
DPOC e-Newsletter


Newly refurbished PCPD conference room

To cope with the increasing demand for briefings on data protection and for a meeting place for data protection professionals across the city, the PCPD has recently refurbished its conference room. With more seating capacity and cutting-edge audio-visual facilities, the PCPD conference room now accommodates more than 100 attendees of seminars or workshops at one time, providing attendees with a better learning experience.

The latest series of Professional Workshops on Data Protection from October to December is now open for enrolment. Please sign up to grasp the latest knowledge on data protection and experience the new facility. For details of the workshops, please refer to the "Training Update" section below.

 

Privacy Commissioner Mr Stephen Wong delivered a presentation for the Hong Kong Federation of Women titled "Hong Kong's Advantage as the Data Centre for the Belt and Road Initiative and the Greater Bay Area" (18 September 2018).

Download presentation materials (Chinese only)

Seminar on "How to Construct Comprehensive Privacy Management Programme"
Exclusively for DPOC members!

The PCPD has recently issued the "Best Practice Guide on Privacy Management Programme" (the Guide), which is a "2.0 version" of the 2014 issue. This seminar will take you through the concrete examples, charts, and questionnaire and checklist templates in the Guide to help you construct a comprehensive Privacy Management Programme (PMP) in your organisation.

Don't miss this chance to learn about the latest developments in PMP. Enrol now!

ICO issues first enforcement action under the GDPR

The ICO has issued the first formal enforcement action under the EU GDPR and the UK Data Protection Act 2018 against Canadian data analytics firm AggregateIQ Data Services Ltd, requiring it to cease processing any personal data of UK or EU citizens obtained from UK political organisations for the purposes of data analytics, political campaigning or any other advertising purposes.

Majority of charities have seen databases shrink after GDPR implementation

A survey has found that complying with the new data protection rules has had mixed effects for the UK charity sector. The survey of 176 charity workers found that 53% had seen their email database shrink to some extent as a result of complying with the GDPR.


Uber to pay $148 million in settlement over 2016 data breach

Uber Technologies Inc. will pay $148 million to settle claims related to a large-scale data breach that exposed the personal information of more than 25 million of its US users.


SMBs face costs of up to $2.5 million after a data breach

Small and mid-market companies have become a lucrative and attractive prospect for cybercriminals. According to Cisco's recently released SMB Cybersecurity Report, which includes 1816 survey respondents across 26 countries, 53 percent of midmarket companies have experienced a data breach.

Google releases framework to guide data privacy legislation

Google has released a set of privacy principles to guide US Congress as it prepares to write legislation aimed at governing how websites collect and monetise user data. The framework calls for allowing users to easily access and control the data that’s collected about them and requiring companies to be transparent about their data practices.


Professional Workshops on Data Protection
Oct - Dec 2018 workshops are now open for enrolment!

These professional workshops are tailored to the needs of those who wish to deepen their knowledge of data protection. Key features include:

  • Analysis of each data protection principle with relevant real-life scenarios
  • Codes of Practice and Guidelines
  • Updated guidance notes from the PCPD
  • Lessons learnt from real cases
  • Recommended good practices

Introduction to the Personal Data (Privacy) Ordinance Seminar
Limited seats available for Oct - Dec 2018 seminars!

This seminar can familiarise you with the key elements of the Personal Data (Privacy) Ordinance, in particular your obligations as data users and your rights as data subjects.

Outline:

  • A general introduction to the Ordinance
  • The six data protection principles
  • Direct marketing
  • Offences & compensation

DPOC has always been an effective platform where members can share good practices and learn from each other. We cordially invite members to share your strategies and practices in data protection by contributing articles and/or photos of your successful initiatives to us. Please click "Share with us" to let us know your good practice!

Share with us!

Physical Tracking and Monitoring Through Electronic Devices

The leaflet addresses the personal data privacy concerns arising from tracking and monitoring through electronic devices, and provides the best practice recommendations on Privacy Impact Assessment.

 

Read information leaflet

Data Protection Principle 1 - Collection of personal data

Excessive collection of customers’ personal data by a veterinary clinic when selling pet food

The Complaint

A cat owner was requested to provide his full name, telephone number and Hong Kong Identity Card (HKID Card) Number when he purchased cat food from a veterinary clinic. He had bought cat food from the clinic before, but he was not required to provide any personal data on previous occasions. He had never visited the clinic for his cat either. He felt that the collection of his personal data, in particular his HKID Card Number, was excessive for the sole purpose of purchasing cat food.

Although the cat food bought by the owner was not special diet pet food that required a prescription from a veterinarian, the clinic stated that it wished to be able to identify the cat owner and follow up with him on the health condition of the cat in the future.

Outcome

As a HKID Card Number is sensitive personal data, it should not be collected lightly. A data user may only collect a HKID Card Number from an individual in the circumstances permitted under the Code of Practice on the Identity Card Number and other Personal Identifiers prescribed by the Privacy Commissioner. As the clinic could not justify its collection of the complainant’s HKID Card Number under the Code of Practice, the Privacy Commissioner held that the clinic had contravened Data Protection Principle 1(1). During the investigation, the clinic ceased the practice of collecting customers’ HKID Card Numbers and destroyed the records that it had previously collected from pet owners. Hence, the Privacy Commissioner decided not to serve an enforcement notice, but issued a warning to the clinic reminding it to comply with the Ordinance in the collection of personal data.

Extended Reading:

Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data User

Q: Why is a Privacy Impact Assessment (PIA) useful?

A: A PIA is useful in:

  • enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project
  • directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage
  • providing benchmarks for future privacy compliance audit and control
  • being a cost-effective way of reducing privacy risks
  • providing a credible source of information to allay any privacy concerns from the public and the stakeholders

Q: When should a PIA be undertaken?

A: A PIA should be undertaken by data users in both the public and the private sectors to manage the privacy risks arising from a project that involves:

  • processing (whether by the data user itself or by an agent appointed by the data user) or the building up of a massive amount of personal data;
  • the implementation of privacy-intrusive technologies that might affect a large number of individuals; or
  • a major change in the organisational practices that may result in expanding the amount and scope of personal data to be collected, processed, or shared.

Q: What are the key components that a PIA includes?

A: A PIA generally includes the following key components:

  • Data processing cycle analysis;
  • Privacy risks analysis;
  • Avoiding or mitigating privacy risks; and
  • PIA reporting.

Extended Reading:
Information Leaflet: Privacy Impact Assessments

Tips on Wi-Fi 



Take a look at the steps showing how to connect to Wi-Fi hotspots safely

Administrative Appeals Board's Decision  


The Administrative Appeals Board (AAB) hears and determines appeals lodged against the PCPD’s enforcement decisions.

The AAB may confirm, vary or reverse the PCPD’s decisions. It has given the PCPD permission to publish on the PCPD website its decisions delivered after open hearings.

Case Notes



An archive of outcomes of selected appeals, complaints and enquiries that illustrate the interpretation and application of the provisions of the Personal Data (Privacy) Ordinance.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.

