What's On
The 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC)
The 39th ICDPPC will be held in Hong Kong from 25 to 29 September 2017 and is open for registration. Register now to enjoy the early bird discount!
Training Updates
Introduction to the Personal Data (Privacy) Ordinance Seminar
Two extra sessions in May 2017 are open for enrolment!
To raise public awareness and understanding of the Ordinance, the PCPD organises introductory seminars on the Ordinance twice a month.
Outline:
- A general introduction to the Ordinance
- The six data protection principles
- Offences & Compensation
- Direct Marketing
DPOC Activity
Privacy Awareness Week 2017
Lunch Talk – Smart Use of Portable Storage Devices and Data Breach Handling
Date: 9 May 2017 (Tuesday)
Time: 12:30 pm to 2:00 pm
Agenda:
- Sandwich lunch
- Welcoming remarks
- Talk on “Smart Use of Portable Storage Devices and Data Breach Handling”
Hold your own PAW 2017
The annual PAW 2017 will be held from 8 to 14 May 2017. You are cordially invited to hold your own PAW.
PCPD will recognise participating companies on our website.
Data Protection Principle (“DPP”) 3 - Whether the upload of the images to an online public platform is directly related to the purpose of collection
Question from Enquirer
The enquirer considered the services provided by the property management company to her residence substandard. For the purposes of lodging a complaint about this with the company as well as notifying other residents of her views, the enquirer proposed to take pictures and video clips of the staff member who was the subject of her complaint, and thereafter, possibly upload the pictures and video clips to an online public platform.
PCPD’s reply
The concerns relevant to this case are:
- whether the images are "personal data" governed by the Ordinance (s.2(1) of the Ordinance);
- if so, whether the collection of the images is necessary and fair (DPP1(1) and DPP1(2) of the Ordinance); and
- whether the upload of the images is directly related to the purpose of collection (DPP3 of the Ordinance).
Q: What are the risks of using portable storage devices ("PSDs")?
A: The use of PSDs means that large amounts of personal data can be quickly and easily copied to such devices without notice. If such PSDs are lost or stolen, unauthorised or accidental access or use of that personal data may result. In extreme cases, even personal data contained in files already deleted or previously stored on reformatted PSDs can easily be recovered.
Q: What are the areas that a risk assessment should look into to facilitate the formulation of the policy associated with the use of PSDs?
A: The risk assessment should at least look into the following areas:
- What types of PSDs are used to store personal data?
- What kinds of personal data are stored on PSDs and their sensitivity to the persons involved?
- Under what circumstances and how often are PSDs used for the storage of personal data?
- What is the likely impact on data subjects if a data breach incident involving PSDs occurs?
- Are there any controls, administrative or technical, in place for the use of PSDs?
Know Your Website Cookies
Check with your browser on how to configure the various cookie settings.
Administrative Appeals Board’s Decision
The Administrative Appeals Board (“AAB”) hears and determines appeals lodged against PCPD’s enforcement decisions.
AAB may confirm, vary or reverse PCPD’s decisions. The general practice of PCPD is to upload AAB’s decisions on an “as is” basis.
Industry-specific Resources
A number of compliance assistance and good practice resources are developed for specific industries.