
DPOC e-Newsletter


Data Breach Notifications and ICT-related complaints at record highs in 2018; Data security as key concern
The Privacy Commissioner summed up the work of his office in 2018

The PCPD received a record number of data breach notifications in 2018, with a number of large-scale data breach incidents arousing wide public concern. A more than two-fold increase in the number of complaints in relation to the use of information and communications technology was also recorded. Amongst them, complaints related to the disclosure or leakage of personal data on the Internet had increased substantially. Both figures reached record highs last year.

In view of the rapid development of information technology and the evolution of the global data privacy landscape in recent years, the PCPD is in the process of reviewing the Personal Data (Privacy) Ordinance while proactively promoting a privacy management accountability mechanism and data ethics so as to build trust amongst the stakeholders.

In 2018, Hong Kong became a pioneer in advocating data ethics in Asia. The PCPD has been advocating that compliance with the law be complemented by the adoption of data ethics, which are the bedrock on which personal data protection is nurtured and flourishes in times of change. It is precisely against this background that the PCPD places significant emphasis on the issue of data governance and ethics by advocating Data Stewardship Values, namely "Respectful, Beneficial and Fair".

In 2019, the PCPD will:

  • Continue to engage the business sector (especially the SMEs) in implementing the privacy governance mechanisms that fulfill data ethics;
  • Strengthen the working relationship with the mainland and overseas data protection authorities, and explain the newly implemented rules and regulations on data protection of other jurisdictions to the local stakeholders for compliance with the requirements;
  • Provide advice to the Government on initiatives involving personal data privacy, including making recommendations on the review of the Personal Data (Privacy) Ordinance; and
  • Issue guidance materials on Fintech and "de-identification" and publish a booklet on personal data regulations in the mainland for industries and members of the public.

Privacy Commissioner Mr Stephen Wong delivered a presentation titled "Data Governance in the Hong Kong SAR: Compliance, Accountability and Ethics" at the Data Security and Personal Privacy Protection Summit 2019 organised by the Law and Development Academy of the Peking University (15 January 2019)


Privacy improves business outcomes, Cisco finds

97% of businesses reported they received auxiliary benefits from their privacy investments, including competitive business advantage. "Not only is privacy good for business, but good privacy is great for business", Cisco said.


"You deserve privacy online. Here's how you could actually get it", said Apple CEO Tim Cook

In 2019, it is time to stand up for the right to privacy—yours, mine, all of ours. Consumers should not have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.


Are 10-Year Challenge photos a boon to Facebook's facial recognition technology?

The #10YearChallenge was all fun and memes until a tweet moved thousands of people to worry: are we unknowingly helping giant corporations to improve their algorithms for biometric identification and age progression?


EU's right to be forgotten could come under heavy challenge

An advocate general in the European Court of Justice opined that Google should not be mandated to extend the right to be forgotten to users outside the European Union, in the light of the possibility of opening the door to censorship by nations that do not share the EU's enthusiasm for free speech.


France fines Google $57 million for European privacy rule breach

France's data protection watchdog fined Alphabet's Google 50 million euros for breaching European Union online privacy rules, the biggest such penalty levied against a U.S. tech giant.


Professional Workshop on Data Protection in Human Resource Management (22 February 2019)

Can an employer collect a photocopy of a job applicant's Hong Kong Identity Card? How long should a company keep the personal data of former employees? Can an employee obtain all the comments in his/her appraisal report? These are some of the frequently asked questions about the application of the Personal Data (Privacy) Ordinance on human resource management.

Tailor-made for human resource practitioners, this workshop will discuss common questions and good practices in handling personal data in human resource management.


Practical Workshop on Data Protection Law (26 February 2019)

The numerous massive data breach incidents involving various sectors in 2018 once again reminded us of the importance of understanding and complying with the Personal Data (Privacy) Ordinance. For those who are charged with the responsibility of advising on compliance with the Personal Data (Privacy) Ordinance, or who would simply like to find out more about it, this is the workshop to attend. Data Protection Principles, court cases such as Chan Yim Wah Wallace v New World First Ferry Services Limited [2015] HKEC 762 and recent Administrative Appeals Board cases will be discussed.


Ethical Accountability Framework for Hong Kong, China

This report proposes three Data Stewardship Values including "Respectful, Beneficial and Fair" as well as two assessment models, namely "Model Ethical Data Impact Assessment" and "Process Oversight Model", to assist organisations to implement data ethics in their daily operations, and to fully reap the benefits of the data-driven economy while protecting and respecting the fundamental rights (including the right to privacy), interests and freedoms of individuals.



Data Protection Principle 4 - Security of personal data

A law firm sent a letter about a data subject's private affairs to a general email address of the data subject's workplace, resulting in disclosing the letter to a third party

The Complaint

A law firm, acting on behalf of the complainant's husband, sent a letter regarding the complainant's divorce, which was underway, to a general email address of her workplace.

According to the law firm, it initially sent the letter to the complainant's personal email address but received no response. It subsequently sent the letter to the general email address of the complainant's office, which had been obtained from the Internet. It clearly marked "Private and Confidential" in the subject heading of the email. Being unable to confirm other means of contact of the complainant from the information provided by her husband, the law firm had not contacted the complainant to ascertain whether she would personally check the emails received through the general email address of her office, before sending the email to her. The law firm explained that it sent the letter to the complainant through the general email address of her office in the hope of getting her prompt response.

Outcome

If the law firm needed to send the letter containing intimate data to the general email address of the complainant's office, it should ascertain in advance if the complainant personally checked the emails received via that office email address, or send the letter encrypted. The PCPD considered that the law firm had failed to take all practicable steps to ensure that the complainant's personal data was protected against unauthorised or accidental access, hence in breach of Data Protection Principle 4.

After the PCPD's intervention, the law firm undertook that when they had to deliver documents containing personal data or sensitive information to others under similar circumstances in future, they would communicate with the recipient in advance or encrypt the message.

Q: What is online tracking?

A: Website operators/owners often collect information regarding their users' online interaction with the websites. Information such as user's identity, display and/or language preference, web pages visited, items purchased, and transactions performed may be collected and recorded.

Q: What are the main reasons that online behavioural tracking may be a concern for website users?

A: The reasons are:

  • Website users' information or browsing habits are often collected by the website operator/owner without website users' knowledge or consent;
  • Website users' information or browsing habits may even be collected by a third party without website users' knowledge or consent;
  • The collected information may be transferred to other parties by the website operators/owners or the third party without website users' knowledge or consent;
  • Information about a website user collected from one website may be combined with information collected from other websites or sources about that user, thus building his/her profile without his/her knowledge;
  • The purpose of collecting the information is not made clear to the website users. Even if this has been made clear, website users are not offered the option to opt out of the use.

Q: What are the recommended practices to organisations on using cookies?

A: Where cookies are used to collect behavioural information, the following additional best practices are recommended:

  • To pre-set a reasonable expiry date for cookies;
  • To encrypt the contents of cookies whenever appropriate; and
  • Not to deploy techniques such as Flash/zombie/super cookies that ignore browser settings on cookies unless organisations can offer an option to website users to disable or reject such cookies.
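The first two recommendations above (a pre-set expiry and encrypted contents) can be combined as in the following added example, which is not PCPD code. The function names `sealCookie` and `openCookie`, the cookie name `prefs` and the 30-day retention period are assumptions made for illustration; the expiry is also sealed inside the ciphertext so the server enforces it even if a browser keeps the cookie longer.

```javascript
const crypto = require("node:crypto");

const MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // assumed retention period: 30 days

// Encrypt a cookie payload with AES-256-GCM and return a Set-Cookie header value.
function sealCookie(name, payload, key, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie issued
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(name)); // bind the ciphertext to this cookie name
  const body = JSON.stringify({ exp: now + MAX_AGE_SECONDS * 1000, data: payload });
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  const value = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
  return `${name}=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Decrypt a cookie value; returns the payload, or null if it is
// malformed, tampered with, issued under another name, or expired.
function openCookie(name, value, key, now = Date.now()) {
  try {
    const raw = Buffer.from(value, "base64url");
    if (raw.length < 28) return null; // 12-byte IV + 16-byte tag at minimum
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(name));
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { exp, data } = JSON.parse(body.toString("utf8"));
    return now < exp ? data : null; // server-side expiry check
  } catch {
    return null; // authentication failure or bad encoding
  }
}

// Constructed sample values, for demonstration only.
const key = crypto.randomBytes(32); // in practice, loaded from a secret store
const header = sealCookie("prefs", { lang: "zh-HK", segment: "travel" }, key);
const value = header.split(";")[0].slice("prefs=".length);
console.log(header);
console.log(openCookie("prefs", value, key));
```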

Extended Reading:

Information Leaflet on Online Behavioural Tracking

PCPD Youtube Channel

You can find a series of educational videos here promoting awareness of data privacy protection.


Resources by Topics

Look for useful guidance notes, information leaflets and other materials by topics.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179


