PCPD e-NEWSLETTER
ISSUE Oct 2023
Privacy Commissioner’s Office Urges the Public and Organisations to Guard against WhatsApp Account Hijacking

In the past month, the PCPD received data breach notifications from a total of five social welfare organisations and schools, reporting that the WhatsApp accounts they used to communicate with service users, students and/or parents of students had been hijacked. The fraudsters then impersonated the organisations and used the hijacked accounts to send messages to the contacts in the address books in an attempt to swindle them. The incidents involved the personal data of nearly 900 individuals; the affected data included the names and mobile phone numbers of service users, students, parents of students and/or staff members. On the PCPD’s advice, the organisations concerned have notified the affected individuals.
“WhatsApp account hijacking” generally refers to fraudsters impersonating victims’ friends and relatives and messaging them to ask that they forward the registration codes of their WhatsApp accounts, or using fake WhatsApp websites to harvest victims’ telephone numbers and registration codes. With the registration code, the fraudsters register the victim’s number on a device they control, gain access to the account, and impersonate the victim to send messages to the contacts in its address book to swindle money or personal data. The PCPD reminds members of the public and organisations to be cautious of WhatsApp account hijacking and recommends the following measures to protect personal data privacy:
- Enable two-factor authentication (WhatsApp’s two-step verification PIN), so that a registration code alone is not enough to take over the account;
- Regularly check linked devices in WhatsApp settings and log out any devices that are no longer in use or unknown to the user;
- Never disclose any passwords or registration codes to others;
- When searching for the web version of WhatsApp on the internet, be careful with the links and do not click on fake WhatsApp web versions by mistake;
- Never download and use the WhatsApp application from unofficial sources;
- Authenticate the identity of the sender first when you receive messages on WhatsApp about borrowing or remittance requests or asking for your personal data; and
- Be alert when you receive unsolicited or suspicious text messages. Do not click on the links or disclose personal data arbitrarily.
Anyone who suspects that his/her personal data has been leaked may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk). For more information about WhatsApp account hijacking, please refer to:
Raising Public Awareness of Fraud Prevention – Privacy Commissioner’s Office Launches New Anti-fraud Promotional Video

Since June, the PCPD has published two episodes of anti-fraud promotional videos under the theme “Don’t Hand Over Your Personal Data – Beware of Fraudsters”. A new episode on “Healthcare Products Promotional Scam” was launched on 29 September, with artistes Alice FUNG So-bor (馮素波) and Timothy CHENG Tse-sing (鄭子誠) continuing in the key roles to remind members of the public to stay vigilant and avoid falling into scammers’ traps. The videos can be viewed on the PCPD’s official YouTube channel, social media platforms, local TV and MTR in-train TVs.
Please click here to watch the PCPD’s latest anti-fraud video (Chinese only).
Preparing for Contingency – Formulate your Data Breach Response Plan

PRIVACY COMMISSIONER’S FINDINGS
A Company Unfairly Collected a Job Applicant’s Personal Data

Securing Personal Data in the Cloud

The PCPD Welcomes The Chief Executive’s Policy Address 2023
A 24-year-old Chinese Male Arrested for Suspected Doxxing of a Police Officer and his Family Members
The PCPD has Completed the Inspection of the Customers’ Personal Data System of ZA Bank Limited to Ensure Data Security

RECOMMENDED ONLINE TRAININGS
Seminar on “Enhancing Data Security to Prevent Cyber Attacks”
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation

RENEWAL OF DPOC’S MEMBERSHIP

Understanding the Mainland Laws – the PCPD Organises Experience Sharing Session on “Using Standard Contracts for Transferring Personal Information Out of the Mainland”
Reaching Out to the Business Sector – Privacy Commissioner Speaks at 2023 HKMA Quality Award Presentation Ceremony
Promoting Data Security – Privacy Commissioner Publishes an Article Entitled “Data Security must be Enhanced to Foil Threats”
Promoting Data Security – Privacy Commissioner Publishes an Article in Hong Kong Lawyer
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain WhatsApp Account Hijacking
Announcement of the Appointment of New Members of the Personal Data (Privacy) Advisory Committee
Reaching Out to the IT Sector – Privacy Commissioner Speaks at the Hong Kong International Computer Conference 2023
Reaching Out to Governance Professionals – Assistant Privacy Commissioner Speaks at Practising Governance Annual Conference 2023
Telling a Good Hong Kong Story – PCPD Representatives Attend the 45th Global Privacy Assembly 2023
Showcasing Hong Kong – Assistant Privacy Commissioner Speaks at the Asia Privacy Bridge Forum 2023
Understanding the EU’s Privacy Laws – the PCPD Organises a Webinar

Highlights of the “Draft Regulations on Regulating and Facilitating Cross-Border Data Flow” (《規範和促進數據跨境流動規定(徵求意見稿)》)
International: UK-US Data Bridge Enters into Effect
Spain: AEPD Updates Breach Advisory and Breach Notification Tools
Privacy Professionals Need to be Aware of Tech Abuse
Performant Risk Mitigation for AI and LLMs

Preparing for Contingency – Formulate your Data Breach Response Plan
A data breach is generally regarded as a suspected or actual breach of the security of personal data held by an organisation (a data user), which exposes the personal data of individuals (data subjects) to the risk of unauthorised or accidental access, processing, erasure, loss or use. Data breaches can occur in any organisation. It is essential for organisations to formulate a comprehensive data breach response plan to ensure a quick response to and effective management of a data breach, which may minimise and contain its impact.
What is a data breach response plan?
A data breach response plan is a document setting out how an organisation will respond in the event of a data breach. It provides a set of procedures to be followed in response to a data breach and outlines the organisation’s strategy for identifying, containing, assessing and managing the impact of the incident. The essential elements of a data breach response plan are:
- Description of what constitutes a data breach;
- Internal incident notification procedure to alert senior management, the data protection officer and/or the data breach response team;
- Designation of the roles and responsibilities of the data breach response team members;
- Contact details of data breach response team members;
- Risk assessment workflow to assess harm to affected data subjects;
- Containment strategy for containing and remedying the breach;
- Communication plan to determine whether and how data subjects, regulatory authorities and/or other relevant parties should be notified;
- Investigation procedure for investigating the breach and reporting to senior management;
- Record-keeping policy to properly document the incident;
- Post-incident review mechanism to identify improvements to prevent recurrence; and
- Training or drill plan to ensure all relevant staff can follow the procedures properly when dealing with a data breach.
Please read the PCPD’s publications below to learn more about how to develop a comprehensive data breach response plan:
Guidance on Data Breach Handling and Data Breach Notifications (detailed guidance note)
Guidance on Data Breach Handling and Data Breach Notifications (summary pamphlet)

PRIVACY COMMISSIONER’S FINDINGS

A Company Unfairly Collected a Job Applicant’s Personal Data

The Complaint
According to the information given in a recruitment advertisement, the complainant applied to Company A for a clerical post. However, during the selection interview, the interviewer persuaded him to fill in an application form for a sales position at Company B. The complainant believed that Company A had used the pretext of a clerical recruitment to actually recruit sales representatives for Company B. As a result, he lodged a complaint with the PCPD.
Outcome
During the investigation, it was revealed that the selection interview was conducted in the office of Company B by a sales agent of Company B. The job descriptions discussed during the interview were related to the sales vacancy at Company B, not the clerical position at Company A.
Under Data Protection Principle (DPP) 1(2) in Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO), a data user is required to collect personal data by lawful and fair means.
After the PCPD’s intervention, Company B issued a written warning to the staff member who conducted the selection interview and confirmed that the relevant personal data had been destroyed. Company B also reminded its staff to state clearly in job advertisements the vacancy being filled and Company B’s identity as the employer.
The PCPD issued a warning letter to Company B, urging it to take practicable measures to ensure that its staff do not recruit sales agents through misleading means and to comply strictly with the requirements of the PDPO.
Lessons Learnt
Job applicants provide their personal data based on the information provided in job advertisements, expecting it to be used only for processing their applications for the advertised positions. If the advertised position does not actually exist, the collection of personal data may be considered unfair under the PDPO. It goes beyond job applicants’ reasonable expectations if the personal data collected from them is subsequently used to persuade them to apply for jobs at other companies.
Recruitment is the first point of contact between job applicants and employers. Employers should proactively protect job applicants’ personal data and treat respect for personal data privacy as an integral part of corporate governance. This not only portrays employers as ethical organisations but also helps attract high-calibre talent.

Securing Personal Data in the Cloud
The exponential increase in data collection and use in the digital world has spurred more and more organisations to employ cloud services in their business operations. Third-party cloud service providers offer computing and data storage services that can reduce IT equipment costs while enhancing the operational efficiency and flexibility of information and communications systems. However, migrating personal data from on-premises locations to cloud platforms may pose privacy risks: data breaches can still occur if cloud service providers fail to adhere to good practices and security policies in managing their cloud assets, and equally if the organisation itself leaves the services it rents misconfigured.
To safeguard the security of your customers’ personal data stored in the cloud and ensure the security of the cloud platforms, the following measures are recommended for organisations.
When selecting cloud services, organisations should:
- Read the terms of service, and the security and privacy policies carefully. Choose a cloud service that aligns with the relevant security and privacy requirements;
- Assess the capabilities of cloud service providers, and seek formal assurance regarding the security controls of the cloud-based environment;
- Check whether the cloud service provider has the rights to use, disclose or make public sensitive data owned by the service user;
- Ensure that the cloud service provider has implemented adequate measures to protect and encrypt sensitive data;
- Ensure that the data can be safely and permanently erased upon service cancellation; and
- Understand whether and how the data and service can be migrated to another service provider.
When using the cloud service, organisations should:
- Establish robust access control and authentication procedures for the cloud platform, such as implementing strong password policies, multi-factor authentication, proper documentation and regular reviews of access rights;
- Review the available cloud-based security features and configure them appropriately, rather than relying solely on default security settings;
- Evaluate the necessity of storing sensitive data on the cloud platform;
- Classify users (staff members) into groups based on their roles and assign them with different access rights;
- Encrypt sensitive data before transmitting it to the cloud; and
- Perform regular backups for data stored on the cloud platform.
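The item “Encrypt sensitive data before transmitting it to the cloud” is the one control in the list that makes a provider-side breach or a careless provider harmless to the data subjects, because the provider only ever holds ciphertext. The Go program below is an added example written for this newsletter page, not code from the PCPD or from any cloud provider; it shows client-side AES-256-GCM encryption of a customer record with a key that stays on-premises, and goes one step beyond the bullet point by binding the object name as additional authenticated data so that a ciphertext copied or re-pointed to another object in the bucket fails to decrypt. The key, the object name and the customer record are constructed sample values, and the functions `EncryptForUpload` and `DecryptFromCloud` are illustrative names, not an API of any real service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptForUpload encrypts one record client-side with AES-256-GCM before it
// leaves the organisation. Only the returned blob (nonce || ciphertext || tag)
// is uploaded; the key stays in the on-premises key store. The object name is
// bound as additional authenticated data (AAD), so a ciphertext copied or
// re-pointed to a different object name in the bucket will not decrypt.
func EncryptForUpload(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per object: reusing a nonce under the same key
	// destroys both confidentiality and integrity in GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(objectName))
	return append(nonce, sealed...), nil
}

// DecryptFromCloud reverses EncryptForUpload. Any bit flipped in the blob, or a
// mismatch between objectName and the name used at encryption time, makes
// Open fail authentication and return an error instead of garbage plaintext.
func DecryptFromCloud(key []byte, objectName string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, sealed := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(objectName))
}

func main() {
	// Constructed sample data: a random 32-byte key standing in for one held in
	// an on-premises KMS/HSM, and a customer record the provider must not see.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte(`{"name":"Chan Tai-man","mobile":"+852 9123 4567"}`)
	name := "customers/2023/10/000123.json"

	blob, err := EncryptForUpload(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes of ciphertext for %s\n", len(blob), name)

	// Legitimate read back from the bucket.
	if pt, err := DecryptFromCloud(key, name, blob); err == nil {
		fmt.Printf("decrypted: %s\n", pt)
	}
	// The same blob served under another object name (copied by an insider or
	// a misbehaving provider) fails authentication.
	if _, err := DecryptFromCloud(key, "customers/2023/10/000999.json", blob); err != nil {
		fmt.Println("object-name mismatch rejected:", err)
	}
	// A single modified byte is detected before any plaintext is released.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptFromCloud(key, name, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

In a deployment the 32-byte key would be fetched from (or wrapped by) a key store the organisation controls rather than generated in `main`, and the provider’s own server-side encryption can be kept as a second layer; the point of the example is that the provider’s layer alone leaves the provider, and anyone who compromises it, able to read the records.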

Understanding the Mainland Laws – the PCPD Organises Experience Sharing Session on “Using Standard Contracts for Transferring Personal Information Out of the Mainland”

The PCPD organised an Experience Sharing Session entitled “Using Standard Contracts for Transferring Personal Information Out of the Mainland” on 24 October, which attracted more than 110 participants from various sectors, including banking, insurance, government/public bodies, legal and information technology. At the Sharing Session, Privacy Commissioner Ms Ada CHUNG Lai-ling highlighted the requirements and key points of the Mainland’s “Standard Contract for Cross-border Transfers of Personal Information” and “Measures on the Standard Contract for Cross-border Transfers of Personal Information”. In addition, Mr Samuel HO, Chief Executive Officer of Nova Credit Limited, was invited as guest speaker to share the practical experience of a related company of Nova Credit in transferring personal information out of the Mainland through the execution of standard contracts, including the points to note when going through the approval process. Please click here to download the Privacy Commissioner’s presentation deck (Chinese only).

Reaching Out to the Business Sector – Privacy Commissioner Speaks at 2023 HKMA Quality Award Presentation Ceremony

Privacy Commissioner Ms Ada CHUNG Lai-ling spoke as the Guest of Honour on 13 October at the 2023 Hong Kong Management Association (HKMA) Quality Award Dinner and Presentation Ceremony. In her speech entitled “Succeeding in the Data-Driven World: How Good Data Governance Boosts Quality Management”, the Privacy Commissioner discussed the elements of data governance that contribute to good quality management, against the backdrop of a rising number of cybercrimes. The Privacy Commissioner also recommended that organisations adopt the Privacy Management Programme as part of good data governance. The Quality Award is organised by the HKMA and seeks to reward and recognise organisations that have achieved outstanding standards of quality and made a lasting commitment to quality management. Please click here for the Privacy Commissioner’s presentation deck.

Promoting Data Security – Privacy Commissioner Publishes an Article Entitled “Data Security must be Enhanced to Foil Threats”

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Data security must be enhanced to foil threats”.
The Privacy Commissioner pointed out that as cybersecurity threats are on the rise, businesses and organisations, regardless of their scale, should proactively strengthen the security of their information systems to defend against future cyberattacks.
She encouraged organisations to adopt the recommended measures in the “Guidance Note on Data Security Measures for Information and Communications Technology” issued by the PCPD to enhance their data security measures and mitigate emerging threats, and provide proper training to staff. As an organisational measure to enhance data governance, organisations should also establish a personal data Privacy Management Programme to ensure their responsible collection, holding, processing and use of personal data.
The article was published in China Daily Hong Kong Edition, HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Sing Tao Daily and Ta Kung Pao.
Please click here to read the article in Chinese.
Please click here to read the article in English.

Promoting Data Security – Privacy Commissioner Publishes an Article in Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Data Security at the Heart of the Digital World” in Hong Kong Lawyer on 10 October.
The Privacy Commissioner pointed out that as the use of social media and online shopping platforms becomes more prevalent, data security threats, including the risks of data scraping and data breaches, are also on the rise. While most users are attracted by the convenience and accessibility of such online services, the amount of personal data that one may give away inadvertently may be more than necessary. The Privacy Commissioner therefore called for a more cautious approach when using online services.
The Privacy Commissioner also mentioned that the PCPD had joined hands with 11 data or privacy protection authorities around the globe to issue a joint statement to social media platforms in August this year to highlight the key privacy risks associated with data scraping, and remind them of their responsibilities to protect personal data from unlawful data scraping.
Please click here to read the article.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain WhatsApp Account Hijacking

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Commercial Radio News’ “News Bulletin”, RTHK Radio 1’s “HK2000” and Commercial Radio 1’s “On a Clear Day” on 5 and 6 October to explain the fraudulent tricks of WhatsApp Account Hijacking.
During the interviews, the Privacy Commissioner pointed out that the PCPD received data breach notifications from a total of five welfare organisations and schools last month relating to the hijacking of WhatsApp accounts, which reflected a rising trend in the number of hijacking cases on WhatsApp accounts. She said fraudsters impersonated the victims’ friends and relatives to request them to provide the registration codes of their WhatsApp accounts; or used fake WhatsApp websites to obtain the victims’ telephone numbers and registration codes. The fraudsters then gained access to the victims’ WhatsApp accounts and impersonated the victims to contact their friends and relatives for swindling money.
The Privacy Commissioner also reminded members of the public to take measures to safeguard their personal data privacy, which included enabling two-factor authentication on WhatsApp, being alert and authenticating the identities of the senders when they receive suspicious messages.
Please click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).

Announcement of the Appointment of New Members of the Personal Data (Privacy) Advisory Committee

The Constitutional and Mainland Affairs Bureau announced the new membership of the Personal Data (Privacy) Advisory Committee (Committee) on 29 September. The new members were appointed for a term of two years from 1 October 2023 to 30 September 2025.
The Committee, established under section 11 of the PDPO, serves to advise the Privacy Commissioner for Personal Data on matters in relation to protection of personal data privacy.
Privacy Commissioner Ms Ada CHUNG Lai-ling is the Chairperson of the Committee. The new membership of the Committee is as follows:
- Ms Ada CHUNG Lai-ling (Chairperson)
- Ms Karen CHAN Ka-yin, JP
- Dr CHOW Kam-pui (new appointee)
- Ms Carmen KAN Wai-mun
- Mr Law FAI (new appointee)
- Mr Joseph LIN Ho-man, MH
- Ms Nikki NG Mien-hua (new appointee)
- Mr Patrick WONG Chi-kwong (new appointee)
- Deputy Secretary for Constitutional and Mainland Affairs or Principal Assistant Secretary for Constitutional and Mainland Affairs

Reaching Out to the IT Sector – Privacy Commissioner Speaks at the Hong Kong International Computer Conference 2023

Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a speech on 28 September at the Hong Kong International Computer Conference 2023 themed “AI for Economic Development and Social Good”.
In her presentation entitled “AI and Privacy: Balancing Innovation with Ethical Use of Personal Data”, the Privacy Commissioner discussed the privacy and ethical risks associated with the use of Artificial Intelligence (AI) and explained the ethical principles as well as the good practices recommended in the “Guidance on the Ethical Development and Use of Artificial Intelligence” published by the PCPD.
The Privacy Commissioner also introduced other relevant PCPD guidance that applies to the use of AI.
The annual conference was organised by the Hong Kong Computer Society and brought together over 400 ICT professionals, government leaders and business executives.
Please click here for the Privacy Commissioner’s presentation deck.

Reaching Out to Governance Professionals – Assistant Privacy Commissioner Speaks at Practising Governance Annual Conference 2023

Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) of the PCPD Ms Joyce LAI attended the Practising Governance Annual Conference 2023 (Conference) on 26 October and gave a presentation entitled “How to Uphold Data Governance Standards in a Data Breach”. Ms Lai explained to the participants how to formulate a personal data breach response plan to prepare for the contingency of a data breach, and to take a step-by-step approach to contain damage and harm after a data breach. She also recommended that organisations should adopt Personal Data Privacy Management Programmes as part of good data governance. In addition, the PCPD set up a booth at the Conference to promote the Privacy Management Programme. Please click here for the presentation deck.

Telling a Good Hong Kong Story – PCPD Representatives Attend the 45th Global Privacy Assembly 2023

Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD attended the 45th Global Privacy Assembly (GPA) from 15 to 20 October. The hybrid conference, which was held in Bermuda, featured discussions of privacy issues relating to artificial intelligence (AI) and other novel technologies, data scraping, cross-border data transfers and more.
In the Open Session, Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs and Research) Ms Cecilia SIU (Assistant Privacy Commissioner) spoke as a panellist at a side event organised by the European Commission entitled “International Cooperation in Action: The Role of the GPA”. She discussed how the PCPD had engaged actively with other data protection authorities in Asia and around the world through the execution of memoranda of understanding, regular dialogues and participation in various international data protection networks, including the GPA.
In the Closed Session, the GPA’s International Enforcement Cooperation Working Group (IEWG), co-chaired by the PCPD, presented its annual report to the GPA. Some highlights of its work in 2023 included conducting closed enforcement sessions to facilitate information sharing and collaboration among data protection authorities on topics such as extraterritorial enforcement cooperation and cybersecurity. In a capacity building workshop hosted by the IEWG for GPA members on the topic of “Managing Breach Notifications and Investigations”, the Assistant Privacy Commissioner shared with the participants the challenges faced by the PCPD in managing breach notifications and investigations, as well as the corresponding solutions that addressed such challenges.
In addition, in response to the privacy risks associated with the recent emergence of AI, the Resolution on AI and Employment and the Resolution on Generative AI Systems were adopted by GPA members by consensus at the conference. The PCPD is a co-sponsor for both Resolutions.
The GPA is the leading international forum for over 130 data protection authorities from around the globe to discuss and exchange views on privacy issues and the latest international developments.

Showcasing Hong Kong – Assistant Privacy Commissioner Speaks at the Asia Privacy Bridge Forum 2023

Assistant Privacy Commissioner (Legal, Global Affairs & Research) of the PCPD Ms Cecilia SIU spoke through video recording at the Asia Privacy Bridge Forum 2023 held in Seoul, South Korea, on 12 October. Ms SIU delivered a speech entitled “Empowering Data Privacy Protection in AI in Hong Kong: the Key to Safety and Trust”. She pointed out that while the rapidly evolving AI technology, in particular, generative AI tools, has the potential to significantly enhance standard of living and boost productivity, it has also brought about privacy issues and ethical risks. Ms SIU highlighted the three roles of the PCPD in striving for safety and trust in the AI era, namely facilitator, educator and enforcer. She elaborated on the work of the PCPD, including facilitating organisations on lawful and responsible use of AI through issuing the “Guidance on Ethical Development and Use of Artificial Intelligence” in August 2021, educating the public through publishing a leaflet entitled “10 Tips for Users of AI Chatbots” in September 2023, and monitoring compliance with the law through handling complaints, conducting compliance checks, inspections and investigations, etc. The Forum was organised by the Barun ICT Research Centre, Yonsei University, Seoul, South Korea. The theme of this year’s Forum was “Data Access and Trust in AI Era”.

Understanding the EU’s Privacy Laws – the PCPD Organises a Webinar

The PCPD organised a webinar on “Review of the Implementation of the EU’s General Data Protection Regulation (GDPR) and the Way Forward” on 5 October, which attracted more than 140 attendees from various sectors including banking, insurance, government/ public bodies, legal and information technology.
Ms Karolina Mojzesowicz, Deputy Head of Unit Data Protection of the European Commission, and Ms Ruth Boardman, Partner and Co-head of International Privacy and Data Protection Group of Bird & Bird, were invited as guest speakers to share their insights on the latest developments of the privacy laws and regulations in the EU, and their practical experience in relation to the implementation and enforcement of the GDPR in the past five years, as well as their views on the challenges faced by organisations.

The PCPD Welcomes The Chief Executive’s Policy Address 2023

The PCPD welcomes the array of policy initiatives on protecting cybersecurity and promoting digital economy set out in the Chief Executive’s Policy Address.
In view of the recent increase in the frequency of cyberattacks and the growing threat to cybersecurity, the PCPD supports the proposal in the Policy Address to legislate on cybersecurity and to enhance the cybersecurity protection of critical infrastructure. To support data security, the PCPD issued the “Guidance Note on Data Security Measures for Information and Communications Technology” in August last year and a new “Guidance on Data Breach Handling and Data Breach Notifications” in June this year; these provide organisations with a series of recommended data security measures and assist them in formulating data breach response plans and responding to data breach incidents, so as to facilitate their compliance with the relevant requirements under the PDPO.
Separately, the Policy Address proposes to take forward the work of the Digital Economy Development Committee and to publish, within this year, administrative measures for facilitating data flow and safeguarding data security, with a view to fuelling the development of a data-driven digital economy. Privacy Commissioner Ms Ada CHUNG Lai-ling, a member of the Sub-group on Cross-boundary Data Collaboration of the Digital Economy Development Committee set up by the Financial Secretary and a member of the Hong Kong Expert Group on Cross-boundary Data Collaboration, welcomes the implementation of the new facilitation measures to promote cross-boundary data flow, thereby enhancing the collaborative development of the cities in the Greater Bay Area and promoting the digital economy.

A 24-year-old Chinese Male Arrested for Suspected Doxxing of a Police Officer and his Family Members

The PCPD arrested a Chinese male aged 24 in Kowloon on 12 October. The arrested person was suspected to have disclosed the personal data of the victim and his family members without their consent, in contravention of section 64(3A) of the PDPO.
The victim is a police officer who took part in an arrest operation in 2019, as a consequence of which he was doxxed by others. In July 2023, an online group published a “wanted” person post about the victim on a social media platform, offering a reward for locating the victim. On the same day, two self-made “wanted” person notices about the victim and his family members, which contained their personal data alongside some fabricated offences committed by them, were posted in reply to the said post. The personal data disclosed included the partial Chinese names of the victim and his two family members as well as their photos. The occupation and the rank of the victim were also shown in one of the photos. The PCPD reminds members of the public that uploading or reposting doxxing messages, as well as responding to some online calls for doxxing and disclosing the personal data of data subjects without their consents, may also constitute a doxxing offence. Offenders are liable on conviction to a fine up to $1,000,000 and imprisonment for five years. Members of the public are urged not to flout the law.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.

The PCPD has Completed the Inspection of the Customers’ Personal Data System of ZA Bank Limited to Ensure Data Security

The PCPD published an inspection report on the customers’ personal data system of ZA Bank Limited (ZA Bank).
The rapid development of fintech in the banking industry in Hong Kong in recent years has led to the provision of one-stop financial services to customers through digital channels. ZA Bank was granted a virtual banking licence by the Hong Kong Monetary Authority in March 2019 and became the first virtual bank in Hong Kong in March 2020. The Bank delivers digital banking services to customers mainly through the Internet and mobile applications. Considering that virtual banks handle vast amounts of sensitive personal data on a daily basis, Privacy Commissioner Ms Ada CHUNG Lai-ling invoked the power vested in her under section 36 of the PDPO to carry out an inspection of the customers’ personal data system of ZA Bank, in particular to ensure the security of the system.
The findings of the inspection reveal that as of 30 June 2023, ZA Bank had almost 700,000 retail customers. ZA Bank has established a Personal Data Privacy Management Programme and appointed a dedicated Data Protection Officer to develop, systematically and responsibly, a system for complying with the requirements of the PDPO and managing customers’ personal data. The Privacy Commissioner is also pleased to note that ZA Bank is committed to protecting personal data privacy through measures such as implementing a paperless office, conducting drill exercises against phishing attacks and promoting a culture of privacy in the workplace. Overall, the Privacy Commissioner considers that ZA Bank has generally complied with the requirements of the DPPs in Schedule 1 to the PDPO in the handling of customers’ personal data.
Nevertheless, the Privacy Commissioner recommends that ZA Bank strengthen the management of its data processors, enhance the monitoring capabilities of its data loss prevention system, limit the time during which staff can access customers’ personal data, centrally manage its internal policies and guidelines on the handling of personal data, and continuously and regularly review its personal data system, so as to strengthen the protection of customers’ personal data. Drawing on the findings of this inspection, the Privacy Commissioner reminds organisations which handle vast amounts of customers’ personal data to strengthen their data security measures, including the following:
- Establish a Personal Data Privacy Management Programme;
- Appoint a designated officer as Data Protection Officer;
- Formulate comprehensive system security policies and procedures;
- Devise a role-based access to customer data; and
- Appoint and manage data processors prudently.
Please click here to download “Inspection Report: The Customers’ Personal Data System of ZA Bank Limited”.
Highlights of the “Draft Regulations on Regulating and Facilitating Cross-Border Data Flow (Draft for Comment)”
To further regulate and facilitate the orderly and free flow of data, the Cyberspace Administration of China released a set of “Draft Regulations on Regulating and Facilitating Cross-Border Data Flow” (the Draft Regulations) on 28 September 2023 to collect public opinions until 15 October 2023. The Draft Regulations introduce certain exemptions under which data processors may not be required to conduct and report security assessments, enter into personal information standard contracts, or obtain personal information protection certification as otherwise required under the relevant laws and regulations relating to cross-border transfers of data. This article provides an overview of the Draft Regulations.
To further regulate and facilitate the lawful, orderly and free flow of data, the Cyberspace Administration of China released the “Draft Regulations on Regulating and Facilitating Cross-Border Data Flow (Draft for Comment)” (the Draft Regulations)1 on 28 September 2023 for public consultation. The consultation period ended on 15 October 2023. The Draft Regulations set out the scenarios in which data processors may be exempted from reporting a data export security assessment, entering into a personal information standard contract, or obtaining personal information protection certification, in order to comply with the data export requirements under the relevant laws and regulations. The highlights of the Draft Regulations are as follows:
Scenarios where no data export security assessment, standard contract for personal information export or personal information protection certification is required
The Draft Regulations propose several exemption scenarios in which a data export does not require reporting a data export security assessment, entering into a standard contract for personal information export, or obtaining personal information protection certification, including:
- export of data generated in activities such as international trade, academic cooperation, cross-border manufacturing and marketing, which does not contain personal information or important data2;
- personal information provided overseas that was not collected or generated domestically3;
- the data export activity is necessary and falls within one of the following circumstances4:
  - the provision of personal information overseas is necessary for concluding or performing a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, air ticket and hotel booking, and visa application;
  - the provision of internal employees’ personal information overseas is necessary for carrying out human resources management in accordance with lawfully formulated labour rules and lawfully concluded collective contracts;
  - the provision of personal information overseas is necessary in an emergency to protect the life, health and property of natural persons.
Scenarios where no data export security assessment is required
The Draft Regulations also propose exemptions from reporting a data export security assessment, including:
- where data has not been notified by the relevant authorities or regions, or publicly announced, as important data, the data processor is not required to report a data export security assessment for it as important data6;
- where a data processor expects to provide overseas the personal information of more than 10,000 but fewer than 1 million individuals within a year, it may forgo reporting a data export security assessment if it enters into a standard contract for personal information export with the overseas recipient and files it with the provincial cyberspace administration, or obtains personal information protection certification7.
Other provisions
The Draft Regulations further propose that pilot free trade zones may, according to their own needs, formulate lists of data (negative lists) to be brought within the scope of data export security assessment, standard contracts for personal information export and personal information protection certification, and file them with the national cyberspace administration after approval by the provincial cybersecurity and informatisation committee. Export of data outside the negative list may proceed without reporting a data export security assessment, entering into a standard contract for personal information export or obtaining personal information protection certification8.
The Draft Regulations also expressly provide that state organs and critical information infrastructure operators shall, when providing personal information (including sensitive personal information) and important data overseas, act in accordance with the relevant laws, administrative regulations and departmental rules9. Data processors providing important data and personal information overseas shall also perform their data security protection obligations to safeguard the security of the data export10.
Summary
In summary, the Draft Regulations propose further draft rules on cross-border data flow and explain the scenarios in which data processors may obtain an exemption (if the draft rules are implemented). Notably, the Draft Regulations specifically state that where relevant provisions such as the Measures for Security Assessment of Data Export and the Measures for Standard Contracts for Personal Information Export are inconsistent with the Draft Regulations, the Draft Regulations (if implemented) shall prevail11. Data processors concerned should closely monitor the latest legislative developments in the Mainland to ensure that their cross-border processing of personal information is compliant and orderly.
1 Full text: http://www.cac.gov.cn/2023-09/28/c_1697558914242877.htm
2 Article 1 of the Draft Regulations.
3 Article 3 of the Draft Regulations.
4 Article 4 of the Draft Regulations.
5 Under Article 5 of the Draft Regulations, where personal information is provided overseas on the basis of the individual’s consent, the consent of the personal information subject shall be obtained.
6 Article 2 of the Draft Regulations.
7 Under Article 6 of the Draft Regulations, where the personal information of more than 1 million individuals is provided overseas, a data export security assessment shall be reported. However, where personal information is provided overseas on the basis of the individual’s consent, the consent of the personal information subject shall be obtained.
8 Article 7 of the Draft Regulations.
9 Article 8 of the Draft Regulations.
10 Article 9 of the Draft Regulations.
11 Article 11 of the Draft Regulations.
Seminar on “Enhancing Data Security to Prevent Cyber Attacks”
Recently, cyberattacks on the information systems of various organisations have been reported, leading to the leakage of personal data and arousing public concern about data security. As cyberattack incidents are becoming increasingly serious and unpredictable, questions such as how enterprises and organisations may prevent cyberattacks and avoid the leakage of the personal data of their customers and employees, and how they may prepare for and handle a data breach incident, have become an important subject for management teams.
Against this background, the PCPD is organising this seminar to explain ways to enhance cybersecurity, outline recommended data security measures, and highlight the key points in preventing and handling data breach incidents. A guest speaker from the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force will also discuss the latest developments and trends in cyber threats facing enterprises and organisations, using real cybercrime cases as examples.
Organisations in all sectors which utilise ICT to handle personal data and members of the public with an interest in the topic are welcome to attend. Enrolment is on a first-come-first-served basis.
Date: 7 November 2023 (Tuesday)
Time: 3:00 pm – 4:15 pm
Format: Online / Face-to-face (Physical venue: the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: Free-of-charge
Language: Cantonese
Who Should Attend: organisations in all sectors which utilise ICT to handle personal data and members of the public with an interest in the topic
Professional Workshop on Data Protection and Data Access Request (Face-to-face)
Receiving Data Access Requests (DARs) is a frequent occurrence for many organisations. For example, employees may ask employers for copies of their previous appraisal reports, and patients may ask for copies of their medical records.
Handling DARs properly, effectively and in a timely manner poses a challenge to many organisations. This workshop will examine in detail the compliance requirements for handling DARs under the PDPO and offer participants practical guidance on handling them.
Date: 8 November 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who Should Attend: solicitors, data protection officers, administration managers, human resources officers and customer services personnel
Professional Workshop on Data Protection Law (Online)
With the growing public awareness and expectations of the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence.
This workshop will examine the practical application of the PDPO at work through the sharing of real-life cases and practical advice. It is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.
Date: 22 November 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: English
Who should attend: solicitors, barristers, in-house legal counsels, data protection officers and compliance officers
Professional Workshops on Data Protection in Banking / Financial Services (Face-to-face)
The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.
This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/ financial practitioners, company secretaries and solicitors.
Date: 6 December 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming session are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on the privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.