Personal Data Privacy Governance in the Government
The PCPD, together with a consultancy firm for Privacy Management Programme (PMP), organised a training workshop on 8 October 2018 to assist government bureaux and departments to develop their own PMP according to their operational needs. The Workshop was attended by over 100 government officers from about 40 bureaux and departments. Coming from the first batch of bureaux and departments in developing PMP, representatives of the Constitutional and Mainland Affairs Bureau, the Hongkong Post and the Environmental Protection Department shared the challenges encountered and lessons learnt during the implementation of PMP.
We offer training sessions on PMP. You can find details on our PMP webpage and email us for any enquiries.
The Privacy Commissioner welcomed the representatives of government bureaux and departments to the PMP training workshop.
What does a fair algorithm actually look like?
While algorithms may be increasingly responsible for making decisions that impact people’s daily lives, they are not bound by any obligation to explain results. To combat bias and “black box” algorithms, many have called for increased transparency and accountability.
EU privacy chief expects first round of fines under new law by year-end
Regulators are set to exercise their new powers by handing out fines and even temporary bans on companies that breach a new EU privacy law, with the first round of sanctions expected by the end of the year.
How did Canada fare on privacy in the USMCA?
Canadian commentators have raised alarm over provisions relating to data localisation and privacy in the United States Mexico Canada Agreement on international trade.
Privacy Commissioner Contacted Facebook for Information on the Hacking Incident, Compliance Check Continues (3 October 2018)
Privacy Commissioner Initiates Compliance Check on Facebook Security Breach (29 September 2018)
Seminar on "How to Construct Comprehensive Privacy Management Programme"
Exclusively for DPOC members! Limited seats available!
The PCPD has recently issued the "Best Practice Guide on Privacy Management Programme", which is a "2.0 version" of the 2014 issue. This seminar will take you through the concrete examples, charts, templates of questionnaire and checklist in the Guide to help you construct a comprehensive Privacy Management Programme in your organisation.
Don't miss this chance to learn about the latest developments in PMP. Limited seats are available. Enrol now!
Professional Workshop on Recent Court and Administrative Appeals Board Decisions (26 October 2018) Limited seats available!
This workshop examines some recent decisions of the Hong Kong Court and Administrative Appeals Board which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work. There will be in-depth discussion and up-to-date knowledge transferred to participants on the interpretation of commonly used provisions of the Personal Data (Privacy) Ordinance.
Professional Workshop on Data Protection in Human Resource Management (9 November 2018) Limited seats available!
Human resource practitioners handle a large amount of employee data in the course of their work. The collection, use and retention of employee data carry significant legal responsibilities and risks. It is therefore a great challenge for human resource practitioners to meet the requirements under the Personal Data (Privacy) Ordinance and the Code of Practice on Human Resource Management.
Especially designed for human resource practitioners, this workshop examines the good practices in handling personal data in each phase of the employment process.
Introduction to the Personal Data (Privacy) Ordinance Seminar (Oct - Dec 2018)
This seminar can familiarise you with the key elements of the Personal Data (Privacy) Ordinance, in particular your obligations as data users and your rights as data subjects.
Outline:
- A general introduction to the Personal Data (Privacy) Ordinance
- The six data protection principles
- Direct marketing
- Offences & compensation
DPOC has always been an effective platform where members can share good practices and learn from each other. We cordially invite members to share your strategies and practices in data protection by contributing articles and/or photos of your successful initiatives to us. Please click "Share with us" to let us know your good practice!
Revised “Guidance for Mobile Service Operators”
Mobile service operators handle an enormous amount of customers’ personal information. This revised guidance sets out some illustrations and good practices for compliance with the Personal Data (Privacy) Ordinance.
Data Protection Principle 6 - Access to Personal Data
Data access request made by a Complainant on behalf of his son to a primary school
The Complaint
The Complainant on behalf of his son made a data access request (the DAR) to a primary school requesting copies of all the information pertaining to his son's application for admission to the primary school for two consecutive school years.
