PCPD e-NEWSLETTER
ISSUE June 2024
Privacy Commissioner’s Office Publishes “Artificial Intelligence: Model Personal Data Protection Framework”
Prof Hon William WONG Kam-fai (third right), Member of the PCPD’s Standing Committee on Technological Developments (SCTD) and Legislative Council member, Ms Ada CHUNG Lai-ling (middle), Privacy Commissioner, Mr Anthony CHIU Shin-hang (third left), Assistant Government Chief Information Officer (IT Infrastructure), Office of the Government Chief Information Officer, other members of the SCTD, including Mr Alan CHEUNG (second right), Ir Alex CHAN (second left), Adjunct Professor Jason LAU (first right) and Ms Cecilia SIU Wing-sze (first left), Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs & Research), attended the media briefing on the publication of the “Artificial Intelligence: Model Personal Data Protection Framework”.
As AI technology rapidly develops, the application of AI has become increasingly prevalent. To address the challenges posed by AI to personal data privacy and to support the “Global AI Governance Initiative” of the Motherland, the PCPD issued the “Artificial Intelligence: Model Personal Data Protection Framework” on 11 June. The Model Framework published by the PCPD has received support from the Office of the Government Chief Information Officer of the Hong Kong Government and Hong Kong Applied Science and Technology Research Institute. In addition, the PCPD consulted various experts and relevant stakeholders in the drafting of the Model Framework, including members of the Standing Committee on Technological Developments of the PCPD, public organisations, the technology industry, universities and AI suppliers. The PCPD expresses its sincere gratitude to these experts and stakeholders for their support and valuable comments during the process of drafting and publishing the Model Framework. Specifically, the Model Framework, which is based on general business processes, provides a set of recommendations and best practices regarding governance of AI for the protection of personal data privacy for organisations which procure, implement and use any type of AI systems. The Model Framework aims to assist organisations in complying with the requirements under the Personal Data (Privacy) Ordinance (PDPO) and adhering to the three Data Stewardship Values and seven Ethical Principles for AI advocated in the “Guidance on the Ethical Development and Use of Artificial Intelligence” published by the PCPD in 2021. The Model Framework covers recommended measures in the following four areas:
- Establish AI Strategy and Governance: Formulate the organisation’s AI strategy and governance considerations for procuring AI solutions, establish an AI governance committee (or similar body) and provide employees with training relevant to AI;
- Conduct Risk Assessment and Human Oversight: Conduct comprehensive risk assessments, formulate a risk management system, adopt a “risk-based” management approach, and, depending on the levels of the risks posed by AI, adopt proportionate risk mitigating measures, including deciding on the level of human oversight;
- Customisation of AI Models and Implementation and Management of AI Systems: Prepare and manage data, including personal data, for customisation and/or use of AI systems, test and validate AI models during the process of customising and implementing AI systems, ensure system security and data security, and manage and continuously monitor AI systems; and
- Communication and Engagement with Stakeholders: Communicate and engage regularly and effectively with stakeholders, in particular internal staff, AI suppliers, individual customers and regulators, in order to enhance transparency and build trust.
To assist organisations in understanding the Model Framework, the PCPD has also published a leaflet setting out some key recommendations extracted from the Model Framework. Please click here to download the “Artificial Intelligence: Model Personal Data Protection Framework”.
Please click here to download the Leaflet on the “Artificial Intelligence: Model Personal Data Protection Framework”.
Build an Effective Privacy Policy Statement for Your Organisation
PRIVACY COMMISSIONER’S FINDINGS
Collection of Copies of Hong Kong Identity Card and Bank Card from a Job Applicant Prior to the Acceptance of Employment Offer
Be Smart in the Internet Era – Protect Your Data Privacy When Using Internet of Things (IoT)
New Appointments to the Standing Committee on Technological Developments of the PCPD
Telling a Good Hong Kong Story – Privacy Commissioner Attends the 61st Asia Pacific Privacy Authorities Forum
A 54-year-old Male Arrested for Suspected Doxxing Arising from Monetary Disputes
A 31-year-old Female Arrested for Suspected Doxxing Arising from Personal Disputes
The PCPD Publishes the Investigation Findings on Four Cases Complaining about Excessive Fees Imposed by the Hong Kong Examinations and Assessment Authority for Accessing Marking Records and Examination Scripts
Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures” (Rerun)
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
PCPD Supports the HKIoD Award Series for Director Excellence 2024
Enhancing Cybersecurity - Privacy Commissioner Gives Keynote Speech at HKCNSA Symposium 2024
Enhancing Cybersecurity – PCPD Participates in the “Bug Hunting Campaign 2024” as a Strategic Partner
“Food Wise and Waste Less” – The PCPD Volunteer Team Prepares Meal Boxes for those in Need
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the “Artificial Intelligence: Model Personal Data Protection Framework”
Reaching Out to Legal Professionals – The Privacy Commissioner Attends Celebration of the 2nd Anniversary of the Establishment of AALCO Hong Kong Regional Arbitration Centre
Telling a Good Hong Kong Story – PCPD Representatives Attend and Speak at the National Data Privacy Conference of the Philippines
Raising Public Awareness to Combat Fraud – The PCPD Organises a Seminar on “Beware of Scams Protect Your Personal Data”
