PCPD e-NEWSLETTER
ISSUE Feb 2024
Reporting to Legislative Council – Privacy Commissioner Attends Meeting of Legislative Council Panel on Constitutional Affairs to Brief Members on PCPD’s Work in 2023
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the meeting of the Legislative Council Panel on Constitutional Affairs to report on the work of the PCPD in 2023.
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Legislative Council Panel on Constitutional Affairs on 19 February to brief Members on the work of the PCPD in 2023 and its strategic focus this year. The Privacy Commissioner reported that, in respect of enforcement actions against doxxing offences that intrude on personal data privacy, the PCPD handled 756 doxxing cases (including doxxing cases proactively uncovered by the PCPD’s online patrols and doxxing-related complaints) in 2023, a significant drop of 57% compared with the 1,764 cases in 2022. Doxxing messages on the Internet had fallen by around 80% as a result of the PCPD’s strenuous efforts in combatting doxxing acts. The PCPD also publicised, promoted and strove to safeguard data security through different means, including the launch of the Data Security thematic webpage, the “Data Security Scanner” and the introduction of the data security hotline (2110 1155). Please click here for the Privacy Commissioner’s opening remarks (Chinese only). Please click here for the paper submitted by the PCPD to the Legislative Council Panel on Constitutional Affairs.
Privacy Commissioner Ms Ada CHUNG Lai-ling (front row, left), Assistant Privacy Commissioner (Legal, Global Affairs and Research) Ms Cecilia SIU Wing-sze (front row, right), Deputy Secretary for Constitutional and Mainland Affairs (1) Mr Raymond SY Kim-cheung, JP (back row, left) and Principal Assistant Secretary for Constitutional and Mainland Affairs 4 Mr Jacky LUM Kwok-keung (back row, right), attended the meeting of the Legislative Council Panel on Constitutional Affairs.
Effective Data Management – Update Your Organisation’s Personal Data Inventory
PRIVACY COMMISSIONER’S FINDINGS
A Learning Centre for Interest Classes Collected Excessive Personal Data from Students and Their Parents
Online Behavioural Tracking
Implications of the Development or Use of Artificial Intelligence on Personal Data Privacy – the PCPD has Completed Compliance Checks on 28 Organisations
A 27-year-old Female Convicted and Sentenced for Doxxing a Pet Seller
The PCPD Fully Supports the Government’s Commencement of Public Consultation and Enactment of Legislation on Basic Law Article 23
Response of the PCPD on the HKU Faculty of Education’s Data Breach Incident
Privacy Commissioner Urges the Public to Stay Vigilant about the Worldcoin Project and Not to Disclose Biometric Data Arbitrarily
Medical and Healthcare Sector – Experience Sharing Session on Good Data Governance
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
PCPD Supports the Digital Economy Summit 2024 – Smarter Technovation for All: Forging a Sustainable Future
Reaching Out to the Community – Privacy Commissioner Officiates the Launching Ceremony of “Discussing News and Information with Students and Teachers” Programme Organised by the Hong Kong Press Council
Reaching Out to Schools – Privacy Commissioner Speaks at “Values Education Conference”
Reaching Out to the Community – Privacy Commissioner Interviewed by Now News to Explain PCPD’s Compliance Report on the Use of Artificial Intelligence by Organisations
Reaching Out to University – Privacy Commissioner Speaks as Guest Lecturer on Safeguarding Data Security at City University of Hong Kong
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain PCPD’s Work on Data Security
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media
Raising Public Awareness of Fraud Prevention – the PCPD Launches a New Episode of Anti-fraud Promotional Video
Reaching Out to the Community – Representative of the PCPD Interviewed by TVB News’ “A Closer Look”
Highlights of the “Draft Administrative Measures on the Reporting of Cybersecurity Incidents”
International: ASEAN Publishes Guide on Model Contractual Clauses and Standard Contractual Clauses for Data Transfers
Amending Australia’s Privacy Act: Small Businesses, Bigger Responsibilities
UK: Information Commissioner’s Office Publishes Response to Draft Regulations on Immigration Exemption in Data Protection Act
Opting In-n-Out: Five Key Analyses for Adtech Privacy Law Compliance
Effective Data Management – Update Your Organisation’s Personal Data Inventory
Organisations handle a vast amount of customer and employee personal data in their daily operations. To manage personal data effectively, an organisation should develop its own personal data inventory: a comprehensive and organised record that details how personal data is collected, stored, processed and managed. The personal data inventory also helps the organisation understand the type of consent required from data subjects, determine the level of protection needed for personal data of different sensitivities (e.g. more sensitive data requires stronger security), comply with data access and correction requests, and respond efficiently to data breach incidents.
