratorial organs of the Mainland in 2022. In March 2023, the Supreme People’s Procuratorate of China announced 8 typical cases which involved infringements upon individuals’ personal information for public reference [1]. This article provides an executive summary to illustrate the personal information protection enforcement efforts in the Mainland.
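The Personal Information Protection Law (PIPL) formally came into effect on 1 November 2021, a year and a half ago. The Cyberspace Administration of China (CAC), together with various law enforcement departments and judicial bodies, has put forward a number of policy measures, regulations and standards to improve the Mainland's personal information protection regime, and procuratorial organs nationwide filed and handled more than 6,000 public interest litigation cases on personal information protection in 2022. In March this year, the Supreme People's Procuratorate released 8 typical procuratorial public interest litigation cases on personal information protection for public reference. This article summarises the key facts of the 8 cases to illustrate the results of the Mainland's enforcement work on personal information protection.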
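Cases on the Collection of Sensitive Personal Information – Cases 1 to 4
Of the 8 cases released, Cases 1 to 4 all concern the collection of sensitive personal information.
Case 1 concerns a gym that compelled its members to use its information management system, which had facial recognition, fingerprint recognition and other functions, to enter the gym. After some members expressly refused facial capture and recognition, the gym, without authorisation, entered the photos that members had provided when applying for membership cards into the system as face-scan credentials for entry and exit. When members asked for the photos and other information to be deleted, it refused on the ground that it had no administrative permission to do so.
The procuratorate considered that, under the PIPL, consumers' facial images, fingerprints and the like are sensitive personal information of the biometric category. The service premises concerned were a public place; the collection was not necessary for maintaining public security, and the consumers' separate consent had not been obtained. The compulsory collection, unencrypted transmission, unlawful storage and failure to regularly delete sensitive personal information harmed the lawful rights and interests of a large number of consumers.
Case 2 concerns medical and health institutions that excessively collected personal biometric information such as fingerprints and facial images.
The procuratorate considered that, under the PIPL, the medical and health institutions concerned had violated the principles of lawfulness, legitimacy, necessity and good faith in the processing of personal information. Besides excessively collecting personal biometric information such as the fingerprints and facial images of service recipients, they had failed to fix, as required, security vulnerabilities in the electronic sign-off system such as weak passwords and unencrypted data, had failed to guard against high risks such as unauthorised access and the leakage, tampering and loss of personal information, and had not implemented the requirements of the cybersecurity multi-level protection scheme.
Case 3 concerns a tourist attraction that required visitors to undergo face-scan authentication but did not seek the visitors' wishes regarding the storage and use of their facial information. The procuratorate considered that the company operating the attraction had not informed visitors of the necessity of the face scan or of how the face-scan information would subsequently be handled, and lacked specific rules for the storage and use of facial information.
Case 4 concerns insurance agencies promoting insurance products at partner hospitals. In the course of promoting insurance products, some sales staff of the insurance agencies, in order to sell products such as "surgical accident insurance" in a targeted manner, unlawfully obtained through the partner hospitals a large amount of patients' medical and health information, such as names, types of surgery and contact telephone numbers, and made insurance sales pitches to the patients concerned.
The procuratorate considered that, under the PIPL, medical and health information is sensitive personal information that may affect citizens' personal and property safety. The medical institutions violated the statutory principles of lawfulness, legitimacy, necessity and good faith by providing the relevant personal information to the insurance agencies without first obtaining the patients' consent, seriously infringing citizens' personal information security and lawful rights and interests.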
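Cases on Civil Public Interest Litigation Incidental to Criminal Proceedings for Infringing Citizens' Personal Information – Cases 5 to 7
In Case 5, a telecommunications and online fraud case, the offenders unlawfully obtained stock investors' telephone numbers and information on securities companies, and created fake stock investment WeChat group codes to carry out telecommunications and online fraud. In Case 6, offenders used technical means to unlawfully intrude into the computer information system of a software company and, having obtained as many as 60,000 customer order records from the company's system (containing consumers' names, mobile phone numbers, addresses and transaction records), resold them and committed fraud.
In Case 7, the supervisor and a warehouse keeper of a courier company's branch were found to have abused their positions by using the branch supervisor's account to look up the mobile phone numbers of specified customers and the corresponding waybill numbers, and then sending the waybill numbers, photographed with a mobile phone, to the purchaser. The purchaser then used a courier-industry data collection tool to obtain all the information held by the courier company under those waybill numbers, including the senders' and recipients' names, contact details, delivery and pick-up addresses and item information. Internal staff leaking information by abusing their work access, together with poor management of the courier data collection tool, resulted in the personal information of a large number of citizens being infringed.
In these cases, the procuratorial organs brought civil public interest litigation incidental to criminal proceedings against the offenders, pursuing both their criminal and civil liability according to law, which can effectively deter unlawful acts that infringe citizens' personal information.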
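Case on Information Disclosed by a Government Department under Open Government Affairs – Case 8
In Case 8, the government department concerned, acting on the requirement that information on subsidised housing must be made public, neglected the protection of sensitive personal information and failed to de-identify or anonymise it according to law. Between 2013 and 2022, it publicly displayed information such as the lottery results and allocation results of applicants for a number of public rental housing projects, and also published information containing citizens' names, identity card numbers, places of household registration, door numbers of the housing applied for, household composition of the applicant families, per-capita residential floor area, per-capita disposable monthly income and so on.
After receiving the pre-litigation procuratorial recommendation for administrative public interest litigation issued by the procuratorial organ, the department took point-by-point de-identification and anonymisation measures for the sensitive personal information involved, and immediately removed from the internet the information that had exceeded its publication period.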
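Conclusion
In sum, these typical cases demonstrate the Mainland's enforcement results in protecting personal information rights and interests. According to the person in charge of the Eighth Procuratorial Department of the Supreme People's Procuratorate, procuratorial organs will continue to step up their handling of public interest litigation in the area of personal information protection, give prominence to protecting the personal information of key persons and key sectors, and strictly protect sensitive categories of information and the personal information of specific groups. Stakeholders should pay close attention to the latest developments in this area and adjust their organisations' personal information protection measures in a timely manner.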
1. Full announcement: https://www.spp.gov.cn/spp/xwfbh/wsfbt/202303/t20230330_609756.shtml#1
|
|
|
RECOMMENDED ONLINE TRAININGS
|
Professional Workshop on Personal Data Privacy Management Programme
|
With the ever-rising expectation of customers and stakeholders on the responsible use of personal data by organisations, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers, and enhance competitive and reputational advantages, organisations should construct and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations.
By joining this workshop, participants will be able to understand the key components of a PMP, and master the knowledge of how to maintain and improve the PMP on an ongoing basis, so as to implement the PMP effectively in their organisations.
Date: 7 June 2023 (Wednesday)
Time: 2:15pm – 4:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who Should Attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.
|
Professional Workshop on Data Protection in Human Resource Management
|
Proper, lawful and smart management of employees’ personal data is an indispensable quality of a good human resource management professional. Since job applicants, current and former employees may request access to their personal data kept by organisations from time to time, employers or human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle data of their employees. On the other hand, employers should meet public expectations to constantly protect and respect their employees’ personal data privacy. This online workshop enables participants to learn how to handle different scenarios and strengthen their knowledge of data protection in human resource management.
Date: 14 June 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents.
|
Other Professional Workshops on Data Protection from June to September 2023:
|
Online Free Seminar – Introduction to the PDPO Seminar
|
The PCPD regularly organises free introductory seminars to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are as follows:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
Renewal of DPOC’s Membership
|
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
|
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
|
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.