|
|
|
|
Privacy Awareness Week (PAW), an annual promotional campaign jointly organised by the PCPD and other members of the Asia Pacific Privacy Authorities, took place between 6 and 12 May 2019. Themed Compliance with Privacy Law, Data Ethics in Action, PAW 2019 aimed at encouraging organisations to put data ethics in action in order to gain customers' or stakeholders' trust in data protection. Let us take a look at the activity highlights:
|
|
|
|
|
|
Symposium on "Data Ethics in Action"
Organised by the PCPD on 9 May, the Symposium on "Data Ethics in Action" was the flagship event of DPOC's new membership year 2019-20. Over 150 DPOC members and organisation representatives participated in the Symposium.
Our guest speakers, Mr Albert Hak-keung WONG, the Chief Executive Officer of Hong Kong Science & Technology Parks Corporation, Ms Diana CESAR, Chief Executive, Hong Kong, The Hongkong and Shanghai Banking Corporation Limited and Mr Sunny Yiu-tong CHEUNG, the Chief Executive Officer of Octopus Holdings Limited shared their insights and experience in putting data ethics in action and building trust with stakeholders in relation to data privacy.
|
|
|
|
|
|
Radio drama series: property management practices and protection of personal data
Property management practitioners and members of owners' corporations collect and use sheer amount of personal data. To enhance the culture of protecting and respecting personal data privacy in property management industry, a four-episode radio drama series titled "Privacy Clubhouse", voice-acted by well-known broadcasters, was broadcast on Commercial Radio 881.
Have missed the broadcast? No worries! You can catch it up on the PCPD's website.
|
|
|
|
|
|
|
Privacy Commissioner's interview on "On a Clear Day" (在晴朗的一天出發)
In interviews on 7 and 8 May with Mr Stephen Chan (陳志雲) in his current affairs programme on Commercial Radio, the Privacy Commissioner Mr Stephen WONG talked about personal data privacy issues in property management and highlighted the importance of data ethics as a worldwide trend.
|
|
|
|
Educational talks to data subjects including senior citizens and students
|
|
|
|
To familiarise senior citizens with the potential data privacy risks, the PCPD collaborated with non-governmental organisations to organise elderly talks in elderly centres to share tips on personal data protection in daily life. Three of the talks were held during PAW. Privacy tips for the elderly were also shared by our Privacy Special Ambassador Ms Candy CHEA (車淑梅) via a short video broadcast on the eElderly website (www.e123.hk).
In addition, a secondary school talk and a public seminar were held during PAW to explain the requirements of the Personal Data (Privacy) Ordinance and the importance of safeguarding personal data online.
|
|
|
|
|
Have your own PAW 2019
Ten DPOC members organised their own PAW activities within their organisations to promote data privacy protection. They are: The Hong Kong Institute of Chartered Secretaries, The Hongkong Electric Co. Ltd, The Hongkong and Shanghai Banking Corporation Limited, Prudential Hong Kong, Immigration Department, The Hong Kong Trade Development Council, The University of Hong Kong, McDonald's Hong Kong, Ant Financial Services Group and Public Finance Limited. Let us give them a big hand!
PAW is a weeklong campaign. But data protection is a long-term commitment. It is never too late to start implementing data protection policies, measures and launching privacy awareness activities.
|
|
|
|
|
|
|
GDPR-related talk (5 June 2019)
Is GDPR a threat to blockchain innovation? The Privacy Commissioner Mr Stephen WONG, together with a panel of industry experts, will discuss the technological and regulatory concerns with respect to GDPR and make comparisons with the Personal Data (Privacy) Ordinance.
Join the talk by using the promotional code "IAPPPCPD" for DPOC members.
|
|
|
|
|
|
Recent Court and Administrative Appeals Board Decisions
(24 May 2019) Limited seats available!
