
DPOC e-Newsletter

                                    


Privacy and cybersecurity are converging

2018 has been the year of privacy. Arguing that there will be convergence between privacy and cybersecurity, Andrew Burt, chief privacy officer and legal engineer at Immuta, suggests that legal and privacy personnel will become more technical, and technical personnel will become more familiar with legal and compliance mandates.

 

Who should be responsible for protecting our personal data?

Half the world’s population is online and leaving behind an ever-growing digital footprint. Cybersecurity is an increasingly severe risk for companies and individuals. What can we do to protect users and businesses, and who should take charge?

 

Think twice before you share our faces online, say children

Study reveals parents are less savvy than their offspring about the perils of posting family photos. According to a survey of over 16,000 pupils, over 55% said they would not upload news about, or images of, their children to their social media feeds if they were in their parents’ shoes.

 

Popular apps share data with Facebook without users' consent, report claims

Privacy International, a UK-based campaign group, found that at least 21 out of 34 popular Android apps collect detailed and, at times, sensitive user data and share it with Facebook.

 

CVs containing sensitive information of over 202 million Chinese users left exposed online

A security researcher has stumbled over an unsecured MongoDB database server that contained highly detailed CVs for over 202 million Chinese users.


Professional Workshop on Data Protection in Banking/Financial Services (23 January 2019)

This workshop is designed for banking and financial personnel who wish to acquire knowledge on the requirements under the Personal Data (Privacy) Ordinance in different aspects of the banking and financial services and the practical ways to deal with them effectively in their daily operation.

Highlights of Course Outline:

  • Code of Practice on Consumer Credit Data
  • Accuracy of customers' contact information
  • Outsourcing the processing of personal data
Enrol now!
 

Professional Workshop on Recent Court and Administrative Appeals Board Decisions (28 January 2019)

This workshop examines some recent decisions of the Hong Kong Court and Administrative Appeals Board which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work. There will be in-depth discussion and up-to-date knowledge transferred to participants on the interpretation of commonly used provisions of the Personal Data (Privacy) Ordinance.

Highlights of Course Outline:

A thorough discussion of the following decisions made by the High Court of Hong Kong and the Board:-

  • HKSAR v Hong Kong Broadband Network Limited (HCMA 624/2015)
  • HKSAR v Leung Chun-kit Brandon (HCMA 49/2016)
  • AAB 17/2015 and AAB 18/2016
  • AAB 42/2016
  • AAB 40/2016
Enrol now!
 

Introduction to the Personal Data (Privacy) Ordinance Seminar (January - June 2019)

To raise the public's awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD regularly organises introductory seminars on the Ordinance. These seminars can familiarise you with the key elements of the Ordinance, in particular your obligations as data users and your rights as data subjects.

Outline:

  • A general introduction to the Personal Data (Privacy) Ordinance
  • The six data protection principles
  • Direct marketing
  • Offences & compensation
Enrol now!

Privacy Commissioner releases inspection report on personal data systems of private tutorial services industry to encourage organisations in enhancing data stewardship and sharing mutual fairness, respect and benefit with customers (28 December 2018)

Read Media Statement and Report
 

Privacy Commissioner Mr Stephen Wong (front row, second from right) delivered a presentation titled “Hong Kong’s Unique Attribute: Free Flow of Information and Data Protection” at the “Greater Bay Area and One-Country-Two-Systems” Seminar organised by the Centre for Hong Kong and Macau Studies, Tsinghua University and China Law Society (21 December 2018)

Download presentation materials (Chinese only)

2018 Best Practice Guide on Privacy Management Programme

Since 2014, the Privacy Commissioner has advocated that organisations should develop their own Privacy Management Programme to embrace personal data protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting from the board room.

This revised Best Practice Guide on Privacy Management Programme is a "2.0 version" of the 2014 issue. It provides more concrete examples, charts, and questionnaire and checklist templates for reference, and aims to assist organisations in constructing a comprehensive Privacy Management Programme.


Download the Guide

Data Protection Principle 6 - The right of data access request is restricted to obtaining a copy of the specified personal data, not a copy of the document containing the personal data

The Complaint

The complainant was a member of the teaching staff of a university. He applied for re-appointment beyond retirement age. However, his application was declined by the university. He later submitted a data access request to the university for a copy of the documents in relation to the assessment of his application. The university complied with the request by providing him with a copy of the personal data concerned.

The complainant noted from an integrated report (the Report) among the documents provided by the university that the university had held a meeting in relation to his application. Although the Report already contained a summary of the meeting, the complainant considered that the university should have provided him with a copy of the minutes of the meeting (the Minutes). He therefore complained to the PCPD against the university.

Outcome

Under section 18(1)(b) of the Personal Data (Privacy) Ordinance, an individual may make a request for access to his personal data held by a data user. In the judicial review case Wu Kit Ping v. Administrative Appeals Board HCAL 60/2007, the Judge ruled that the right of a data subject under section 18(1)(b) of the Ordinance was to obtain a copy of his personal data, not a copy of the document containing his personal data.

The PCPD considered that the Report provided by the university to the complainant had already included the personal data of the complainant contained in the Minutes. Given that the university had already provided the complainant with his personal data contained in the Minutes, the university did not contravene the requirement of the Ordinance by not providing him with a copy of the Minutes.

Q: What are the legal requirements that a data user must comply with when collecting personal data directly from a data subject?

A: Data Protection Principle (DPP) 1(3) specifies that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that:

a. the data subject is explicitly or implicitly informed, on or before the collection of his personal data, of whether the supply of the personal data is voluntary or obligatory (if the latter is the case, the consequence for the individual if he does not supply the personal data); and

b. the data subject is explicitly informed:

  • on or before the collection of his personal data, of the purpose for which the personal data is to be used and the classes of persons to whom the personal data may be transferred; and
  • on or before the first use of the personal data, of the data subject’s rights to request access to and correction of the personal data, and the name (or job title) and address of the individual who is to handle any such request made to the data user.

Q: What are a Personal Information Collection Statement and a Privacy Policy Statement, and how are they different?

A: A Personal Information Collection Statement (PICS) (or its equivalent) is a statement given by a data user for the purpose of complying with the notification requirements under DPP1(3) of the Personal Data (Privacy) Ordinance. While the Ordinance does not require the notification to be given in writing, it is a good practice for the requisite information to be provided to the data subjects in writing in the interests of transparency and to avoid possible misunderstanding between the parties. 

A Privacy Policy Statement (PPS) (or its equivalent) is a general statement about a data user’s privacy policies and practices in relation to the personal data it handles. Although the Ordinance is silent about the format or presentation of a PPS, it is a good practice to have a PPS in written form to effectively communicate the data user’s data management policies and practices.

For the purpose of complying with DPP1(3), a PICS should be provided to a data subject by a data user on or before collecting personal data directly from that data subject.

On the other hand, in order to fulfil the requirements of openness and transparency under DPP5, a PPS is required AT ALL TIMES if a data user controls the collection, holding, processing or use of personal data. Typically the PPS covers a wider scope and, in addition to some of the core elements of the PICS, may include other privacy-related policies and practices such as data retention policy, data security measures, data breach handling, and the use of special tools such as cookies on websites.

Extended Reading:

Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement

Secure Sockets Layer (SSL)


Make good use of SSL to protect online information.

Motion Graphic Videos – 6 Data Protection Principles  

Understanding how the 6 Data Protection Principles represent the core of the Personal Data (Privacy) Ordinance covering the life cycle of a piece of personal data.

 

DPOC e-Newsletter Reader Survey


We want to hear your thoughts and feedback so that we can improve the e-Newsletter. Please complete the survey.



For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179
