Privacy Commissioner’s Office Offers Six Tips to Prevent Fraud
The Privacy Commissioner Demonstrates Deepfake Face Swapping

Privacy Commissioner Ms Ada CHUNG Lai-ling demonstrated instant face swapping through AI deepfake technology in a short video.

In the digital era, the use of smartphones, social media platforms or online shopping platforms has become increasingly prevalent, which unfortunately also presented opportunities for fraudsters. During the first half of 2024, the PCPD received nearly 600 enquiries relating to fraudulent activities targeting the personal data of the enquirers, which represented an increase of nearly 90% when compared to 312 cases year-on-year. The PCPD also noted a surge in various types of scams, all of which aimed at swindling citizens out of money and/or personal data. These include:

1.Scams Using Instant Messaging Applications (Apps)

• Fraudsters hijacked accounts on instant messaging apps and impersonated the victims to send messages to the contacts contained in their address books, aiming to swindle the victims out of money or personal data.
• Fraudsters impersonated government officials, government departments or public bodies to disseminate fake messages to deceive people for money and/or personal data.

2. Scams on Social Media Platforms

• With the rising demand for travel, fraudsters created fake pages on social media platforms pretending to be traveling agencies and deceived victims by selling fake travel products such as hotels, dining and flight package deals.
• Fraudsters used fake advertisements on social media platforms to deceive citizens into providing personal data or participating in false investment schemes.

3. Scam Videos Using Artificial Intelligence (AI) Technology

• Fraudsters manipulated public footages, used photos or audio recordings of government officials or celebrities to produce videos using AI deepfake technology to deceive people into investing in fake investment schemes.
• Fraudsters obtained victims’ biometric data, such as their facial images and voice, through social media, video calls or online public footages, to create videos using deepfake technology and impersonated victims’ friends, relatives or colleagues to swindle money and/or personal data.

4. Telephone Scams

• Fraudsters impersonated hotline customer service representatives of reputable organisations to induce victims to share their personal data and transfer money to fraudsters’ accounts.

In light of these scams, the PCPD appeals to members of the public and organisations to beware of various forms of fraudulent tricks, particularly those involving AI deepfake technology, and offers six essential tips to safeguard personal data privacy:

1. Be vigilant: Think twice before providing any personal data, verify the purpose of collection of such data and whether it is mandatory to provide them. Do not disclose personal data to others arbitrarily, avoid clicking or scanning suspicious links and QR codes, and do not log into any suspicious websites;
2. Keep an eye on your accounts and transaction records: Regularly check online banking for any unusual log-in activities, unauthorised transfers or transactions in your bank accounts or credit cards;
3. Password protection: Change the passwords of online banking accounts from time to time and enable two-factor authentication (if available). Never share passwords with anyone;
4. Smart use of social media and instant messaging apps: Minimise the sharing of biometric data, such as portrait photos and videos, on social media platforms and instant messaging apps, and review the relevant default security and privacy settings;
5. Authenticate the identity of callers: Even if the caller makes a video call or can provide your personal data, if you are in doubt about the identity of the caller, you should verify the authenticity of the caller or relevant organisations through other contact methods; and
6. Fraud prevention information: Pay attention to the fraud prevention information published by the PCPD, the Police or relevant organisations. Share the information with friends and relatives (especially the elderlies and youngsters) to enhance their awareness of fraud prevention.

To illustrate that it is easy to produce fake videos in the AI era, Privacy Commissioner Ms Ada CHUNG Lai-ling demonstrated instant face swapping through AI deepfake technology in a short video produced by the PCPD. Please click here to watch the video.

Anyone who suspects that his/her personal data has been leaked may make enquiries or lodge complaints with the PCPD (Personal Data Fraud Prevention Hotline: 3423 6611 or email: communications@pcpd.org.hk). If there is any suspicion of fraud on personal data which involves criminal offence(s), they should immediately report the case to the Police.

Citizens may also click here to visit “Scameter” to check suspicious phone numbers, email addresses and websites, etc.

PRIVACY 101

Privacy by Design and Personal Data Privacy Protection

Owing to the heightened public awareness of data privacy protection prompted by increasing trend of cyberattack and data breach incidents in Hong Kong and worldwide in recent years, personal data privacy protection in this digital era with the prevalent use of information and communication technologies (ICT) in the collection and use of customers’, clients’ and employees’ personal data has become a major challenge to organisations. Embracing privacy and personal data protection by incorporating “Privacy by Design” (PbD) into the organisation’s corporate governance strategy is of paramount importance.

PbD provides a robust and comprehensive approach to safeguard personal data privacy and addresses the ever-growing and systemic effects of ICT and large-scale networked infrastructure. It promotes embedding privacy as the default into the design, operation and management of ICT systems, across the entire information life cycle. It seeks to make privacy integral to organisational priorities, project objectives and work standards, covering business practices, operational processes, product and service design, physical architectures and networked infrastructure.

There are seven foundational principles of PbD for developing the ICT systems or applications:

1. Proactive and Preventive

Assess, identify, manage and prevent any data protection risks before data breaches occur. Risks can be minimised through good design and data management practices.

2. Data Protection as the Default

Data protection measures must be integrated into processes and features of the systems, which the measures to safeguard personal data should be automatically provided as default settings.

3. End-to-end Security
Security measures must be considered in the complete software development lifecycle (SDLC). Good security features and practices can be incorporated at every stage of the SDLC, and from the stage of data collection to data erasure.