The personal data inventory should be updated at least annually to ensure that all held personal data is accurately recorded. Accordingly, procedures for updating the personal data inventory should be established, including the timing for updates, the designated responsible individuals, the updating and reviewing processes, and the responsibilities for filing the inventory.
Here is an example of a personal data inventory:
PRIVACY COMMISSIONER’S FINDINGS
A Learning Centre for Interest Classes Collected Excessive Personal Data from Students and Their Parents
The Complaint
The complainant enrolled her son in an interest class at a learning centre (the Centre), which required her partial Hong Kong Identity (HKID) Card number and her son’s date of birth. Believing this to be an excessive collection of personal data, she filed a complaint with the PCPD.
Outcome
The Centre justified its collection of partial HKID Card numbers as a necessary step to confirm the guardians’ capacity and to verify their eligibility to register minors for classes. They also collected students’ dates of birth to offer birthday promotions, register for competitions, and sort students into age-appropriate classes.
The PCPD found that the collection of the parents’ HKID Card numbers would not aid the Centre in verifying their relationship with the students and that collecting only the year and month of birth should suffice for birthday offers and class allocations. The Centre’s practice of collecting complete dates of birth in anticipation of future competition sign-ups was deemed premature.
Following the PCPD’s intervention, the Centre revised its personal data collection policy. It ceased collecting guardians’ partial HKID Card numbers and only required the month and year of birth for new students. Additionally, the Centre disposed of the HKID Card numbers previously collected and retained only the month and year of birth for current students.
The PCPD also issued a warning to the Centre, urging it to carefully evaluate the necessity of personal data before collection and to ensure compliance with the relevant requirements under the Personal Data (Privacy) Ordinance (PDPO).
Lessons Learnt
Given the sensitivity of HKID Card numbers and the potential risk of identity theft, organisations must thoroughly assess the need and justification for collecting such information. Moreover, in an era of heightened concern for children’s privacy in society, organisations that demonstrate a commitment to respecting and protecting children’s privacy can distinguish themselves and earn the trust of parents.
Online Behavioural Tracking
In today’s digital age, organisations often collect information regarding users’ online interactions with their websites. The purposes for collecting such information range from remembering users’ preferences (such as language, font size and colour scheme) to maintain website consistency on subsequent visits, to analysing website navigation to optimise its design, establishing and maintaining a user’s logged-on identity to preserve his access rights, or tracking behaviour and preferences to create detailed profiles for personalised marketing or advertisements, which raises privacy concerns.
Online Behavioural Tracking Information and the PDPO
Whether behavioural information collected constitutes personal data is determined case-by-case. It depends on three conditions, including (1) relating directly or indirectly to a living individual; (2) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (3) in a form in which access to or processing of the information is practicable.
If directly or indirectly identifying someone from the behavioural tracking information is reasonably practicable (e.g., it includes a unique identifier like an account name or number), it is likely considered “personal data” under the PDPO. In cases lacking unique identifiers, organisations must evaluate whether the complete set of data could identify an individual. Organisations should bear in mind that a combination of identifiers may be sufficient to ascertain one’s identity.