The PCPD Receives Campaign of the Year Award
Reaching Out to Governance Professionals – PCPD’s Representatives Speak at “25th Annual Corporate and Regulatory Update”
Telling a Good Hong Kong Story – PCPD Welcomes a Delegation of Mainland Officials
Highlights of the “Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information (Draft Consultation Paper)” 《網絡安全標準實踐指南 – 敏感個人信息識別指南 (徵求意見稿)》的重點
EU: Multistakeholder Expert Group to Commission Publishes Evaluation of the GDPR
EU: EDPS Publishes Guidelines on Generative AI and Personal Data for EU Institutions
UK: High Court Rules that Data Subjects Have Right to Know Identities of Recipients of Personal Data
France: CNIL Provides Recommendation on New Health Data Processing Procedures
Build an Effective Privacy Policy Statement for Your Organisation
Organisations collect personal data from their employees, customers and clients in daily operations. According to Data Protection Principle (DPP) 5 of the PDPO, a data user is required to fulfil the requirements of openness and transparency, so that data subjects can ascertain the data user’s policies and practices in relation to personal data, and are informed of the kind of personal data held by the organisation and the main purposes for which that personal data is or is to be used. To comply with these requirements, a Privacy Policy Statement (PPS) is required at all times if an organisation controls the collection, holding, processing or use of personal data.
What is a PPS?
A PPS is a general statement about an organisation’s privacy policies and practices in relation to the personal data it handles. It covers a wider scope and, in addition to some core elements of the Personal Information Collection Statement, includes other privacy-related policies and practices such as data retention policy, data security measures, data breach handling and the use of special tools such as website cookies.
What should be included in a PPS?
- Statement of policy: to express an organisation’s overall commitment to protecting the privacy interests of individuals who provide personal information about themselves to the organisation.
- Statement of practices: to include the kind of personal data held by the organisation and the purposes for which it uses the data. The kind of personal data collected should depend on the organisation’s actual operational needs, which may include identification information, contact details, financial data, interests and preferences, location information of mobile devices, browser details and IP addresses. Common purposes for which these types of personal data are used may include the delivery of goods/services, the management of accounts, the processing of orders, the facilitation of website access, the compilation of aggregate statistics on website usage.
How to develop an effective PPS?
To effectively communicate your organisation’s data management policies and practices, it is good practice to have a PPS in written form, using proper headings and adopting a layered approach to presentation where the privacy policies and practices are complex and lengthy. The following should also be stated clearly:
- Whether the website allows access by individuals who do not accept cookies, and what loss of functionality may result from not accepting cookies;
- How long the personal data will be retained;
- How to make a deletion request;
- How personal data will be used, processed, handled and transferred;
- That personal data would be disclosed to specified parties with the data subject’s express and voluntary consent, if that is the case;
- How your organisation ensures the security and confidentiality of the personal data collected;
- What personal data will be transferred to specified service providers and how the service providers will ensure protection of the personal data collected;
- Your policy on handling individuals’ requests to access and to correct individuals’ personal data held; and
- The contact details (e.g. office and email addresses) of the officer in your organisation who will answer enquiries.
Please read the PCPD’s publication below to learn more about the PPS:
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement.
PRIVACY COMMISSIONER’S FINDINGS
Collection of Copies of Hong Kong Identity Card and Bank Card from a Job Applicant Prior to the Acceptance of Employment Offer
The Complaint
The complainant applied for a job at a branch of a company. After the interview, the staff of the company requested to make a copy of the complainant’s Hong Kong Identity Card (HKID Card) and bank card (the Documents) in order to submit the same to the Human Resources Department for contract preparation and job allocation purposes. Thereafter, the complainant asked the company about the outcome of his job application but did not receive any response. The complainant was dissatisfied that the company collected the copies of the Documents prior to confirming his employment offer, and hence lodged a complaint with the PCPD.
Outcome
The company explained to the PCPD that the complainant had passed the interview at the branch, and the branch manager considered the application successful. In the circumstances, the Documents were copied and passed to the district manager for vetting purposes. However, during the vetting process, the district manager considered that the company had sufficient manpower and the complainant’s application was thus rendered unsuccessful.
Upon PCPD’s intervention, the company revised its guidelines relating to the collection of personal data from job applicants. According to the revised guidelines, the company would only collect copies of the Documents at the time the selected job applicant signs the contract or during the onboarding process.
The PCPD also issued a warning to the company, requesting it to recirculate the revised guideline regularly to ensure that the staff adhered to the relevant requirements regarding the collection of personal data from job applicants.