The primary school replied to the Complainant that it could provide the information relating to his son's application for only the current school year. As for the documents for the last school year, they had been destroyed in accordance with the school's usual practice. The Complainant suspected that the primary school had withheld the documents to which he was entitled, so he complained to the PCPD.
The Privacy Commissioner's investigation revealed that the primary school had destroyed all documents for the last school year at the time of receiving the DAR. It was discovered that the primary school had in its possession the total scores of the Complainant's son for the current year recorded in a Master Score Record (the Record). However, the primary school failed to provide the Complainant with the total scores of his son for the current school year. The primary school explained that it did not provide the Complainant with a copy of the Record because the Record also contained the names and scores of all applicants, not just the Complainant's son.
Outcome
The Privacy Commissioner was of the view that the primary school had contravened section 19(1) of the Personal Data (Privacy) Ordinance by failing to provide the requested data contained in the Record. The primary school was obliged to provide that data to the Complainant, omitting other applicants' personal data as provided under section 20(2)(b) of the Personal Data (Privacy) Ordinance.
Nevertheless, after the Privacy Commissioner had explained the requirements under section 20(2)(b) of the Personal Data (Privacy) Ordinance to the primary school, it provided the Complainant with a copy of the Record with the personal data of other applicants edited out.
In view of the remedial action taken by the primary school, the Privacy Commissioner considered that the contravention had ceased and there was no likelihood of its repetition. In the circumstances, the Privacy Commissioner decided to put the primary school on warning, but not to serve an enforcement notice on the primary school in consequence of the investigation.
Biometric data could be sensitive data as it often contains an individual's intimate information relating to health, mental condition or racial origin. Wrongful disclosure of biometric data could lead to unintended re-identification of individuals, impersonation, or even discrimination. Here are some tips on handling biometric data.
Q: What are the privacy requirements for dealing with the biometric data collected?
A: (i) Establish strong controls for access to, use and transfer of biometric data
Data users should not use an individual’s biometric data for any purpose that is not related to the purpose for which it was originally collected, unless they have the individual’s explicit and voluntary consent to such use or such use is exempted. Written policy and clear guidance should be devised to ensure the proper use of the biometric data collected, and to prevent unnecessary linkage between the biometric database and other IT systems or databases that may inadvertently result in the transfer or change of use of the biometric data.
(ii) Retention of biometric data
Data users should regularly and frequently purge biometric data which is no longer required for the purpose for which it is collected.
(iii) Ensure data accuracy
Data users are required to take all reasonably practicable steps to ensure that the personal data held is accurate.
To ensure the accuracy of the biometric recognition system, data users must ascertain and be satisfied that the false acceptance rate and false rejection rate of the biometric recognition system are within reasonable limits, having regard to the size of the population monitored by the system.
Data users are required not to use personal data collected for a new purpose without the express consent of the data subjects.
Data users collecting biometric data for one purpose must ensure that it is not used for another unrelated purpose without obtaining express consent from the data subject.
Given the sensitivity of biometric data, it is important that data users guard against any risk of compromise or theft of the biometric database and that such effective security measures as are reasonably practicable in the particular circumstances are implemented.
(vi) Duty to make the privacy policy generally available
Data users should devise privacy policies and procedures setting out clearly the rules and practices that are to be followed in collecting, holding, processing and using biometric data, and make them known to all parties concerned, such as employees, contractors and/or customers.
Proper training, guidance and supervision have to be given to the staff responsible for the collection and management of the biometric data. Employees who fail to properly carry out their duties in the handling of biometric data should be subject to appropriate disciplinary action.
If contractors are engaged in the handling of personal data, data users must adopt contractual or other means to prevent personal data transferred to the contractor from being kept longer than necessary and from unauthorised or accidental access, processing, erasure, loss or use.
EU General Data Protection Regulation
The EU General Data Protection Regulation came into effect on 25 May 2018. Obtain more information about the Regulation.
Tips on Encryption
Encryption is an effective way to prevent data from being understood when your computer is hacked or when your Portable Storage Devices are lost.
“Be SMART Online” Thematic Website
A one-stop portal to provide useful information and tips to protect personal data on computer and to reduce the risks of online privacy breach.
For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong Tel: (852) 2877 7179
You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.