Recommended Practices for Organisations Uncertain about Whether Their Business Activities Involve Personal Data Collection
When uncertain whether behavioural information collected for advertising/marketing purposes constitutes “personal data”, organisations are strongly advised to adopt fair and transparent practices, which include:
- Informing users of what types of information are being collected or tracked, the purposes and methods of collection, whether the information would be transferred to third parties (and if so, the classes of such third parties and the purpose of transfer), whether the information will be combined with other information for profiling, and the retention period;
- Informing users of whether any third party is collecting or tracking their behavioural information, the nature of such third parties, the purposes and means of collection, the retention period and whether the collected information would be further transferred to other parties by the third party. As the organisation is the entity which engages the third party to collect or track users’ behaviour, it is the organisation’s responsibility to find out from the third party what information is being collected and the means by which it is collected; and
- Respecting users’ preferences not to be tracked, offering opt-out choices and explaining the consequences. If opting out during website browsing is not possible, provide explanations to enable users to decide whether to continue browsing the website.
Reaching Out to the Community – Privacy Commissioner Officiates the Launching Ceremony of “Discussing News and Information with Students and Teachers” Programme Organised by the Hong Kong Press Council
Privacy Commissioner Ms Ada CHUNG Lai-ling officiated the launching ceremony of “Discussing News and Information with Students and Teachers” Programme (The Programme) organised by the Hong Kong Press Council on 24 February. The Programme is a new phase of the media and information literacy educational campaign organised by the Hong Kong Press Council. Seminars and workshops will be held for 50 primary and secondary schools within two years, with a view to enhancing the ability of teachers and students to assess the authenticity of news and information.
Reaching Out to Schools – Privacy Commissioner Speaks at “Values Education Conference”
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Values Education Conference” co-organised by the Education Bureau and the Education University of Hong Kong on 23 February, and gave a presentation to around 70 primary and secondary school principals and teachers. In her presentation entitled “Privacy and Information Literacy”, the Privacy Commissioner elaborated on the personal data privacy risks arising from the use of online information, social media and AI chatbots, as well as the seriousness of the doxxing offences. The Manager (Corporate Communications) of the PCPD, Mr Eric PHENG, also shared some practical tips on how to protect personal data online with the participants. Please click here for the presentation deck (Chinese only).
Reaching Out to the Community – Privacy Commissioner Interviewed by Now News to Explain PCPD’s Compliance Report on the Use of Artificial Intelligence by Organisations
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Now News’ “News Magazine” on 23 February to explain the PCPD’s compliance report on the use of Artificial Intelligence (AI) by organisations. The Privacy Commissioner also provided tips to members of the public on the use of AI.
During the interview, the Privacy Commissioner pointed out that as the development and use of AI has become increasingly common in Hong Kong, the PCPD carried out compliance checks on 28 local organisations to understand their practices in relation to the collection, use and processing of personal data in the development or use of AI, as well as their AI governance structure. No contravention of the PDPO was found during the compliance check process.
The Privacy Commissioner reminded organisations to observe the “Guidance on the Ethical Development and Use of Artificial Intelligence” published earlier by the PCPD when they develop or use AI-related products and services. Members of the public should also protect themselves when providing their personal data, including by reading the privacy policy before using AI chatbots and providing only the minimum amount of personal data necessary.
Please click here (first part, second part) to view the interview by Now News’ “News Magazine” (Chinese only).
Reaching Out to University – Privacy Commissioner Speaks as Guest Lecturer on Safeguarding Data Security at City University of Hong Kong
Privacy Commissioner Ms Ada CHUNG Lai-ling gave a guest lecture entitled “Safeguarding Data Security Amid Increasing Cyberattacks” to university students at the School of Law of the City University of Hong Kong on 16 February. During the lecture, the Privacy Commissioner gave an overview of the six Data Protection Principles (DPP) under the PDPO. She also discussed the upward trends in cyberattacks and data breaches both globally and locally, and introduced the work and the initiatives that the PCPD has launched to promote and enhance data security. Please click here for the Privacy Commissioner's presentation deck.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain PCPD’s Work on Data Security
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Metro Radio’s “Roadmap to Knowledge Economy” on 9 February to give an account of the PCPD’s follow-up work on the data breach incident relating to the Faculty of Education of the University of Hong Kong. The Privacy Commissioner also explained the work of the PCPD on data security.