Lessons Learnt
In accordance with the “Code of Practice on the Identity Card Number and other Personal Identifiers” (the Code) issued by the PCPD, employers are permitted to collect a copy of an HKID Card in order to provide proof of compliance on the part of the employer with section 17J of the Immigration Ordinance (Cap.115), which provides that the employer shall inspect the HKID Card of a prospective employee before employing him. However, it is also highlighted in the Code that the employer shall not collect any HKID Card copy until the applicant is successfully recruited. In addition, as reiterated in the “Code of Practice on Human Resource Management” issued by the PCPD, an employer should not collect a copy of the HKID Card of a job applicant during the recruitment process unless and until the applicant has accepted an offer of employment.
An HKID Card copy contains important and sensitive personal data. Institutions should take this case as an example and ensure that recruitment staff do not collect the HKID Card copy of a job applicant unless and until the job applicant has accepted an offer of employment. Similarly, if an applicant has not accepted an offer of employment, it is not necessary to collect the applicant’s bank account information for payroll purposes.
Be Smart in the Internet Era – Protect Your Data Privacy When Using Internet of Things (IoT)
Internet of Things (IoT) is revolutionising our daily lives. By interconnecting household or personal devices via the Internet, IoT devices embedded with electronics, sensors and software are able to communicate and exchange data with other devices. Examples include smart watches, smart TVs, Internet Protocol cameras and AI home assistants. All these IoT devices entail data collection and transmission, often with automated monitoring and decision-making.
With their different features and designs, IoT devices may collect vast amounts of sensitive personal data concerning an individual’s health, movements, habits and private life. Piecing together the data gathered via multiple IoT devices could allow the construction of a profile of an IoT device user. Therefore, IoT device users should be vigilant about data security when using these devices.
Here are some practical tips to protect your personal data privacy when using IoT devices:
- Read the privacy policy carefully to understand what personal information will be collected, why the collection is necessary and how the personal information will be used, disclosed and/or shared before purchasing any IoT devices.
- Use separate user accounts/email addresses to register for each account of the IoT devices so that the data gathered from different devices cannot be integrated and analysed by data users or third parties easily.
- Avoid linking the IoT devices accounts with other private ones, such as the online banking account and social media account.
- Examine the privacy settings and understand the privacy implications of default settings in an IoT device. If in doubt, start with not sharing or uploading information and change appropriate settings.
- Set a strong password for your IoT devices instead of using the default username and password set by the devices. The password should be complex and should not contain your personal data (such as your name or date of birth); change your password regularly.
- Update and patch the firmware (built-in software) in a timely manner and install security patches. Only download firmware and security patches from trusted websites (such as the official website of the devices).
- Delete all user account information and other personal data stored in the IoT device before disposal or resale, because the device may have stored your personal data.
Enhancing Cybersecurity - Privacy Commissioner Gives Keynote Speech at HKCNSA Symposium 2024
The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, delivered a keynote speech at the inaugural HKCNSA Symposium 2024 organised by the Hong Kong China Network Security Association on 26 June. The theme of the symposium was “Navigating Cyber Resiliency and Data Privacy in Mainland and Hong Kong”. The Privacy Commissioner shared with participants the importance for enterprises of enhancing their cybersecurity resilience and data privacy in the digital age. The Privacy Commissioner also introduced the work of her Office (PCPD) in safeguarding data security and cyber security, as well as the new “Artificial Intelligence: Personal Data Protection Model Framework” published by the PCPD amidst the personal data privacy challenges brought by the prevalence of artificial intelligence. Please click here for the Privacy Commissioner's speech (Chinese only).
Enhancing Cybersecurity – PCPD Participates in the “Bug Hunting Campaign 2024” as a Strategic Partner
The Office of the Privacy Commissioner for Personal Data (PCPD) participates in the “Bug Hunting Campaign 2024” (Campaign) as a Strategic Partner. The Campaign is co-organised by the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force and Cyberbay. Organisations which enrol in the Campaign will have their website security levels tested by cybersecurity experts to help identify potential vulnerabilities. The CSTCB will announce the list of participating organisations that meet the specified cybersecurity requirements on the official website of “CyberDefender” to commend their efforts in safeguarding cybersecurity. The PCPD will assist participating organisations in enhancing their staff awareness of data security and personal data protection. Eligible participating organisations can attend PCPD’s professional workshop on “Personal Data Privacy Management Programme” in August free of charge, as well as enjoy discounted rates for PCPD’s in-house training seminars. Mr Brad KWOK, Chief Personal Data Officer (Compliance and Enquiries) of PCPD, attended the press conference for the launch of the Campaign and shared the latest trends of data breach incidents. Mr Kwok encouraged organisations to join the Campaign.