4. Data Minimisation

Strictly collect, store and use personal data that is relevant and necessary for the intended purpose for which data is processed, instead of adopting a “collect first and think of what to do with it later” approach.

5. User-centric

Develop and implement ICT systems with individuals in mind – specifically, with the goal of personal data protection. Do this through default settings while giving individuals the option to customise settings with informative notices. The interface should be user-friendly, and features such as “just-in-time” notification or layered notices could be applied.

6. Transparency

Take a proactive role in informing individuals of what personal data is collected from them and how it is being used, and inform users of any third parties processing their personal data.

7. Risk Minimisation

Identify and mitigate data protection risk systematically. Risks can be reduced by designing and implementing the right processes and relevant ICT security measures when processing personal data.
 
Please read the PCPD’s publication to learn more about PbD:
Guide to Data Protection by Design for ICT Systems 

PRIVACY COMMISSIONER’S FINDINGS

The Staff of a Driving School Prematurely Collected Inquirer’s Hong Kong Identity Card Number

The Complaint

An individual made enquiries on course details and course fees at a driving school. He was required by the staff to provide his Hong Kong Identity (HKID) card number before obtaining a quotation of a driving course. He did not enrol in any courses with the driving school eventually and considered that the driving school should not retain his HKID card number. He therefore made a complaint to the PCPD.

Outcome

Data Protection Principle (DPP) 1 of the Personal Data (Privacy) Ordinance (PDPO) provides that personal data shall be collected for a lawful purpose directly related to a function or activity of the data user, the collection of the data is necessary for or directly related to that purpose and the data is adequate but not excessive in relation to that purpose. Furthermore, HKID card number is a sensitive personal data, a data user may only collect the HKID card number or a copy of the HKID card of an individual under the circumstances allowed in the Code of Practice on the Identity Card Number and Other Personal Identifiers (PI Code) issued by the Privacy Commissioner.

The driving school explained to the PCPD that the collection of HKID card number of the complainant was prepared for the driving tests conducted by the Transport Department. However, the driving school should not collect the complainant’s HKID card number prior to his enrolment in its courses. With the intervention of the PCPD, the driving school apologised to the complainant and destroyed his HKID card number.

Lessons Learnt

Notwithstanding that a data user is allowed to collect the HKID card number of an individual under the PI Code, a data user should duly consider the timing of collection. Premature collection of HKID card numbers may constitute wrongful collection. If a data user has not yet established a definite relationship with the data subject so as to justify the collection of HKID card numbers, the data user must not collect them at that point.

TECH TALK

Be Smart Online – Password Management and Data Privacy Protection

Password protection is one of the most common access control techniques for authentication in everyday online activities which requires assessing to online accounts – from logging in to email accounts or online retailers, to personal banking accounts. As the first line of defence, an effective and adequate password management is critical to safeguard your personal data against identity thefts or data breaches caused by cybercriminals’ unauthorised access of online accounts, devices and files. 

What are the recommended practices when we create or manage our passwords for different online accounts? Check out some dos and don'ts below:

Do’s

• Create a complex and unique password with a mix of at least eight mixed-case alphabetic characters, numerals and special characters;
• Change the default or initial password the first time you login to the online account;
• Change your password periodically, for example every 90 days;
• Use different passwords for different systems and accounts, in particular those for handling private and sensitive data;
• Adopt multi-factor authentication if possible to gain better protection against hacking attempts; and 
• Change your password immediately if you believe that it has been compromised, and notify the system or security administrator for follow-up actions.

Don’ts 

• Don’t use your own name/other information that might be easily obtained about you, including your HKID card numbers, license numbers, telephone numbers, date of birth, home/correspondence address etc.;
• Don’t use consecutive letters or numbers such as “abcdefgh” and “23456789”, or adjacent keys on the keyboard such as “qwertyui”;
• Don’t reuse recently used passwords; and
• Don’t store your password on any media unless it is protected from unauthorised access (such as encrypted with an approved encryption method).

WHAT’S ON

The PCPD Convenes Learning Session on Spirit of the Third Plenary Session of 20^th CPC Central Committee

The PCPD convened a learning session on the spirit of the Third Plenary Session of 20^th Central Committee (Plenary Session) of the Communist Party of China on 29 August. Privacy Commissioner Ms Ada CHUNG Lai-ling and the Deputy Privacy Commissioner for Personal Data Ms Amy LAM Lai-tim spoke at the session, enabling colleagues of the PCPD to gain a deeper understanding of the spirit of the Plenary Session.
 
At the session, colleagues of the PCPD learnt and discussed the “Resolution of the Central Committee of the Communist Party of China on Further Deepening Reform Comprehensively to Advance Chinese Modernization” (Resolution) considered and adopted at the Plenary Session, including the guiding ideology, overall goals and major principles of further deepening reform comprehensively, as well as the comprehensively reform master measures and tasks proposed in the Resolution, among others. The Privacy Commissioner also highlighted the parts of the Resolution on aspects such as national security, cyberspace governance and digital economy that are directly relevant to the work of the PCPD.
 
Privacy Commissioner Ms Ada CHUNG Lai-ling expressed her sincere gratitude to the publicity delegation who visited Hong Kong to speak to all sectors of the community on the spirit of the Plenary Session.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the New Compliance Guide on Collecting and Handling ID Card Data

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” and “Open Line Open View” on 23 August and Now News’ “News Magazine” on 26 August to explain the new versions of the “Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users” (the Compliance Guide) and the information leaflet titled “Your Identity Card Number and Your Privacy” (the Information Leaflet) issued by the PCPD.
 