In particular, the Privacy Commissioner reminded organisations to implement a Personal Data Privacy Management Programme, adopt appropriate information security measures and strengthen employees’ training on data security. With a view to helping small and medium-sized enterprises to safeguard data security, the PCPD also launched the Data Security thematic webpage, the “Data Security Scanner” and a data security hotline last year.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 3’s “Hong Kong Today”, RTHK Radio 1’s “HK2000” and CRHK’s “On A Clear Day” on 29 and 30 January to explain the work of the PCPD in 2023 and a review report on “Privacy Concerns on Electronic Food Ordering at Restaurants”.
During the interviews, the Privacy Commissioner reminded the food and beverage industry to comply with the requirements of the PDPO when collecting customers’ personal data and, in particular, to obtain customers’ consent and to provide the information required by law when using their personal data for direct marketing. The Privacy Commissioner also hopes that the review report will raise public awareness, so that members of the public will be more vigilant when using QR codes to order food and pay attention to whether the codes have been tampered with. Customers should also check the default privacy settings before using mobile apps for food ordering.
In addition, the PCPD received 157 data breach notifications in 2023, which represented a significant increase of 50% when compared to 2022. The Privacy Commissioner believed that the increase was attributable to the occurrence of several large-scale data breach incidents and the hacking of an instant messaging app in 2023, and the strengthening of promotion and education work by the PCPD, which helped to enhance the awareness of enterprises.
Raising Public Awareness of Fraud Prevention – the PCPD Launches a New Episode of Anti-fraud Promotional Video
Since June last year, the PCPD has released three episodes of anti-fraud promotional videos under the theme “Don’t Hand Over Your Personal Data – Beware of Fraudsters” to raise public awareness of fraud prevention.
In view of the occurrence of online romance scams from time to time, the PCPD launched a new episode of the anti-fraud promotional videos, themed “Romance Scam”. Artistes Alice FUNG So-bor (馮素波) and Timothy CHENG Tse-sing (鄭子誠) continued to perform in the episode to remind members of the public to stay vigilant and prevent fraud. The video has been published on the PCPD’s official YouTube channel.
Incidentally, PCPD’s anti-fraud promotional videos can be viewed on the PCPD’s social media platforms, local TV and MTR in-train TVs.
Please click here to watch the latest PCPD’s anti-fraud video (Chinese only).
Reaching Out to the Community – Representative of the PCPD Interviewed by TVB News’ “A Closer Look”
Chief Personal Data Officer (Compliance & Enquiries) of the PCPD Mr Brad KWOK was interviewed by TVB News’ “A Closer Look” to explain the report on “Privacy Concerns on Electronic Food Ordering at Restaurants” published by the PCPD earlier.
According to the report, all restaurants that provided food ordering services through mobile applications (apps) used customers’ personal data for direct marketing.
During the interview, Mr Kwok reminded customers to read the privacy terms of the mobile apps concerned carefully before registration, including the types of personal data collected and the purposes of collection, and noted that they could also choose non-electronic means of food ordering. He also suggested that restaurants offering mobile apps for food ordering should allow customers to place orders as guests (without registration), or avoid collecting personal data, or collect only the minimum amount of personal data needed.
Please click here to view the interview by TVB News’ “A Closer Look”, which was broadcast on 15 February (Chinese only).
