PCPD e-NEWSLETTER
ISSUE Apr 2024
Privacy Commissioner’s Office Publishes an Investigation Report on the Data Breach Incident of Cyberport
Privacy Commissioner Ms Ada CHUNG Lai-ling introduced the investigation report on the data breach incident of Cyberport.
On completion of its investigation into a data breach incident of the Hong Kong Cyberport Management Company Limited (Cyberport), the PCPD published an investigation report on 2 April. The investigation arose from a data breach notification lodged by Cyberport reporting that its computer systems and file servers had been attacked by ransomware and maliciously encrypted (the Incident). A hacker group identifying itself as Trigona had demanded a ransom payment from Cyberport to unlock the encrypted files. The Incident resulted in the leakage of the personal data of more than 13,000 data subjects, about 40% of whom were unsuccessful job applicants and former employees. The PCPD thanked Cyberport for the information and cooperation it provided in the investigation. According to the evidence obtained in the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling considered that the Incident was caused by the following deficiencies:
- Lack of effective detection measures in Cyberport’s information systems, resulting in its failure to effectively detect the brute force attacks on the information systems by the hacker, thus allowing the hacker to obtain the credentials of user accounts with administrative privileges, and subsequently launch ransomware attacks and exfiltrate the personal data stored in the systems;
- Failure to enable multi-factor authentication for remote access to data for verifying the identities of users authorised to remotely access Cyberport’s network. This allowed the hacker to gain access to its network through a remote desktop connection using the credentials of a user account, leading to the exfiltration of personal data;
- Insufficient security audits of the information systems, thereby failing to timely respond to changes in information technology and cybersecurity risks;
- Lack of specificity in the information security policy, which did not provide a concrete cybersecurity framework for its employees to follow; and
- Unnecessary retention of personal data: Cyberport failed to delete the personal data it collected after the expiration of the retention periods in accordance with its data retention policy, resulting in the unnecessary retention and hence leakage of the personal data concerned, which related to around 40% of the total number of individuals affected by the Incident.
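The first two deficiencies above, brute-force attempts that went unnoticed and a remote logon that then succeeded with guessed credentials, are exactly what a basic detection rule over authentication logs is meant to surface. The Python below is an added example written for this page; it is not code from the PCPD report or from Cyberport. The log format, addresses, account names and thresholds are constructed assumptions. The rule counts failures per source address in a sliding window and raises a second, higher-priority alert when a source that is over the threshold subsequently logs on successfully.

```python
"""Detect password guessing followed by a successful logon in authentication logs.

Added example, not part of the PCPD report or Cyberport's systems. The log
format, hostnames, account names, addresses and thresholds are constructed.
Real deployments would feed Windows Security events (logon failure/success)
or sshd logs through the same logic: many failures from one source within a
short window, then a success for that source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip> svc=<service>"
SAMPLE_LOG = """\
2024-03-01T02:00:01 FAIL user=admin src=198.51.100.7 svc=rdp
2024-03-01T02:00:02 FAIL user=admin src=198.51.100.7 svc=rdp
2024-03-01T02:00:03 FAIL user=admin src=198.51.100.7 svc=rdp
2024-03-01T02:00:04 FAIL user=svc_backup src=198.51.100.7 svc=rdp
2024-03-01T02:00:05 FAIL user=admin src=198.51.100.7 svc=rdp
2024-03-01T02:00:06 FAIL user=admin src=198.51.100.7 svc=rdp
2024-03-01T02:00:09 OK user=admin src=198.51.100.7 svc=rdp
2024-03-01T08:15:00 FAIL user=alice src=203.0.113.5 svc=rdp
2024-03-01T08:15:20 OK user=alice src=203.0.113.5 svc=rdp
"""

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window raises an alert


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src, svc)."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), result, kv["user"], kv["src"], kv["svc"]


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in log order.

    Two alert kinds are produced:
    - "brute_force": a source reached `threshold` failures inside `window`
      (reported once per source);
    - "success_after_brute_force": a successful logon from a source that is
      currently over the threshold, i.e. the guessing appears to have worked.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()                 # sources already reported as brute-forcing
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, result, user, src, svc = parse_line(raw)
        q = failures[src]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"kind": "brute_force", "src": src, "svc": svc,
                               "failures": len(q), "at": ts.isoformat()})
        elif result == "OK" and len(q) >= threshold:
            alerts.append({"kind": "success_after_brute_force", "src": src,
                           "user": user, "svc": svc, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the rule fires twice for 198.51.100.7 (the threshold is reached on the fifth failure, then the later successful `admin` logon is flagged) and stays silent for 203.0.113.5, whose single typo-then-success is normal behaviour. A production rule would also key on the account being guessed, since a spray across many accounts from many sources defeats a per-source count, and would feed the second alert kind straight to an on-call responder.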
Privacy Commissioner Ms Ada CHUNG Lai-ling considered that Cyberport is a well-established organisation that continuously holds and processes a substantial amount of personal data of different individuals. In this regard, stakeholders and the public would reasonably expect Cyberport to allocate sufficient resources to ensuring the security of its information systems and data protection. Therefore, to meet the expectations of stakeholders and the public, Cyberport should have implemented adequate organisational and technical security measures to safeguard its information systems that contain personal data. However, the investigation revealed that Cyberport had failed to implement sufficient and effective measures to ensure the security of its information systems prior to the Incident. Cyberport had also failed to promptly delete data in respect of which the retention periods had expired in accordance with its data retention policy. Based on the above, the Privacy Commissioner considered that Cyberport had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data. In addition, the Privacy Commissioner found that Cyberport had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP2(2) concerning the retention of personal data. The Privacy Commissioner has served an Enforcement Notice on Cyberport, directing it to remedy the contravention and prevent similar recurrence of the contravention. Through the report, the Privacy Commissioner also wishes to make the following recommendations to organisations which use information and communication technologies for processing personal data:
- Establish a personal data privacy management programme and appoint data protection officer(s);
- Establish a robust cybersecurity framework;
- Conduct timely risk assessments and security audits of information systems;
- Establish a corporate culture that values information security; and
- Delete personal data timely.
Please click here to download the Investigation Report “Ransomware Attack on the Information Systems of Hong Kong Cyberport Management Company Limited”.
What is Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is generally regarded as a systematic risk assessment tool that can be usefully integrated into the decision-making process. It evaluates a proposal in terms of its impact upon personal data privacy, with the objective of avoiding or minimising adverse impacts. PIA has become a widely accepted privacy compliance tool and organisations (as data users) are advised to adopt it before launching any new business initiatives or projects that might have a significant impact on personal data privacy, because it offers organisations an early warning by identifying and detecting privacy problems associated with the projects before implementation. PIA should be undertaken by organisations to manage the privacy risks arising from a project that involves:
- Processing or the building up of a massive amount of personal data;
- The implementation of privacy-intrusive technologies that might affect a large number of individuals; or
- A major change in the organisational practices that may result in expanding the amount and scope of personal data to be collected, processed, or shared.
Why is a PIA useful?
A PIA is useful in:
- Enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project;
- Directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage;
- Providing benchmarks for future privacy compliance audits and control;
- Being a cost-effective way of reducing privacy risks; and
- Providing a credible source of information to allay privacy concerns from the public and stakeholders.
What should be included in a PIA?
A PIA should include the following four key components:
- Data processing cycle analysis: Examine the purpose and rationale behind the project, whether it is necessary to collect the kinds, amount and extent of personal data.
- Privacy risks analysis: Identify key privacy concerns and address them.
- Avoiding or mitigating privacy risks: Risks should be avoided or mitigated to protect personal data from unauthorised access, processing, erasure, loss or use.
- PIA report: The assessment findings, recommendations and proposed privacy protective measures should be clearly documented.
To learn more about the PIA, please refer to the PCPD’s publication below:
Privacy Impact Assessments
PRIVACY COMMISSIONER’S FINDINGS
An Online Store Sent Invoices Containing Personal Data to Customers via Unencrypted Weblinks
The Complaint
The complainant received an unencrypted weblink (the Weblink) to access his invoice after purchasing at an online store for home appliances (the Store). The complainant discovered that by modifying the last five digits of the Weblink, he could gain access to other customers’ invoices, which contained order information including their names, phone numbers, email addresses, delivery addresses and purchase details. The complainant was of the view that the Store had failed to safeguard customers’ personal data and hence lodged a complaint against the Store with the PCPD.
Outcome
After the PCPD intervened, the Store promptly rectified the problem. External access to the information contained in the invoice(s) was no longer feasible by clicking on the Weblink or modifying the digits of the Weblink. To prevent recurrence of similar incidents, the Store pledged that invoices containing personal data would be sent to customers in portable document format (PDF) in the future, instead of providing them with weblinks.
The PCPD issued a warning to the Store, requiring them to strictly comply with the relevant requirements of the PDPO on handling customers’ personal data by taking all practicable steps to ensure that any personal data held by them is protected against unauthorised or accidental access, processing, erasure, loss or use.
Lessons Learnt
The complaint stemmed from the Store’s failure to adopt stringent security measures to protect customers’ personal data from unauthorised access, and its failure to detect the vulnerability arising from the modification of the weblinks. Before engaging in any practice that involves the handling of personal data, organisations should conduct thorough risk assessments on the transmission and storage of personal data, including the implementation of adequate encryption tools to protect personal data in transmission, and should identify and address any vulnerabilities in their data security. This minimises the risk of exposing customers’ personal data and ensures compliance with the relevant requirements under the PDPO.
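The weakness in this case is a predictable, sequential invoice identifier in a link, with possession of the link being the only thing checked before the invoice is returned. The Python below is an added example for this page, not the Store’s code or PCPD code: the invoice records, customer identifiers and URL shapes are constructed. It places the vulnerable lookup beside a hardened version that issues an unguessable per-invoice token and still requires the requester to be the invoice’s owner, so that neither guessing the identifier nor a forwarded link alone exposes another customer’s data.

```python
"""Sequential invoice links versus unguessable, owner-bound invoice links.

Added example for this page, not the Store's or the PCPD's code. The
invoice records, customer identifiers and URL shapes are constructed.
"""
import secrets

# Constructed order data: invoice number -> owner and the personal data it carries.
INVOICES = {
    10001: {"customer": "cust-A", "name": "A. Chan", "phone": "+852 9xxx xxx1"},
    10002: {"customer": "cust-B", "name": "B. Lee", "phone": "+852 9xxx xxx2"},
}


# --- Vulnerable pattern: the behaviour described in the complaint -------------
def vulnerable_lookup(url):
    """/invoice/10001 returns invoice 10001 to whoever holds the URL.

    The invoice number is sequential and is the only input checked, so a
    URL with altered trailing digits returns another customer's invoice.
    """
    invoice_id = int(url.rsplit("/", 1)[1])
    return INVOICES.get(invoice_id)


# --- Hardened pattern: random capability token plus ownership check -----------
class InvoiceLinks:
    """Issues a random token per invoice and binds every lookup to the owner."""

    def __init__(self):
        self._by_token = {}  # token -> invoice number

    def issue(self, invoice_id):
        # 32 random bytes (256 bits), URL-safe encoded: not enumerable by guessing.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = invoice_id
        return f"/invoice/{token}"

    def lookup(self, url, requester):
        """Return the invoice only if the token is valid AND `requester` owns it.

        Both failure cases return None so a caller cannot distinguish an
        unknown token from a valid token belonging to someone else.
        """
        token = url.rsplit("/", 1)[1]
        invoice_id = self._by_token.get(token)
        if invoice_id is None:
            return None
        invoice = INVOICES[invoice_id]
        if invoice["customer"] != requester:  # authorisation, not mere possession
            return None
        return invoice


if __name__ == "__main__":
    # Vulnerable: the holder of /invoice/10001 alters the digits.
    print("vulnerable, altered id:", vulnerable_lookup("/invoice/10002"))
    links = InvoiceLinks()
    url = links.issue(10001)
    print("hardened, owner:", links.lookup(url, "cust-A"))
    print("hardened, other customer:", links.lookup(url, "cust-B"))
```

The ownership check is the part that matters most: a random token stops enumeration, but only the `requester` comparison stops a link that was forwarded, logged by a proxy or left in a browser history from serving the invoice to someone else. The `requester` value would come from the customer’s authenticated session, never from the URL itself.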
Customer Data Privacy – Secure Your Official Website
Having a website for your organisation to communicate its information and offer online services to customers is essential for every organisation in today’s digital age. With the responsibility of keeping a large amount of visitors’ personal data, securing your website is of utmost importance to reduce the risk of a cyber-attack and ensure that your website and its visitors are safe and secure.
To protect your website and its visitors’ personal data privacy, here are some recommended practices on data security:
- Use Hypertext Transfer Protocol Secure (HTTPS) to encrypt all data transmitted between your website and your visitors’ web browsers, so that the data cannot be intercepted by hackers easily;
- Install a Secure Socket Layer (SSL) certificate on your website to encrypt data transfers between your website and the server, including those involving credit card details, personal information and contact details;
- Keep your website and its software (such as the website's content management system, any plugins or extensions) and your web server software up-to-date to fix vulnerabilities and address security issues of the website;
- Use a web application firewall to defend against typical web application attacks (such as SQL injection and cross-site scripting) and block suspicious traffic, so that it acts as another layer of security in addition to the measures implemented at the application code level;
- Use multi-factor authentication (MFA) to provide an extra layer of security;
- Monitor your website for suspicious activities to identify potential security threats and take actions before they become a problem; and
- Scan files uploaded by website visitors for malware to ensure that such files are free from viruses, spyware, trojans and ransomware.
Reaching Out to University – Privacy Commissioner Attends the Opening Ceremony of HKBU Fact Check Information Literacy Exhibition
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the opening ceremony of the Fact Check Information Literacy Exhibition of the Hong Kong Baptist University (HKBU) on 25 April. The HKBU Fact Check Information Literacy Exhibition will be held from 24 April to 11 May to raise students’ awareness of and competence in fact checking and information literacy. HKBU Fact Check is independently operated by the School of Communication of the HKBU, and aims to provide fact-checking services to the public and combat the spread of misinformation.
Reporting to Legislative Council – Privacy Commissioner Attends Meeting of the Legislative Council Panel on Constitutional Affairs
Privacy Commissioner Ms Ada CHUNG Lai-ling attended a meeting of the Legislative Council Panel on Constitutional Affairs on 26 April to brief Members on the protection of personal data privacy in the digital age.
The Privacy Commissioner pointed out to Members that to enhance data security, the PCPD handled 394 self-initiated compliance checks and 169 data breach notifications from April 2023 to March 2024. The PCPD assisted the organisations concerned in handling the data breach incidents and taking remedial measures to comply with the requirements of the PDPO and minimise the chances of recurrence of similar incidents.
The rapid development of technologies in the digital age has also brought numerous challenges to the protection of personal data privacy. To assist the public and organisations in addressing the personal data privacy risks associated with cyber technologies, the PCPD has been carrying out a variety of work at the local and international levels, including the publication of review reports, guidelines or leaflets on areas such as artificial intelligence, online shopping platforms, social media and smartphones.
Please click here for the Privacy Commissioner’s opening remarks (Chinese only).
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Please click here for the paper submitted by the PCPD to the Legislative Council Panel on Constitutional Affairs.
Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Special Meeting of the Legislative Council Finance Committee
Mr Erick TSANG Kwok-wai, GBS, IDSM, JP, Secretary for Constitutional and Mainland Affairs (SCMA) attended a special meeting of the Legislative Council Finance Committee on 18 April to elaborate on the estimated expenditure for the Constitutional and Mainland Affairs Bureau for 2024-25. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by Members. During the meeting, the Privacy Commissioner pointed out that safeguarding data security and cyber security would be one of the work priorities of the PCPD in the coming year. Apart from handling data breach incidents, complaints about deficiencies in data security and proactively carrying out compliance checks and inspections, the PCPD would continue to strengthen its publicity and education efforts and to offer in-house courses for enterprises so as to raise their ability and awareness in ensuring data security.
Please click here for the opening remarks of the SCMA (Chinese only).
Telling a Good Hong Kong Story – Privacy Commissioner Publishes an Article at OneTrust DataGuidance
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Hong Kong: Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area” at OneTrust Data Guidance.
The Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC) was jointly formulated and published by the Cyberspace Administration of China (CAC), the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) and the PCPD on 13 December 2023. In the article, the Privacy Commissioner introduced the scope of the GBA SC and the key obligations and responsibilities to which personal information processors and recipients should pay attention.
The Privacy Commissioner encourages enterprises to adopt the GBA SC to carry out cross-boundary transfers of personal information in the Greater Bay Area, and highlighted that the GBA SC, as a facilitation measure to promote cross-boundary flows of personal information (i.e., personal data) in the Greater Bay Area, represented a breakthrough under the “One Country, Two Systems” system to foster the development and success of Hong Kong and the Greater Bay Area.
Please click here to read the article.
Privacy Commissioner Attends the “National Security Education Day” Opening Ceremony cum Seminar
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “National Security Education Day” Opening Ceremony cum Seminar on 15 April. On 1 July 2015, the National Security Law of the People’s Republic of China was passed at the 15th meeting of the Standing Committee of the 12th National People’s Congress, and the National People’s Congress designated 15 April of each year as the National Security Education Day. This year marks the 10th anniversary of a holistic approach to national security promulgated by President Xi Jinping. Data security, cyber security and artificial intelligence security, which also involve preventing infringements on personal data privacy, are the major areas of the holistic approach to national security. As the authority responsible for monitoring and supervising compliance with the provisions of the PDPO, the PCPD will continue to promote data security, cyber security and artificial intelligence security, to ensure that national security and the personal data privacy of members of the public are adequately safeguarded.
Promoting Cross-Boundary Flow of Personal Information – the PCPD Organises Seminar on “Cross-boundary Flow of Personal Information Within the Greater Bay Area”
The PCPD organised a Seminar on “Cross-boundary Flow of Personal Information Within the Greater Bay Area” on 9 April, which attracted more than 130 participants from various sectors, including banking, legal, government/public bodies and insurance. Government Chief Information Officer Ir. Tong WONG, JP and Senior Systems Manager of the Office of the Government Chief Information Officer Ms Joyce YIU were invited to provide an overview of the facilitation measures of the GBA SC, including the relevant filing requirements and an update on the “early and pilot implementation” arrangement of the GBA SC. At the Seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling and Acting Senior Legal Counsel of the PCPD Ms Clemence Wong also explained the obligations and responsibilities of contracting parties under the GBA SC, and highlighted the requirements under the PDPO for transferring personal data out of Hong Kong as well as the specified relaxation provisions under the Regulations on Facilitating and Regulating Cross-Border Data Flow recently issued by the CAC.
Please click here for the Government Chief Information Officer’s presentation deck (Chinese only).
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Safeguarding Privacy in a Digital World – Privacy Commissioner Publishes an Article Entitled “Smart Use of Smartphones and Social Media Starts Today” on Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Smart Use of Smartphones and Social Media Starts Today” on Hong Kong Lawyer.
The Privacy Commissioner pointed out that as the use of smartphones and social media platforms had become prevalent in our daily lives, the underlying personal data privacy risks in using these devices and online platforms should not be overlooked. Recognising that many lawyers nowadays would utilise the convenience and benefits of social media to communicate with their clients and expand their online presence, the Privacy Commissioner emphasised the importance for lawyers to stay vigilant against insidious cyberattacks that might target the sensitive personal data or privileged information stored on their mobile devices. The Privacy Commissioner reminded users of smartphones and social media platforms to be cautious about any suspicious online activities and to use these digital tools in a way that protects their personal data. Users are encouraged to refer to the two leaflets entitled (1) “Protect Your Personal Data – Smart Use of Smartphones” and (2) “Protect Your Personal Data – Be Smart on Social Media” published by the PCPD for some practical tips on minimising personal data privacy risks when using smartphones and social media platforms.
Please click here to read the article.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain Two Leaflets Issued by the PCPD
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” and “Open Line Open View” on 26 March to explain the two leaflets issued by the PCPD entitled “Protect Your Personal Data – Smart Use of Smartphones” and “Protect Your Personal Data – Be Smart on Social Media”. During the interviews, the Privacy Commissioner reminded members of the public to secure their smartphones. They should never remove the security restrictions of their smartphones (e.g. by “jailbreaking” or “rooting”), should install the latest system updates and should turn off wireless communications when they are not in use. They should also secure the data stored on their smartphones, avoid using unencrypted public Wi-Fi and public chargers, erase data before repair or disposal of a smartphone, and minimise the risks of using apps. When using social media platforms, members of the public should stay vigilant when they sign up for a new account and post information on social media, use a dedicated email account for registration, limit public access to their information, minimise their digital footprints, be wary of being “tagged” and delete obsolete social media posts.
Please click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).
Please click here to listen to the interview by RTHK Radio 1’s “Open Line Open View” (Chinese only).
Safeguarding Privacy in Human Resources Management – Senior Legal Counsel Publishes an Article on HR e-Journal
Senior Legal Counsel of the PCPD Ms Hermina NG published an article titled “Protecting Personal Data Privacy When Using Instant Messaging Apps in Human Resources Management: Recommendations from the Office of the Privacy Commissioner for Personal Data” in the “HR e-Journal” of the Hong Kong Institute of Human Resource Management. In the article, Ms Ng highlights the importance of protecting personal data privacy when human resources practitioners use instant messaging apps and outlines the PCPD’s recommendations for protecting personal data privacy. The article also introduces the recently updated information leaflet, “Human Resource Management: Common Questions”, issued by the PCPD, which aims to promote good practice by human resources practitioners to better protect personal data privacy in human resources management.
Please click here to read the article.
A 65-year-old Man Arrested for Suspected Doxxing of His Former Colleague
The PCPD arrested a Chinese male aged 65 in the New Territories on 25 April. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person worked in the same company in 2023. They had a dispute over work issues in February 2024 and the arrested person subsequently left the company in early March 2024. In mid-March 2024, two messages containing the personal data of the victim were posted in a personal account of a social media platform, alongside some negative comments against him. The personal data disclosed included the victim’s Chinese name, English surname and alias, mobile phone number, job title, office address, office telephone number, business email address and photo. The email address also showed the name of the company of the victim. The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
A 22-year-old Female Arrested for Suspected Doxxing Offence Relating to Emotional Entanglements
The PCPD arrested a Chinese female aged 22 in the New Territories on 12 April. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person were once in a relationship, which came to an end in December 2023. Shortly after the breakup, a message containing the personal data of the victim was posted in a public discussion group of a social media platform, alongside some negative comments against him. The personal data disclosed included the victim’s Chinese name, photo, and a partly redacted copy of his Hong Kong Identity Card (HKID card) which showed particulars including his Chinese name, English name, partial HKID card number, date of birth, gender and his photo. The PCPD reminds members of the public that they should not dox others because of personal disputes. Moreover, identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
The PCPD Launches “Student Ambassador for Privacy Protection Programme – Partnering Schools Recognition Scheme 2024” cum “Future Leaders of AI and Privacy Protection Training Programme”
The PCPD has launched the “Student Ambassador for Privacy Protection Programme – Partnering Schools Recognition Scheme 2024” (SAP) and encourages all secondary schools to join the network of “partnering schools” to foster a culture of respecting and protecting personal data privacy on campus. The SAP is supported by the Business-School Partnership Programme of the Education Bureau, Microsoft Hong Kong and the Hong Kong Association for Computer Education. The SAP consists of five “privacy protection missions”, and participating schools are required to arrange for their students to complete the missions jointly or independently. On top of the anti-doxxing mission, given the rising popularity of Artificial Intelligence (AI) chatbots, the PCPD also includes the following special mission to raise students’ awareness of the privacy risks brought by AI:
Future Leaders of AI and Privacy Protection Training Programme
The theme of the Future Leaders of AI and Privacy Protection Training Programme (Future Leaders Programme) is “Small Leaders, Big Wisdom, Join Hands to Build the AI Future”. The Future Leaders Programme enables participating students to learn about personal data privacy management programmes and the standards for the ethical use of AI through various activities, including a topical seminar, exchanges with data protection officers and an AI interactive workshop presented by Microsoft Hong Kong. The activities are designed to prepare the participants for future career development in the AI era. Partnering schools of the SAP will receive diamond, gold, silver and bronze awards, while students who have completed the Future Leaders Programme will be awarded a certificate. Students with outstanding performance will be recognised as “Star Performers” of the Future Leaders Programme, with prizes awarded to them.
Please click here to visit the SAP website for more details of the SAP and the Future Leaders Programme (Chinese only).
Highlights of the “Regulations on Facilitating and Regulating Cross-Border Data Flow”
Our October 2023 column introduced the “Draft Regulations on Regulating and Facilitating Cross-Border Data Flow” (the Draft Regulations). Six months after the release of the Draft Regulations, the Cyberspace Administration of China (CAC) released the “Regulations on Facilitating and Regulating Cross-Border Data Flow” (the Regulations) [1] on 22 March 2024, which came into effect on the same day. The Regulations introduce, among other things, circumstances in which data processors are exempted from applying for a data export security assessment, entering into a standard contract for the export of personal information, or obtaining personal information protection certification. The highlights are as follows:
Exempted circumstances
The Regulations set out that the circumstances in which a data processor is exempted from applying for a data export security assessment, entering into a standard contract for the export of personal information, or passing personal information protection certification include:
- Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing that is provided overseas, where it contains no personal information or important data [2];
- Personal information collected and generated overseas by a data processor, transferred into the Mainland for processing and then provided overseas, where no domestic personal information or important data is introduced during the processing [3];
- Personal information (not including important data) provided overseas by a data processor, where one of the following conditions is met [4]:
  - it is genuinely necessary to provide personal information overseas in order to conclude or perform a contract to which the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel booking, visa processing or examination services;
  - it is genuinely necessary to provide employees’ personal information overseas for cross-border human resource management carried out in accordance with lawfully formulated labour rules and policies and lawfully concluded collective contracts;
  - it is genuinely necessary to provide personal information overseas in an emergency in order to protect the life, health or property of a natural person;
  - a data processor other than a critical information infrastructure operator has, cumulatively since 1 January of the current year, provided overseas the personal information (excluding sensitive personal information) of fewer than 100,000 individuals.
Important data is not exempted
As can be seen from the exempted circumstances above, any data export activity involving important data will not be exempted. Article 2 of the Regulations provides that, where data has not been notified by the relevant department or region, or publicly announced, as important data, a data processor is not required to apply for a data export security assessment on the basis that it is important data.
Although the Measures for Security Assessment of Data Export define “important data” [5], the relevant data processors should also pay close attention to the express provisions on important data in other regulations and normative documents. For example, in March 2024 the National Cybersecurity Standardization Technical Committee (TC260) issued the “Data Security Technology – Rules for Data Classification and Grading” [6], which sets out the principles, framework, methods and process for data classification and grading and provides guidance on data identification.
Circumstances in which a data export security assessment must be applied for, and the responsibilities of data processors
The Regulations state that a data processor providing data overseas shall apply for a data export security assessment to the national cyberspace administration through the provincial-level cyberspace administration of its locality if one of the following conditions is met [7]:
- a critical information infrastructure operator provides personal information or important data overseas;
- a data processor other than a critical information infrastructure operator provides important data overseas, or has, cumulatively since 1 January of the current year, provided overseas the personal information (excluding sensitive personal information) of 1 million or more individuals, or the sensitive personal information of 10,000 or more individuals.
The Regulations also provide that a data processor other than a critical information infrastructure operator that has, cumulatively since 1 January of the current year, provided overseas the personal information (excluding sensitive personal information) of 100,000 or more but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals, shall, in accordance with the law, enter into a standard contract for the export of personal information with the overseas recipient or pass personal information protection certification [8].
A data processor providing personal information overseas shall perform obligations such as giving notice, obtaining the individual’s separate consent and conducting a personal information protection impact assessment [9].
The result of a data export security assessment is valid for 3 years, counting from the date the assessment result is issued. If a data processor needs to continue its data export activities and no circumstance requiring a fresh application for a data export security assessment has arisen, it may, within 60 working days before the expiry of the validity period, apply to the national cyberspace administration through the provincial-level cyberspace administration of its locality for an extension of the validity period of the assessment result. If approved, the validity of the assessment result may be extended by 3 years [10].
Within the framework of the national data classification and grading protection system, a pilot free trade zone may formulate its own list of data within the zone that needs to be brought within the scope of data export security assessment, the standard contract for the export of personal information and personal information protection certification (that is, a negative list) [11]. After approval by the provincial-level cybersecurity and informatization commission, the negative list shall be filed with the national cyberspace administration and the national data administration authority. Data outside the negative list may be exempted from applying for a data export security assessment, entering into a standard contract for the export of personal information, or passing personal information protection certification.
Finally, the Regulations specifically provide that where relevant provisions such as the Measures for Security Assessment of Data Export and the Measures on the Standard Contract for the Export of Personal Information are inconsistent with the Regulations, the provisions of the Regulations shall prevail [12].
Conclusion
In summary, the Regulations optimise and adjust the data export regimes of data export security assessment, the standard contract for the export of personal information and personal information protection certification [13], clarify the exempted circumstances, and lay a foundation for promoting the lawful, orderly and free flow of data. It is worth noting that, on the date the Regulations were published, the CAC also published the “Guidelines for Application for Data Export Security Assessment (Second Edition)” and the “Guidelines for Filing of Standard Contracts for the Export of Personal Information (Second Edition)” [14]. Besides integrating the content of the Regulations, these updates simplify the materials to be submitted for application and filing, and provide an online data export application system [15] for data processors to use. Relevant data processors are advised to read the updates carefully and rectify their compliance position in a timely and appropriate manner.
[1] Full text: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
[2] Article 3 of the Regulations.
[3] Article 4 of the Regulations.
[4] Article 5 of the Regulations.
[5] According to Article 19 of the Measures for Security Assessment of Data Export, “important data” means data which, once tampered with, damaged, leaked, or illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, etc.
[6] Full text: https://www.tc260.org.cn/front/postDetail.html?id=20240321201412 (The “Data Security Technology – Rules for Data Classification and Grading” will take effect on 1 October 2024.)
[7] Article 7 of the Regulations.
[8] Article 8 of the Regulations.
[9] Article 10 of the Regulations.
[10] Article 9 of the Regulations.
[11] Article 6 of the Regulations.
[12] Article 13 of the Regulations.
[13] https://www.cac.gov.cn/2024-03/22/c_1712776612187994.htm
[14] https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm
[15] https://sjcj.cac.gov.cn/#/login
Professional Workshop on Data Protection in Direct Marketing Activities
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 8 May 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals
Professional Workshop on Data Protection in Human Resource Management
Since job applicants, current and former employees may request access to their personal data kept by organisations from time to time, employers or human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle data of their employees. On the other hand, employers should meet public expectations to constantly protect and respect their employees’ personal data privacy. This workshop enables participants to learn how to handle different scenarios and strengthen their knowledge of data protection in human resource management.
Date: 29 May 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
Other Professional Workshops on Data Protection in June 2024:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450 starting from 1 April).
Join us now to keep up-to-date with the latest news and legal developments!
Cyber Security Staff Awareness Recognition Scheme
The Hong Kong Internet Registration Corporation Limited and ISACA China Hong Kong Chapter co-organise the first organisational recognition scheme in Hong Kong for cyber security staff awareness, the “Cyber Security Staff Awareness Recognition Scheme”, and the PCPD is one of the scheme partners. The scheme aims to recognise organisations that understand the importance of cyber security staff awareness and have implemented suitable measures to enhance it within their organisations in the past 12 months, so as to encourage the adoption of cyber security awareness measures and thereby raise organisations’ level of protection.
Please click here for more details.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.