During the interviews, the Privacy Commissioner pointed out that in view of the emergence of various kinds of fraudulent cases and the advancement of technology, the new versions of the Compliance Guide and Information Leaflet aim to remind organisations of the matters they should beware of when they collect and handle Hong Kong Identity (HKID) Card data, for example, that they should avoid using instant messaging applications or the camera functions of smartphones to collect HKID Card copies. The publications also seek to enhance the understanding of members of the public about when organisations could or are required to collect their ID card numbers or copies, thereby enhancing their vigilance in better safeguarding their personal data privacy and reducing the risks of falling prey to fraudsters.

Privacy Commissioner Attends Seminar on Spirit of Third Plenary Session of 20^th CPC Central Committee

Privacy Commissioner Ms Ada CHUNG Lai-ling attended a seminar on the spirit of the Third Plenary Session of the 20^th Central Committee (Plenary Session) of the Communist Party of China held by the Hong Kong Special Administrative Region Government on 26 August. The seminar featured speakers from the publicity delegation and enabled participants and members of the public to have a more profound and deeper understanding of the spirit of the Plenary Session.

The two members of the publicity delegation, i.e. the Vice-chairperson of the Constitution and Law Committee of the National People’s Congress and the Chairman of the Legislative Affairs Commission of the Standing Committee of the National People’s Congress, Mr SHEN Chunyao, and the Secretary of the Communist Party of China Leadership Group of the Ministry of Commerce and the Minister of Commerce, Mr WANG Wentao, spoke on the “Resolution of the Central Committee of the Communist Party of China on Further Deepening Reform Comprehensively to Advance Chinese Modernisation” (Resolution). They explained the guiding ideology, overall goals and major principles of further deepening reform comprehensively, and the importance of promoting Chinese modernisation, as well as the comprehensively master measures and tasks proposed in the Resolution, among others.

Promoting AI Security – Privacy Commissioner Publishes an Article Titled “Artificial Intelligence: The Model Personal Data Protection Framework” on Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Artificial Intelligence: The Model Personal Data Protection Framework” on Hong Kong Lawyer.

In the article, the Privacy Commissioner provided an overview of the global regulatory landscape and international collaborative efforts related to the development of AI. She also introduced the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework) published by the PCPD in June, including the recommendations and best practices set out in the Model Framework, which covered the four areas of: (i) AI strategy and governance; (ii) risk assessment and human oversight; (iii) the customisation of AI models and the implementation and management of AI systems; and (iv) communication and engagement with stakeholders.

The Privacy Commissioner believed that the adoption of the Model Framework will enable organisations to implement and use AI in a way that complies with the PDPO. She also encouraged organisations to adopt the Model Framework as part of their organisational AI policy.

Please click here to read the article.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media on the Latest Trend of Deepfake Fraud Cases

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “Open Line Open View” on 7 August to explain the latest trend of fraud cases using AI deepfake technology and to provide advice on protecting personal data privacy.

During the interview, the Privacy Commissioner pointed out that with the increase in the number of fraud cases and heightened awareness of prevention of fraud among members of the public, the number of enquiries received by the PCPD in the first half of 2024 (nearly 600) relating to fraudulent activities targeting the personal data of the enquirers has increased by nearly 90% when compared to the same period last year.

Given that AI deepfake technology had become more sophisticated, the Privacy Commissioner reminded members of the public of the creation of fake photos and videos using the deepfake technology. She advised citizens to think twice and build a “human firewall” when they encounter suspicious photos or videos in order to protect their personal data privacy and avoid falling into the traps of swindlers.

Please click here to listen to the interview by RTHK Radio 1’s “Open Line Open View” (Chinese only).

Promoting AI Security – Privacy Commissioner Publishes an Article Entitled “The Era of AI: A Model Framework for Personal Data Protection for Directors”

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “The Era of AI: A Model Framework for Personal Data Protection for Directors” on The 21st Century Director, the monthly magazine of The Hong Kong Institute of Directors.
 
In the article, the Privacy Commissioner introduced the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework) published by the PCPD. The Privacy Commissioner highlighted that the Model Framework was published with a view to assisting companies to procure, implement and use AI, including generative AI, in compliance with the relevant requirements of the PDPO. In particular, the Privacy Commissioner emphasised that support from and active participation by top management, including board directors, is pivotal to establishing a company’s AI strategy and governance.
 
The Privacy Commissioner encouraged company directors to lead their companies in adopting the Model Framework to reduce compliance costs and establish good AI governance.
 
Please click here to read the article.

Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Remind the Public to Stay Vigilant Against Fraud

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 2 August to explain the latest fraudulent tricks and remind members of the public to stay vigilant against fraud.

During the interview, the Privacy Commissioner pointed out that with the increase in the number of fraud cases and heightened awareness of prevention of fraud among members of the public, the number of enquiries received by the PCPD in the first half of 2024 relating to fraudulent activities targeting the personal data of the enquirers has increased by nearly 90% when compared to the same period last year. The most recent forms of fraud include telephone scams, hijacking of instant messaging applications, fake pages on social media platforms pretending to be travelling agencies purportedly selling fake travel products, and using AI deepfake technology to impersonate victims’ relatives and friends to swindle money and/or personal data.

