
DPOC e-Newsletter


DPOC has always been an effective platform where members can share their practices and learn from each other. We cordially invite members to share your strategies and practices in data protection by contributing articles and/or photos of your successful initiatives to us. In this issue, we have HSBC sharing its various measures for protecting personal data privacy.

Public Privacy Statement

HSBC has published a Privacy and Security Statement on its website (www.hsbc.com.hk). The “Privacy Principles” in the Statement set out the commitment of the bank to privacy. The Statement also provides details on data privacy such as the purposes of collecting personal data and the practices, data security measures in place, how cookies and other online technologies are used, etc.

 

Control of Marketing Preferences

HSBC provides customers with control of their marketing preferences through its personal Internet banking and mobile banking platforms. Customers have the flexibility to decide when they want to start or stop receiving the marketing offers and through which channels. 



Training


HSBC provides ongoing e-learning courses to staff members to ensure a high level of privacy awareness among all staff. The bank launched a Global Mandatory Training on Data Privacy & Cyber Security in 2018. All Hong Kong staff are required to complete an additional annual e-learning module tailored to the requirements of the Personal Data (Privacy) Ordinance, including in-depth training for those staff with direct marketing and HR recruitment responsibilities.

 

Privacy Commissioner Publishes Investigation Report on the Incident of Intrusion into Hong Kong Broadband Network’s Customer Database (21 February 2019)

Read media statement

Commercial Radio Programme (在晴朗的一天出發) - Interview with Privacy Commissioner Mr Stephen Wong: Review of the Personal Data (Privacy) Ordinance (1 February 2019) (Cantonese Programme)

 

RTHK Programme (千禧年代) - Interview with Privacy Commissioner Mr Stephen Wong: The Work of PCPD in 2018 (1 February 2019) (Cantonese Programme)

View the Programme (Cantonese only)
Listen to the Programme (Cantonese only)

Most people just click and accept privacy policies without reading them — you might be surprised at what they allow companies to do

When you download a new app or start a new online account you probably click to agree to the privacy policy without ever reading it. But what you don't read may surprise you. Many companies are gathering loads of personal data and could be sharing that info.

Read more
 

Facial Recognition Technology Exists in "Legal Vacuum and Should Face Regulation"

Innovative facial recognition technology has long been criticised for potentially breaching our human rights. Now, new research has delivered a fresh blow to the innovative security product which was designed to catch criminals walking the streets.

Read more
 

2018 report shows the real danger of everyday data breaches

Identity Theft Resource Center's "2018 End of Year Data Report" shows that data breaches are very much an everyday occurrence. The report shows that breaches are down 23% from 2017, but stolen records are up 126% from the previous year. This happens because we sometimes inadvertently make things easier for hackers trying to steal our information.

Read more
 

Lawyers from Asian countries discuss need for stronger privacy laws

Lawyers and policy makers from several Asian countries discussed the nature of protection granted to privacy rights by laws in their respective jurisdictions in the second session of the LAWASIA Human Rights Conference held in New Delhi.

Read more
 

Safer Internet Day: Commission announces next steps to keep children safe online

On 5 February, Safer Internet Day, the European Commission announced the creation of a new Expert Group on Safer Internet for Children, which will help improve coordination and cooperation between EU Member States and propose concrete actions that can be taken to keep children safe when using the internet.

Read more

Practical Workshop on Data Protection Law (26 February 2019)

The numerous massive data breach incidents involving various sectors in 2018 once again reminded us of the importance of understanding the Personal Data (Privacy) Ordinance and complying with it. For those who are charged with the responsibility of advising on compliance with the Personal Data (Privacy) Ordinance, or who would simply like to find out more about it, this is the workshop you should go for. Data Protection Principles, court cases such as Chan Yim Wah Wallace v New World First Ferry Services Limited [2015] HKEC 762 and recent Administrative Appeals Board cases will be discussed.

Enrol now!
 