Implications of the Development or Use of Artificial Intelligence on Personal Data Privacy – the PCPD has Completed Compliance Checks on 28 Organisations
With the development and use of AI becoming increasingly common in Hong Kong, organisations may collect, use or process personal data when they develop or use AI systems, thereby posing risks to personal data privacy. In order to understand the implications of the development and use of AI on personal data privacy in Hong Kong, the PCPD carried out compliance checks on 28 local organisations (Organisations) from August 2023 to February 2024 to understand their practices in relation to the collection, use and processing of personal data in the development or use of AI, as well as the AI governance structure of the relevant organisations. The exercise covered various sectors, including telecommunications, finance and insurance, beauty services, retail, transportation and education sectors, and government departments. Based on the findings of the compliance checks, the PCPD has the following overall observations as regards the Organisations’ data protection practices when they develop or use AI:
- 21 organisations used AI in their day-to-day operations, which included using AI in data analysis, assessing interview performance of job candidates, and utilising chatbots to respond to customer enquiries, etc.;
- Among the 21 organisations, 19 had established internal AI governance frameworks, such as setting up an AI governance committee and/or appointing a designated officer to oversee the development or use of AI products or services;
- Only 10 out of the 21 organisations collected personal data through AI products and services. The 10 organisations provided data subjects with Personal Information Collection Statements on or before the collection of their personal data, which specified the purposes for which the data is to be used, as well as the classes of person to whom the data may be transferred;
- Eight out of the 10 organisations had conducted privacy impact assessments prior to the development or use of AI products and services;
- All of the 10 organisations implemented appropriate security measures to ensure that the personal data held by them was protected against unauthorised or accidental access, processing, erasure, loss or use in the course of the development or use of AI products or services. These measures included granting access to personal data to authorised personnel only, encrypting personal data at rest and in transit, conducting regular security vulnerability assessments and penetration tests, or providing employees with written guidelines and training; and
- Among the 10 organisations, nine of them retained personal data collected through the AI products or services. Out of these, eight organisations specified retention periods for personal data and would delete or anonymise the data when the original purpose of collection has been achieved. The remaining organisation allowed data subjects to delete their personal data themselves.
The PCPD has now completed the compliance checks and has found no contravention of the PDPO during the compliance check process. The results of this compliance check exercise demonstrate that there is an increasing number of organisations (including both public and private organisations) deploying AI to enhance their daily operational efficiency.
The PCPD issued the “Guidance on the Ethical Development and Use of Artificial Intelligence” in August 2021 to facilitate the healthy development and use of AI in Hong Kong as well as assist organisations to mitigate privacy and ethical risks in complying with the relevant provisions of the PDPO in their development or use of AI.
Through this compliance check exercise, the PCPD would like to provide the following recommended measures to organisations which develop or use AI:
- If an organisation collects or processes personal data in the development or use of AI, it should adopt measures to ensure compliance with the PDPO, as well as monitor and review AI systems on a continuing basis;
- Establish a strategy for the development or use of AI and an internal AI governance structure, and provide adequate training to all relevant personnel;
- Conduct comprehensive risk assessment (including privacy impact assessment) to systematically identify, analyse and evaluate the risks, including privacy risks, in relation to the development or use of AI, and adopt appropriate risk management measures that are commensurate with the risks, for instance, adopt a higher level of human oversight for an AI system with a higher risk profile; and
- Communicate and engage effectively with stakeholders to enhance transparency in the use of AI, and fine-tune AI systems in response to concerns raised by stakeholders.
A 27-year-old Female Convicted and Sentenced for Doxxing a Pet Seller
On 15 February 2024, the West Kowloon Magistrates’ Court convicted a 27-year-old female, Miss CHAN Tung-ching (defendant), of one charge of a doxxing offence upon her guilty plea. The Court on the same day sentenced the defendant to two weeks’ imprisonment, suspended for 3 years, and a fine of HK$500. Privacy Commissioner Ms Ada CHUNG Lai-ling welcomed the court’s ruling.
Background of the Case
The defendant purchased three kittens from the victim in late 2022. The defendant subsequently requested a refund from the victim because of the health issue of one of the kittens, but the two could not agree on the amount of refund and a dispute arose between them. In May 2023, the defendant posted a message containing the personal data of the victim in an open discussion group on a social media platform, alongside some negative comments and allegations against the victim. The personal data disclosed included the victim’s Chinese name, photo, parts of her mobile phone numbers and former area of residence. The PCPD arrested the defendant on 16 November 2023. Upon legal advice obtained from the Department of Justice, one charge of “disclosing personal data without data subject’s consent”, contrary to section 64(3A) of the PDPO, was laid against her on 25 January 2024 in respect of the doxxing act.
