A fruitful finale to the 39th International Conference of Data Protection and Privacy Commissioners (“ICDPPC”) hosted by the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) from 25 to 29 September 2017
The 39th ICDPPC was successfully held from 25 to 29 September
2017 at Kowloon Shangri-La, Hong Kong. With the theme
“Connecting West with East in Protecting and Respecting Data
Privacy”, the Conference brought together more than 750
representatives from Data Protection Authorities
(“DPAs”), policy makers, government and business
leaders, information and communications technology
(“ICT”) professionals as well as academia and privacy
advocates from over 60 countries or regions to Hong Kong.
The five-day Conference consisted of a Closed
Session (26 to 27 September 2017) for the ICDPPC members and
observers, and an Open Session (28 to 29 September 2017) attended by
all in the data protection community.
Closed Session
At the Closed Session, in-depth discussions among the accredited
members of ICDPPC focused on the issues of government information
sharing. Speakers shared their views on the drivers and barriers to
government information sharing, how it could trigger public
concerns about discrimination and protection of sensitive
information, and what was to be done.
During the Conference period, 26 side events were
also staged by some 30 corporations and organisations from
different sectors of the community, covering a wide range of
privacy and data protection topics from global perspectives.
As the host of the 39th ICDPPC, the Privacy
Commissioner Mr Stephen Wong hosted a DPAs Dinner on 26 September
2017 to welcome representatives from the DPAs around the world.
Addressing the dinner, the Guest of Honour Mr Patrick Nip Tak-kuen,
Secretary for Constitutional and Mainland Affairs, said
that given the established network of global data protection
authorities, Hong Kong has been able to keep abreast of
international developments and trends in privacy protection, and
establish cross-border enforcement networks.
Winners of the ICDPPC Global Privacy and Data
Protection Awards were also announced during the dinner. The
inaugural awards had attracted 90 entries from data protection and
privacy authorities around the world. The PCPD’s “Be
SMART Online Thematic Website Enhancement” project won the
“Use of online tools” category award.
Various performances were also staged at the
dinner to showcase the cultural characteristics of Hong Kong, such
as the performance by the City Contemporary Dance Company, face
changing performance, etc.
Open Session
At the opening ceremony for the Open Session, the Guest of Honour
and Secretary for Justice of Hong Kong SAR, The Honourable Rimsky
Kwok-keung YUEN, said Hong Kong has been the most popular data
centre in the region and is ready to serve as a data hub for the
Belt and Road Initiative, facilitating transfer and storage of
data, connecting and converging ideas and information between the
Mainland and the rest of the world. Mr Yuen said
that data privacy protection and free flow of data would
continue to be the core values in taking forward such a policy
initiative.
The Privacy Commissioner then elaborated in his
speech on the phenomenal change in the global privacy landscape and data
evolution in Hong Kong and the mainland of China. He
also took this opportunity to share with the Conference attendees
the initial observations of a comparative study carried out by his
office between the European Union’s General Data Protection Regulation
(“GDPR”) (which will come into effect in May next year)
and the Personal Data (Privacy) Ordinance, covering the areas of
“notice and consent”, “accountability”, “sanction” and
“extra-territorial application”. He said his
office will publish guidance and organise seminars to help
organisations understand the GDPR’s standards. He also
stressed that data users need to add value beyond just complying
with the regulations, and that it is high time to
develop an equitable data privacy right for all
stakeholders.
Mr Yuen then kicked off the Open Session of the
ICDPPC, in which local members of the public participated, together
with the Chair of ICDPPC Mr John Edwards and the Privacy
Commissioner Mr Stephen Wong.
At the Open Session, four main themes - (i) Data
Protection in Asia; (ii) Notice and Consent; (iii)
Cross-border Data Transfer; and (iv) Challenges of New Technology -
were presented by an international panel of 60 distinguished
speakers, panellists and moderators.
All conference guests, delegates and speakers were
invited to the Sky Reception which was held in the evening of 28
September 2017 at International Commerce Centre, the tallest
building in Hong Kong. The Honourable Charles Mok, Legislative
Council Member, was invited to be the Guest of Honour of the
night. All participants enjoyed the magnificent 360°
Victoria Harbour views and great performances.
The 39th ICDPPC concluded with the closing
ceremony on 29 September 2017. The Chair of the ICDPPC, Mr
John Edwards, in his closing remarks thanked the Privacy
Commissioner Mr Stephen Wong for his effort in making the Conference a
great success. All conference participants gave a standing
ovation to show their appreciation.
Professional Workshops on Data Protection
Oct to Dec 2017 workshops are open for enrolment!
These professional workshops are tailored to the
needs of those people wishing to deepen their knowledge of data
protection. Key features include:
- Analysis of each data protection
principle with relevant real-life scenarios
- Codes of Practice and Guidelines
- Updated guidance notes from the
PCPD
- Lessons learnt from real cases
- Recommended good practices
Stay SMART! Protect Your Personal Data - Tips for
the Elderly
The revised leaflet provides tips for the elderly
to be aware of the importance of protecting their personal data
privacy in order to keep away from possible privacy invasion.