Professional Workshop on Data Protection and Data Access Request (7 March 2019)

Are you aware that you can make a request to obtain a copy of your personal data held by an organisation? As part of that organisation, do you know the legal obligation in relation to such a request?

This workshop will examine in detail those requirements and offer guidance on how to handle Data Access Requests. Participants will learn how to avoid pitfalls.

Enrol now!

Data Protection in Digital Revolution

The development of digital technologies brings us convenience and business opportunities. It may, however, also pose challenges and risks to data privacy. Some of the emerging technologies seem to be stretching their limits and are posing challenges to the underlying principles of data protection upon which the legislation is based. This article illustrates the impact of technological advancement and the evolving privacy laws around the world.

(This article was contributed by Mr Stephen Ka-yi WONG, the Privacy Commissioner for Personal Data, to "Hong Kong Lawyer", the official journal of the Law Society of Hong Kong.)

Read the article

Data Protection Principle 3 - Use of personal data

A property management company should not have referred a resident to a mental health service organisation by disclosing the resident’s personal data without consent

The Complaint

The Complainant had received a home visit from a mental health service organisation, during which he agreed to join the organisation as a member and use its services. The organisation later wrote a report on the Complainant's mental condition. As the report mentioned the details of disputes between the Complainant and his neighbour, the Complainant believed that the data was supplied to the organisation by the management company of his housing estate. Hence, the Complainant complained to the PCPD against the management company for disclosing his personal data to the organisation without his consent.

According to the management company, as the Complainant had a number of disputes with his neighbour, it believed that the organisation might provide appropriate service to the Complainant. Hence, it referred the Complainant to the organisation, which then paid the Complainant a visit at his home. The management company admitted that it had, without the Complainant’s prescribed consent, supplied the Complainant’s background information to the organisation when making the referral.

Outcome

In view of the disputes between the Complainant and his neighbour, the management company wishfully assumed that the organisation could intervene to provide the Complainant with appropriate assistance and hence improve the situation. However, the management company had not considered the Complainant’s will before referring him and disclosing his personal data to the organisation. The Privacy Commissioner was of the view that the referral did not relate to the original purpose of collection of the Complainant’s personal data by the management company (i.e. for handling disputes among residents of the housing estate), and the management company had not obtained the Complainant’s prescribed consent before disclosure, thus the act of the management company violated Data Protection Principle 3.

After the PCPD’s intervention, the management company gave written guidelines and verbal instructions to its staff, requiring them to obtain written consent from residents before transferring or releasing residents’ personal data to any third party.

Extended Reading:

Guidance on Property Management Practices

Reference

Q: Why is a Privacy Impact Assessment (PIA) useful?

A: A PIA is useful in:

  • enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project
  • directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage
  • providing benchmarks for future privacy compliance audit and control
  • being a cost-effective way of reducing privacy risks
  • providing a credible source of information to allay any privacy concerns from the public and the stakeholders

Q: When should a PIA be undertaken?

A: A PIA should be undertaken by data users in both the public and the private sectors to manage the privacy risks arising from a project that involves:

  • processing (whether by the data user itself or by an agent appointed by the data user) or the building up of a massive amount of personal data;
  • the implementation of privacy-intrusive technologies that might affect a large number of individuals; or
  • a major change in the organisational practices that may result in expanding the amount and scope of personal data to be collected, processed, or shared.

Q: What are the key components that a PIA includes?

A: A PIA generally includes the following key components:

  • Data processing cycle analysis;
  • Privacy risks analysis;
  • Avoiding or mitigating privacy risks; and
  • PIA reporting.

Extended Reading:
Information Leaflet: Privacy Impact Assessments

Data Breach Notification

An online page with relevant guidance notes on submitting data breach notification to the PCPD.

More
 

Tips on Log-in Information

Understand what precautions to take to protect your user name and password. Look for useful guidance notes, information leaflets and other materials by topics.

More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.


Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.