Court Proceedings
The defendant pleaded guilty to the charge at the West Kowloon Magistrates’ Court and was convicted by the Court on 15 February 2024 in relation to the disclosure of the personal data of the victim made by the defendant on a social media platform in May 2023 without the consent of the victim, with an intent to cause specified harm to the victim or her family members, or being reckless as to whether specified harm would be (or would likely be) caused to the victim or her family members.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
The PCPD Fully Supports the Government’s Commencement of Public Consultation and Enactment of Legislation on Basic Law Article 23
The PCPD welcomes and supports the Government’s commencement of public consultation and enactment of legislation on Article 23 of the Basic Law to introduce a new “Safeguarding National Security Ordinance” to improve the regime for safeguarding national security. In order to address the national security risks posed by the current information technology or electronic world and new technologies that may emerge in the future, the Government proposes to introduce offences to combat acts endangering national security that are done in relation to a computer or electronic system. The PCPD supports the combatting of serious acts of sabotage or weakening of public infrastructure, or acts done in relation to a computer or electronic system without lawful authority which endanger national security. The PCPD agrees that the proposed offences will not hinder the development of innovation and technology, but instead provide a safer environment for the development of related fields.
Response of the PCPD on the HKU Faculty of Education’s Data Breach Incident
The PCPD received a data breach notification from the Faculty of Education of the University of Hong Kong (HKU) on 7 February, reporting that about 7,400 data subjects had been affected by the data breach incident. The PCPD noted that the relevant organisation was notifying the affected data subjects, and the PCPD has commenced a compliance check into the incident in accordance with established procedures. Having considered that the incident involved the leakage of personal data, the PCPD appeals to the affected persons to make enquiries or complaints with the PCPD or the relevant organisation if they suspect that their personal data have been leaked. The PCPD calls on the affected persons to be vigilant of potential theft of their personal data and take the following measures to protect personal data privacy:
- Consider changing the passwords of online accounts and activating the multi-factor authentication feature (if available);
- Beware of any unusual logins of personal emails;
- Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources;
- Do not arbitrarily open attachments or links in text messages or emails, or disclose personal data readily; and
- Be vigilant against phishing or other possible scams.
Privacy Commissioner Urges the Public to Stay Vigilant about the Worldcoin Project and Not to Disclose Biometric Data Arbitrarily
The PCPD executed court warrants on 31 January and entered six premises of the Worldcoin project located at Yau Ma Tei, Kwun Tong, Wan Chai, Cyberport, Central and Causeway Bay to carry out investigations. The PCPD is concerned that the operation of Worldcoin in Hong Kong involves serious risks to personal data privacy, and believes that the collection and processing of sensitive personal data by the relevant organisation may contravene the requirements of the PDPO. With a view to protecting the personal data privacy of members of the public, the PCPD has proactively commenced an investigation against Worldcoin in accordance with established procedures. According to the intelligence collected earlier, participants in the Worldcoin project need to let the relevant organisation collect their iris information through iris scanning in order to obtain a registered identity (i.e. World ID, which Worldcoin calls a human passport for the Internet), after which the participants receive free Worldcoin cryptocurrency tokens. In the operation on 31 January, the PCPD exercised its powers under the PDPO to enter the six premises with court warrants for the purposes of investigation and requested the relevant parties to furnish the required documents and information. Privacy Commissioner Ms Ada CHUNG Lai-ling appeals to members of the public to stay vigilant about the Worldcoin project. Before providing any biometric data, citizens should consider the following issues in relation to the relevant organisation:
- The legitimacy for collecting biometric data;
- The extent and purpose of collection of the biometric data;
- The intended use of those data and the classes of persons or organisations to whom the data will be disclosed or transferred;
- The retention period of the biometric data; and
- The safety precautions taken for the protection of the biometric data.
With regard to the collection of personal data, DPP 1 requires that personal data must be collected for a lawful purpose directly related to a function or activity of the data user; the collection of the data must be necessary, adequate but not excessive in relation to that purpose, and the means of collection must be lawful and fair. Organisations must take all practicable steps to notify the data subjects, on or before the collection of the data, of the purpose of data collection, the classes of persons to whom the data may be transferred, whether it is obligatory or voluntary for the data subjects to supply the data and the consequences for the data subjects if they fail to supply the data.