Unnecessary collection of HKID
Card copy of a corporate customer’s representative by a
telecommunications company when the customer applied for
replacement of a mobile SIM card - Data Protection Principle (DPP) 1(1)
The Complaint
The Complainant was authorised by his employer to
apply for replacement of his employer’s mobile SIM card at a
branch of a telecommunications company. Although the Complainant
had produced his employer’s business registration certificate
and company chop, the telecommunications company demanded to scan
the Complainant’s HKID Card for record. Considering that the
telecommunications company had collected excessive personal data
from him, the Complainant lodged a complaint with the PCPD. The
telecommunications company explained that according to its
established practices, when a corporate customer applied for
replacement of a mobile SIM card, it would collect a copy of HKID
Card of the corporate customer’s representative, in addition
to the business registration certificate and company chop. The
representative’s HKID Card copy was collected for identity
verification to prevent the SIM card from being obtained by someone
impersonating the corporate customer.
Outcome
With respect to ascertaining if a corporate
customer’s representative is legally authorised by the
corporate customer, the Privacy Commissioner was of the view that
the telecommunications company should request the representative to
provide an authorisation letter containing the
representative’s name issued by the corporate customer. To
verify the representative’s identity, the telecommunications
company could request the representative to produce an
identification document with photo (e.g. HKID Card or staff card)
on-site to match it with the representative’s appearance and
name on the authorisation letter. If the telecommunications company
still had doubt about the representative’s identity, it could
contact the person-in-charge of the corporate customer direct for
clarification.
Hence, the Privacy Commissioner was of the view
that the telecommunications company’s collection of the HKID
Card copy of the corporate customer’s representative was
excessive and contravened DPP1(1).
After PCPD’s intervention, the
telecommunications company took various remedial measures, which
included ceasing to collect the HKID Card number, or copy, of a
corporate customer’s representative when handling replacement
of a mobile SIM card; notifying its frontline staff of the said
arrangement; and destroying HKID Card data of corporate
customers’ representatives previously collected.
Q: What are the privacy requirements for dealing with the
biometric data collected?
A: (i) Establish strong controls for access to, use and transfer of
biometric data
Data users should not use an individual’s
biometric data for any purpose that is not related to the purpose
for which it was originally collected, unless they have the
individual’s explicit and voluntary consent to such use, or
if such use is exempted from the provisions of the Personal Data
(Privacy) Ordinance (the Ordinance).
Written policy and clear guidance should be
devised to ensure the proper use of the biometric data collected,
and to prevent unnecessary linkage between the biometric database
and other IT systems or databases that may inadvertently result in
the transfer or change of use of the biometric data.
(ii) Retention of biometric
data
Data users should regularly and frequently purge
biometric data which is no longer required for the purpose for
which it is collected.
(iii) Ensure data accuracy
Data users are required to take all reasonably
practicable steps to ensure that the personal data held is
accurate.
To ensure the
accuracy of the biometric recognition system, data users must
ascertain and be satisfied that the false acceptance rate and false
rejection rate of the biometric recognition system are within
reasonable limits, having regard to the size of the population
monitored by the system.
(iv) Secondary use
Data users are
required not to use personal data collected for a new purpose
without the express consent of the data subject.
Data users collecting
biometric data for one purpose must ensure that it is not being
used for another unrelated purpose without obtaining express
consent from the data subject.
(v) Data security
Given the sensitivity of biometric data, it is
important that data users guard against any risk of compromise
or theft of the biometric database and that effective security
measures are implemented as are reasonably practicable in the
particular circumstances.
(vi) Duty to make the privacy policy
generally available
Data users should devise privacy policies and
procedures setting out clearly the rules and practices that are to
be followed in collecting, holding, processing and using biometric
data, and make them known to all parties concerned, such as
employees, contractors and/or customers.
(vii) Staff training
Proper training, guidance and supervision have to
be given to the staff responsible for the collection and management
of the biometric data. Employees who fail to properly carry out
their duties in the handling of biometric data should be subject to
appropriate disciplinary action.
(viii) Use of contractor
If contractors are engaged in the handling of
personal data, data users must adopt contractual or other means to
prevent personal data transferred to the contractor from being kept
longer than necessary and from unauthorised or accidental access,
processing, erasure, loss or use.
Extended Reading:
Guidance on Collection and Use of Biometric Data
Be SMART
Online FanPage
Make sure that you will
be kept up to date on data protection issues, news and
trends.
Motion Graphic Videos
– 6 DPPs
Understanding how the 6
DPPs represent the core of the Ordinance covering the life cycle of
a piece of personal data.
Response
to Media Enquiry or
Report
You can now visit our website to view PCPD’s response to
enquiry on latest privacy-related
issues.
For enquiry, please contact us.
Address: 12/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7171