PCPD e-NEWSLETTER
ISSUE Jun 2023
Privacy Commissioner’s Office Publishes Two Reports
At the media briefing on 1 June 2023, the Office of the Privacy Commissioner for Personal Data (PCPD) published two reports, namely (1) “Unauthorised Access to Credit Data in the TE Credit Reference System” and (2) “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms”, and a leaflet on “Tips for Users of Online Shopping Platforms”.
(1) Investigation Report on the Unauthorised Access to Credit Data in the TE Credit Reference System
The TE Credit Reference System was operated by Softmedia Technology Company Limited (Softmedia). Around 680 money lending companies used the system, which contained the credit data of about 180,000 borrowers. The investigation arose from a complaint that the complainant’s credit data in the TE Credit Reference System had been accessed a number of times by eight money lending companies unknown to him, without his knowledge or consent. The complainant was of the view that the TE Credit Reference System did not have adequate security measures in place to protect his personal data. As a result of the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found deficiencies in the security measures taken by Softmedia to protect personal data and in its retention of credit data, in the following three aspects:
- Failure to take practicable steps to protect the personal credit data from unauthorised access, processing or use;
- Weak password management; and
- Prolonged retention of the credit records of borrowers who had completed their repayments more than five years ago.
The Privacy Commissioner found it regrettable that Softmedia failed to implement appropriate security measures to monitor and manage the access to and use of the TE Credit Reference System by money lenders, resulting in the unauthorised access, processing or use of the complainant’s personal data. In addition, despite the volume and nature of the data in question, Softmedia failed to adopt a robust password policy or to set expiry dates for passwords. Such password management did not meet the basic requirements of network security and showed obvious inadequacies in Softmedia’s security measures for the protection of personal data.
Furthermore, Softmedia retained over 50,000 credit records of borrowers who had completed their repayments more than five years earlier. This constituted unnecessary and prolonged retention, disregarding the requirements of the Personal Data (Privacy) Ordinance (PDPO) and exposing the personal data of the borrowers concerned to the risk of a data breach.
In the circumstances, the Privacy Commissioner was of the opinion that Softmedia had failed to take all practicable steps to protect the personal data in the TE Credit Reference System against unauthorised or accidental access, processing or use, thereby contravening Data Protection Principle (DPP) 4(1) in Schedule 1 to the PDPO, which relates to the security of personal data. Softmedia had also failed to take all practicable steps to ensure that personal data is not kept longer than is necessary, thereby contravening DPP2(2). The Privacy Commissioner has served an enforcement notice on Softmedia, directing it to remedy the contraventions and prevent their recurrence. Through the report, the Privacy Commissioner also made the following recommendations to Softmedia and other operators of credit reference databases:
- Implement a Personal Data Privacy Management Programme (PMP);
- Appoint data protection officer(s) to monitor compliance with the PDPO;
- Appoint an independent compliance auditor to conduct regular compliance audits on the mechanism and means of providing credit reference services; and
- Increase penalties for contraventions to deter the recurrence of violations by money lenders.
Please click here to download the investigation report “Unauthorised Access to Credit Data in the TE Credit Reference System”.
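The report faults Softmedia for not monitoring and managing lenders’ access to the system. The script below is an added example of what such monitoring can look like; it is not code from the report, from Softmedia or from the TE Credit Reference System. It assumes two hypothetical data sources: an access log in which every lookup by a money lender is one line of the form “time,lender_id,borrower_id” (a format constructed for this example), and a register of borrower authorisations, one per loan application, naming the lender the borrower permitted to pull the data, the date consent was given and an assumed 90-day validity window. Any lookup with no authorisation in force for that lender and borrower is flagged, lenders with repeated unauthorised lookups are listed for follow-up, and borrowers pulled by several lenders without authorisation (the pattern in the complaint) are surfaced.

```python
"""Spot credit-reference lookups that no borrower authorisation covers.

Added example: not code from the PCPD report, from Softmedia or from the
TE Credit Reference System. Assumed inputs: an access log of lender lookups
('ISO-8601 time,lender_id,borrower_id' lines, a constructed format) and a
register of authorisations, one per loan application, naming the lender the
borrower permitted to pull the data and when that consent was given.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    lender: str
    borrower: str


@dataclass(frozen=True)
class Authorisation:
    lender: str
    borrower: str
    granted: datetime
    valid_days: int = 90  # assumed validity window of a loan application


def parse_log(lines: Iterable[str]) -> List[Lookup]:
    """Parse access-log lines; blank lines and '#' comments are skipped."""
    lookups = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, lender, borrower = (field.strip() for field in line.split(","))
        lookups.append(Lookup(datetime.fromisoformat(ts), lender, borrower))
    return lookups


def unauthorised_lookups(lookups: List[Lookup],
                         authorisations: Iterable[Authorisation]) -> List[Lookup]:
    """Return every lookup with no authorisation in force for its lender/borrower pair."""
    by_pair: Dict[Tuple[str, str], List[Authorisation]] = defaultdict(list)
    for auth in authorisations:
        by_pair[(auth.lender, auth.borrower)].append(auth)
    flagged = []
    for lk in lookups:
        in_force = any(
            auth.granted <= lk.ts <= auth.granted + timedelta(days=auth.valid_days)
            for auth in by_pair.get((lk.lender, lk.borrower), [])
        )
        if not in_force:
            flagged.append(lk)
    return flagged


def repeat_lenders(flagged: List[Lookup], threshold: int = 2) -> Dict[str, int]:
    """Lenders with at least `threshold` unauthorised lookups, for follow-up."""
    counts = Counter(lk.lender for lk in flagged)
    return {lender: n for lender, n in sorted(counts.items()) if n >= threshold}


def targeted_borrowers(flagged: List[Lookup], min_lenders: int = 3) -> Dict[str, List[str]]:
    """Borrowers pulled without authorisation by at least `min_lenders` distinct lenders."""
    lenders_by_borrower: Dict[str, set] = defaultdict(set)
    for lk in flagged:
        lenders_by_borrower[lk.borrower].add(lk.lender)
    return {b: sorted(ls) for b, ls in sorted(lenders_by_borrower.items())
            if len(ls) >= min_lenders}


def audit(log_text: str, authorisations: Iterable[Authorisation]) -> dict:
    """Run the three checks over one log extract and return a summary for the audit record."""
    lookups = parse_log(log_text.splitlines())
    flagged = unauthorised_lookups(lookups, authorisations)
    return {
        "lookups": len(lookups),
        "unauthorised": [(lk.ts.isoformat(), lk.lender, lk.borrower) for lk in flagged],
        "repeat_lenders": repeat_lenders(flagged),
        "targeted_borrowers": targeted_borrowers(flagged),
    }


# Constructed sample data (not real lenders, borrowers or log entries).
SAMPLE_LOG = """\
# time,lender_id,borrower_id
2023-03-01T09:12:00,LENDER-A,B001
2023-03-02T14:30:00,LENDER-B,B001
2023-03-02T14:31:00,LENDER-C,B001
2023-03-05T10:00:00,LENDER-C,B002
2023-03-06T11:45:00,LENDER-D,B001
2023-03-07T16:20:00,LENDER-C,B003
"""

SAMPLE_AUTHORISATIONS = [
    Authorisation("LENDER-A", "B001", datetime(2023, 2, 20)),  # in force on 2023-03-01
    Authorisation("LENDER-C", "B002", datetime(2023, 3, 4)),   # in force on 2023-03-05
    Authorisation("LENDER-C", "B003", datetime(2022, 11, 1)),  # 90 days expired on 2023-01-30
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, SAMPLE_AUTHORISATIONS).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit flags four of the six lookups: three lenders pulled borrower B001 with no application on file, and LENDER-C pulled B003 on an authorisation that had lapsed. Tying every lookup back to a borrower authorisation is one concrete way to evidence the “monitor and manage” access control that DPP4(1) expects; the output of the sweep belongs in the audit trail, not only on a screen.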
(2) Report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms”
The PCPD reviewed the privacy settings of 10 online shopping platforms commonly used in Hong Kong, including the websites and mobile applications of the relevant operators, to understand how these online shopping platforms collect and use users’ personal data. The platforms are, namely, Baby Kingdom – BKmall (BKmall), Carousell, eBay, Fortress, HKTVmall, JD.COM, PlayStation App (PlayStation), Price.com.hk, Samsung and Taobao. According to the review results, the PCPD’s overall observations on the protection of users’ privacy by the online shopping platforms reviewed are as follows:
- All online shopping platforms reviewed have formulated privacy policies, which specify that they collect between 12 and 23 types of personal data;
- BKmall, eBay, Price.com.hk and Samsung allow purchases without requiring user account registration;
- Most of the platforms have set a minimum registration age of 18. Only BKmall, Price.com.hk and Taobao have not specified any minimum registration age;
- PlayStation and Samsung collect users’ dates of birth to verify that they are over 18 years old. eBay and HKTVmall require users to confirm that they have reached the age of 18 during user registration. Although Carousell, Fortress and JD.COM have set minimum age requirements, there are no measures in place to prevent registration by persons under 18 years old;
- BKmall, Carousell, Fortress and Samsung provide options to users during the registration process to indicate whether they accept advertising or promotional messages. Although eBay, HKTVmall, PlayStation and Price.com.hk provide such options, the default setting is “agreed”. Taobao does not provide similar options during user registration but allows users to activate or deactivate “Personalised Recommendations” in the “Account Settings” section. JD.COM neither provides such an option during registration nor displays any message seeking relevant consent from users;
- All online shopping platforms reviewed track users’ activities, including location information, browsing history, transaction history and device information;
- All online shopping platforms reviewed state in their privacy policies that they transfer personal data of users to third parties, including business partners, affiliates or related companies, advertising and promotion partners, external service providers, etc.;
- Most online shopping platforms reviewed accept payment through third-party payment platforms;
- Carousell, eBay and PlayStation rank the highest in the readability of their privacy policies; and
- All online shopping platforms reviewed allow users to delete their user accounts. Carousell, eBay, JD.COM and Price.com.hk provide users with clearer means for account deletion.
The PCPD has issued the report to the operators of the online shopping platforms reviewed, and provided them with the following recommendations:
- Appoint a data protection officer and establish a Personal Data Privacy Management Programme;
- Collect only necessary personal data;
- Provide an option for using personal data in direct marketing;
- Provide secure payment channels;
- Provide a clear, comprehensive and easy-to-understand privacy policy;
- Cautiously use third-party services;
- Increase transparency in tracking users’ activities;
- Adopt “Privacy by Default” setting;
- Provide users with sufficient privacy setting control options; and
- Provide a convenient option to delete accounts.
Please click here to download the report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” (Chinese version only).
The PCPD also published a leaflet to provide tips to users of online shopping platforms on how to shop online safely while protecting their personal data privacy. Read the “TECH TALK” section of this e-newsletter for more information.
The PCPD Launches Anti-fraud Promotional Campaign Entitled “Don’t Hand Over Your Personal Data – Beware of Fraudsters”
To raise public awareness of the prevention of fraud, the PCPD has launched a series of anti-fraud publicity activities under the theme of “Don’t Hand Over Your Personal Data – Beware of Fraudsters”. The activities feature short videos on fraud prevention starring artistes Alice FUNG So-bor (馮素波) and Timothy CHENG Tse-sing (鄭子誠), aiming to remind the public to stay vigilant in protecting their personal data privacy so as to avoid property loss. The PCPD’s anti-fraud campaign includes launching a poster entitled “Don’t Hand Over Your Personal Data – Beware of Fraudsters”. The poster will be distributed to District Offices, community centres, elderly community centres and schools, and will be displayed at major public transportation terminals and on online platforms, with a view to enhancing public awareness of fraud prevention and personal data privacy protection. In addition, the PCPD also invited artistes Alice FUNG and Timothy CHENG to perform as key roles in promotional videos to convey the message of fraud prevention in a realistic yet light-hearted way. The first video has been uploaded to the PCPD’s official YouTube channel and will be broadcast on local TV stations. Other videos will be broadcast in phases. The PCPD appeals to members of the public to contact our Office and seek assistance through the “Personal Data Fraud Prevention Hotline” 3423 6611 where necessary. If there is any suspicion of fraud on personal data which involves criminal offence(s), they should immediately report the case to the Police. Citizens may also visit “Scameter” (www.cyberdefender.hk/en-us) to check suspicious phone numbers, email addresses and websites, etc. Please click here to watch the PCPD’s anti-fraud video (Chinese only).
Privacy Commissioner Visits the Shenzhen Data Exchange to Foster Relationship
The PCPD visited the Shenzhen Data Exchange in Shenzhen on 6 June to deepen the understanding of each other’s work and exchange views on the parties’ future collaboration and the promotion of digital economy. The establishment of the Shenzhen Data Exchange is a significant move of the Shenzhen Municipal People’s Government in actualising the spirit of the State Council’s “Implementation Plan for the Comprehensive Reform of the Pilot Demonstration Zone for Building Socialism with Chinese Characteristics in Shenzhen (2020-2025)” and is a major initiative which aims to implement Shenzhen’s data marketisation reform. The Shenzhen Data Exchange strives to provide a national trading platform for cross-border and cross-boundary data flows through providing services that cover the complete data transaction cycle, from ensuring compliance, supporting circulation, connecting supply and demand, to developing the relevant ecosystem. The Data Exchange serves as a demonstration of data marketisation and provides transaction models in the Mainland’s development of a digital economy. Privacy Commissioner Ms Ada CHUNG Lai-ling said, “The PCPD is grateful for the hospitality of the Shenzhen Data Exchange. With increasing socio-economic interactions between Hong Kong and the Mainland following the promulgation of the 'Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area', the importance of safeguarding data security and personal data cannot be overstated. The PCPD looks forward to fostering its collaboration with the Shenzhen Data Exchange in the future with a view to making further contributions to the development of the digital economy of the country.”
Formulate Your Personal Data Retention Policy
PRIVACY COMMISSIONER’S FINDINGS
Unauthorised Photo-taking in a Hospital
Privacy Protection in the Digital Age – Tips for Users of Online Shopping Platforms
A 39-year-old Chinese Female Arrested for a Suspected Doxxing Offence Relating to Emotional Entanglements
A 30-year-old Chinese Female Arrested for a Suspected Doxxing Offence Relating to Emotional Entanglements
The PCPD Proactively Commences Compliance Checks of All Credit Reference Agencies to Ensure the Data Security of Credit Reference Databases
The Mainland’s Measures on the Standard Contract for Cross-border Transfers of Personal Information Take Effect on 1 June
RECOMMENDED ONLINE TRAININGS
Seminar on “Cybersecurity in Web 3.0 and Data Breach Handling”
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
RENEWAL OF DPOC’S MEMBERSHIP
The PCPD Supports the “Directors Of The Year Awards 2023” Championed by The Hong Kong Institute of Directors
The PCPD Supports the Law Society of Hong Kong’s Forum on “Doing Business in Hong Kong in a Rapidly Changing World”
Reaching Out to the Community – Feature Interview with Privacy Commissioner by Ta Kung Pao
Privacy Commissioner Publishes an Article Entitled “AI’s Tipping Point: A Reminder on the Importance of Privacy and Ethics” in Hong Kong Lawyer
Telling a Good Hong Kong Story – PCPD Attends the 59th Asia Pacific Privacy Authorities Forum
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media
Showcasing Hong Kong – Privacy Commissioner Speaks at the 6th National Data Privacy Conference of the National Privacy Commission, the Philippines
Launch of New Online Data Breach Notification Form
Highlights of the “Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st Edition)”
International: UK and US Announce Atlantic Declaration on Cooperation on AI and Data Transfers
EU: EDPB Adopts Finalised Guidelines on Calculation of Fines under GDPR
How Existing Data Privacy Laws May Already Regulate Data-related Aspects of AI
Consumer Health Data: A Risk-Based Approach to Digital Privacy
The PCPD is organising a book launch for our new Chinese book 《私隱法.保 — 了解你的個人資料私隱》(“The Treasure-trove of Privacy – Understanding Your Personal Data Privacy”), along with a seminar on “Cyberbullying and Doxxing Behaviour involving Students” at the Hong Kong Book Fair 2023. DPOC members will have the opportunity to win a free copy of this new book. Stay tuned for the details!
Winners of the PCPD’s Privacy-Friendly Awards 2023 will be finalised soon. All award-winning organisations will be invited to the Awards Presentation Ceremony to be held in August. Stay tuned!
Formulate Your Personal Data Retention Policy
Under the PDPO, DPP2(2) requires organisations (as data users) to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used. The PDPO does not stipulate a fixed retention period for personal data.
As a best practice, an organisation should develop its own personal data retention policy (including a review schedule and procedures) that outlines in detail the retention arrangements for personal data held by the organisation. Here are some useful tips for formulating an effective personal data retention policy:
- Establish a data retention schedule that sets maximum and minimum retention periods for each kind of personal data, taking into account any legal requirements or restrictions;
- Conduct regular reviews against that schedule to determine whether specific personal data is still necessary; and
- Erase personal data that is no longer required.
The organisation should also conduct regular data inventory checks to gain a clear understanding of the kinds of personal data it holds and how the personal data is being processed or erased. A template of the personal data inventory is shown below:
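As an added worked example (not the PCPD’s inventory template referred to above, and not code from any organisation named in this issue), the following Python script encodes a retention schedule with a minimum period, a maximum period and a review interval per data category, then sweeps a constructed inventory and sorts each record into erase, review, retain or hold. The categories, periods, legal-hold flag and record fields are illustrative assumptions rather than legal advice; the five-year ceiling for credit records mirrors the figure in the TE Credit Reference System report. A schedule whose minimum exceeds its maximum is rejected up front, and a record in a category with no rule is surfaced rather than silently kept.

```python
"""Retention schedule plus a review sweep over a personal data inventory.

Added example: not the PCPD's inventory template and not code from any
organisation named in this issue. Assumptions: each inventory record carries
a data category, the date the purpose for holding it was fulfilled (for a
credit record, the final repayment) and an optional legal-hold flag; the
categories and periods in SCHEDULE are illustrative and not legal advice.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str
    min_days: int            # keep at least this long after the purpose is fulfilled
    max_days: int            # erase no later than this after the purpose is fulfilled
    review_every_days: int   # how often a still-retained record must be re-justified


# Illustrative schedule. The five-year ceiling for credit records mirrors the
# figure in the TE Credit Reference System report; the other rows are assumptions.
SCHEDULE: Dict[str, RetentionRule] = {
    "credit_record":     RetentionRule("credit_record", 0, 5 * 365, 180),
    "kyc_document":      RetentionRule("kyc_document", 7 * 365, 7 * 365, 365),
    "marketing_consent": RetentionRule("marketing_consent", 0, 2 * 365, 90),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_fulfilled: date
    legal_hold: bool = False
    last_reviewed: Optional[date] = None


def validate_schedule(schedule: Dict[str, RetentionRule]) -> List[str]:
    """Return human-readable problems with a schedule (empty list means consistent)."""
    problems = []
    for name, rule in schedule.items():
        if rule.min_days > rule.max_days:
            problems.append(f"{name}: minimum {rule.min_days}d exceeds maximum {rule.max_days}d")
        if rule.review_every_days <= 0:
            problems.append(f"{name}: review interval must be positive")
    return problems


def classify(record: Record, today: date,
             schedule: Dict[str, RetentionRule] = SCHEDULE) -> str:
    """Decide what the sweep should do with one record.

    Order matters: a legal hold overrides erasure, a statutory minimum overrides
    everything but a hold, and a record with no rule is surfaced, not retained.
    """
    rule = schedule.get(record.category)
    if rule is None:
        return "no_rule"
    if record.legal_hold:
        return "hold"
    age_days = (today - record.purpose_fulfilled).days
    if age_days < rule.min_days:
        return "retain"
    if age_days > rule.max_days:
        return "erase"
    overdue = (record.last_reviewed is None
               or (today - record.last_reviewed).days > rule.review_every_days)
    return "review" if overdue else "retain"


def sweep(records: List[Record], today: date,
          schedule: Dict[str, RetentionRule] = SCHEDULE) -> Dict[str, List[str]]:
    """Bucket every record by action; 'erase' and 'no_rule' are the work list."""
    buckets: Dict[str, List[str]] = {k: [] for k in ("erase", "review", "retain", "hold", "no_rule")}
    for rec in records:
        buckets[classify(rec, today, schedule)].append(rec.record_id)
    return buckets


TODAY = date(2023, 6, 1)  # sweep date used by the sample run

# Constructed sample inventory (not real records).
SAMPLE_RECORDS = [
    Record("R1", "credit_record", date(2017, 1, 15)),                       # repaid over five years ago
    Record("R2", "credit_record", date(2020, 3, 1), last_reviewed=date(2023, 3, 1)),
    Record("R3", "credit_record", date(2020, 3, 1)),                        # never reviewed
    Record("R4", "kyc_document", date(2019, 6, 1)),                         # under statutory minimum
    Record("R5", "marketing_consent", date(2020, 1, 1), legal_hold=True),   # past maximum, but held
    Record("R6", "support_ticket", date(2022, 1, 1)),                       # no rule in the schedule
    Record("R7", "credit_record", date(2018, 6, 2)),                        # exactly 1825 days old
]

if __name__ == "__main__":
    assert not validate_schedule(SCHEDULE)
    for action, ids in sweep(SAMPLE_RECORDS, TODAY).items():
        print(f"{action}: {ids}")
```

The sweep is meant to be run on the review schedule the policy sets, with the erase bucket actioned and the no_rule bucket used to extend the schedule; a record that falls outside every rule is exactly the kind of data that ends up retained for years unnoticed.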
PRIVACY COMMISSIONER’S FINDINGS
Unauthorised Photo-taking in a Hospital
Background
A hospital reported to the PCPD that a research staff member from a university had attended a ward and an operating theatre to observe surgery. Although “No Photo Taking” signs were posted on the walls of the ward and the operating theatre, the staff member took photos and shared them with others via an instant messaging app. One of the photos showed the names, Hong Kong Identity Card numbers, gender, age and brief operation details of seven patients. The staff member stated that he had not been aware that sharing the photos had inadvertently disclosed patients’ personal data.
Remedial Measures
Upon receiving a notification from the hospital, the PCPD initiated a compliance check and provided recommendations to the hospital to ensure compliance with the provisions of the PDPO. The hospital requested the university to remind its staff members to observe the guidelines of the hospital when they entered the clinical areas of the hospital. The university promulgated a new set of guidelines for the proper handling of patients’ personal data and sensitive information. It explicitly prohibited photo taking in any wards or operating theatres, as well as uploading and sharing of photos or text messages containing patient data through social media platforms or instant messaging app.
Lessons Learnt
Patients’ data are sensitive personal data that should be afforded a high degree of protection. To this end, organisations should formulate clear data protection guidelines, including practical examples relevant to their operations to illustrate what may constitute a violation of the guidelines. Adequate staff training should be provided to instil a data protection mindset in staff and to remind them to follow the established protocols on the proper handling of patients’ personal data.
Privacy Protection in the Digital Age – Tips for Users of Online Shopping Platforms
Online shopping has become a part of daily life for many people. During the process of online shopping, consumers need to provide personal data for registration and completing transactions. Online shopping platforms may also collect users’ browsing and consumption habits to provide personalised promotional information. Here are some useful tips for users of online shopping platforms to protect their privacy:
Protecting Personal Data Privacy
- Provide the minimum amount of personal data;
- Pay attention to direct marketing settings and make corresponding choices based on personal needs;
- Consider using third-party payment platforms;
- Read the privacy policy to understand the platform’s purposes and means of collecting personal data;
- Adjust privacy settings; and
- Delete unused accounts to avoid identity theft and reduce the risk of data leakage.
Safe Online Shopping
- Verify the authenticity of the platform and ensure that the website or application is the official one;
- Use the platform securely: avoid public Wi-Fi for transactions and use strong passwords;
- “Stop and think” before providing personal data; and
- Regularly check online shopping accounts and report problems.
Please click here to download the leaflet on “Tips for Users of Online Shopping Platforms” recently published by the PCPD.
Reaching Out to the Community – Feature Interview with Privacy Commissioner by Ta Kung Pao
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Ta Kung Pao on the report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” published on 1 June by the PCPD. The Privacy Commissioner mentioned that the PCPD was working closely with the Government in carrying out a comprehensive review of the PDPO. She also offered tips to members of the public on the protection of personal data privacy in the big data era.
The interview was published in Ta Kung Pao on 16 June. Please click here (A1, A2, video) to read the feature interview (Chinese only).
Privacy Commissioner Publishes an Article Entitled “AI’s Tipping Point: A Reminder on the Importance of Privacy and Ethics” in Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “AI’s Tipping Point: A Reminder on the Importance of Privacy and Ethics” in Hong Kong Lawyer, discussing the emergence of Generative Artificial Intelligence (AI) and highlighting the privacy and ethical risks that come with its use, as well as the current regulatory landscape of AI.
The PCPD published the “Guidance on the Ethical Development and Use of Artificial Intelligence” in August 2021 to help organisations develop and use AI systems in a privacy-friendly and ethical manner. It recommends internationally recognised ethical AI principles to facilitate organisations’ compliance with the requirements of the PDPO when they develop and use AI.
The Privacy Commissioner emphasised that while Generative AI presents many opportunities to the society, it is important for all stakeholders, including tech companies and AI developers, to join hands in co-creating a safe and healthy ecosystem to make sure that the transformative technology would be used for human good.
Please click here to read the article.
Telling a Good Hong Kong Story – PCPD Attends the 59th Asia Pacific Privacy Authorities Forum
Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives from the PCPD attended the 59th Asia Pacific Privacy Authorities (APPA) Forum from 6 to 7 June. The Forum was held in hybrid mode in Mexico City.
At the Forum, the PCPD’s Acting Chief Personal Data Officer (Compliance and Enquiries) Mr Brad KWOK shared with APPA members the findings of an investigation by the PCPD into a data breach incident which involved a Hong Kong professional association, in which servers containing personal data were attacked by ransomware and maliciously encrypted. The incident affected the personal data of over 100,000 members and non-members. An enforcement notice was served on the association, directing it to take remedial actions and prevent recurrence of the contravention.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000”, Now News’ “News Magazine” and RTHK Radio 1’s “Open Line Open View” on 2 June.
During the interviews, the Privacy Commissioner explained the two reports published on 1 June by the PCPD, namely an investigation report on the “Unauthorised Access to Credit Data in the TE Credit Reference System”, and a report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms”.
The Privacy Commissioner said that the relevant operator of the TE Credit Reference System failed to implement appropriate security measures to monitor and manage the access to and use of the Credit Reference System. The Privacy Commissioner has served an enforcement notice on the company concerned, directing it to remedy the contraventions. The Privacy Commissioner mentioned that the PCPD carried out an inspection of another credit reference system last year.
The Privacy Commissioner also elaborated on the privacy settings of the 10 online shopping platforms reviewed by the PCPD. She reminded operators of online shopping platforms not to collect excessive personal data and to improve the transparency of their privacy policies. She also offered tips to members of the public on shopping online safely.
Please click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).
Please click here (first part, second part) to listen to the interview by Now News’ “News Magazine” (Chinese only).
Please click here to listen to the interview by RTHK Radio 1’s “Open Line Open View” (Chinese only).
Showcasing Hong Kong – Privacy Commissioner Speaks at the 6th National Data Privacy Conference of the National Privacy Commission, the Philippines
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke through video recording at the 6th National Data Privacy Conference themed “Empowering DPOs and Protecting Personal Data Privacy Rights of Filipinos” held by the National Privacy Commission (NPC) of the Philippines on 25 May. The conference was one of the events of the NPC’s Privacy Awareness Week 2023.
In her speech, the Privacy Commissioner pointed out that the values of data and data privacy have been increasingly important in the digital age. She stressed that a secure, responsible and ethical use of data must be a priority for all organisations in making operational decisions.
The Privacy Commissioner also shared her insights as to how an effective PMP could be implemented by companies so that they could garner trust from their customers while laying a solid bedrock for their long-term business sustainability and growth. Apart from explaining the three core components of PMP that the PCPD has been advocating, the Privacy Commissioner also elaborated on the PCPD’s work on promoting the establishment of a PMP, including the publication of a “Best Practice Guide” in August 2018, the establishment of the Data Protection Officers’ Club and the launch of the Privacy-Friendly Awards in 2021.
Please click here for the Privacy Commissioner’s full speech.
Launch of New Online Data Breach Notification Form
The PCPD launched an online data breach notification form on 19 June. The online form is a web-based form with guided questions and multiple-choice answers which aims to help data users grasp the details of data breach incidents more comprehensively and effectively, and report data breach incidents to the PCPD in a more convenient manner. The form consists of four main parts:
- Basic information of the data user;
- Information of the contact person;
- Particulars of the data breach incident; and
- Assessment of the incident and remedial actions taken.
In addition to the online form, data users can still download the paper version of the data breach notification form for completion.
Data users are encouraged to use the above form to notify the PCPD of any data breach incidents. The PCPD does not accept oral notification.
Please click here to access the online data breach notification form.
Please click here to download the paper version of the data breach notification form.
A 39-year-old Chinese Female Arrested for a Suspected Doxxing Offence Relating to Emotional Entanglements
The PCPD arrested a Chinese female aged 39 in Kowloon on 27 June. The arrested person was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that the victim started a relationship with a male in August 2022, and the arrested person is his ex-girlfriend. Subsequently, a total of four messages containing the personal data of the victim were posted in three groups on a social media platform between August 2022 and May 2023, with negative comments on her. The personal data disclosed included the victim’s Chinese name, English surname and alias, age, mobile phone number, family status and photos. The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- The person discloses any personal data of a data subject without the relevant consent of the data subject –
  - With an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
A 30-year-old Chinese Female Arrested for a Suspected Doxxing Offence Relating to Emotional Entanglements
The PCPD arrested a Chinese female aged 30 in Kowloon on 13 June. The arrested person was suspected to have disclosed the personal data of two data subjects without their consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that the male victim and the arrested person are arranging a divorce. After the two separated, the male victim developed a close relationship with the female victim. In April 2023, the female victim’s personal data was used to set up two accounts on a social media platform to publish various messages containing the personal data of the victims with negative comments on them. The personal data of the male victim disclosed in the messages included his Chinese name, alias, name of residential estate, area of work, occupation and photos, while the personal data of the female victim disclosed included her Chinese and English names, alias, nickname, place of work, name of company, occupation, licence number of her occupation and photos. The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for five years.
The PCPD Proactively Commences Compliance Checks of All Credit Reference Agencies to Ensure the Data Security of Credit Reference Databases
The PCPD published an investigation report on the unauthorised access to the credit data in the TE Credit Reference System on 1 June. As a result of the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the operator of the TE Credit Reference System had failed to take all practicable steps to protect the personal data in the TE Credit Reference System against unauthorised or accidental access, processing, or use, and inappropriately retained over 50,000 credit records longer than was necessary, thereby contravening DPP4(1) in Schedule 1 to the PDPO relating to the security of personal data and DPP2(2) relating to the duration of retention of personal data respectively. The Privacy Commissioner has served an enforcement notice on the relevant operator, directing it to remedy the contraventions and prevent recurrence of similar contraventions.
In the light of the findings of the above-mentioned investigation report, and the concern raised by the community on the handling of borrowers’ credit data by credit reference databases in Hong Kong, the PCPD will proactively commence compliance checks of all credit reference agencies in Hong Kong in order to ensure the protection of the personal data privacy of borrowers and the data security of credit reference databases. The checks will cover whether the security measures adopted by the credit reference agencies in respect of the credit data of borrowers and the retention period of such data comply with the requirements of the PDPO.
The Mainland’s Measures on the Standard Contract for Cross-border Transfers of Personal Information Take Effect on 1 June
The PCPD noted that the Measures on the Standard Contract for Cross-border Transfers of Personal Information (the Measures) promulgated by the Cyberspace Administration of China (CAC) came into operation on 1 June.
The PCPD reminds local enterprises and organisations which conduct business on the Mainland, especially enterprises and organisations which transfer personal information out of the Mainland on a smaller scale, such as small- and medium-sized enterprises, that if the conditions prescribed in the Measures are met, they may need to enter into a standard contract and file the contract with the local cyberspace administration authorities at the provincial level before effecting the transfer of personal information. Specifically, according to the Measures, personal information processors (including enterprises or organisations) which satisfy all of the following conditions may rely on the execution of standard contracts to transfer personal information out of the Mainland, and shall first carry out a personal information protection impact assessment:
- Where the personal information processor is not an operator of critical information infrastructure;
- Where the personal information processor which transfers personal information out of the Mainland processes personal information of not more than 1 million persons (in aggregate);
- Where the personal information processor which transfers out personal information has cumulatively made outbound transfers of personal information of not more than 100,000 persons (in aggregate) since 1 January of the preceding year; and
- Where the personal information processor which transfers out personal information has cumulatively made outbound transfers of sensitive personal information of not more than 10,000 persons since 1 January of the preceding year.
The relevant personal information processor shall enter into a standard contract strictly in accordance with the template standard contract appended to the Measures, and shall file the contract with the local cyberspace administration authority at the provincial level within 10 working days of the effective date of the contract.
It is noteworthy that personal information processors which are required to undergo security assessments for transferring personal information outside the jurisdiction shall not deploy tactics such as quantity splitting in order to transfer personal information outside the jurisdiction by entering into standard contracts instead.
The personal information protection impact assessment shall assess, among others, the following key matters:
- The legality, propriety and necessity of the purpose, scope and manner of processing of the personal information by the personal information processor and the recipient outside the jurisdiction;
- The scale, scope, category and sensitivity of the outbound personal information, and the risks that cross-border transfer of personal information might pose to the rights and interests of individuals regarding personal information;
- Whether the obligations undertaken by the recipient outside the jurisdiction and the management, technical measures and capabilities of such recipient to perform such obligations can ensure the security of the outbound data;
- The risks of the outbound personal information suffering from alteration, destruction, leakage, loss or illegal use, etc., during and after the cross-border transfers, and whether the channels provided to uphold the rights and interests of individuals regarding personal information are clear, etc.;
- The impact of personal information protection policies and regulations of the location of the recipient outside the jurisdiction on the performance of the standard contract; and
- Other matters that may affect the security of the cross-border transfers of personal information.
Please click here for the full text of the Measures and the template standard contract (Chinese only).
Please click here for the Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information published by the CAC on 30 May, which sets out the details on the mode of filing, filing procedures, and materials to be submitted, etc. (Chinese only).
Highlights of the “Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st edition)”
The “Measures on the Standard Contract for Cross-border Transfers of Personal Information” (the Measures)[1], promulgated by the CAC, came into operation on 1 June 2023 (as previously introduced in the March 2023 issue of this column). On 30 May 2023, the CAC released the “Guidance on Filing the Standard Contract for Cross-border Transfers of Personal Information (1st edition)” (the Guidance)[2] to provide practical guidelines on the filing requirements. This article provides a recap of the salient requirements of the Measures and an overview of the Guidance.
Key requirements of the Measures
Specifically, the Measures provide that a personal information processor (including an enterprise or organisation) which satisfies all of the following conditions[3] may transfer personal information outside the Mainland by entering into a standard contract, and shall carry out a personal information protection impact assessment before providing the personal information to the overseas recipient:
- It is not an operator of critical information infrastructure;
- It processes the personal information of fewer than 1 million persons;
- It has cumulatively transferred the personal information of fewer than 100,000 persons outside the Mainland since 1 January of the preceding year; and
- It has cumulatively transferred the sensitive personal information of fewer than 10,000 persons outside the Mainland since 1 January of the preceding year.
The standard contract
The template standard contract covers the obligations of the personal information processor and the overseas recipient[4], the impact of the personal information protection policies and regulations of the place where the overseas recipient is located on the performance of the contract[5], the rights of the personal information subject[6], the means by which the personal information subject may seek remedies[7], and liability for breach of contract[8]. The personal information processor and the overseas recipient may also add other clauses as needed, provided that they do not conflict with the standard contract.
Personal information protection impact assessment
The personal information protection impact assessment shall cover the following matters[9]:
- The legality, propriety and necessity of the purpose, scope and manner of processing of the personal information by the personal information processor and the overseas recipient;
- The scale, scope, category and sensitivity of the outbound personal information, and the risks that the cross-border transfer might pose to the rights and interests of individuals in their personal information;
- Whether the obligations undertaken by the overseas recipient, and the management and technical measures and capabilities for performing those obligations, can ensure the security of the outbound personal information;
- The risks of the outbound personal information being altered, destroyed, leaked, lost or illegally used, etc., after the transfer, and whether the channels for upholding individuals’ rights and interests in their personal information are unobstructed, etc.;
- The impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract;
- Other matters that may affect the security of the cross-border transfer of personal information.
The Guidance
The Guidance sets out specific requirements on the mode of filing, the filing procedure and the materials to be submitted when filing a standard contract for cross-border transfers of personal information:
- Mode of filing[10]: The personal information processor shall, within 10 working days of the effective date of the standard contract, file it with the cyberspace administration authority of the province in which it is located by delivering written materials together with electronic copies of those materials.
- Filing procedure[11]: The filing procedure for the standard contract comprises the submission of materials, the examination of materials and feedback on the filing result, and supplementary filing or re-filing.
- Materials to be submitted[12]: The materials required for filing include the identity documents of the filing party’s representative, the standard contract, and the personal information protection impact assessment, etc.
The template standard contract provided in the Guidance has the same content as the template annexed to the Measures.
As regards the personal information protection impact assessment, Annex 3, the Letter of Undertaking (Template), further specifies that “the personal information protection impact assessment was completed within three months before the date of filing, and no material change has occurred up to the date of filing”[13]. Annex 5 also provides a Personal Information Protection Impact Assessment (Template) (Outbound Version)[14] for reference by personal information processors. The specific requirements include:
1. Summary of the assessment
- Including the start and end dates, the organisation of the assessment, the implementation process and the methods used, etc.
- If a third-party organisation participated in the assessment, its basic particulars and its role in the assessment must be described, and the relevant pages must bear the third-party organisation’s official seal.
2. Overall situation of the outbound transfer activities, including but not limited to:
- Basic particulars of the personal information processor
- The business and information systems involved in the outbound transfer of personal information
- The personal information proposed to be transferred
- The personal information protection capabilities of the personal information processor
- Particulars of the overseas recipient
3. Impact assessment of the proposed outbound transfer activities
4. Conclusion of the impact assessment of the outbound transfer activities
Conclusion
In summary, the Measures and the Guidance provide a practical blueprint for personal information processors to transfer personal information across the border by entering into contracts with overseas recipients, and flesh out the specific requirements for personal information protection impact assessment reports. Personal information processors and overseas recipients concerned should closely monitor the latest guidance issued by the CAC or other official bodies and make timely rectifications to their outbound transfer activities, so as to be prepared for lawful and compliant operation.
[1] Full text: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
[2] Full text: http://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm
[3] Article 4 of the Measures expressly provides that personal information processors shall not adopt means such as quantity splitting in order to transfer, by way of entering into a standard contract, personal information that by law must undergo a security assessment for outbound transfer.
[4] Articles 2 and 3 of the template standard contract
[5] Article 4 of the template standard contract
[6] Article 5 of the template standard contract
[7] Article 6 of the template standard contract
[8] Article 8 of the template standard contract
[9] Article 5 of the Measures
[10] Article 2 of the Guidance
[11] Article 3 of the Guidance
[12] Article 3(1) of the Guidance and Annex 1
[13] Annex 3 to the Guidance, Letter of Undertaking (Template)
[14] Annex 5 to the Guidance, Personal Information Protection Impact Assessment (Template) (Outbound Version)
Seminar on “Cybersecurity in Web 3.0 and Data Breach Handling”
With the development and evolution of the internet into the third generation (Web 3.0), digitising business marketing and operation has become the trend. The risks of personal data breaches resulting from cybersecurity vulnerabilities are also increasing. How enterprises and organisations can ensure customer data is properly protected in the Web 3.0 online world, as well as prepare for and respond to any data breach crisis has become an important issue for the management.
The PCPD organises this seminar to help enterprises and organisations understand how to effectively manage cybersecurity risks and data leakage incidents. The seminar will elaborate on the contents of the “Guidance on Data Breach Handling and Data Breach Notifications” newly issued by the PCPD. A cybersecurity expert from the Hong Kong Computer Emergency Response Team Coordination Centre will also elaborate on the security risks of Web 3.0 and share best practices for enhancing cybersecurity for Web 3.0 with participants.
Date: 27 July 2023 (Thursday)
Time: 3:00pm – 4:15pm
Fee: $300 (Standard fee) / Free (For DPOC members only)
Language: Cantonese
Who Should Attend: Organisations that use ICT to handle personal data, and members of the public with an interest in the topic
Professional Workshop on Recent Court and Administrative Appeals Board Decisions
Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the court and the Administrative Appeals Board relating to personal data privacy. In this regard, our PCPD lawyer will give you a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and the knowledge in the interpretation and application of the PDPO.
Date: 12 July 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: English
Who Should Attend: Solicitors, barristers, in-house lawyers, data protection officers, compliance officers, company secretaries and administration managers.
Professional Workshop on Data Protection in Insurance
Insurance transactions involve a large amount of customers’ personal data, including customers’ names, telephone numbers, addresses, identity card numbers, etc. Therefore, it is necessary for insurance practitioners to understand the requirements under the PDPO. This workshop examines key concepts of data protection compliance, and illustrates various scenarios in the industry operations to highlight potential issues and the solutions in relation to personal data privacy.
Date: 26 July 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who Should Attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry.
Other Professional Workshops on Data Protection from August to September 2023:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD Supports the “Directors Of The Year Awards 2023” Championed by The Hong Kong Institute of Directors
The PCPD is delighted to be one of the supporting organisations of The Hong Kong Institute of Directors (HKIoD)’s “Directors Of The Year Awards 2023”, which is a signature event of the HKIoD to promote good corporate governance and director professionalism. “Transform for a Better Tomorrow” is the theme of the event this year.
For more details, please click here.
The PCPD Supports the Law Society of Hong Kong’s Forum on “Doing Business in Hong Kong in a Rapidly Changing World”
The PCPD is delighted to be one of the supporting organisations of the Law Society of Hong Kong’s Forum on “Doing Business in Hong Kong in a Rapidly Changing World”, which will take place on 11 July at the Hong Kong Convention and Exhibition Centre. For more details, please click here.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.