PCPD e-NEWSLETTER
ISSUE Dec 2024
Sharing Festive Joy with Smart Elders – Privacy Commissioner’s Office Volunteer Team Organises a Fraud Prevention Christmas Gathering for Around 200 Elders
Privacy Commissioner’s Office Volunteer Team organised a fraud prevention Christmas gathering for around 200 elders.
The Volunteer Team of the PCPD visited St. James’ Settlement Wan Chai District Elderly Community Centre on 20 December and organised a Christmas fraud prevention gathering for around 200 elders. Privacy Commissioner Ms Ada CHUNG Lai-ling delivered anti-fraud messages, and artiste Mr LUK Ho-ming (陸浩明) joined the gathering as guest host and performer. The event aimed to enhance the elders’ awareness of fraud prevention in a lively and joyful way.
During the event, the Privacy Commissioner shared six tips on fraud prevention with the elders and reminded them to stay vigilant. Mr LUK hosted a quiz session with prizes to test the elders’ understanding of the protection of personal data privacy and of fraud prevention skills. He also sang a popular song and invited the elders to join in the chorus. A number of elders received prizes at the lucky draw session, and the Volunteer Team distributed Christmas gift bags to every elder, with a view to bringing them warmth and blessings before the festive season.
Established in 2022, the PCPD Volunteer Team has made multiple visits to elderly centres to raise elders’ awareness of fraud prevention. Recently, the Volunteer Team made home visits to elderly couples and elders living alone, and also helped prepare meal boxes for the needy. During the COVID-19 pandemic, the Team donated anti-epidemic medical supplies to various social welfare organisations.
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Privacy Commissioner’s Office Publishes Investigation Findings on the Data Breach Incident of the Electrical and Mechanical Services Department and the “Blind” Recruitment Advertisements Posted on the Online Platform of Jobs DB Hong Kong Limited
Privacy Commissioner Ms Ada CHUNG Lai-ling (middle), Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Ms Rebecca HO Kan-yeuk (left) and Senior Legal Counsel Ms Hermina NG Wing-hin (right) published the investigation findings on the data breach incident of the EMSD and the “blind” recruitment advertisements posted on the online platform of JobsDB.
The PCPD published two sets of investigation findings on 9 December. The first set of findings relates to the data breach incident of the Electrical and Mechanical Services Department and the second set of findings relates to the “blind” recruitment advertisements (Blind Ads) posted on the online platform of Jobs DB Hong Kong Limited (JobsDB).
(1) Data Breach Incident of the Electrical and Mechanical Services Department (EMSD)
The investigation arose from a data breach notification submitted by the EMSD to the PCPD on 1 May 2024, reporting its suspicion that the personal data of members of the public in its possession had been leaked. The data breach involved the personal data of persons who had undergone testing in the “restriction-testing declaration” (RTD) operations conducted in 2022 (the Incident).
Background
The EMSD conducted a total of 14 RTD operations between March and July 2022 to carry out COVID-19 tests for the residents or visitors of 14 buildings (see Annex 1). To collect the data of persons subject to testing in the RTD operations, the EMSD procured and used the services of an e-Form Platform (the e-Form Platform) associated with the cloud platform ArcGIS Online and created 14 e-forms. The relevant e-forms and data were stored in the data repository of ArcGIS Online.
In late 2022, when the EMSD noted that the RTD operations had come to an end, it immediately notified the contractor not to renew the service contract after its expiry in late February 2023. According to the EMSD, it considered that the e-Form Platform account would be invalidated upon expiry of the contract and that the relevant information would be automatically deleted by the contractor. It was not until its receipt of the PCPD’s notification on 30 April 2024 that the EMSD learned that the personal data of persons who had undergone testing in the RTD operations could be browsed by anyone at the relevant website of ArcGIS Online without logging into any account or entering any password. The EMSD hence immediately requested the contractor to remove the personal data involved from the e-Form Platform on the same day, so that the public could no longer browse the relevant information. The EMSD also submitted a data breach notification to the PCPD on the next day.
The Incident affected the personal data of over 17,000 persons. The personal data involved included names, addresses, Hong Kong Identity Card (HKID card) numbers, telephone numbers, ages, genders, whether the persons were vaccinated, whether they had tested positive in PCR tests and the respective dates.
Based on the information provided by the EMSD, subsequent to the Incident the EMSD has strived to learn from the Incident and has implemented a series of measures and initiatives, which included strengthening privacy management, comprehensively reviewing the work and guidelines on the handling of personal data, stepping up staff training and supervision of contractors, and enhancing departmental information technology support systems, so as to establish a more robust privacy protection framework and a corporate culture that values the protection of personal data.
Investigation Findings
In the course of the investigation, the PCPD conducted five rounds of enquiries with the EMSD and approached the contractor twice to obtain relevant information. The PCPD thanked the EMSD and the contractor for their cooperation and the provision of the information and documents requested in the investigation.
Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of the EMSD were the main contributing factors to the occurrence of the Incident:
1. Lack of written policies on the retention of personal data collected in the RTD operations. Hence, there was no clear guidance on the storage and disposal of data. While the EMSD might not have been able to specify the retention period or formulate a data retention policy before or during the RTD operations, it had all along relied only on the notification given to the contractor in late 2022 not to renew the contract as the basis for suggesting that a data retention period had actually been specified. However, there had not been any written policy specifying the retention period of the aforesaid data. Such written policies could provide a clear basis for the retention and disposal of data and could play an important role in this regard. In particular, in this case the data involved sensitive personal data, including the persons’ names, ages, genders, full addresses, phone numbers, as well as their HKID card numbers and PCR test results. Besides, the Incident affected over 17,000 persons. Therefore, the EMSD should have been particularly vigilant and cautious in handling the data involved.
2. Failure to make an unequivocal request to the contractor for deletion of the relevant data in late 2022, when the EMSD became aware that the RTD operations had come to an end. In notifying the contractor not to renew the contract, the EMSD had not explicitly requested the contractor to delete the personal data involved in the Incident. In fact, it was only when the EMSD became aware of the Incident on 30 April 2024 that it requested the contractor, on the same day, to remove the personal data involved from the e-Form Platform. The relevant data was then removed that evening, so that it could no longer be accessed by the public. It is evident that the data would have been removed upon a request made to the contractor. The Privacy Commissioner considered that requesting the contractor to delete the relevant data when the EMSD notified the contractor not to renew the contract would have been an effective and practicable step to safeguard the personal data involved. However, the EMSD did not take this action.
3. Failure to take the initiative to delete the personal data involved, particularly during the period from late December 2022 to late February 2023 when the EMSD was still able to log in to the e-Form Platform to manage the personal data stored therein. Instead, the EMSD only waited for the contract with the contractor to expire, without taking the initiative to check and delete the personal data from the platform to avoid unnecessary or excessive retention of the personal data. This is a clear deficiency; and
4. Failure to properly follow up with the contractor on the deletion of data, as the EMSD merely assumed that the contractor would act on its own volition after the expiry of the contract. The EMSD had never urged, checked or reminded the contractor to delete the personal data from the e-Form Platform, and had never sought to understand or monitor the progress or effectiveness of the contractor’s relevant actions. The EMSD, as the data user, should not merely wait passively for the contractor to take action, nor should it rely on its trust in the contractor and fail to verify the work done by the contractor. This is another obvious deficiency.
Privacy Commissioner Ms Ada CHUNG Lai-ling understood that amid the severe epidemic situation, departments involved in the RTD operations needed to deploy resources and act quickly. Owing to the time constraints, the EMSD might not have considered the policies and arrangements for deletion of personal data when it planned and conducted the RTD operations. However, since then, the EMSD has not formulated a policy on the retention period of the relevant personal data, nor has it made an unequivocal request to the contractor for data deletion; the EMSD also failed to proactively delete the personal data, or to follow up on and check the deletion of personal data by the contractor after the completion of the RTD operations, which resulted in the unnecessary exposure of the relevant personal data to the risk of data leakage. It is clear that not only had the EMSD failed to comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO), it had also fallen short of the reasonable expectations of the public.
In the circumstances, the Privacy Commissioner found that the EMSD:
- had not taken all practicable steps to ensure that the personal data involved was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening Data Protection Principle (DPP) 2(2) of the PDPO concerning the retention of personal data; and
- had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the EMSD, directing it to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future.
Download “Investigation Findings: Data Breach Incident of the Electrical and Mechanical Services Department”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf
(2) Eight Organisations Placed Blind Ads on JobsDB
The PCPD is concerned that the placing of Blind Ads on online recruitment platforms by organisations to collect personal data from job applicants may contravene the relevant requirements under the PDPO. The PCPD had earlier initiated investigations against JobsDB and eight organisations that had placed Blind Ads on JobsDB, and published the investigation findings on 9 December.
In general, a Blind Ad is one that neither identifies the recruiting organisation (either the employer or a recruitment agency acting on its behalf) nor contains sufficient information to identify it, and that either provides no means for job applicants to make further enquiries or provides one that does not contain sufficient information to identify the organisation, but that directly invites job applicants to submit their personal data, such as their HKID Card numbers, contact details or resumes.
The PCPD’s investigation revealed that organisations that have registered an account with JobsDB can place recruitment advertisements on JobsDB’s online platform. Since January 2024, candidates have been able to apply for the advertised jobs by clicking the “Quick apply” button as instructed in the advertisements and submitting the requisite personal data. Once submitted, the information is stored in JobsDB’s management system; applicants are able to request the deletion of their personal data via JobsDB, and JobsDB also controls the circumstances in which, and the duration for which, organisations can access the relevant data. In the circumstances, JobsDB controls the collection, holding, processing (which includes deletion) and use of the applicants’ personal data. In this regard, JobsDB is a “data user” under the PDPO and must comply with the relevant requirements under the PDPO and the DPPs.
The investigation also revealed that a recruiting organisation can publish recruitment advertisements in the name of a “Private Advertiser” without disclosing its name. The eight recruiting organisations under investigation published Blind Ads in the names of “Private Advertisers” (see Annex 2) to collect the job applicants’ personal data. The eight recruiting organisations are also “data users” under the PDPO; they comprised prospective employers and those acting on their behalf. Their businesses are in the areas of financial securities, apparel retail, Chinese medicine and transportation services, among others.
Having considered the circumstances of the cases and the information obtained from the investigations, Privacy Commissioner Ms Ada CHUNG Lai-ling found that all eight organisations that placed the aforesaid Blind Ads on JobsDB and requested job applicants to submit their personal data to unknown recruiting companies, as well as JobsDB, which published the same on its platform, were involved in the unfair collection of the job applicants’ personal data, which constituted contraventions of DPP 1(2) of the PDPO. The Privacy Commissioner has therefore served enforcement notices on JobsDB and three recruiting organisations, directing them to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future, and issued an advisory letter to each of the remaining five organisations. Through the findings of the investigation, the Privacy Commissioner would also like to call upon other operators of online recruitment platforms to:
- Beware of anyone using Blind Ads to perpetrate frauds or collect personal data by unfair means; and
- Carefully review recruitment advertisements received to identify Blind Ads and avoid publishing the same in order to protect the personal data privacy of members of the public.
The PCPD reiterated that Blind Ads may be used as an unscrupulous means to collect personal data and may be misused by swindlers to collect personal data for fraudulent activities. When job seekers are unable to ascertain employers’ identities, they should check and verify the information contained in the Blind Ads carefully, and should not respond to Blind Ads indiscriminately or submit their personal data. Members of the public who wish to make enquiries or lodge a complaint about the placing of Blind Ads may contact the PCPD (telephone: 2827 2827; email: communications@pcpd.org.hk or complaints@pcpd.org.hk). In order to protect job applicants’ personal data and project a positive corporate image, the PCPD appeals to employers to:
- Increase transparency in placing recruitment advertisements and disclose the identities of the organisations;
- Refrain from placing Blind Ads to collect job applicants’ personal data; and
- If necessary, consider engaging a recruitment agency that is identified in the advertisement to collect personal data from job applicants.
Download “Investigation Findings: Eight Organisations Placed Blind Ads on JobsDB”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_03031_e.pdf
Please click here to refer to Annex 1 (Dates, Buildings and Number of Persons Involved in the 14 RTD Operations) and Annex 2 (Particulars of the Blind Ads Placed by Eight Recruiting Organisations on JobsDB).
In This Issue
- Good Data Governance – It’s Time for a Data Clean-up
- Privacy Commissioner’s Findings: Unauthorised Access to an International Fashion Chain’s Customer Personal Data System
- Online Gaming and the Protection of Personal Data
- Re-Appointment of a Member to the Standing Committee on Technological Developments of the PCPD
- Free Online Seminar: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
- Application / Renewal of DPOC Membership
- Enhancing Data Security – the PCPD Collaborates with HKIRC to Launch a New Episode of Promotional Video
- Reaching Out to the Medical Sector – The Privacy Commissioner Attends the Hong Kong Medical Association 105th Anniversary Celebration Kick-off Ceremony cum Annual Dinner 2024
- Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Briefing for Facilitation Measure on the Greater Bay Area Standard Contract
- Reaching Out to Legal Professionals – Privacy Commissioner Attends the 2024 Pro Bono and Community Service Award Presentation Ceremony
- Reaching Out to the Community – Privacy Commissioner Attends China Macro Economy and Integration with the Greater Bay Area Forum 2024
- Enhancing Cybersecurity – Privacy Commissioner Attends the HKCNSA 1st Anniversary Ceremony
- Reaching Out to the Community – Privacy Commissioner Attends the Hong Kong Ombudsman 35th Anniversary Reception
- Promoting Cyber Security and AI Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
- Enhancing Data Security for Schools – the PCPD Organises a Seminar for the Education Sector
- Reaching Out to Social Welfare Sector – PCPD’s Representative Speaks at the 3rd SocTech Symposium 2024
- Highlights of the “Global Cross-border Data Flow Cooperation Initiative” (《全球數據跨境流動合作倡議》)
- International: Council of Europe Releases AI Assessment Methodology
- EU: AI Literacy – A Core Principle of the EU AI Act
- EU: Cyber Resilience Act Enters into Force
- Information Commissioner's Office (ICO), UK Government Detail Potential Impacts of Proposed Data Reforms
Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk.
Good Data Governance – It’s Time for a Data Clean-up
Organisations, as data users, usually collect, hold, process and use customers’ personal data in their daily operations. According to Section 26 of the PDPO, organisations should take all practicable steps to erase personal data held when the data is no longer required for the purpose for which it was used.
To ensure compliance and maintain effective data governance, organisations are responsible for erasing personal data so that it is not kept longer than necessary. A top-down approach to data destruction management is essential, necessitating the development of organisation-wide policies, guidelines and procedures. Additionally, organisations should establish clear personal data retention and erasure policies.
As the year draws to a close, it is a perfect time for organisations to review their internal data inventory and erase personal data that is no longer required. Here are some useful tips on data retention and erasure for organisations:
- Develop a personal data retention policy that specifies in detail the retention period of personal data they hold;
- Establish a personal data erasure policy that sets out specific management practices on how each type of records, digital or physical, is to be identified for erasure;
- Maintain an erasure record as evidence of compliance with the erasure policy; and
- Regularly review retention and erasure policies to ensure they keep pace with evolving work practices and technology developments.
To learn more about data protection in personal data erasure, please refer to Guidance on Personal Data Erasure and Anonymisation.
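The retention practice described in these tips, and the gaps identified in the EMSD findings above, as an added Python illustration (not PCPD or EMSD code): a written retention period per data category, a review that flags records past their deadline and categories with no period defined, and an erasure record in which a contractor-held record is only closed once the contractor's deletion has been verified. All categories, records, holders and dates are constructed sample values.

```python
"""Retention review with an erasure record (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Written retention policy: data category -> retention period in days.
# A category absent from this table has no defined retention period; the review
# reports that as a policy gap instead of silently keeping the data.
RETENTION_POLICY: Dict[str, int] = {
    "testing_form": 90,      # constructed value
    "loyalty_profile": 365,  # constructed value
}


@dataclass
class DataRecord:
    record_id: str
    category: str
    collected_on: date
    holder: str                          # "internal" or the name of a contractor
    purpose_ended_on: Optional[date] = None  # when the collection purpose was fulfilled


@dataclass
class ErasureEntry:
    record_id: str
    holder: str
    action: str   # "erased", "deletion_requested" or "deletion_verified"
    on: date
    evidence: str = ""


def retention_deadline(rec: DataRecord, policy: Dict[str, int]) -> Optional[date]:
    """Date by which the record must be gone, or None when no period is defined."""
    days = policy.get(rec.category)
    if days is None:
        return None
    start = rec.purpose_ended_on or rec.collected_on
    return start + timedelta(days=days)


def review(inventory: List[DataRecord], policy: Dict[str, int], today: date) -> Tuple[List[str], List[str]]:
    """Return (record ids due for erasure, record ids whose category has no retention period)."""
    due, gaps = [], []
    for rec in inventory:
        deadline = retention_deadline(rec, policy)
        if deadline is None:
            gaps.append(rec.record_id)
        elif deadline <= today:
            due.append(rec.record_id)
    return due, gaps


def process_erasure(inventory: List[DataRecord], due_ids: List[str], today: date,
                    record: List[ErasureEntry]) -> List[ErasureEntry]:
    """Erase internal records; for contractor-held data, log an explicit deletion request.
    Contract expiry is deliberately not an action here: it deletes nothing."""
    by_id = {r.record_id: r for r in inventory}
    for rid in due_ids:
        rec = by_id[rid]
        if rec.holder == "internal":
            record.append(ErasureEntry(rid, rec.holder, "erased", today, "deleted from internal store"))
        else:
            record.append(ErasureEntry(rid, rec.holder, "deletion_requested", today,
                                       "written deletion request sent to contractor"))
    return record


def verify_contractor_deletion(record: List[ErasureEntry], record_id: str,
                               confirmed_on: date, evidence: str) -> List[ErasureEntry]:
    """Close a pending request only when a deletion request exists and confirmation is on file."""
    pending = [e for e in record if e.record_id == record_id and e.action == "deletion_requested"]
    if not pending:
        raise ValueError(f"no deletion request on file for {record_id}")
    if not evidence:
        raise ValueError("contractor confirmation is required before closing the request")
    record.append(ErasureEntry(record_id, pending[-1].holder, "deletion_verified", confirmed_on, evidence))
    return record


def outstanding(record: List[ErasureEntry]) -> List[str]:
    """Record ids whose deletion was requested but never verified: the follow-up list."""
    requested = {e.record_id for e in record if e.action == "deletion_requested"}
    verified = {e.record_id for e in record if e.action == "deletion_verified"}
    return sorted(requested - verified)


# Constructed inventory: one contractor-held testing form whose purpose ended in 2022,
# two internal loyalty profiles, and one record in a category with no written period.
SAMPLE_INVENTORY = [
    DataRecord("F-001", "testing_form", date(2022, 7, 15), "eform-contractor", date(2022, 7, 31)),
    DataRecord("L-001", "loyalty_profile", date(2024, 1, 10), "internal"),
    DataRecord("L-002", "loyalty_profile", date(2022, 12, 1), "internal"),
    DataRecord("X-001", "event_signup", date(2023, 3, 1), "internal"),
]


def run_review(today: date = date(2024, 12, 31)):
    """Year-end review over the constructed inventory; returns (due, gaps, erasure record)."""
    due, gaps = review(SAMPLE_INVENTORY, RETENTION_POLICY, today)
    record = process_erasure(SAMPLE_INVENTORY, due, today, [])
    return due, gaps, record


if __name__ == "__main__":
    due, gaps, record = run_review()
    print("due for erasure:", due, "| policy gaps:", gaps, "| awaiting contractor:", outstanding(record))
```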
PRIVACY COMMISSIONER’S FINDINGS
Unauthorised Access to an International Fashion Chain’s Customer Personal Data System
Background
An international fashion company reported to the PCPD that its customer personal data system for e-commerce customers and loyalty programme members suffered a ransomware attack. As a result, about 200,000 customer records containing names, telephone numbers, email addresses, genders and age ranges were compromised.
The company engaged an independent consultant for investigation, which revealed that the company had failed to identify a known exploitable vulnerability. The attacker successfully logged into the customer personal data system with valid credentials and installed ransomware in the company’s network.
Remedial Measures
The company took the following remedial measures:
- Notified all affected customers;
- Scanned the system for all identified vulnerabilities and applied patches;
- Strengthened the detection and protection measures of its monitoring system;
- Enforced multi-factor authentication at login; and
- Defined retention periods and erased obsolete data on an annual basis.
Lessons Learnt
Data users should regularly review and monitor security of their networks and test and apply security patches in a timely manner. Data users should also limit the retention period of personal data, which should not be longer than necessary for the fulfilment of the collection purpose. The shorter the retention period, the lower the security risks.
Online Gaming and the Protection of Personal Data
In the digital age, video games on computers, mobile devices and social networks can be played online against other players. Online gaming is not merely a form of entertainment; it also serves as a networking platform where anonymous players can communicate through text messages or microphones. However, this may pose privacy risks and cyber threats, including the disclosure of personal data, data breaches, phishing, identity theft or even malware infections.
To be a smart gamer, here are some practical tips to safeguard your personal data while playing online games:
- Understand the privacy statements and other related terms and conditions of the online game to learn how its manufacturer will use your personal data;
- Check the privacy settings and select what kind of personal data to be disclosed;
- Stay alert and avoid revealing personal data when creating game accounts, personal profiles or usernames. This prevents cybercriminals from trying to collect your personal data, commit fraud or steal your cyber assets while playing online;
- Consider using different email addresses, profile pictures and strong passwords for each game you play, and keep this information separate from your real-life identity;
- Avoid sharing personal data with other players through online profiles or conversation, such as your real name, home address, age, gender, pictures, etc.;
- Avoid downloading unauthorised programmes or attachments relating to the game. Third-party game plugins may help advance your game level quickly, but they may also contain spyware and malware; and
- Install anti-malware software to protect your devices, and ensure the latest detection and repair engines have been applied.
Enhancing Data Security – the PCPD Collaborates with HKIRC to Launch a New Episode of Promotional Video
To assist organisations in raising employees’ awareness of cyber security and personal data protection, the PCPD and the Hong Kong Internet Registration Corporation Limited (HKIRC) have jointly launched a series of promotional videos to provide relevant guidance and tips to organisations in a lively manner.
The second episode, themed “Handling of Data Breach Incidents”, is now available at the PCPD’s website, YouTube channel and other social media platforms, as well as HKIRC’s “Cybersec Training Hub”.
Please click here to watch the video.
Reaching Out to the Medical Sector – The Privacy Commissioner Attends the Hong Kong Medical Association 105th Anniversary Celebration Kick-off Ceremony cum Annual Dinner 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong Medical Association (HKMA) 105th Anniversary Celebration Kick-off Ceremony cum Annual Dinner 2024 on 14 December and exchanged views with stakeholders from the medical sector on the protection of the personal data privacy of patients.
Founded in 1920, the HKMA is committed to advancing medical standards and safeguarding the public’s health in Hong Kong.
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Speaks at the Briefing for Facilitation Measure on the Greater Bay Area Standard Contract
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Briefing for Facilitation Measure on the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)” (GBA SC) organised by the Digital Policy Office on 10 December and gave a presentation. The Privacy Commissioner introduced the terms of the GBA SC and the relevant requirements under the PDPO to attendees coming from various sectors. She encouraged enterprises to adopt the GBA SC for cross-boundary transfers of personal information within the GBA.
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Reaching Out to Legal Professionals – Privacy Commissioner Attends the 2024 Pro Bono and Community Service Award Presentation Ceremony
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 2024 Pro Bono and Community Service Award Presentation Ceremony of the Law Society of Hong Kong on 9 December and presented prizes at the ceremony. The Law Society has been organising the Pro Bono and Community Work Recognition Programme (Programme) since 2010. The key objectives of the Programme are to promote public awareness of the pro bono work performed by members of the Law Society, trainee solicitors, registered foreign lawyers and university law students, and to recognise their pro bono efforts and contributions to the society. The Privacy Commissioner is a member of the judging panel for Distinguished Pro Bono Service Award (for individual/law firm) this year.
Reaching Out to the Community – Privacy Commissioner Attends China Macro Economy and Integration with the Greater Bay Area Forum 2024
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the China Macro Economy and Integration with the Greater Bay Area Forum 2024 organised by the Sing Tao News Corporation on 6 December and exchanged views with different stakeholders in the community. Titled “New Macro Economics and Creating New Dynamics”, the China Macro Economy and Integration with the Greater Bay Area Forum 2024 focused on the new economic situations of China and the United States, the strategy of the Greater Bay Area and the reform direction for Hong Kong.
Enhancing Cybersecurity – Privacy Commissioner Attends the HKCNSA 1st Anniversary Ceremony
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong China Network Security Association (HKCNSA) 1st Anniversary Ceremony as the Guest of Honour on 5 December. The Privacy Commissioner extended congratulations to the HKCNSA and wished the association continuous success, while helping its members to bolster their ability to safeguard data security.
HKCNSA is a non-profit organisation dedicated to promoting cybersecurity and information security.
Reaching Out to the Community – Privacy Commissioner Attends the Hong Kong Ombudsman 35th Anniversary Reception
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong Ombudsman 35th Anniversary Reception on 3 December and exchanged views with various stakeholders in the community. The PCPD has been working with the Office of The Ombudsman to enhance public administration and safeguard public interest. Officers of the PCPD have also received The Ombudsman’s Awards for Officers of Public Organisations for eight consecutive years in recognition of their outstanding performance and professionalism in handling complaints and enquiries.
Promoting Cyber Security and AI Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Cyber Security and AI Security: Prioritising Protection of Personal Data Privacy in the Digital Era” on Hong Kong Lawyer.
In the article, the Privacy Commissioner provided an overview of the key findings from the “Hong Kong Enterprise Cyber Security Readiness Index and AI Security Survey 2024” jointly published by the PCPD and the Hong Kong Productivity Council.
In particular, the Privacy Commissioner highlighted that the readiness index rose from 47.0 to 52.8 (out of 100) compared with last year, with the index for Corporates reaching an all-time high of 73.1 points. However, nearly 70% of the surveyed enterprises had experienced at least one type of cyberattack in the past 12 months, with phishing attacks continuing to be the most common type of cyberattack among these enterprises.
The Privacy Commissioner encouraged enterprises to make good use of the “Data Security” Package and the “Artificial Intelligence: Model Personal Data Protection Framework” recently launched by the PCPD to strengthen their capabilities in safeguarding cyber security and AI security.
Please click here to read the article.
Enhancing Data Security for Schools – the PCPD Organises a Seminar for the Education Sector
The PCPD organised a seminar on “Preventing and Handling Data Breach Incidents and Enhancing Data Security Measures for the Education Sector” in hybrid mode on 16 December, which attracted over 380 principals and teachers to attend.
At the seminar, Mr Brad KWOK, Chief Personal Data Officer (Compliance and Enquiries) of the PCPD, shared lessons learnt from data breach cases related to schools, and elaborated on the causes of the data breaches and the remedial measures taken. He also explained the key points in preventing and handling data breach incidents. In addition, Mr CHU Ka-tim, Chairman of the Hong Kong Association for Computer Education (HKACE) and Principal of Shatin Pui Ying College, and Mr FONG Ting-hei, Co-opted Council Member of the HKACE and Vice Principal of Pope Paul VI College, also shared with the participants best practices for handling personal data at schools.
Please click here to download Mr Kwok’s presentation deck (Chinese only).
Please click here to download the presentation deck of Mr Chu and Mr Fong (Chinese only).
Reaching Out to Social Welfare Sector – PCPD’s Representative Speaks at the 3rd SocTech Symposium 2024
Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) Ms Joyce LAI gave a presentation at the 3rd SocTech Symposium 2024 organised by the Hong Kong Council of Social Service on 11 December. In her presentation entitled “Data Security and Use of Artificial Intelligence (AI)”, Ms Lai spoke on how to enhance data security and adopt proper security measures, as well as introduced the “Artificial Intelligence: Model Personal Data Protection Framework” published earlier by the PCPD.
Please click here to download the presentation deck (Chinese only).
Re-Appointment of a Member of the Standing Committee on Technological Developments of the PCPD
On 30 December, Privacy Commissioner Ms Ada CHUNG Lai-ling announced the re-appointment of Dr Alan CHEUNG as a member of the Standing Committee on Technological Developments (SCTD) of the PCPD for a term of two years from 1 January 2025 to 31 December 2026. Dr Alan CHEUNG is the Chief Director of the Artificial Intelligence and Trust Technologies division at the Hong Kong Applied Science and Technology Research Institute (ASTRI). He leads the division in driving ASTRI’s initiatives, particularly in FinTech and Smart City, through Generative AI, multimedia data analytics, Federated Learning, Blockchain, Cybersecurity, and privacy-enhancing applications.
With effect from 1 January 2025, the members of the SCTD (in alphabetical order of surname) are as follows:
- Ms Ada CHUNG Lai-ling (Privacy Commissioner) (Co-chairperson)
- Ms Fiona LAI (Assistant Privacy Commissioner for Personal Data (Acting) (Legal, Global Affairs & Research)) (Co-chairperson)
- Ir Alex CHAN
- Dr Alan CHEUNG
- Adjunct Prof Jason LAU
- Dr Gregg LI
- Prof Hon William WONG Kam-fai, MH
- Prof Dit-Yan YEUNG
- Prof S M YIU
The SCTD was established to advise the Privacy Commissioner on, among other things, the impacts of the developments in the processing of data and information technology on the privacy of individuals in relation to personal data. It comprises distinguished external members of exceptional calibre from the information and communications technology industry, particularly experts in fields such as information security, cybersecurity, computing science and artificial intelligence. The diversity of experts from academic and corporate backgrounds also ensures a broad representation of perspectives and insights, which assists the Privacy Commissioner in formulating policies and recommendations to address technological developments while safeguarding privacy in relation to personal data.
Highlights of the “Global Cross-border Data Flow Cooperation Initiative”
To promote global cooperation on cross-border data flow and to build a mechanism to ensure efficient, convenient and secure cross-border data flow, the Cyberspace Administration of China issued the “Global Cross-border Data Flow Cooperation Initiative” (the Initiative)1 on 20 November 2024. The Initiative proposes a series of recommendations, including how to ensure the safe and orderly cross-border flow of personal information. This article provides an overview of the Initiative; its key points are summarised below.
Importance and Risks of Cross-border Data Flow
The Initiative points out that cross-border data flow is vital to many areas of each country’s e-commerce and digital trade, and indeed to its economy, science and technology and culture; it can effectively reduce trade costs, accelerate the digital transformation of industries, and realise a new form of globalisation driven by data flow.2
However, the Initiative also notes that while countries are promoting global cooperation on cross-border data flow, they are at the same time widely concerned about risks relating to national security, the public interest, personal privacy and intellectual property.3
Principles Advocated by the Initiative
The Initiative calls on countries to uphold the principles of openness, inclusiveness, security, cooperation and non-discrimination, and to balance digital technology innovation, digital economic development and digital social progress against the protection of national security, the public interest, personal privacy and intellectual property.4
Key Recommendations in the Initiative
The Initiative sets out eleven recommendations in total. Grouped by the type of data concerned, they include the following:
Data not involving national security, the public interest or personal privacy
- Respect the differences between the cross-border data flow regimes of different countries and regions, and support the free flow of this category of data.5
Non-personal data involving national security or the public interest
- Respect the necessary security protection measures that countries take for such data in accordance with their laws, and ensure the safe and orderly cross-border flow of the relevant non-personal data.6
Personal information7
- Respect the measures countries take to protect personal privacy and other rights and interests in personal information, and encourage countries to provide convenient channels for the cross-border transfer of personal information, on the premise that personal information is protected.
- Establish sound legal and regulatory frameworks for the protection of personal information, and encourage the exchange of best practices and good experience in this regard.
- Enhance the compatibility between personal information protection mechanisms and rules, and promote mutual recognition of the relevant standards, technical regulations and conformity assessment procedures.
- Encourage enterprises to obtain personal information protection certification to demonstrate their compliance with personal information protection standards, so as to ensure the safe and orderly cross-border flow of personal information.
The Initiative also encourages governments to explore establishing negative lists for the management of cross-border data flow, so as to promote the efficient, convenient and secure cross-border flow of data.8
Ensuring Data Security
To promote data security, the Initiative proposes:
- Enhancing the technical capabilities for ensuring the efficient, convenient and secure cross-border flow of data, and promoting international mutual recognition of evaluation standards for the technologies and security assurance capabilities relating to cross-border data flow.9
- Prohibiting the unlawful acquisition of data by means such as planting backdoors in digital products and services or exploiting vulnerabilities in digital technology infrastructure, and jointly combating cross-border illegal and criminal activities in the data field.10
Conclusion
In response to the challenges of cross-border data flow, the Initiative puts forward a “Chinese solution” for global data governance, offering the international community a framework for efficient, convenient and secure cross-border data flow cooperation that balances development with security.
1 Full text: https://www.cac.gov.cn/2024-11/20/c_1733706018163028.htm
2 Paragraph 1 of the Initiative.
3 Paragraph 2 of the Initiative.
4 Paragraph 3 of the Initiative.
5 Recommendation 2 of the Initiative.
6 Recommendation 3 of the Initiative.
7 Recommendation 4 of the Initiative.
8 Recommendation 5 of the Initiative.
9 Recommendation 9 of the Initiative.
10 Recommendation 11 of the Initiative.
Professional Workshop on Data Protection in Insurance
Insurance practitioners handle a large amount of customers’ personal data in their daily operations, including customers’ names, telephone numbers, addresses and identity card numbers. A proper understanding of the requirements under the PDPO is therefore necessary.
This workshop will examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight potential problems and their resolution. Participants will also engage in discussion of real cases relating to the handling of personal data in different aspects of insurance work.
Date: 8 January 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry
Professional Workshop on Personal Data Privacy Management Programme
With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations.
By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations.
Date: 15 January 2025 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.
New Series of Professional Workshops on Data Protection from Feb to Mar 2025:
Online Free Seminar – Introduction to the PDPO
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which entitles them to two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.