The Privacy Commissioner emphasised that as the development of AI becomes more mature, there would likely be more fraud cases involving deepfake technology in future. She advised the public to minimise the sharing of portrait photos and videos on social media platforms and to review their default privacy settings.

Please click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).

Reaching Out to the Property Management Sector – Privacy Commissioner Attends the First Anniversary Ceremony of Smooth Implementation of the Property Management Licensing Regime 

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “First Anniversary Ceremony of Smooth Implementation of the Property Management Licensing Regime cum Continuing Professional Development Seminar” hosted by the Property Management Services Authority (PMSA) on 1 August. The Privacy Commissioner received the certificate of appreciation from the PMSA in recognition of the support of the PCPD given to the PMSA in implementing the “Continuing Professional Development Scheme” on mandatory basis after the end of the transitional period of the licensing regime relating to the property management industry and enhancing the status and professionalism of the property management industry. 

Promoting AI Safety – the PCPD Organises a Seminar 

The PCPD organised a seminar on “AI and Privacy Protection: Balancing Innovation and Safety” in hybrid mode on 30 July, which attracted nearly 1,000 participants.

At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling introduced the PCPD’s newly published “Artificial Intelligence: Model Personal Data Protection Framework” and elaborated on the best practices for any organisations which procure, implement and use AI systems (including generative AI) that involve the use of personal data. Director of Multimedia Systems and Analytics of Artificial Intelligence and Trust Technologies of Hong Kong Applied Science and Technology Research Institute Dr Arvin TANG also shared with the participants some practical experience on how AI could be developed and applied in a privacy-friendly manner.

Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Please click here for Dr Tang’s presentation deck (Chinese only).

Promoting AI Security –  PCPD Representative Speaks to the Financial Sector

Acting Senior Legal Counsel (Global Affairs & Research) of the PCPD Ms Joyce LIU spoke on 27 August at a webinar jointly organised by Hong Kong Investment Funds Association and Private Wealth Management Association on the PCPD’s recent guidance titled “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework). 

During the webinar, Ms LIU shared with practitioners the personal data privacy challenges faced by the financial services sector in relation to the use of AI, and explained how the Model Framework could help formulate and enhance the AI strategy and governance of their organisations. 

Please click here for the presentation deck.

Raising Public Awareness to Combat Fraud – PCPD’s Representative Attends Anti-fraud Promotional Event 

Head of Corporate Communications of the PCPD Ms Phoebe CHOW attended the APEXperiment anti-fraud closing ceremony organised by Junior Chamber International Apex on 24 August to serve as the award presenter and guest speaker.

At the event, Ms CHOW presented awards to winners of the youth category of an anti-fraud slogan competition. During a panel discussion, she shared with participants the tips on how to avoid falling into scam traps and protect personal data.

Reaching Out to the Legal Sector – PCPD’s Representative Speaks at the Webinar Entitled “Cross-boundary Flow of Personal Information Within the Greater Bay Area”

Acting Senior Legal Counsel of the PCPD Ms Clemence WONG spoke at the “Cross-boundary Flow of Personal Information Within the Greater Bay Area” Webinar organised by the Hong Kong Academy of Law on 20 August, which attracted more than 110 participants from the legal sector.
 
At the webinar, Ms WONG provided the participants with an overview of the six data protection principles and the requirements for cross-border transfers of personal data from Hong Kong under the PDPO. She also elaborated on the facilitation measures relating to the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong).
 
Please click here for the presentation deck.

Nurturing Talents – the PCPD Summer Internship Programme 2024

The PCPD has organised a Summer Internship Programme (Programme) this year, with a view to providing university students with practical work experience and preparing them for their future career development, as well as deepening their understanding of the PCPD’s work.
 
Two interns from the University of Hong Kong have participated in the Programme this year. They are now working in the Corporate Communications and Global Affairs and Research Divisions respectively, through which they gain an understanding of various aspects of the PCPD’s work in safeguarding the personal data privacy of members of the public.

Reaching Out to the Banking Sector – the PCPD and Hong Kong Institute of Bankers Jointly Organise a Seminar

The PCPD and the Hong Kong Institute of Bankers co-organised a seminar on “Data Protection and Data Access Request” on 16 August, which attracted more than 600 participants from the banking sector.
 
At the seminar, Personal Data Officer (Complaints) of the PCPD Mr Austin WONG elaborated on the rights of data subjects to access their data under the PDPO and the relevant requirements. Mr Wong also introduced some complaint cases involving the banking industry.

Please click here for the presentation deck.

Reaching Out to the Banking Sector – the PCPD, Hong Kong Monetary Authority and Hong Kong Association of Banks Jointly Organise a Seminar

The PCPD, the Hong Kong Monetary Authority and the Hong Kong Association of Banks co-organised a seminar on recommended measures to enhance data security and to handle data breaches on 9 August, which attracted more than 140 participants from the banking sector.

At the seminar, Acting Senior Legal Counsel Ms Clemence WONG and Acting Senior Personal Data Officer (Compliance and Enquiries) Ms Ayee MAN of the PCPD highlighted the key points in preventing and handling data breach incidents, as well as explained how to adopt proper security measures to enhance data security. They also shared some data breach cases in the banking industry and elaborated on the causes of the breaches and the remedial measures taken.

Please click here for the presentation deck.