“Food Wise and Waste Less” – The PCPD Volunteer Team Prepares Meal Boxes for those in Need
The Volunteer Team of the PCPD assisted Food Angel today in providing free meals to those in need. The Privacy Commissioner and 10 members of the Volunteer Team assisted in the processing of food ingredients at Food Angel’s Chai Wan kitchen, and together prepared a total of 2,604 meal boxes, which were then donated to those in need, spreading the message of love and care within the community. Established in 2022, the PCPD Volunteer Team has made multiple visits to elderly centres to raise the awareness of the elderly of fraudulent scams. The Team also donated anti-epidemic medical supplies to various social welfare organisations during the COVID-19 pandemic.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the “Artificial Intelligence: Model Personal Data Protection Framework”
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 1’s “HK2000” and “Open Line Open View”, Commercial Radio’s “On a Clear Day”, Metro Radio’s “Roadmap to Knowledge Economy” and Now News’ “News Magazine” on 12 June to explain the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) published by the PCPD.
The Privacy Commissioner said that the Model Framework covers recommendations on the best practice measures in four areas to assist organisations which procure, implement and use AI, including generative AI, in the handling of personal data in compliance with the requirements of the PDPO.
Reaching Out to Legal Professionals – Privacy Commissioner Attends Celebration of the 2nd Anniversary of the Establishment of AALCO Hong Kong Regional Arbitration Centre
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the celebration of the 2nd anniversary of the establishment of Asian-African Legal Consultative Organization (AALCO) Hong Kong Regional Arbitration Centre on 5 June. The AALCO is the only inter-governmental legal consultative organisation in the Asia-African region, covering almost all major countries in Asia and Africa. The arbitration centre in Hong Kong serves as a co-ordinating agency for the dispute resolution system of the AALCO, aiming to promote the development and effective operation of arbitration institutions and other alternative dispute resolution services.
Telling a Good Hong Kong Story – PCPD Representatives Attend and Speak at the National Data Privacy Conference of the Philippines
Privacy Commissioner Ms Ada CHUNG Lai-ling spoke through video recording at the 7th National Data Privacy Conference on 30 May themed “Data Privacy For All: Embracing Inclusivity and Diversity” held by the National Privacy Commission (NPC) of the Philippines. The conference was one of the events of the NPC’s Privacy Awareness Week 2024.
In her speech, the Privacy Commissioner highlighted the importance of implementing targeted privacy protection measures that cater to the specific needs of vulnerable communities, such as children and senior citizens, in order to protect their privacy rights. The Privacy Commissioner also elaborated on the PCPD’s work on promoting data protection among vulnerable communities.
Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs and Research) Ms Cecilia SIU (Assistant Privacy Commissioner) also spoke as a panellist at a panel discussion entitled “Cultivating Effective Data Privacy Awareness for Children”. She introduced PCPD’s approaches to cultivate privacy awareness of children.
Please click here for the Privacy Commissioner’s full speech.
Please click here for the Assistant Privacy Commissioner’s presentation deck.
Raising Public Awareness to Combat Fraud – The PCPD Organises a Seminar on “Beware of Scams Protect Your Personal Data”
The PCPD organised a seminar on “Beware of Scams Protect Your Personal Data” in hybrid mode on 18 June, which attracted over 370 participants.
At the seminar, Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) of the PCPD Ms Joyce LAI shared with the participants practical tips for protecting personal data privacy when using smartphones, instant messaging software and social media. Senior Inspector of Police, Anti-Deception Coordination Centre (ADCC) (Publicity) of the Commercial Crime Bureau of the Hong Kong Police Force Mr Andy LAU also spoke as a guest speaker on the latest trends in scams, using real cases as examples.
Please click here for Ms LAI’s presentation deck (Chinese only).
Please click here for Inspector LAU’s presentation deck (Chinese only).
The PCPD Receives Campaign of the Year Award
The PCPD’s Privacy-Friendly Awards 2023 has been awarded the “Hong Kong Campaign of the Year – Regulatory” award in the GovMedia Conference & Awards 2024. Privacy Commissioner Ms Ada CHUNG Lai-ling is delighted with the recognition given by GovMedia, the organiser, for the PCPD’s efforts in promoting good data governance. The Privacy Commissioner said, “In addition to our role as an enforcer and educator, the PCPD is also a facilitator. We are committed to fostering a culture of respecting and protecting personal data privacy, and actively promoting the benefits of implementing a Personal Data Privacy Management Programme to organisations.” Please click here for the list of awards.
Reaching Out to Governance Professionals – The PCPD’s Representatives Speak at “25th Annual Corporate and Regulatory Update”
Chief Personal Data Officer (Compliance and Enquiries) of the PCPD Mr Brad KWOK and Senior Legal Counsel (Acting) of the PCPD Ms Clemence WONG spoke at the 25th Annual Corporate and Regulatory Update organised by the Hong Kong Chartered Governance Institute (HKCGI) on 7 June. At the event, Mr Kwok spoke about how to enhance cybersecurity and data security, and explained the key points in preventing and handling data breach incidents, while Ms Wong provided an overview of the obligations and responsibilities of contracting parties under the Standard Contract (Mainland, Hong Kong) for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area. Please click here for the presentation deck.
