
DPOC e-Newsletter


Privacy Commissioner Mr Stephen Wong delivered a presentation to the Insurance Authority titled “Personal Data Protection and Data Governance” (17 January 2018)

Download Presentation Materials

Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public 

The Privacy Commissioner issued the above Guidance Note to remind stakeholders involved in election activities to comply with the requirements under the Personal Data (Privacy) Ordinance (“the Ordinance”) in handling personal data at different stages of election activities so as to avoid data leakage.


Read Media Statement and Guidance Note

DPOC has always been an effective platform where members can share good practices and learn from each other. We cordially invite members to share their strategies and practices in data protection by contributing articles and/or photos of their successful campaigns. Please click “Share with us” to let us know about your good practice!

Share with us!

Professional Workshops on Data Protection 
Feb to Mar 2018 workshops are open for enrolment!

These professional workshops are tailored to the needs of those wishing to deepen their knowledge of data protection. Key features include:

  • Analysis of each data protection principle with relevant real-life scenarios
  • Codes of Practice and Guidelines
  • Updated guidance notes from the PCPD
  • Lessons learnt from real cases
  • Recommended good practices
Enrol Now!

Are you ready for the implementation of European Union General Data Protection Regulation?

To help organisations understand the standards of the European Union (“EU”) General Data Protection Regulation (“GDPR”), which comes into effect in May 2018, and its possible impact on their operations, the PCPD will organise, or co-organise with third parties, educational and promotional activities on the EU GDPR. Please complete and send the opt-in form to us to receive information on these activities.

Download Opt-in Form

Data Access Request and Accuracy and Retention of Personal Data (Data Protection Principle 2)

A company received a Data Access Request (“DAR”) lodged by a former employee (the “Employee”) who had left the company 15 years earlier, requesting copies of his payroll information during his employment (the “Requested Data”). The company checked and confirmed that it was still holding the Requested Data. Knowing that the Code of Practice on Human Resource Management (the “Code”) issued by the PCPD requires an employer to retain ex-employees’ personal data for not more than 7 years, the company wished to be advised on whether it should comply with the DAR by providing a copy of the Requested Data to the Employee, or destroy the Requested Data to comply with the requirements of the Code.

Relevant Provisions of the Ordinance and the Code

Section 18(1)(a) of the Ordinance stipulates that an individual can request a data user to confirm whether it holds his personal data. Section 18(1)(b) of the Ordinance further stipulates that the individual can request the data user to provide him with a copy of such data. Section 19(1) of the Ordinance requires the data user to comply with the request within 40 days after receiving it.

Concerning the continued retention of personal data of former employees, paragraph 4.2.3 of the Code stipulates that an employer should not retain the personal data of a former employee for a period longer than 7 years from the date the former employee ceases employment with the employer.

PCPD's Comment

As long as a data user is in possession of the data requested by a data requestor at the time the request is received, the data user should comply with the data access request by providing the requestor with a copy of the requested data. In this case, the employer should first comply with the DAR by providing the Employee with a copy of the Requested Data, and then comply with the Code by destroying the Requested Data in its possession. The employer should also devise data destruction procedures to make sure the retention requirement under the Code is fully complied with in the future.

Extended Reading:

Reference

Q: What are the legal requirements that a data user must comply with when collecting personal data directly from a data subject?

A: DPP1(3) specifies that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that:

a. the data subject is explicitly or implicitly informed, on or before the collection of his personal data, of whether the supply of the personal data is voluntary or obligatory (if the latter is the case, the consequence for the individual if he does not supply the personal data); and

b. the data subject is explicitly informed:

  • on or before the collection of his personal data, of the purpose for which the personal data is to be used and the classes of persons to whom the personal data may be transferred; and
  • on or before the first use of the personal data, of the data subject’s rights to request access to and correction of the personal data, and the name (or job title) and address of the individual who is to handle any such request made to the data user.

Q: What are Personal Information Collection Statement and Privacy Policy Statement, and how are they different?

A: A Personal Information Collection Statement (“PICS”) (or its equivalent) is a statement given by a data user for the purpose of complying with the notification requirements under DPP1(3) of the Ordinance. While the Ordinance does not require the notification to be given in writing, it is good practice for the requisite information to be provided to the data subjects in writing in the interests of transparency and to avoid possible misunderstanding between the parties. 

A Privacy Policy Statement (“PPS”) (or its equivalent) is a general statement about a data user’s privacy policies and practices in relation to the personal data it handles. Although the Ordinance is silent on the format or presentation of a PPS, it is good practice to have a PPS in written form to effectively communicate the data user’s data management policies and practices.

For the purpose of complying with DPP1(3), a PICS should be provided to a data subject by a data user on or before collecting personal data directly from that data subject.

On the other hand, in order to fulfil the requirements of openness and transparency under DPP5, a PPS is required AT ALL TIMES if a data user controls the collection, holding, processing or use of personal data. Typically the PPS covers a wider scope and, in addition to some of the core elements of the PICS, may include other privacy-related policies and practices such as the data retention policy, data security measures, data breach handling, and the use of special tools such as cookies on websites.

Extended Reading:
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement

Secure Sockets Layer (SSL)

Make good use of SSL to protect online information.


Media Responses
PCPD's responses to media enquiries about the Ordinance and the current personal data privacy issues.

Online Training Platform

It provides a convenient channel for data users who wish to understand the requirements of the Ordinance online.


For enquiries, please contact us.
Address: 12/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7171

You are receiving our e-Newsletters because you are a current member of the DPOC, and receiving them is one of the membership privileges we provide. If you do not wish to receive them, you may unsubscribe.

The contents of this website (including all uploaded publications) must be read subject to the Personal Data (Privacy) Ordinance.