Click here to view the web version
Issue 6, 28 March 2017
What's On
Renew your membership today and continue to enjoy various privileges throughout the year!
Special offer for organisational renewal:
Each organisation is entitled to the 2 for 1 scheme, i.e. two memberships. The annual fee remains at HK$350 per organisation.
Has your DPOC membership lapsed? Renew today!
Don't miss your membership privileges throughout the year, including:
- Free Access to Online Training Platform
- Enjoy 20% discount on the registration fee of PCPD activities
- Obtain latest PCPD news
- Briefings and sharing sessions for members' only
- And more... !
PCPD's Response to Media Enquiry Regarding the Suspected Theft of Registration and Electoral Office Computers that Involve Personal Data of Registered Voters
(This media statement provides Chinese version only)
(This media statement provides Chinese version only)
“Big Data, Artificial Intelligence and Privacy” Seminar
Re-open for registration!
The speakers will share some recent applications of big data analytics and artificial intelligence, look into the challenges and privacy risks associated with these innovative technologies, and explore the possible solutions.
Date: 26 April 2017 (Wednesday)
Time: 3:00 pm to 5:00 pm
Re-open for registration!
The speakers will share some recent applications of big data analytics and artificial intelligence, look into the challenges and privacy risks associated with these innovative technologies, and explore the possible solutions.
Date: 26 April 2017 (Wednesday)
Time: 3:00 pm to 5:00 pm
PCPD Launches the New TV API – “Think Privacy! Be Smart Online”
View the PCPD's latest TVC on our YouTube channel.
View the PCPD's latest TVC on our YouTube channel.
Guidance on CCTV Surveillance and Use of Drones
The PCPD has revised “ Guidance on CCTV Surveillance and Use of Drones” with illustrations to provide recommendations to data users on using CCTV and drones from the perspective of protecting personal data privacy.
The PCPD has revised “ Guidance on CCTV Surveillance and Use of Drones” with illustrations to provide recommendations to data users on using CCTV and drones from the perspective of protecting personal data privacy.
Data Protection Principle (“DPP”) 1 - Excessive Collection of customers’ Hong Kong Identity Card numbers for authentication purposes by a beauty centre
The Complaint
The Complainant, a customer of a beauty centre (the “Beauty Centre”), was required to provide her Hong Kong Identity Card number (“ID card number”) for online appointment bookings at the Beauty Centre. The Complainant considered the collection of her ID card number to be excessive, so she lodged a complaint with the PCPD.
Extended Reading:
The Complaint
The Complainant, a customer of a beauty centre (the “Beauty Centre”), was required to provide her Hong Kong Identity Card number (“ID card number”) for online appointment bookings at the Beauty Centre. The Complainant considered the collection of her ID card number to be excessive, so she lodged a complaint with the PCPD.
Outcome
The Privacy Commissioner’s investigation revealed that the Beauty Centre had issued a membership card to individual customers bearing the customer’s photo and a unique membership number.
The Privacy Commissioner was of the view that the collection of customers’ ID card numbers for authentication purposes was unnecessary and excessive, as the membership card number sufficed for the same purpose. Even if the Complainant could not produce her membership card on the spot, the Beauty Centre could ask for her name, telephone number and address to verify her identity. Therefore, the Beauty Centre had contravened DPP1(1).
In the course of the investigation, the Beauty Centre ceased the practice of collecting ID card numbers from customers and destroyed the records of ID card numbers previously collected to remedy the contravention. In the circumstances, the Privacy Commissioner decided to put the Beauty Centre on warning instead of serving an enforcement notice on it.
The Privacy Commissioner’s investigation revealed that the Beauty Centre had issued a membership card to individual customers bearing the customer’s photo and a unique membership number.
The Privacy Commissioner was of the view that the collection of customers’ ID card numbers for authentication purposes was unnecessary and excessive, as the membership card number sufficed for the same purpose. Even if the Complainant could not produce her membership card on the spot, the Beauty Centre could ask for her name, telephone number and address to verify her identity. Therefore, the Beauty Centre had contravened DPP1(1).
In the course of the investigation, the Beauty Centre ceased the practice of collecting ID card numbers from customers and destroyed the records of ID card numbers previously collected to remedy the contravention. In the circumstances, the Privacy Commissioner decided to put the Beauty Centre on warning instead of serving an enforcement notice on it.
Extended Reading:
- Guidance on Proper Handling of Customer’s Personal Data for the Beauty Industry
- Code of Practice on the Identity Card Number and Other Personal Identifiers
Q: What are the legal requirements that a data user must comply with when collecting personal data directly from a data subject?
Q: What are Personal Information Collection Statement (“PICS”) and Privacy Policy Statement (“PPS”), and how are they different?
A: DPP1(3) specifies that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that:
- the data subject is explicitly or implicitly informed, on or before the collection of his personal data, of whether the supply of the personal data is voluntary or obligatory (if the latter is the case, the consequence for the individual if he does not supply the personal data); and
- the data subject is explicitly informed:
- on or before the collection of his personal data, of the purpose for which the personal data is to be used and the classes of persons to whom the personal data may be transferred; and
- on or before the first use of the personal data, of the data subject’s rights to request access to and correction of the personal data, and the name (or job title) and address of the individual who is to handle any such request made to the data user.
Q: What are Personal Information Collection Statement (“PICS”) and Privacy Policy Statement (“PPS”), and how are they different?
A: A PICS (or its equivalent) is a statement given by a data user for the purpose of complying with the notification requirements under DPP1(3) of the Personal Data (Privacy) Ordinance (the “Ordinance”). While the Ordinance does not require the notification to be given in writing, it is good practice for the requisite information to be provided to the data subjects in writing in the interests of transparency and to avoid possible misunderstanding between the parties.
A PPS (or its equivalent) is a general statement about a data user’s privacy policies and practices in relation to the personal data it handles. It is good practice to have a PPS in written form to effectively communicate the data user’s data management policies and practices despite the Ordinance is silent on the format or presentation of a PPS.
For the purpose of complying with DPP1(3), a PICS should be provided to a data subject by a data user on or before collecting personal data directly from that data subject.
On the other hand, in order to fulfil the requirements of openness and transparency under DPP5, a PPS is required AT ALL TIMES if a data user controls the collection, holding, processing or use of personal data. Typically the PPS covers a wider scope and, in addition to some of the core elements of the PICS, may include other privacy related policies and practices such as data retention policy, data security measures, data breach handling, the use of special tools such as cookies on websites.
A PPS (or its equivalent) is a general statement about a data user’s privacy policies and practices in relation to the personal data it handles. It is good practice to have a PPS in written form to effectively communicate the data user’s data management policies and practices despite the Ordinance is silent on the format or presentation of a PPS.
For the purpose of complying with DPP1(3), a PICS should be provided to a data subject by a data user on or before collecting personal data directly from that data subject.
On the other hand, in order to fulfil the requirements of openness and transparency under DPP5, a PPS is required AT ALL TIMES if a data user controls the collection, holding, processing or use of personal data. Typically the PPS covers a wider scope and, in addition to some of the core elements of the PICS, may include other privacy related policies and practices such as data retention policy, data security measures, data breach handling, the use of special tools such as cookies on websites.
“Be SMART Online” Thematic Website
A one-stop portal to provide useful information and tips to protect personal data on computer and to reduce the risks of online privacy breach.
Response to Media Enquiry or Report
You can now visit our website to view PCPD’s response to enquiries on latest privacy-related issues.
DPOC e-Newsletter Reader Survey
We want to hear your thoughts and feedback so that we can improve the e-Newsletter. Please complete the survey.