Telling a Good Hong Kong Story – The PCPD Welcomes a Delegation of Mainland Officials
The PCPD received a delegation of Mainland officials on 6 June. The delegation comprised 21 Mainland officials who took the Master of Laws programme in Common Law at the University of Hong Kong and the Chinese University of Hong Kong under the Training Scheme in Common Law for Mainland Legal Officials organised by the Department of Justice. PCPD’s representatives, Senior Legal Counsel Ms Ines LEE, Senior Legal Counsel (Complaints) Ms Hermina NG and Head of Corporate Communications Ms Phoebe CHOW delivered a presentation to the delegates on “Protection of Personal Data in Hong Kong – Briefing on the Work of the PCPD”. The presentation covered Hong Kong’s personal data protection laws and an overview of the PCPD’s role and functions, as well as how the PCPD handles complaints, combats doxxing and promotes the protection of personal data privacy.
New Appointments to the Standing Committee on Technological Developments of the PCPD
Privacy Commissioner Ms Ada CHUNG Lai-ling today announced the appointment of Prof Dit-yan YEUNG as a new member of the Standing Committee on Technological Developments (SCTD) of the PCPD and the re-appointment of Ir Alex CHAN, an incumbent member, both for a term of two years from 1 July 2024 to 30 June 2026. Prof Dit-yan YEUNG is the Chair Professor of the Department of Computer Science and Engineering of the Hong Kong University of Science and Technology. His research interests are primarily in artificial intelligence, computer vision, machine learning and pattern recognition. For four years in a row since 2021, he has been awarded the AI 2000 Most Influential Scholar Award Honorable Mention by AMiner for being among the most influential scholars in AI. Ir Alex CHAN is the General Manager of the Digital Transformation Division at the Hong Kong Productivity Council and leads its cybersecurity advisory team, including the Hong Kong Computer Emergency Response Team. He is a seasoned IT consultancy professional with more than 20 years of experience in the consultancy, utilities and telecommunication industries. He is also a Vice President and a fellow member of the Hong Kong Computer Society (HKCS). With effect from 1 July 2024, the members of the SCTD (in alphabetical order of surname) are as follows:
- Ms Ada CHUNG Lai-ling (Privacy Commissioner) (Co-chairperson)
- Ms Cecilia SIU (Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs & Research)) (Co-chairperson)
- Ir Alex CHAN
- Mr Alan CHEUNG
- Adjunct Prof Jason LAU
- Dr Gregg LI
- Prof the Hon William WONG Kam-fai, MH
- Prof Dit-yan YEUNG (new member)
- Prof S M YIU
The SCTD was established to advise the Privacy Commissioner on, among other things, the impacts of the developments in the processing of data and information technology on the privacy of individuals in relation to personal data. It comprises distinguished external members of exceptional calibre from the information and communications technology industry, particularly experts in fields such as information security, cybersecurity and artificial intelligence. The diversity of experts from academic and corporate backgrounds also ensures a broad representation of perspectives and insights, which assists the Privacy Commissioner in formulating policies and recommendations to address technological developments while safeguarding privacy in relation to personal data.
Telling a Good Hong Kong Story – Privacy Commissioner Attends the 61st Asia Pacific Privacy Authorities Forum
Privacy Commissioner Ms Ada CHUNG Lai-ling and senior officers of the PCPD attended the 61st Asia Pacific Privacy Authorities (APPA) Forum held virtually from 20 to 21 June. During the Forum, the Privacy Commissioner gave an overview of the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) recently published by the PCPD. The Privacy Commissioner explained to APPA members that the Model Framework aims to provide internationally well-established and practical recommendations and best practices to assist organisations to procure, implement and use AI, including generative AI, in compliance with the relevant requirements of the PDPO. As the co-chair of the International Enforcement Cooperation Working Group of the Global Privacy Assembly, the PCPD reported on the work of the Working Group to attendees. Senior Legal Counsel of the PCPD Ms Hermina NG also shared with the attendees the PCPD’s enforcement work. Major themes discussed at the APPA Forum included the following:
- AI governance policies and initiatives;
- Investigations and enforcements;
- Handling data breach incident reports;
- Privacy Enhancing Technologies; and
- Children’s privacy.
Founded in 1992, APPA is the principal forum for privacy and data protection authorities in the Asia Pacific region to strengthen cooperation, discuss best practices and share updated information on emerging technologies, trends and changes to privacy regulation. APPA forums are held bi-annually. The 61st APPA Forum was hosted by the Office of the Information and Privacy Commissioner for British Columbia, Canada.
