What's On
PCPD has recently released the following publications:
- Code of Practice on Human Resource Management (April 2016 - First Revision)
- Compliance Guide for Employers and Human Resource Management Practitioners (April 2016 - First Revision)
- Human Resource Management: Some Common Questions (April 2016 - First Revision)
- Privacy Guidelines: Monitoring and Personal Data Privacy at Work (April 2016 - First Revision)
Privacy Awareness Week 2016 Highlights
Privacy Awareness Week (PAW) is an international event that raises awareness of the importance of protecting personal data privacy. The theme of PAW 2016 in Hong Kong is “Data Protection in Your Hands”. It is supported by 125 partner secondary schools and about 400 members of the Data Protection Officers' Club.
Promotional Campaign on Social Media (1-7 May 2016)
A set of posters was developed to promote “Data Protection in Your Hands”. Members of the public (individuals and organisations) can download and use them for education and promotion purposes.
Public Education Roadshow on Personal Data Protection (1-7 May 2016)
An exhibition truck toured around Hong Kong Island, Kowloon and New Territories to provide practical tips for data protection in daily chores such as responding to direct marketing approaches and using smartphones and social networks.
Educational Talk to Senior Citizens (4 May 2016)
To help senior citizens recognise potential data privacy risks and prevent them from being victimised by crime and financial exploitation, a talk was scheduled to share tips on personal data protection in daily life.
DPOC Welcoming Reception cum Lunch Talk (5 May 2016)
The Privacy Commissioner for Personal Data welcomed DPOC members at the reception. A talk was held to highlight the requirements of the new direct marketing regime and to share with members the recent direct marketing conviction cases.
Award presentation ceremony for recognition scheme on promoting privacy protection and TV advertisement competition (7 May 2016)
A recognition scheme on promoting privacy protection and a TV advertisement competition were held under the Student Ambassador for Privacy Protection Programme. Partner schools and finalists of the competition were invited to the award presentation ceremony as a wrap-up of the PAW.
DPOC Activity
Hold your own PAW 2016
Share Best Practices with Us!
We encourage members to share their corporate strategies and practices in data protection.
You are most welcome to be one of the guest speakers of our upcoming events, or contribute articles and photos of successful corporate experience.
Share your thoughts with us via dpoc@pcpd.org.hk
Q. What are the privacy requirements for dealing with the biometric data collected?
A:
(i) Establish strong controls for access to, use and transfer of biometric data
Data users should not use an individual’s biometric data for any purpose that is not related to the purpose for which it was originally collected, unless they have the individual’s explicit and voluntary consent to such use, or if such use is exempted from the provisions of the Ordinance.
Written policy and clear guidance should be devised to ensure the proper use of the biometric data collected, and to prevent unnecessary linkage between the biometric database and other IT systems or databases that may inadvertently result in the transfer or change of use of the biometric data.
(ii) Retention of biometric data
Data users should regularly and frequently purge biometric data which is no longer required for the purpose for which it is collected.
(iii) Ensure data accuracy
Data users are required to take all reasonably practicable steps to ensure that the personal data held is accurate.
To ensure the accuracy of the biometric recognition system, data users must ascertain and be satisfied that the false acceptance rate and false rejection rate of the biometric recognition system are within reasonable limits, having regard to the size of the population monitored by the system.
(iv) Secondary use
Data users are required not to use personal data collected for a new purpose without the express consent of the data subject.
Data users collecting biometric data for one purpose must ensure that it is not being used for another unrelated purpose without obtaining express consent from the data subject.
(v) Data security
Given the sensitivity of biometric data, it is important that data users guard against any risk of compromise and theft of the biometric database and that effective security measures are implemented as are reasonably practicable in the particular circumstances.
(vi) Duty to make the privacy policy generally available
Data users should devise privacy policies and procedures setting out clearly the rules and practices that are to be followed in collecting, holding, processing and using biometric data, and make them known to all parties concerned, such as employees, contractors and/or customers.
(vii) Staff training
Proper training, guidance and supervision have to be given to the staff responsible for the collection and management of the biometric data. Employees who fail to properly carry out their duties in the handling of biometric data should be subject to appropriate disciplinary action.
(viii) Use of contractor
If contractors are engaged in the handling of personal data, data users must adopt contractual or other means to prevent personal data transferred to the contractor from being kept longer than necessary and from unauthorised or accidental access, processing, erasure, loss or use.
Tips on Search Engines
Change your SafeSearch settings to block vulgar content from being displayed in search results and protect yourself from phishing websites.
Training Updates
Sessions of the Introduction to the Personal Data (Privacy) Ordinance Seminar from Jul - Dec 2016 are now open for enrolment!
Six Data Protection Principles
Data users have to follow the six DPPs, which represent the normative core of the PD(P)O and cover the entire life cycle of a piece of personal data.