MEDIA STATEMENT

The PCPD Issues New Versions of “Code of Practice on the Identity Card Number and Other Personal Identifiers: Compliance Guide for Data Users” and Information Leaflet Titled “Your Identity Card Number and Your Privacy”

The Hong Kong Identity (HKID) card contains sensitive personal data. The leakage of such data may lead to identity theft and perpetration of fraud. Hence, organisations should be particularly careful when they collect and handle the HKID Card data of members of the public and ensure compliance with the relevant requirements of the PDPO. The PCPD issued a new version of the “Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users” (the Compliance Guide) to assist organisations in complying with the requirements under the “Code of Practice on the Identity Card Number and other Personal Identifiers” issued by the PCPD as regards the collection, accuracy, retention, use and security of HKID Card numbers, copies of the HKID Card and other personal identifiers.
 
Furthermore, the PCPD also issued a new version of the information leaflet titled “Your Identity Card Number and Your Privacy” (the Information Leaflet), which explains to the public how to protect their privacy concerning HKID Card numbers and copies in different scenarios in their daily lives. These scenarios include the collection of HKID card copies by banks, insurance companies or estate agents in compliance with statutory requirements, the collection of HKID Card numbers by building security guards, and when prospective employers can request copies of HKID Cards from prospective employees, etc.

Please click here to download the new “Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users”.
 
Please click here to download the new “Your Identity Card Number and Your Privacy” information leaflet.

A 45-year-old Man Arrested for Suspected Doxxing of His Former Supervisor

The PCPD arrested a Chinese male aged 45 in the New Territories on 26 Aug. The arrested person was suspected to have disclosed the personal data of his former supervisor without his consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the victim was formerly the supervisor of the arrested person and they worked in the same company (the Company). In December 2023, the arrested person was dismissed because of work performance issues. Thereafter, the arrested person demanded the victim to reinstate him but in vain, and the parties also had a row over the properties which were placed inside the arrested person’s previous office in the Company. Subsequently, between March and April 2024, flyers containing the personal data of the victim were posted on three occasions in the vicinity of the Company and near his son’s school, alongside some negative comments against him.  The personal data disclosed included the victim’s Chinese name and photo. The flyers also contained photos of the victim’s wife as well as his son and daughter.

The PCPD reminds members of the public that they should not dox others because of work disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

Relevant Provisions under the PDPO
 
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject – 

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject. 
   

A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if – 

1. The person discloses any personal data of a data subject without the relevant consent of the data subject –
   1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
   2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
      
2. The disclosure causes any specified harm to the data subject or any family member of the data subject.
   

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means – 

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

A 48-year-old Male Arrested for Suspected Doxxing Acts

The PCPD arrested a Chinese male aged 48 in the New Territories on 16 August. The arrested person was suspected to have disclosed the personal data of a data subject without his consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the victim and the arrested person formerly were both members of a trade association (the Association). As the victim disagreed with the operation of the Association, he resigned from the Association in December 2023. In July 2024, the relationship between the victim and the arrested person further deteriorated because of an incident. In August 2024, a fictitious newspaper article was distributed through an instant messaging application and a video was published on the official website of the Association, both of which disclosed the personal data of the victim alongside some negative comments against him. The personal data disclosed included copies of the victim’s birth certificate and other registration forms which showed the victim’s Chinese name, English name, English alias, signature, HKID Card number, Home Return Permit number, gender, date and place of birth, race and place of origin, correspondence address, telephone numbers and education background, etc.. Other personal data disclosed included the victim’s nationality, residential address, past and present positions in different institutions and photos.
 
The PCPD reminds members of the public that they should not dox others because of personal disputes. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

A 25-year-old Male Arrested for Suspected Doxxing Arising from Relationship Entanglements

The PCPD arrested a Chinese male aged 25 in Kowloon on 12 August. The arrested person was suspected to have disclosed the personal data of his ex-girlfriend without her consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the victim and the arrested person formerly were lovers, but the two broke up in July 2024. Shortly afterwards, four images containing the personal data of the victim were posted in a personal account on a social media platform, alongside some negative comments against her. The personal data disclosed included the victim’s Chinese name, date of birth, mobile phone number, username of her social media account, as well as the names of the residential estate and building where she resides.
 
The PCPD reminds members of the public that they should not dox others because of relationship disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

Privacy Commissioner Publishes Investigation Findings on the Data Breach Incidents of The Council of the Hong Kong Laureate Forum Limited and The Hong Kong Ballet Limited

On completion of its investigation into the data breach incidents of The Council of the Hong Kong Laureate Forum Limited (the Council) and The Hong Kong Ballet Limited (HKB), the PCPD published its findings on 8 August.

1) The Ransomware Attack on the Information Systems of the Council

The investigation arose from a data breach notification submitted by the Council to the PCPD on 27 September 2023, reporting that its computer systems and file servers had been attacked by ransomware (the Incident).

The investigation revealed that the initial intrusion into the Council’s network took place on 26 September 2023. It was discovered that a hacker obtained the credentials of a user account of the Council with administrator privileges through a brute force attack, and subsequently gained access to the Council’s server from the firewall virtual private network (VPN) zone. The hacker proceeded to perform lateral movement within the Council’s network and subsequently deployed and executed ransomware identified as “Elbie”, which resulted in the encryption of files contained in one server and seven endpoints. Furthermore, the backup data stored in another server was also sabotaged by the hacker.