A 54-year-old Male Arrested for Suspected Doxxing Arising from Monetary Disputes
The PCPD arrested a Chinese male aged 54 in the New Territories on 18 June. The arrested person was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that in early 2023 the victim signed a provisional tenancy agreement as well as an undertaking to pay commission with a view to renting a shop space to start a business. Subsequently, she sent copies of her company’s registration record, which contained the company’s registered address, and of her HKID card to the estate agent (the Agent) concerned for the rental arrangement. The victim later decided not to proceed with the rental arrangement and a dispute arose between her and the Agent as regards the commission payment. In September 2023, the victim received a total of three messages demanding that she pay the commission to the Agent, or else debt collectors would call on her. In October 2023, two dunning flyers were posted at the registered address of the victim’s company, alongside a copy of her HKID card disclosing her personal data, including her Chinese name, English name, name in Chinese Commercial Code, HKID card number, date of birth, gender and photo. The PCPD reminds members of the public that they should not dox others because of monetary disputes. Moreover, identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
A 31-year-old Female Arrested for Suspected Doxxing Arising from Personal Disputes

The PCPD arrested a Chinese female aged 31 in Kowloon on 13 June. The arrested person was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the victim is a professional whose personal data is listed in the register of the relevant profession. The victim’s husband operates a retail business. As the arrested person had been a regular customer of the business since 2019, she also knew the victim. However, the victim’s husband and the arrested person cut off contact in 2023 when their relationship turned sour. In March 2024, messages containing the victim’s personal data were disclosed in a chat group on an instant messaging application, alongside negative comments about the victim and her husband and a copy of the victim’s registration information from the register of the relevant profession. The personal data disclosed included the victim’s Chinese name, English name, registration number and date of registration of her professional qualification, name of the university she attended, year of graduation, and current grade and post.

The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is a serious offence, and an offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for five years.
The PCPD Publishes the Investigation Findings on Four Cases Complaining about Excessive Fees Imposed by the Hong Kong Examinations and Assessment Authority for Accessing Marking Records and Examination Scripts

On completion of its investigations into four cases complaining about excessive fees imposed by the Hong Kong Examinations and Assessment Authority (HKEAA) for accessing marking records and examination scripts, the PCPD published its findings on 6 June. The investigations arose from four complaints received by the PCPD, lodged by four candidates of the 2023 Hong Kong Diploma of Secondary Education Examination (HKDSE), each of whom complained that the HKEAA had imposed excessive fees for accessing marking records and examination scripts. The relevant fees were as follows:
Background
According to the website of the HKEAA, starting from the 2023 examination, a data access requestor is no longer provided with a hard copy of the requested data, but instead receives an email containing a password and a link for downloading the requested personal data, including marking records and examination scripts.
Complaint Matter (I)
The four complainants considered that, in view of the change in the form in which the requested data is provided, the fee imposed for accessing the data should have been reduced. However, the fee imposed by the HKEAA for the first data access application was reduced by only HK$20 (from HK$400 to HK$380). Three of the complainants also observed that the fee for accessing the data of each additional subject remained unchanged (at HK$104). The complainants thus lodged complaints with the PCPD against the HKEAA for imposing excessive fees for accessing marking records and examination scripts. In support of their complaints, the four complainants provided the following justifications:
- Given that the HKEAA had changed the form in which it provided the requested data from hard copies to dissemination by email, one complainant questioned whether three aspects of the HKEAA’s expenditure on complying with a data access request should have been reduced: some items of labour costs should have been saved; computer operating time costs should have been significantly reduced with the development of computer hardware and the exclusion of “printer operating and maintenance costs”; and other costs such as “paper and stationery costs” should also have been saved;
- Another complainant also considered that providing the requested data by email did not involve “printer operating and maintenance costs” or “paper and stationery costs”;
- Two complainants were of the view that the HKEAA had saved photocopying costs by providing the requested data in electronic form. According to their estimation, the total number of pages of the documents each of them requested was far more than 10, and the corresponding photocopying cost was far more than HK$20. The complainants therefore considered that the reduction in the fee imposed for electronic copies was not reasonable.
Complaint Matter (II)
One of the complainants further considered that, as the HKEAA already retained scanned copies of candidates’ personal data, it should have been able to provide electronic copies of the data to data access requestors. However, between 2012 and 2022, notwithstanding that the HKEAA was able to provide electronic copies of the requested data, it still chose to comply with data access requests by providing hard copies at a higher cost and calculated the fees on that basis. The complainant therefore lodged a complaint against the HKEAA for contravening section 28(4) of the PDPO, that is, for imposing a fee for complying with a data access request that was higher than the lowest fee it would impose for complying with the request in another form.
Investigation Findings
Complaint Matter (I)
According to section 28(3) of the PDPO, no fee imposed for complying with a data access request shall be excessive.
Privacy Commissioner Ms Ada CHUNG Lai-ling completed the investigations into the four complaints after five rounds of enquiries. Based on the information obtained from the investigations and the relevant facts, the Privacy Commissioner found that the fees imposed by the HKEAA for complying with the data access requests were lower than the necessary and directly related costs incurred in complying with those requests. Such costs included labour costs, computer operating time costs and other costs, but did not include “printer operating and maintenance costs” or “paper and stationery costs”. As such, the Privacy Commissioner found that the fees imposed by the HKEAA for complying with the data access requests were not excessive and that the HKEAA had not contravened section 28(3) of the PDPO.