This workshop (to be conducted by experienced lawyers of the PCPD) examines some recent decisions of the Hong Kong Court and Administrative Appeals Board in relation to the Personal Data (Privacy) Ordinance. There will be in-depth discussion and up-to-date knowledge on the interpretation of commonly used provisions of the Ordinance.
|
|
|
|
|
|
Professional Workshop on Privacy Management Programme (4 June 2019)
The results of recent incidents of the massive data breach by different organisations revealed that it is of paramount importance for organisations to adopt holistic and encompassing Privacy Management Programme to ensure that robust privacy policies and procedures are in place. This workshop will guide you through the key features of "Privacy Management Programme – A Best Practice Guide". Participants will be able to understand the baseline fundamentals and components of a Privacy Management Programme and how to maintain and improve it on an ongoing basis.
|
|
|
|
|
|
Privacy Commissioner officiated at the Hang Seng University of Hong Kong's 2019 (9th) Junzi Corporation Kick-off Ceremony (3 May 2019)
At the ceremony, the Privacy Commissioner Mr Stephen WONG said that more and more corporations were using big data and artificial intelligence in advancing their businesses in a data-driven economy, while customers' expectation on personal data protection kept rising. Thus, they should incorporate data ethics as part of corporate data governance alongside meeting the requirements of laws, namely being respectful, beneficial and fair and to adopt appropriate protection measures for handling personal data.
This not only could gain customers' confidence and demonstrate the corporations' commitment to personal data protection and accountability, but could also enhance reputation and competitiveness. This is also an important element of "Junzi Corporation" (君子企業).
|
|
|
|
|
|
Privacy Commissioner was invited to be a judge of the "Hong Kong Inter-Collegiate Debate Competition 2019" co-organised by RTHK and Hong Kong Federation of Students (26 April 2019)
|
|
|
|
|
Hong Kong Lawyer May 2019 issue: Facial Recognition and CCTV surveillance
The Court of Appeal's decision in Eastweek Publisher Ltd & Anor v Privacy Commissioner for Personal Data [2000] 1 HKC 692 is always known to be one of the landmark decisions on the interpretation of Data Protection Principle 1 in Schedule 1 to the Personal Data (Privacy) Ordinance. In this article, the Privacy Commissioner Mr Stephen WONG examines the decision and the impact of time and technology on this landmark case.
|
|
|
|
|
|
Data Ethics for Small and Medium Enterprises (SMEs)
Personal data belongs to customers, not organisations. To protect personal data privacy and enhance customers' confidence, SMEs are encouraged to handle personal data pursuant to three core values of data ethics, namely "respectful", "beneficial" and "fair". These values make good business sense.
|
|
|
|
|
|
Microsoft – IDC Study: Artificial Intelligence adoption to increase rate of innovation and employee productivity gains by more than double by 2021
As Hong Kong progresses on the digital transformation journey, 40% of organisations in Hong Kong have embarked on their AI journeys, similar to the Asia Pacific situation. 74% of the management level respondents polled agreed that AI is instrumental for their organisation's competitiveness. However, only 73% business leaders have yet to implement plans to help their employees' to acquire the right skills.
|
|
|
|
|
Europe's sweeping privacy rule was supposed to change the internet, but so far it's mostly created frustration for users, companies and regulators
The European Union's General Data Protection Regulation (GDPR) gave numerous new privacy rights to consumers. But the law's effectiveness in its first year is questionable, as some EU states struggle to staff regulatory offices, consumers become blind to an avalanche of privacy pop-up notices and companies struggle with new internal data bureaucracies.
|
|
|
|
Facial recognition wrongly identifies public as potential criminals 96% of time, figures reveal
Facial recognition technology has misidentified members of the public as potential criminals in 96% of scans so far in London, new figures reveal. The Metropolitan Police said the controversial software could help it hunt down wanted offenders and reduce violence, but critics have accused it of wasting public money and violating human rights.
|
|
|
|
The privacy paradox: why do people keep using tech firms that abuse their data?
