PCPD e-NEWSLETTER
ISSUE Jul 2023
Privacy Awareness Week 2023
PCPD Launches the New Book《私隱法.保 — 了解你的個人資料私隱》(“The Treasure-trove of Privacy – Understanding Your Personal Data Privacy”)

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (fifth from right), Professor Guobin ZHU, School of Law, City University of Hong Kong (fourth from right), Mr CHU Ka-tim, Vice Principal of Hong Kong True Light College (fifth from left) and Mr Edmund CHAN, Associate Director of the City University of Hong Kong Press (second from left) take a photo with the members of the Personal Data (Privacy) Advisory Committee and the Standing Committee on Technological Developments.

The PCPD launched the new book《私隱法.保 — 了解你的個人資料私隱》(“The Treasure-trove of Privacy – Understanding Your Personal Data Privacy”) and held a seminar on “Cyberbullying and Doxxing Behaviour involving Students” at the Hong Kong Book Fair 2023 on 24 July. The event attracted more than 120 participants. Privacy Commissioner Ms Ada CHUNG Lai-ling introduced the new Chinese book, published by the PCPD and the City University of Hong Kong Press, and shared practical tips for protecting personal data in daily life to deepen the public’s understanding of the Personal Data (Privacy) Ordinance (PDPO).

Besides having Mr Sammy LEUNG, a renowned TV/radio host, as the moderator, the PCPD also invited the Chairman of the Hong Kong Association for Computer Education and Vice Principal of Hong Kong True Light College, Mr CHU Ka-tim, to speak as the guest speaker in a discussion on how to effectively protect students’ online privacy and security.

This year, the PCPD also set up a booth at the Hong Kong Book Fair, showcasing an array of publications issued in recent years concerning various privacy issues. The booth has an exquisite “check-in” spot where visitors may also collect souvenirs.

The book launch is a signature event of the “Privacy Awareness Week” (PAW) 2023. This year’s PAW is held from 24 to 30 July, with the theme “Building from the Foundation – Respect and Protect Personal Data Privacy”. The event is supported by members of the Asia Pacific Privacy Authorities (APPA).

In addition to the events at the Hong Kong Book Fair 2023, the PCPD hosted a webinar on “Cybersecurity in Web 3.0 and Data Breach Handling” on 27 July to discuss the security risks of Web 3.0 and explain the “Guidance on Data Breach Handling and Data Breach Notifications” newly issued by the PCPD. The PCPD also put up posters of the PAW 2023 at bus stops and distributed them to government departments, district offices, schools, etc.
Data Breach Management in Your Business

PRIVACY COMMISSIONER’S FINDINGS
A Hospital Collected the Time Spent by a Doctor on Ward Rounds and the Number of Patients He Attended to, without Prior Notification

Privacy Protection in the Digital Age – Data Security Tips on Online Banking

PCPD Publishes a New Book Entitled 《私隱法.保 — 了解你的個人資料私隱》(“The Treasure-trove of Privacy – Understanding Your Personal Data Privacy”)
A 41-year-old Chinese Male Arrested for Posting a Doxxing Message
A 47-year-old Chinese Male Arrested for a Suspected Doxxing Offence Relating to Monetary Disputes
A 58-year-old Chinese Female Arrested for a Suspected Doxxing of a Staff of a Real Estate Agency
The PCPD Issues New Guidance on Data Breach Handling and Data Breach Notifications to Safeguard Data Security

RECOMMENDED ONLINE TRAININGS
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation

RENEWAL OF DPOC’S MEMBERSHIP

Enhancing Data Security – PCPD Organises a Seminar on “Cybersecurity in Web 3.0 and Data Breach Handling”
Promoting Data Security – Privacy Commissioner Publishes an Article entitled “PCPD’s Updated Guidance on Data Breach” in Hong Kong Lawyer
Reaching Out to the Community – Privacy Commissioner Officiates the Closing Ceremony of “Discussing News and Information at School” Programme Organised by the Hong Kong Press Council

Highlights of the “Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing”
International: EU and Japan Agree on Enhancing Cooperation on AI and Data Flows
International: US Department of Commerce Launches Data Privacy Framework Website for EU-US Data Transfers
EU: Commission Proposes New Procedural Regulation for Stronger GDPR Enforcement in Cross-border Cases
What Does AI Need? A Comprehensive Federal Data Privacy and Security Law

Winners of the PCPD’s Privacy-Friendly Awards 2023 will be announced soon. All award-winning organisations will be invited to the Awards Presentation Ceremony to be held on 31 August. We will notify the winners of the details of this Ceremony individually.

Data Breach Management in Your Business
A data breach is generally regarded as a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data of data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use. Common causes of data breaches in Hong Kong include cyberattacks, system misconfigurations, loss of physical documents or portable devices, improper/wrongful disposal of personal data, inadvertent disclosure by email or post, and staff negligence/misconduct. Such breaches may constitute a contravention of Data Protection Principle 4 of the PDPO.
A responsible data user should formulate a comprehensive data breach handling policy with a clear action plan. This enables a prompt response to, and effective management of, data breach incidents, thereby reducing the impact on affected individuals and the potential damage to the data user. The recommended actions for handling a data breach are:
- Action 1: Immediate gathering of essential information – promptly gather all relevant information about the data breach so as to assess the impact on data subjects and identify appropriate mitigation measures.
- Action 2: Containing the data breach – after detecting the breach and making an initial assessment, take steps to contain it, and take remedial actions to lessen, as far as possible, the harm or damage caused to the affected data subjects.
- Action 3: Assessing the risk of harm – form a clear understanding of the harm the breach may cause to the affected individuals. Possible harm includes threats to personal safety, identity theft, financial loss, humiliation or loss of dignity, damage to reputation or relationships, and loss of business or employment opportunities.
- Action 4: Considering giving data breach notifications – notify the PCPD, other relevant law enforcement agencies and the affected data subjects as soon as practicable after becoming aware of the breach, particularly if it is likely to result in a real risk of harm to the affected data subjects.
- Action 5: Documenting the breach – maintain a comprehensive record of the incident, which should include all facts relating to the data breach, ranging from details of the breach and its effects to the containment and remedial actions taken by the data user, so that the data user can learn from the incident, facilitate a post-breach review and improve personal data handling practices as appropriate.
Please read the PCPD’s publication below to learn how to prepare for and handle data breaches: Guidance on Data Breach Handling and Data Breach Notifications

PRIVACY COMMISSIONER’S FINDINGS
A Hospital Collected the Time Spent by a Doctor on Ward Rounds and the Number of Patients He Attended to, without Prior Notification
The Complaint
The complainant was a doctor at a public hospital. He was dissatisfied that the hospital management had collected statistical data about him, such as the time he spent on ward rounds and the number of patients he attended to, without any prior notification.
Outcome
The hospital management explained that, owing to changes in the clinical service model, it collected data, including doctors' consultation time and the number of patients attended to, in order to calculate the service cost for different types of patients.
After the PCPD's intervention, the organisation managing the hospital undertook to amend its internal guidelines to ensure that they cover the situations in which employees' personal data is collected and clearly state the purpose and use of such collection.
The PCPD also issued a warning to the organisation, requesting it to closely monitor its employees' compliance with the said guidelines.
Lessons Learnt
The hospital management collected data for administrative and statistical purposes, which were directly related to its function of managing the hospital. However, the management collected the data without informing the doctors of the purposes of collection. Hence, when the doctors learnt that the management had collected such data without prior notification, they inevitably speculated, or worried, that the data was being used to evaluate their work performance, and trust was damaged. The PCPD was pleased that the organisation had promptly taken the above remedial actions and improved the transparency of its personal data collection, so as to avoid suspicion and rebuild trust with its employees.

Privacy Protection in the Digital Age – Data Security Tips on Online Banking
With its convenience and easy accessibility, online banking (internet and mobile banking) allows users to perform banking transactions, check accounts and balances, and pay bills without time or geographical constraints. This shift from traditional banking at physical branches to digital channels also raises an important privacy question for data subjects: do they know how to safeguard their personal and financial data when banking online?
Here are some practical tips to protect your personal data when using online banking services:
- Set a strong and unique password that is different from the ones used for other services, and enable two-factor authentication;
- Change the login password regularly, and never store the password on your computer or mobile phone or leave it in plain sight;
- Protect the electronic devices used to log in to your online banking account, and keep the security token provided by your bank in a safe place;
- Avoid accessing your bank account from public computers or over public Wi-Fi;
- Log out of your bank account immediately after use;
- Beware of any unusual login screen or process (e.g. a suspicious pop-up window or a request for additional personal data), and never respond to any unsolicited e-mail asking you to validate your login or account details;
- Monitor and report any unauthorised or unusual transactions, and contact your bank immediately if you suspect that you have been a victim of online fraud; and
- Install a reputable anti-virus or security protection programme on your computer.

Enhancing Data Security – PCPD Organises a Seminar on “Cybersecurity in Web 3.0 and Data Breach Handling”
To promote and enhance data security, the PCPD organised a seminar on “Cybersecurity in Web 3.0 and Data Breach Handling” in hybrid mode on 27 July. The event was supported by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and the Hong Kong Computer Society and attracted nearly 200 participants.
At the seminar, Mr Lawrence LAW, Security Consultant of the HKCERT, spoke as a guest speaker on the cyber attacks and challenges in Web 3.0, and the best practices for enhancing cyber security for Web 3.0. Acting Chief Personal Data Officer (Compliance & Enquiries) of the PCPD Mr Brad KWOK also gave an overview of the “Guidance on Data Breach Handling and Data Breach Notifications” newly issued by the PCPD.
The seminar is one of the activities of the PCPD’s Privacy Awareness Week 2023, which was held from 24 to 30 July under the theme of “Building from the Foundation – Respect and Protect Personal Data Privacy”.
Please click here to download Mr Law’s presentation deck (Chinese Only).
Please click here to download Mr Kwok’s presentation deck (Chinese Only).

Promoting Data Security – Privacy Commissioner Publishes an Article entitled “PCPD’s Updated Guidance on Data Breach” in Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “PCPD’s Updated Guidance on Data Breach” in Hong Kong Lawyer to introduce the new “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) issued by the PCPD in June 2023.
The Privacy Commissioner pointed out that in the light of the increasing cybersecurity threats and evolving technological developments, the importance of data and data security cannot be overstated. The Guidance will serve as a practical manual to assist businesses in responding to data breaches by preparing for both the “BEFORE” and “AFTER” scenarios. It contains recommendations on formulating a personal data breach response plan before data breaches occur and a step-by-step approach to contain the relevant damage and harm after the occurrence of a breach. To encourage timely notification, the PCPD has also launched an e-Data Breach Notification Form in June 2023 to provide for a more convenient means of notification.
Please click here to read the article.
Reaching Out to the Community – Privacy Commissioner Officiates the Closing Ceremony of “Discussing News and Information at School” Programme Organised by the Hong Kong Press Council
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the closing ceremony of “Discussing News and Information at School” Programme organised by the Hong Kong Press Council on 8 July. She officiated the ceremony and presented prizes for an essay competition.
The Privacy Commissioner delivered a speech at the ceremony, pointing out that social media platforms are carriers of all kinds of information, and the use of social media carries inherent yet non-negligible risks to users’ privacy in relation to personal data. She highlighted that in the era of advanced technology and information explosion, students should learn to think critically in order to become “a wise man who never hesitates in making decisions”, as the old Chinese saying goes.
Please click here for the Privacy Commissioner’s speech (Chinese only).
PCPD Publishes a New Book Entitled《私隱法.保 — 了解你的個人資料私隱》(“The Treasure-trove of Privacy – Understanding Your Personal Data Privacy”)
In the light of rapid technological changes and the various challenges posed to personal data privacy in recent years, the PCPD has collaborated with the City University of Hong Kong Press to publish a new Chinese book 《私隱法.保 — 了解你的個人資料私隱》(“The Treasure-trove of Privacy – Understanding Your Personal Data Privacy”) to help members of the public better understand the requirements of the PDPO and how to protect their personal data privacy in daily life. The book was available for sale at the booth of the City University of Hong Kong Press at the Hong Kong Book Fair 2023 (Booth No. 1D-A26). The PCPD also set up a booth (Booth No. 3G-D07) at the Book Fair to promote to the public the importance of respecting and protecting personal data privacy.
The new book contains a comprehensive account of the data protection principles under the PDPO using plain and simple language that is easy for readers to understand. It illustrates the application of the PDPO using real-life scenarios and decided court cases to help readers understand how to safeguard their personal data privacy. The book also contains new chapters on the new doxxing offences and topical privacy issues arising from emerging technologies such as artificial intelligence, chatbot, Web 3.0 and the metaverse and draws on everyday scenarios such as the use of social media, online shopping, remote working and the use of surveillance cameras and drones to analyse interesting personal data privacy issues and provide helpful tips for readers to protect their personal data privacy.
This book can be purchased at the bookstore of the City University of Hong Kong Press or through their website at
A 41-year-old Chinese Male Arrested for Posting a Doxxing Message
The PCPD arrested a Chinese male aged 41 in the New Territories on 27 July 2023. The arrested person was suspected to have disclosed the personal data of the victim without his consent, in contravention of section 64(3A) of the PDPO.
PCPD’s investigation revealed that the victim had a monetary dispute with a third party in 2020. Subsequently, a message containing the personal data of the victim was posted on a personal account of a social media platform in December 2022 requesting settlement of the outstanding loan from the victim. The personal data disclosed included the victim’s English name, mobile phone number, his photos and a copy of the victim’s Hong Kong Identity Card (HKID card) which showed particulars of his Chinese name, English name, HKID card number, date of birth, gender and a photo of him, etc. The PCPD reminds members of the public that identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
A 47-year-old Chinese Male Arrested for a Suspected Doxxing Offence Relating to Monetary Disputes
The PCPD arrested a Chinese male aged 47 in the New Territories on 18 July. The arrested person was suspected to have disclosed the personal data of a former co-worker without his consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that the victim and the arrested person had worked in the same company between late 2021 and early 2023. During this period, the victim had repeatedly borrowed money from the arrested person, but the two disputed over whether the victim had settled the loan in full. Subsequently, a total of 14 messages containing the personal data of the victim were posted in an open discussion group and in a personal account on a social media platform between January 2023 and March 2023, with negative comments on the victim. The personal data disclosed included the victim’s Chinese name, English name, partial Hong Kong Identity Card number, name of the victim’s residential estate and building and his photos.
The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
A 58-year-old Chinese Female Arrested for a Suspected Doxxing of a Staff of a Real Estate Agency
The PCPD arrested a Chinese female aged 58 in Kowloon on 11 July. The arrested person was suspected to have disclosed the personal data of a staff member of a real estate agency without her consent, in contravention of section 64(3A) of the PDPO. The investigation revealed that the victim was an assistant at a real estate agency. In September 2022, with the victim’s assistance, the arrested person purchased a pre-sale residential unit. At the request of the arrested person, the victim signed an undertaking and provided the arrested person with a copy of her Hong Kong Identity Card (HKID card). The arrested person also took a photo of the victim holding the said undertaking (the Photo). In November 2022, the Photo, together with a copy of the victim’s HKID card and business card, was found circulating in several groups on an instant messaging application and was posted on an internet discussion forum. The personal data disclosed included the victim’s mobile phone number, position and company name, as well as a copy of the victim’s HKID card showing her Chinese name, English name, HKID card number, date of birth, gender and photo.
The PCPD reminds members of the public that doxxing is a serious offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
The PCPD Issues New Guidance on Data Breach Handling and Data Breach Notifications to Safeguard Data Security
With the surge in cyberattacks owing to technological advancements, the number of data breach incidents reported to the PCPD in the first half of 2023 (as of 29 June) has increased by more than 20% to 55 cases when compared to the second half of 2022. The impact of data breaches goes beyond harm to the affected individuals as organisations can also suffer reputational damage and other losses. Against this background, the PCPD issued a new “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) to assist organisations in preparing themselves in the event a data breach occurs. The Guidance also contains practical recommendations to help organisations handle data breaches so as to contain the damage and harm that follows from such incidents.
The Guidance also points out that organisations should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects. Separately, the PCPD has launched an e-Data Breach Notification Form. The online form is a web-based form with guided questions and multiple-choice answers which enables organisations to grasp the details of data breach incidents more comprehensively and effectively, and report data breach incidents to the PCPD in a more convenient manner. Please click here to download the “Guidance on Data Breach Handling and Data Breach Notifications”.
Highlights of the “Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing” (《信息安全技術 個人信息處理中告知和同意的實施指南》)

Under the Mainland’s Personal Information Protection Law (PIPL)[1], an individual’s consent is one of the legal bases on which a personal information processor may process personal information. The PIPL also requires personal information processors to inform individuals, before processing, of the matters relating to the processing of their personal information. However, the PIPL does not define “notice” or “consent”. On 23 May 2023, the Standardization Administration of China and the State Administration for Market Regulation jointly published the “Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing” (the Guidelines)[2], which give practical guidance on the specific methods and steps by which personal information processors should notify individuals in different scenarios, and on how to obtain their consent. The Guidelines will come into effect on 1 December 2023. This article gives a brief overview of the key requirements of the Guidelines.
Definitions
The Guidelines define the following terms, among others:
- Notice (告知) – the act of making an individual aware of the processing activities concerning his or her personal information and the rules governing them[3]
- Consent (同意) – the act by which an individual voluntarily and clearly authorises the processing of his or her personal information[4]
- Explicit consent (明示同意) – the act by which an individual clearly authorises the processing of his or her personal information by proactively making a statement in writing, orally or otherwise, or by taking an affirmative action[5] on his or her own initiative
- Separate consent (單獨同意) – the act by which an individual gives specific and clear authorisation dedicated to a particular processing of his or her personal information; it does not include a one-off consent covering processing activities for multiple purposes or by multiple methods[6]
Notices
Methods of notice
The Guidelines classify notices into three types, “general notice”, “enhanced notice” and “real-time prompt”, and set out specific requirements for each:[7]
- General notice – mainly used by the personal information processor, before processing, to set out the personal information processing rules comprehensively; usually given by formulating and displaying a personal information protection policy (also called a “privacy agreement”, “privacy policy”, “privacy rights policy”, etc.).
- Enhanced notice – mainly used to help the individual understand the key content of the processing rules, or the rules relating to the processing purposes of a specific business function; usually given in a way the individual cannot bypass (e.g. a dedicated interface or a separate step), so as to assist the individual in deciding whether to consent.
- Real-time prompt – mainly used while the individual is using the product or service, to further strengthen the individual’s understanding of the purpose of collecting personal information and to make it convenient for the individual to obtain useful information.
Content of notices
The Guidelines set out detailed requirements for the content to be notified when personal information is collected. A “general notice” should cover basic information such as the identity and contact details of the personal information processor; processing rules such as the purposes and methods of processing, the categories of personal information processed, the retention period and the security measures; the individual’s rights and the methods and procedures for exercising them; and the channels and mechanisms for handling enquiries and complaints[8]. The Guidelines also give further guidance on when “enhanced notice” and “real-time prompts” apply. For example, before activating a business function that collects biometric information, the processor should use an enhanced notice to inform the individual of the necessity of processing biometric information, its impact on the individual’s rights and interests, and the purposes, methods and retention period[9]; and where the collection of personal information requires the individual’s cooperation (e.g. nodding during facial recognition), a real-time prompt should be used to remind the individual of the specific timing and points to note[10].
Implementation of notices
The Guidelines set out specific rules on the interface or channel of the notice, the presentation of the notice content, and the timing and frequency of notices:
- Interface or channel – design an appropriate interface or channel that lets the individual read and obtain the notice immediately, adjusting and optimising its form according to the medium, environment, etc.;[11]
- Presentation of content – design the presentation from the perspective of the individual’s user experience and the protection of his or her rights, aiming for clarity, concision and a clear hierarchy of content;[12]
- Timing and frequency – set a reasonable timing and frequency of notices, combining first-time notice, concurrent notice and repeat notice, and calibrate the volume of content notified at each stage to improve the individual’s receptiveness.[13]
Consent
The Guidelines divide consent mechanisms into two broad categories: “explicit consent” and “other consent”. In principle, a personal information processor should use explicit consent, so that the individual, having understood the purposes of collection and the relevant processing rules, can independently give a specific, clear and unambiguous expression of intent. The processor should also avoid mechanisms based on passive acceptance or default selection, which lead individuals to overlook the rules on the processing of their information.[14]
However, where explicit consent cannot be obtained owing to objective constraints, the individual’s own habits, or the need to protect the legitimate interests of the parties, the processor may infer the individual’s consent only if all of the following conditions are met:[15]
- obtaining explicit consent is significantly difficult[16];
- a personal information protection impact assessment has confirmed that the processing will not adversely affect the individual’s rights and interests;
- the processing rules have been notified to the individual in an appropriate manner; and
- the circumstances in which consent is inferred do not affect the individual’s right to withdraw consent.
Separate consent
Building on the PIPL, the Guidelines give guidance on the “separate consent” required in the following circumstances:
- Circumstances under the PIPL – separate consent is required for providing personal information to another personal information processor[17]
- Key guidance in the Guidelines – before providing the personal information, the processor must inform the individual of the recipient’s identity and contact details, the purposes and methods of processing and the categories of personal information, and obtain the individual’s separate consent.[18]
- Separate consent for making personal information public[19] – before making public the personal information it processes, the processor must inform the individual of the categories of personal information to be made public, the purposes, methods and scope of disclosure, the possible adverse impact on the individual and the individual’s rights, and obtain the individual’s separate consent.[20]
- Separate consent for using information collected in public places for purposes other than safeguarding public security[21] – the processor must inform the individual of the processing rules relating to that purpose and obtain the individual’s separate consent.[22]
- Separate consent for processing sensitive personal information[23] – in addition to the processing rules such as the purposes, methods and scope of processing sensitive personal information, the processor must inform the individual of the necessity of the processing and its impact on the individual’s rights and interests, and obtain the individual’s separate consent.[24]
- Separate consent for providing personal information outside the Mainland[25] – a processor providing personal information to a recipient outside the Mainland must inform the individual of the overseas recipient’s identity and contact details, the purposes and methods of processing, the categories of personal information, the retention period and storage location (specified at least to the country or region), and how the individual may exercise his or her rights against the overseas recipient, and obtain the individual’s separate consent.[26]
Refusal and withdrawal of consent
The Guidelines also detail the key implementation points on refusal and withdrawal of consent. As to refusal, after an individual refuses consent, if the personal information concerned is not necessary for the processor to provide the service, the individual should not be disturbed by frequent enquiries or requests for consent (e.g. more than once within 48 hours)[27]. As to withdrawal, after an individual withdraws consent, the processor must, within the committed time limit (i.e. no more than 15 days), complete confirmation of the withdrawal request and the deletion or anonymisation of the relevant personal information, and report the outcome of the withdrawal to the individual.[28]
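The refusal and withdrawal rules above, together with the requirements that notice precede consent and that explicit consent be given by an affirmative action, are concrete enough to encode. The following consent ledger is an added example written for this newsletter; it is not part of the PCPD article, nor code from the Guidelines or any product. The purpose names, the four consent states, the audit trail, and the treatment of "necessary" purposes (prompted again whenever the function is used, while non-necessary purposes are throttled to one re-prompt per 48 hours) are this example's own assumptions.

```python
# Added example (not from the PCPD article or the Guidelines): a minimal consent
# ledger that enforces notice-before-consent, consent only by affirmative action
# (Clause 3.6), the 48-hour re-prompt limit after a refusal (Clause 9.5) and the
# 15-day deadline to act on a withdrawal (Clause 9.6.2). Purpose names, the
# Consent states and the handling of "necessary" purposes are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple

REPROMPT_WINDOW = timedelta(hours=48)     # Clause 9.5: at most one re-prompt per 48 h
WITHDRAWAL_DEADLINE = timedelta(days=15)  # Clause 9.6.2: confirm and delete/anonymise within 15 days


class Consent(Enum):
    UNDECIDED = "undecided"
    GRANTED = "granted"
    REFUSED = "refused"
    WITHDRAWN = "withdrawn"


@dataclass
class PurposeRecord:
    purpose: str
    necessary: bool                        # assumption: True = the service cannot run without it
    state: Consent = Consent.UNDECIDED
    last_prompt: Optional[datetime] = None
    withdrawal_requested: Optional[datetime] = None
    data_deleted: bool = False
    history: List[Tuple[str, datetime]] = field(default_factory=list)  # audit trail


class ConsentLedger:
    """One record per processing purpose, so consent is always separate, never bundled."""

    def __init__(self) -> None:
        self.records: Dict[str, PurposeRecord] = {}

    def register_purpose(self, purpose: str, necessary: bool) -> None:
        self.records[purpose] = PurposeRecord(purpose, necessary)

    def state(self, purpose: str) -> Consent:
        return self.records[purpose].state

    def may_prompt(self, purpose: str, now: datetime) -> bool:
        rec = self.records[purpose]
        if rec.state is Consent.GRANTED:
            return False                   # nothing left to ask
        if rec.state is Consent.UNDECIDED or rec.necessary:
            return True                    # first ask, or the function cannot run without it
        # refused/withdrawn and not necessary: the Clause 9.5 throttle applies
        return rec.last_prompt is None or now - rec.last_prompt >= REPROMPT_WINDOW

    def prompt(self, purpose: str, now: datetime) -> None:
        """Show the notice and ask for consent; raises if the throttle forbids it."""
        if not self.may_prompt(purpose, now):
            raise RuntimeError(f"re-prompt for {purpose!r} blocked by the 48-hour limit")
        rec = self.records[purpose]
        rec.last_prompt = now
        rec.history.append(("prompt", now))

    def record_decision(self, purpose: str, granted: bool,
                        affirmative_action: bool, now: datetime) -> Consent:
        rec = self.records[purpose]
        if rec.last_prompt is None:
            raise ValueError("notice must precede consent")
        if granted and not affirmative_action:
            # a pre-ticked box or silence is not explicit consent
            raise ValueError("explicit consent requires an affirmative action")
        rec.state = Consent.GRANTED if granted else Consent.REFUSED
        rec.history.append((rec.state.value, now))
        return rec.state

    def withdraw(self, purpose: str, now: datetime) -> None:
        rec = self.records[purpose]
        rec.state = Consent.WITHDRAWN
        rec.withdrawal_requested = now
        rec.data_deleted = False
        rec.history.append(("withdrawn", now))

    def complete_withdrawal(self, purpose: str, now: datetime) -> bool:
        """Mark deletion/anonymisation done; True if it happened within the 15-day deadline."""
        rec = self.records[purpose]
        if rec.withdrawal_requested is None:
            raise ValueError("no pending withdrawal")
        rec.data_deleted = True
        rec.history.append(("deleted", now))
        return now - rec.withdrawal_requested <= WITHDRAWAL_DEADLINE

    def overdue_withdrawals(self, now: datetime) -> List[str]:
        """Purposes whose withdrawal has not been actioned within 15 days."""
        return [
            p for p, rec in self.records.items()
            if rec.state is Consent.WITHDRAWN and not rec.data_deleted
            and rec.withdrawal_requested is not None
            and now - rec.withdrawal_requested > WITHDRAWAL_DEADLINE
        ]
```

The ledger keeps one record per purpose, so a single decision can never cover several purposes; bundled consent is simply not expressible. `overdue_withdrawals` is the check a compliance job would run daily to surface withdrawal requests approaching or past the 15-day limit.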
Conclusion
In sum, since the PIPL does not define “notice”, “consent” or “separate consent”, the definitions and detailed guidance in the Guidelines will be of instructive reference value. The Appendix to the Guidelines covers the key points for implementing notice and consent in 13 categories of personal information processing scenarios; personal information processors should study the relevant rules carefully to ensure that individuals’ rights and interests are properly safeguarded before carrying out any processing activities.
[1] Full text: http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
[2] Announcement: https://www.tc260.org.cn/front/postDetail.html?id=20230531114357
[3] Clause 3.4
[4] Clause 3.5 – includes authorisation given through affirmative action (i.e. explicit consent) and authorisation inferred from the individual’s conduct.
[5] Clause 3.6 – affirmative actions include the individual proactively ticking a box, clicking “Agree”, “Register”, “Send” or “Call”, or proactively filling in or providing information.
[6] Clause 3.7 – the notice content and the method of obtaining separate consent must be distinguished from those of other processing activities.
[7] Clause 8.1
[8] Clause 8.2.1(a)
[9] Clause 8.2.1(c)(3)
[10] Clause 8.2.1(e)
[11] Clause 8.3.2
[12] Clause 8.3.3
[13] Clause 8.3.4
[14] Clause 9.1.1
[15] Clause 9.1.2
[16] For example: the network or other environmental conditions required for the business function of the product or service are limited; the display interface or channel of the product or service and the individual’s means of feedback are limited; no channel of communication with the individual is available, so that explicit consent cannot be confirmed, etc.
[17] Articles 14 and 23 of the PIPL
[18] Clause 9.3.2 (where personal information is provided to several other processors and the purposes, methods and categories are the same and the provision takes place at the same time or in the same scenario, the recipients’ identities and contact details may be listed one by one in the notice and the individual may consent to them together.)
[19] Article 25 of the PIPL
[20] Clause 9.3.3 (for example, when making public the information an individual has recorded under his or her social media account, the processor must allow the individual to freely choose the scope of disclosure before posting, and must not default to disclosure to all unspecified users, unless the individual has adjusted the privacy preference himself or herself.)
[21] Article 26 of the PIPL
[22] Clause 9.3.4
[23] Article 29 of the PIPL
[24] Clause 9.3.5 (for example, where a processor needs to collect the investor’s name, mobile phone number, identity card number and bank card number to open an online investment service, it may notify all the fields to be collected on one form page and obtain the individual’s separate consent at once, marking “identity card number” and “bank card number” as “sensitive personal information”. Likewise, where several items of sensitive personal information need to be processed for one specific purpose, they may be notified together and separate consent obtained at once.)
[25] Article 39 of the PIPL
[26] Clause 9.3.6
[27] Clause 9.5
[28] Clause 9.6.2
Professional Workshop on Data Protection and Data Access Request
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations. This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 9 Aug 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who Should Attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel.
Practical Workshop on Data Protection Law
With the growing public awareness and expectations of the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence. This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice.
Date: 16 Aug 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers
Other Professional Workshops on Data Protection in September 2023:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are as below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.