Complaint Matter (II)
For complaint matter (II), section 28(4) provides that, if a data user may comply with a data access request by supplying a copy of the personal data to which the request relates, and the copy can be provided in one of 2 or more forms, the data user shall not, irrespective of the form in which the data user complies with the request, impose a fee which is higher than the lowest fee the data user imposes for complying with the request in any of those forms.
According to the information provided by the HKEAA, between 2012 and 2022 when the HKEAA handled data access requests, all the requested data was provided in hard copies. At the material time it was not feasible and secure to provide electronic copies to candidates directly. The HKEAA was thus unable to provide copies of marking records and examination scripts by means other than hard copies between 2012 and 2022.
The Privacy Commissioner found that the requirement under section 28(4) of the PDPO is premised on the fact that a data user may provide a copy of the personal data to which a data access request relates in one of 2 or more forms. As the HKEAA could only provide copies of the relevant data in one form (that is, in the form of hard copies) between 2012 and 2022, section 28(4) of the PDPO was therefore not applicable. The Privacy Commissioner considered that complaint matter (II) was not substantiated. In other words, the HKEAA had not contravened section 28(4) of the PDPO.
Relevant Provisions under the PDPO
According to section 28(3), no fee imposed for complying with a data access request shall be excessive.
Section 28(4) provides that, if a data user may comply with a data access request by supplying a copy of the personal data to which the request relates, and the copy can be provided in one of 2 or more forms, the data user shall not, and irrespective of the form in which the data user complies with the request, impose a fee which is higher than the lowest fee the data user imposes for complying with the request in any of those forms.
The PCPD's Guidance Note “Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users” provides further information about the handling of data access requests.
The full Investigation Findings, “Complaints by Hong Kong Diploma of Secondary Education Examination candidates against the Hong Kong Examinations and Assessment Authority about Excessive Fees Imposed for Accessing Marking Records and Examination Scripts”, are available for download from the PCPD.
Highlights of the “Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information (Draft Consultation Paper)”

To guide personal information processors in identifying sensitive personal information and to regulate the processing, cross-border transfer and protection of sensitive personal information, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China (TC260) released the “Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information (Draft Consultation Paper)” (the Draft Guidance) on 11 June 2024.1
Reference was made to laws and regulations including the Personal Information Protection Law, the Cybersecurity Law and the Data Security Law when crafting the Draft Guidance. The Draft Guidance sets out the methods for identifying sensitive personal information and lists common categories and examples of such information for reference. The consultation period ended on 24 June 2024. The key points of the Draft Guidance are as follows:
Definitions
The Draft Guidance defines “personal information” and “sensitive personal information” consistently with the definitions under the Personal Information Protection Law2, namely:
- “Personal information” refers to all kinds of information, recorded electronically or by other means, that relates to an identified or identifiable natural person3.
- “Sensitive personal information” refers to personal information which, once leaked or illegally used, may easily lead to the infringement of a natural person’s personal dignity or endanger the person’s personal or property safety4.
Identification of Sensitive Personal Information5
The Draft Guidance expressly states that personal information processors should identify sensitive personal information in accordance with the following rules:
- a. Personal information that meets any of the following conditions should be identified as sensitive personal information:
  - personal information which, once leaked or illegally used, may easily endanger a natural person’s personal dignity6;
  - personal information which, once leaked or illegally used, may easily endanger a natural person’s personal safety7;
  - personal information which, once leaked or illegally used, may easily endanger a natural person’s property safety8.
- b. Identify the common sensitive personal information that is collected or generated in accordance with Chapter 4 and Appendix A of the Draft Guidance9;
- c. Consider both the identification of individual items of sensitive personal information and the overall attributes of multiple items of general personal information after they are aggregated or combined; analyse the impact that their leakage or illegal use may have on individuals’ rights and interests; and, if the conditions stated in a. are met, protect the aggregated or combined personal information as a whole by reference to sensitive personal information.
Common Sensitive Personal Information10
Chapter 4 of the Draft Guidance divides common sensitive personal information into the following eight categories:
- Biometric information: also known as biometric identification information, refers to personal information obtained by technical processing of a natural person’s physical, biological or behavioural characteristics which, alone or in combination with other information, can identify that natural person.
- Religious belief information: personal information relating to an individual’s religion, religious organisations and religious activities.
- Specific identity information: identity information which has a significant impact on an individual’s personal dignity and social evaluation or is otherwise unsuitable for disclosure, in particular specific identity information that may lead to social discrimination.
- Medical and health information: personal information relating to an individual’s medical consultations and physical or mental health conditions11.
- Financial account information: personal information relating to an individual’s bank, securities and other accounts and the fund transactions of those accounts.
- Whereabouts information: personal information relating to an individual’s geographic location, places of activity and movement tracks12.
- Personal information of minors under the age of 14.
- Other sensitive personal information: apart from the above, other common personal information which, once leaked or illegally used, may easily lead to the infringement of a natural person’s personal dignity or endanger the person’s personal or property safety.