Whenever researchers or opinion pollsters ask people if they value their privacy, they invariably respond with a resounding "yes". But the privacy paradox arises from the fact that they continue to use the services that undermine their privacy. It is thus important to understand why in order to tackle the menace of targeted advertising.
|
|
|
|
|
|
|
Q: When customers place orders via a mobile app, can the organisation use the customers' personal data to send marketing information to them without seeking customers' consent?
A. Yes
B. No
|
|
|
The correct answer is B.
Data collected from customers who place orders via mobile apps can be used only for handling purchase orders. If organisations intend to use the data to send marketing information, they must obtain their customers’ prior consent, and the data can be used only for the classes of products or services agreed to by the customers.
|
|
|
Q: If an organisation engages an outsourcing agent to develop or operate a mobile app, which of the following is the appropriate policy for personal data retention?
|
|
|
A. Adopt contractual or other means to require the outsourcing agents to delete the personal data under specified circumstances and within a specified period.
B. Allow the outsourcing agents to decide how long to keep the personal data.
C. Allow the outsourcing agents to keep the data in their servers permanently.
|
|
|
The correct answer is A.
If organisations engage outsourcing agents to handle personal data on their behalf, they should adopt contractual or other means to prevent the personal data from being kept by outsourcing agents longer than is necessary.
|
|
|
|
|
|
|
Data Protection Principle 2(2) - Accuracy and duration of retention of personal data
Retention of an employee's unsatisfactory employment records by an employer over 7 years
The Complaint
The complainant was an estate agent. He left his job when his employer, a property agency (the Company), was dissatisfied with his performance. Since then, the Company had retained records of the complainant's unsatisfactory performance. When the complainant rejoined the Company 10 years later, he learnt from his colleagues that the Company had once intended not to employ him again due to his poor performance in the past. The complainant left the Company again and complained to the PCPD against the Company for retaining his personal data related to his first-time employment for too long. He also alleged that the Company revealed to his colleagues its intention of not employing him again.
|
|
|
|
|
Outcome
The Company explained to the PCPD that it was common for property agents to rejoin their companies after departure. It therefore permanently retained former employees' personal data, including job performance records, for consideration of employment in future.
DPP2(2) stipulates that all practical steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used. As for continued retention of personal data of former employees, paragraph 4.2.3 of the Code of Practice on Human Resource Management (the Code) issued by the PCPD stipulates that the employer should not retain such data for a period longer than 7 years from the date the former employee ceases employment with the employer unless there is a subsisting reason that obliges the employer to retain the data for a longer period or the former employee has given prescribed consent for the data to be retained beyond 7 years.
After the PCPD's intervention, the Company revised its retention policy, which now states that the personal data of former employees should generally not be retained for more than 7 years. In case the Company needs to handle a court case related to an ex-employee or fulfill its obligations under an employment contract, the personal data concerned would be retained until the purposes are achieved.
During the investigation, the Company destroyed the complainant's employment records (including the performance records) collected in his employment a decade ago. As for the allegation against the Company for disclosure of its decision of blacklisting the complainant, it was found unsubstantiated.
Lesson Learnt
Upon the end of employment relationship following the departure of an employee, the employer should destroy the employee's personal data within a reasonable period of time. The longer the personal data is kept, the less accurate it may become. If employers assess an application for re-employment with reference to the outdated personal data, it would be unfair to the prospective employee. Employers as data users are obliged to handle personal data in a fair and ethical manner. The PCPD calls on employers to review their data retention policy for former employees, so as to comply with the requirements under the Personal Data (Privacy) Ordinance and the Code.
|
|
|
|
EU General Data Protection Regulation (GDPR)
It has been almost a year since the EU GDPR went into effect. Let us have a quick recap on what it is about.
|
|
|
|
|
Complaint Case Notes
Summaries of the outcome of selected complaint cases are provided in this section to allow individuals and organisations to learn more about the application of the Personal Data (Privacy) Ordinance in a variety of situations.
|
|
|
|
For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong Tel: (852) 2877 7179
You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.
|
|
|
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
|
|