The Incident affected the personal data of 8,122 individuals, which included approximately 7,200 e-newsletter subscribers, and the personal data affected included their names and email addresses. The other 920-odd individuals affected included applicants for young scientists, Shaw Laureates and their accompanying persons, forum ambassadors/event helper applicants, locally engaged scientists and speakers, reviewers, event helpers, current and former staff members of the Council as well as board members of the Council. The personal data affected included names, addresses, email addresses, telephone numbers, passport information, full/partial passport/ HKID Card numbers, bank account/credit card information, dates of birth, nationalities/places of birth, CVs/transcripts, affiliated organisations and/or academic backgrounds.

The Council implemented various organisational and technical remedial measures after the Incident, which included the configuration of firewall rules, the conduct of a full-scale account audit and implementation of a strong password policy, in order to enhance the overall system security to safeguard personal data privacy.

Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of the Council were the contributing factors of the occurrence of the Incident:

1. Deficiencies in information system management, which included the failure to update the firmware of the firewall, which had multiple critical vulnerabilities, the absence of any update of the anti-virus software database since 2019, the absence of multi-factor authentication for remote access to verify the identity of users, the absence of password policy, the absence of network segmentation and internal firewall security rules, and the failure to conduct security audit and vulnerability assessment;
2. Lax monitoring of the data security measures adopted by the service vendor, resulting in the Council’s failure to ensure that the vendor delivered all the services contained in its service agreement, including the timely update of software and the installation of patches. Consequently, the Council only discovered the outdated firewall firmware with multiple critical vulnerabilities and the outdated antivirus database after the Incident;
3. Lack of policies and guidelines on information security: Hence, staff members and vendors did not have a clear understanding of their responsibilities under the network security framework and the required security protocol and practices; and
4. Lack of appropriate data backup solutions, which led to the failure to keep original data and backup data on different networks. Consequently, the backup data was sabotaged by the hacker in the Incident, making data recovery impossible.

Based on the above, the Privacy Commissioner found that the Council had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening the requirements concerning security of personal data under DPP 4(1) of the PDPO.

The Privacy Commissioner has served an Enforcement Notice on the Council, directing it to take measures to remedy the contravention and prevent similar recurrence of the contravention.

2) The Ransomware Attack on the Servers of HKB

The investigation arose from a data breach notification submitted by HKB to the PCPD on 16 October 2023, reporting that HKB suffered from a ransomware attack on 29 September 2023, which affected four physical servers of the information systems of HKB (the HKB Incident).

The investigation revealed that the initial intrusion into HKB’s network took place on 15 September 2023. As the operating software of a server (the Server) was outdated at the time of the HKB Incident, the hacker successfully gained access to HKB’s network by exploiting the vulnerabilities in the Server. Subsequently, the hacker employed various malicious tools and programmes, including credential dumping tools and remote access tools, to acquire passwords of the information technology (IT) administrator and user accounts and to obtain information about the network and details of computers connected to the network. The information obtained was used by the hacker to carry out lateral movement in HKB’s network.

On 17 September 2023, the hacker employed a domain administrator account to deploy “LockBit” ransomware on HKB’s information systems, which resulted in the encryption of files and exfiltration of data and files stored therein. 

The investigation also found that, HKB was unable to determine the data contained in the encrypted files. Based on HKB’s estimation, the number of the affected individuals might be 37,840, which included HKB’s staff members, job applicants, ticket subscribers, guest artists, activity participants, donors, sponsors and vendors. The personal data affected included names, HKID Card numbers, passport numbers, photographs, dates of birth, addresses, email addresses, telephone numbers, health information, bank account numbers and/or credit card numbers (without CVV), employment information and academic information.

HKB implemented various organisational and technical remedial measures after the HKB Incident, which included redeploying its IT network infrastructure to align with security design principles, and updating its cybersecurity policies to enhance the overall system security to safeguard personal data privacy. HKB has also engaged a cybersecurity expert to provide advice on cybersecurity measures to improve and maintain its information systems in alignment with the latest cybersecurity standards.

Having considered the circumstances of the HKB Incident and the information obtained during the investigation, the Privacy Commissioner found that the following deficiencies of HKB were the contributing factors of the occurrence of the HKB Incident:

1. Outdated operating software of the Server, which was vulnerable to multiple critical remote code execution vulnerabilities. Moreover, HKB did not have any policy or procedures on the patching or update of its servers, which revealed a glaring deficiency in HKB’s regular patching and updating practices;
2. Unnecessary exposure of the Server to the Internet during system migration performed by the service vendor, thereby significantly increasing the risk of cyberattacks. This led to the Server being exploited by the hacker in the HKB Incident;
3. Lack of monitoring of the data security measures adopted by the service vendor, resulting in HKB’s failure to ensure that the vendor performed timely updates and implemented adequate security measures to safeguard the personal data stored in the information systems. Further, there was no requirement on safeguarding data security in the relevant service contract signed with the service vendor; and
4. Absence of security assessments and security audits of the information systems, which resulted in HKB’s inability to identify the vulnerabilities in the Server, and increased the risks of attacks on its information systems.

Based on the above, the Privacy Commissioner found that HKB had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening the requirements concerning security of personal data under DPP 4(1) of the PDPO.

The Privacy Commissioner has served an Enforcement Notice on HKB, directing it to take measures to remedy the contravention and prevent similar recurrence of the contravention.

The PCPD understands that small-and-medium enterprises and non-profit-making organisations may only have limited resources to ensure cybersecurity. However, it is worth noting that cyberattacks and data breaches have been on the rise globally with increasing digitisation of the information systems of organisations. 