As regards data retention, DPP 2 requires data users to take all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose for which the data is used.
In respect of the use of personal data, DPP 3 requires that, unless with the data subject’s express and voluntary consent, personal data must not be used for any “new purpose”, that is, a purpose other than the purpose for which the data was to be used at the time of the collection of the data.
With regard to the security of personal data, DPP 4 requires that all practicable steps shall be taken by data users to ensure that any personal data held by them is protected against unauthorised or accidental access, processing, erasure, loss or use.
Members of the public who wish to lodge any complaint against Worldcoin in relation to the collection, holding, processing or use of personal data, or wish to provide any information about the Worldcoin project, please contact the PCPD (telephone: 2827 2827; email: complaints@pcpd.org.hk) as soon as possible. For further information about the collection of biometric data, please refer to the “Guidance on Collection and Use of Biometric Data”.
Highlights of the “Draft Administrative Measures on the Reporting of Cybersecurity Incidents”
To regulate the reporting of cybersecurity incidents and mitigate the losses and harm caused by such incidents, the Cyberspace Administration of China issued the “Draft Administrative Measures on the Reporting of Cybersecurity Incidents” (Draft Measures)[1] on 8 December 2023 for public consultation. Apart from setting out the key obligations of network operators in the event of a cybersecurity incident, the Draft Measures, through their two appendices, also classify cybersecurity incidents into different grades and provide a template reporting form for network operators to refer to. The consultation on the Draft Measures ended on 7 January 2024. This article provides an overview of the Draft Measures; the key points are as follows.
Who is regulated
Network operators that build or operate networks, or provide services through networks, within the Mainland must, when an incident endangering network security occurs, promptly activate their emergency response plan to handle it[2] and report the incident in accordance with the provisions of the Draft Measures[3]. The Draft Measures further impose a requirement on “organisations or individuals providing services to operators”: where they “discover that an operator has experienced a relatively major, major or especially major cybersecurity incident”, they should remind the operator to report it. If the operator deliberately conceals or refuses to report the incident, they may report it to the cyberspace administration authority themselves[4].
Definition and grading of cybersecurity incidents
A “cybersecurity incident” refers to an event which, owing to human causes, software or hardware defects or failures, natural disasters or the like, causes harm to networks and information systems or the data held in them, and has a negative impact on society[5].
Appendix 1 of the Draft Measures, the “Guidelines for Grading Cybersecurity Incidents” (Grading Guidelines), explains in more detail how cybersecurity incidents are graded. Under the Grading Guidelines, cybersecurity incidents are divided into four levels, including:
Reporting obligations of network operators
When a cybersecurity incident occurs, the network operator must promptly activate its emergency response plan to handle it and, in accordance with the Grading Guidelines, report any incident classified as relatively major, major or especially major within 1 hour[6]. Article 5 of the Draft Measures and the “Cybersecurity Incident Information Report Form” in Appendix 2 stipulate that the report must include at least:
- the name of the unit where the incident occurred and basic information on the facilities, systems and platforms involved;
- the time and place at which the incident was discovered or occurred, the type of incident, the impact and harm already caused, and the measures taken and their effect[7];
- the likely development of the incident and the further impact and harm it may cause;
- a preliminary analysis of the cause of the incident;
- leads required for further investigation and analysis, including possible attacker information, attack paths and existing vulnerabilities;
- the further response measures to be taken and any requests for assistance;
- the status of preservation of the incident scene; and
- any other matters that should be reported.
The Draft Measures specifically provide that, where the cause, impact or likely development of the incident cannot be determined within 1 hour, the operator may first report the first two items above and supplement the remaining information within 24 hours. In addition, if important new developments arise or the investigation makes staged progress after the report has been made, a further report should be made promptly[8].
Finally, within 5 working days after the handling of the incident has concluded, the operator must carry out a comprehensive analysis and summary of the cause of the incident, the emergency response measures taken, the harm caused, the handling of responsibility, the rectification made and the lessons learned, produce a report and submit it through the original reporting channel[9].