The Draft Guidance lists specific examples of sensitive personal information under each category in Appendix A; please refer to the table below for details:
Conclusion
In summary, the Draft Guidance provides more specific guidance on the classification of sensitive personal information and its common examples, which should give personal information processors and regulators a clearer reference. As the State attaches greater importance to the regulation and protection of sensitive personal information, stakeholders are advised to closely monitor the formulation and release of the latest standards so as to comply with the requirements under the various laws and regulations.
1 Full text: https://www.tc260.org.cn/front/postDetail.html?id=20240611204152
2 Chapter 2 of the Draft Guidance.
3 Personal information does not include information that has been anonymised.
4 Sensitive personal information includes biometric, religious belief, specific identity, medical and health, financial account and whereabouts information, as well as the personal information of minors under the age of 14.
5 Chapter 3 of the Draft Guidance.
6 Safeguarding an individual’s personal dignity includes safeguarding the right to life, the right to bodily integrity, the right to health, the right to one’s name, the right to an entity name, the right to one’s likeness, the right to reputation, the right to honour, the right to privacy and other personality rights and interests. Situations that may easily lead to the infringement of a natural person’s personal dignity may include “human flesh search” (doxxing), illegal intrusion into others’ online accounts, trafficking in personal information, telecommunications fraud, damage to personal reputation and discriminatory treatment.
7 For example, the leakage or illegal use of an individual’s whereabouts information may endanger the personal safety of the personal information subject.
8 For example, the leakage or illegal use of financial account information may cause property loss to the personal information subject.
9 Sensitive personal information inferred from a user’s personal information also constitutes sensitive personal information.
10 Chapter 4 of the Draft Guidance.
11 An individual’s past, present and future health conditions all constitute medical and health information.
12 An individual’s past and present whereabouts both constitute whereabouts information.
13 Location information collected by requesting precise location permission on a mobile phone (such as the ACCESS_FINE_LOCATION permission on Android) is precise positioning information, and continuously collected precise positioning information can be used to generate movement tracks.
Seminar on “Lessons from Data Breach Cases and Recommended Data Security Measures” (Rerun)

The PCPD notes that cyberattacks on organisations’ information systems occur from time to time, resulting in the leakage of personal data. These incidents are generally caused by organisations’ failure to adopt adequate and effective organisational or technical security measures to protect their information systems, or by the negligence or error of staff members.
Owing to the overwhelming response to the seminar held earlier, the PCPD is rerunning it. Privacy Commissioner Ms Ada CHUNG Lai-ling and Chief Personal Data Officer of the PCPD Mr Brad Kwok will talk about lessons learnt from data breach cases that occurred in recent years, elaborating on the causes of the breaches and the remedial measures taken. The speakers will also recommend ways to enhance cybersecurity and data security measures, and highlight the key points in preventing and handling data breach incidents.
Organisations in all sectors that use ICT to handle personal data, IT professionals and members of the public with an interest in the topic are welcome to attend.
Enrolment is on a first-come-first-served basis.
Date: 9 July 2024 (Tuesday)
Time: 3:00pm – 4:30pm
Mode: Online / Face-to-face
(Physical venue: Lecture Room of the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: Free-of-charge
Language: Cantonese
Who should attend: Organisations in all sectors, IT professionals and members of the public with an interest in the topic
Professional Workshop on Recent Court and Administrative Appeals Board Decisions

Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the courts and the Administrative Appeals Board relating to personal data privacy. In this workshop, a PCPD lawyer will give a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and your knowledge of the interpretation and application of the PDPO.
Date: 17 July 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: English
Who should attend: Solicitors, barristers, in-house legal counsel, data protection officers and compliance officers, company secretaries and administration managers
Professional Workshop on Data Protection in Insurance

Insurance transactions involve large volumes of customers’ personal data, including names, telephone numbers, addresses and identity card numbers. It is therefore necessary for insurance practitioners to understand the requirements under the PDPO.
This workshop examines key concepts of data protection compliance and illustrates various scenarios in industry operations to highlight potential personal data privacy issues and their solutions.
Date: 24 July 2024 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the Insurance Industry
Other Professional Workshops on Data Protection in August 2024:

Online Free Seminar – Introduction to the PDPO

The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450 starting from 1 April).
Join us now to keep up-to-date with the latest news and legal developments!
PCPD Supports the HKIoD Award Series for Director Excellence 2024
The PCPD is delighted to be one of the supporting organisations of the HKIoD Award Series for Director Excellence 2024, organised by The Hong Kong Institute of Directors (HKIoD). “Leading with Agility in an Era of Innovation” is the theme of the Awards this year. The award series consists of the Directors of the Year Awards (DYA) and the first Climate Governance Awards (CGA). The DYA aims to recognise outstanding boards and directors, and to promote good practices in corporate governance and director professionalism. The CGA aims to recognise and inspire exemplary achievements in climate governance, and to advocate climate action by directors.
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on the privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.