The Privacy Commissioner recommends organisations to take appropriate organisational and technical measures to protect information systems that contain personal data, including the following:

• Regularly conducting risk assessments of security systems;
• Using firewalls and other software to protect computer networks;
• Regularly updating software;
• Regularly conducting vulnerability assessments and penetration tests on information and communications systems;
• Implementing patch management;
• Separating internal database servers from web servers; and
• Providing appropriate training for employees to raise their security awareness to build a “human firewall”.

The PCPD encourages organisations to observe the recommendations contained in the “Guidance Note on Data Security Measures for Information and Communications Technology” and the “Guidance on Data Breach Handling and Data Breach Notifications” to prepare themselves against any cyberattacks and to enhance cybersecurity and data security.

To assist organisations in safeguarding data security, the PCPD has already launched a “data security” thematic webpage, a “Data Security Hotline” (2110 1155), and the “Data Security Scanner”, which is a self-assessment toolkit for organisations to assess the adequacy of their data security measures for information and communication technology systems.

MAINLAND CORNER

Highlights of the “Draft Measures for the Administration of National Cyberspace Identity Authentication Public Services”
《國家網絡身份認證公共服務管理辦法（徵求意見稿）》的重點

To strengthen the protection of personal information and to regulate Mainland’s public service infrastructure for the authentication of national cyberspace identities (IDs) and accelerate the implementation of the Mainland’s trusted online identity strategy, the Ministry of Public Security and the Cyberspace Administration of China released the “Draft Measures for the Administration of National Cyberspace Identity Authentication Public Services” (Draft Measures) on 26 July 2024. According to the Draft Measures, the Mainland government will establish a national public service platform (Public Service Platform) for, among others, granting and authenticating cyberspace IDs, which will be in the form of cyberspace numbers¹ and cyberspace credentials². Individuals may voluntarily apply for their cyberspace numbers and cyberspace credentials to avoid providing personal information in plaintext (e.g. their government-issued ID card numbers) to internet service providers for account registration and identity authentication purposes. The Draft Measures also set out specific obligations of the Public Service Platform and internet service providers to ensure compliance with the relevant laws and regulations on personal information protection. The consultation of the Draft Measures ended on 25 August 2024. This article provides an overview of the Draft Measures.

為強化個人信息保護、規範國家網絡身份認證公共服務建設應用及加快實施網絡可信身份戰略，公安部及國家互聯網信息辦公室（網信辦）於2024年7月26日發布了《國家網絡身份認證公共服務管理辦法（徵求意見稿）》（《徵求意見稿》）³。《徵求意見稿》提出建設國家統一的網絡身份認證公共服務平台（ 「公共服務平台」），為自然人提供申領網號⁴、網證⁵以及進行身份核驗等服務⁶。自然人可自願向公共服務平台申領網號、網證，從而避免在互聯網平台進行用戶登記、核驗真實身份信息時，向互聯網平台提供政府發放的身份證號碼等明文身份信息。《徵求意見稿》亦具體地闡明了公共服務平台及互聯網平台的義務，以確保它們遵循與個人信息相關的法律法規。《徵求意見稿》的意見反饋時間已於2024年8月25日截止，重點摘錄如下：

申請資格⁷

持有有效法定身份證件的自然人，可自願向公共服務平台申領網號、網證⁸。未滿十四歲的自然人應徵得其父母或者其他監護人同意，並由其父母或其他監護人代為申領。已滿十四歲而未滿十八歲的自然人則應當在其父母或其他監護人的監護下申領網號、網證。

值得注意的是，持有港澳居民來往內地通行證、台灣居民來往大陸通行證、外國人永久居留身份證等身份證件的自然人亦可自願向公共服務平台申領網號、網證⁹。

公共服務平台的使用方式及互聯網平台的責任

《徵求意見稿》鼓勵互聯網平台按照自願原則接入公共服務，用以支持用戶使用網號、網證登記、核驗用戶真實身份信息¹⁰。如用戶選擇使用網號、網證登記、核驗身份並通過驗證，互聯網平台不得要求用戶另行提供明文身份信息（除非法律、行政法規另有規定或用戶同意）¹¹。

若互聯網平台需核驗用戶身份但無需留存用戶法定身份證件信息，公共服務平台應僅提供用戶身份核驗結果。若互聯網平台確需獲取、留存相關信息，在經用戶授權或者獲取其單獨同意後，公共服務平台應當按照最小化原則提供¹²。公共服務平台若要處理敏感個人信息，則應當取得個人的單獨同意¹³。

最後，未經自然人單獨同意，互聯網平台不得擅自處理或者對外提供相關數據信息，法律、行政法規另有規定的除外¹⁴。

有關公共服務平台處理用戶個人信息的責任

《徵求意見稿》提到，公共服務平台在處理用戶個人信息前，應當通過用戶協議等書面形式，以顯著方式、清晰易懂的語言真實、準確、完整地向用戶告知下列事項¹⁵：

1. 公共服務平台的名稱和聯繫方式；
2. 用戶個人信息的處理目的、處理方式，處理的個人信息種類、保存期限；
3. 用戶依法行使其個人信息相關權利的方式和程序；及
4. 法律、行政法規規定應當告知的其他事項。