Legal liability
The Draft Measures state that where a network operator fails to report a cybersecurity incident as required, the cyberspace administration authority may impose penalties in accordance with the relevant laws and administrative regulations, and that operators and responsible persons who report late, omit a report, make a false report or conceal an incident will be punished more severely[10]. Where an operator has taken reasonable and necessary protective measures, reported proactively, handled the incident in accordance with the relevant procedures and made its best efforts to reduce the impact of the incident, the liability of the operator and the responsible persons may, depending on the circumstances, be waived or reduced[11].
Conclusion
In summary, the Draft Measures provide clear guidance on the grading of cybersecurity incidents and on the mechanism, specific content and handling process for reporting them. Network operators concerned should make timely adjustments to meet the more detailed norms and regulatory requirements, so as to ensure that their cybersecurity management complies with the legal provisions and that network data flows securely and in compliance with the law.
1 Full text: http://www.cac.gov.cn/2023-12/08/c_1703609634347501.htm
2 Article 4 of the Draft Measures.
3 Article 2 of the Draft Measures.
4 Article 8 of the Draft Measures.
5 Article 12 of the Draft Measures.
6 Article 4 of the Draft Measures.
7 For ransomware attack incidents, the report should also include the ransom amount demanded and the requested method and date of payment, etc.
8 Article 6 of the Draft Measures.
9 Article 7 of the Draft Measures.
10 Article 10 of the Draft Measures.
11 Article 11 of the Draft Measures.
Medical and Healthcare Sector – Experience Sharing Session on Good Data Governance
Medical and healthcare records contain sensitive personal data of individuals, and any unauthorised or accidental access, processing, erasure, loss or use of such data may have a significant impact on, or cause harm to, the affected individuals.
To help hospitals and organisations in the medical and healthcare sector better protect personal data privacy and enhance data governance, the PCPD has invited the Outstanding Gold Awardees of the PCPD’s “Privacy-Friendly Awards 2023” from the sector to share their practical experience and insights into developing a Personal Data Privacy Management Programme, as well as handling any issues that organisations may encounter in implementing data governance and strengthening data security.
Enrolment is on a first-come-first-served basis.
Date: 8 March 2024 (Friday)
Time: 3:30pm – 5:00pm
Mode: Online / Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $100*
(*PCPD’s DPOC members and awardees of the Privacy-Friendly Awards 2023 may attend free of charge)
Language: Cantonese
Who should attend: Medical and healthcare professionals, practitioners and providers, data protection officers and others who handle healthcare data in their daily work
Professional Workshop on Recent Court and Administrative Appeals Board Decisions
Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the court and the Administrative Appeals Board relating to personal data privacy. In this regard, a PCPD lawyer will give you a deep dive into those cases and the commonly invoked provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and your knowledge of the interpretation and application of the PDPO.
Date: 6 March 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, barristers, in-house lawyers, data protection officers, compliance officers, company secretaries and administration managers
Professional Workshop on Data Protection and Data Access Request
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request copies of their previous appraisal reports from their employers, and patients may request copies of their medical records. Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations.
This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 13 March 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel
Other Professional Workshops on Data Protection from March to June 2024:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Join us now to keep up-to-date with the latest news and legal developments!
We would like to inform you that starting from 1 April 2024, there will be a revised DPOC membership fee of $450. This adjustment is necessary to support the improvement and expansion of our offerings. Please apply or renew your DPOC membership early if you wish to enjoy the current package.
PCPD Supports the Digital Economy Summit 2024 – Smarter Technovation for All: Forging a Sustainable Future
The PCPD is delighted to be one of the supporting organisations of the Digital Economy Summit 2024 – Smarter Technovation for All: Forging a Sustainable Future, jointly organised by the Government of the Hong Kong Special Administrative Region and Cyberport. The summit will delve into the transformative power of smart cities, exploring how cutting-edge technologies and innovative applications are reshaping the urban landscape and modern digital economy through the lenses of sustainability, connectivity, and resilience.
Please click here for more details.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.