如處理敏感個人信息的，公共服務平台還應當向個人告知處理的必要性以及對個人權益的影響。

另外，《徵求意見稿》亦要求公共服務平台加強數據安全和個人信息保護，依法建立並落實安全管理制度與技術防護措施¹⁶。

違反《徵求意見稿》的法律責任

最後，公共服務平台和互聯網平台若違反《徵求意見稿》的有關規定，國務院公安部門、國家網信部門將在各自職責範圍內依照《網絡安全法》、《數據安全法》、《個人信息保護法》予以處罰；如構成犯罪的，則依法追究刑事責任¹⁷。

總結

總括而言，《徵求意見稿》明確了使用「網號」及「網證」進行網絡身份認證的方式，同時確立了公共服務平台在收集個人信息時應遵從「最小化和必要性原則」，闡明了有關平台在處理用戶個人信息時的義務，為國家網絡身份認證公共服務平台的建設打下根基。

基於《徵求意見稿》所述的公共服務，互聯網服務的用戶登記、核驗真實身份信息時，可通過國家網絡身份認證手機應用程式自願申領並使用「網號」及「網證」進行非明文登記、核驗，無需向互聯網平台等提供明文個人身份信息，可減少互聯網平台以落實「實名制」為由過度收集及保留公民個人信息。

雖然相關的國家網絡身份認證手機應用程式（試點版）已經在多個應用商店上線，相關持份者亦應密切留意《徵求意見稿》的定稿及最新的規例變更（如有），以確保遵從最新的規定。

¹ Cyberspace number is an online personal identifier composed of letters and numbers which corresponds to a natural person’s identity but does not include personal information in plaintext (Article 2 of the Draft Measures).

² Cyberspace credential refers to a cyberspace identity authentication certificate that carries (i) the cyberspace number; and (ii) the personal information of a natural person which is not in plaintext (Article 2 of the Draft Measures).

³ 全文：https://www.cac.gov.cn/2024-07/26/c_1723675813897965.htm

⁴ 即與自然人身份信息一一對應，由字母和數字組成、不含明文身份信息的網絡身份符號（《徵求意見稿》第二條）。

⁵ 即承載網號及自然人非明文身份信息的網絡身份認證憑證（《徵求意見稿》第二條）。

⁶《徵求意見稿》第二條。

⁷《徵求意見稿》第四條。

⁸《徵求意見稿》第四條。

⁹  亦包括居民身份證、定居國外的中國公民的護照、前往港澳通行證、港澳居民居住證、台灣居民居住證等等，見《徵求意見稿》第十五條。

¹⁰《徵求意見稿》第七條。

¹¹《徵求意見稿》第七條。

¹²《徵求意見稿》第八條。

¹³《徵求意見稿》第九條。

¹⁴《徵求意見稿》第八條。

¹⁵《徵求意見稿》第十條。

¹⁶《徵求意見稿》第十二條。

¹⁷《徵求意見稿》第十四條。

RECOMMENDED TRAININGS

Professional Workshop on Data Protection in Banking / Financial Services

The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary. This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively.

Date: 4 September 2024 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Data protection officers, compliance officers, banking / financial practitioners, company secretaries and solicitors.

Practical Workshop on Data Protection Law

With the rising public awareness and expectations of personal data privacy protection, it has become a regular practice for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence. This workshop will examine the practical application of the PDPO at work by sharing real-life cases and providing practical advice. 

Date: 11 September 2024 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Fee: $950/$760*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, barristers, legal counsels, data protection officers and compliance officers.

Professional Workshop on Data Protection and Data Access Request

Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request employers for copies of their previous appraisal reports; patients may request for copies of their medical records, etc. Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations. This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR. 

Date: 25 September 2024 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Face-to-face

(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel.

New Series of Professional Workshops on Data Protection from Oct to Dec 2024:

Online Free Seminar – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions show below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

Special offer for organisational renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

Join us now to keep up-to-date with the latest news and legal developments!

SUPPORTING EVENTS

The PCPD Supports the HKIoD’s Directors’ Symposium 2024

The PCPD is delighted to be one of the supporting organisations of the “Directors’ Symposium 2024” organised by the Hong Kong Institude of Directors (HKIoD). 

“Leading with Agility in an Era of Innovation” is the theme of the “Directors’ Symposium 2024”. It aims to help businesses to steer through economic doldrums, and highlight good corporate governance and director professionalism by offering participants the opportunity to gain inspirations from world-class business and community leaders of various industries as speakers through their insights, wisdom and strategies sharing.

Please click here for more information about the “Directors’ Symposium 2024”.

The PCPD Supports the ISACA China Hong Kong Chapter 2024 Annual Conference

The PCPD is delighted to be one of the supporting organisations of the “ISACA China Hong Kong Chapter 2024 Annual Conference” (the Conference) organised by the ISACA China Hong Kong Chapter is now open for enrolment. 

“AI in the Age of Digital Transformation: Risks, Strategies, and Governance” is the theme of the Conference. The Conference aims to provide actionable insights to help organisations navigate the complexities of AI and leverage its benefits while mitigating associated risks. It will gather thought leaders, innovators, and professionals from across the globe to engage in an in-depth exploration of AI's role in digital transformation. Participants will have the opportunity to attend expert-led sessions, engage in interactive discussions, and network with peers to share experiences and solutions.

The event consists of a pre-conference workshop, a main conference and a post-conference workshop from 12 to 14 September.

Please click here for the enrollment form and relevant information of “ISACA China Hong Kong Chapter 2024 Annual Conference”.

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.