A big bravo to the DPOC members who organised their own Privacy Awareness Week (PAW) activities within their organisations to promote data privacy protection. They are:

* Ant Financial Services Group
* China Life Insurance (Overseas) Company Limited
* Immigration Department
* McDonald's Hong Kong
* Prudential Hong Kong
* Public Finance Limited
* Social Welfare Department
* The Hong Kong Institute of Chartered Secretaries
* The Hong Kong Trade Development Council
* The Hongkong and Shanghai Banking Corporation 
   Limited
* The Hongkong Electric Co. Ltd
* The University of Hong Kong

PAW is a weeklong campaign. But data protection is a long-term commitment. It is never too late to start implementing data protection policies, measures and launching privacy awareness activities. Let us work hand in hand to promote a culture of respecting privacy!

Privacy Commissioner Mr Stephen Wong delivered a presentation titled "Privacy Protection and Data Governance in the Internet of Things" at the Seminar on the Internet of Things and Privacy organised by the Hong Kong Academy of Law (5 June 2019)

Privacy Commissioner Mr Stephen Wong delivered a presentation titled "GDPR and Blockchain - Are they compatible?" at the panel discussion on "Is GDPR a threat to Blockchain Innovation?" co-organised by Hong Kong Baptist University, International Association of Privacy Professionals and Institute of Financial Technologists of Asia (5 June 2019)

Privacy Commissioner Mr Stephen Wong delivered a presentation titled "Personal Data Protection in Hong Kong: the law and the system" for the 14th Advanced Programme for Chinese Senior Judges organised by the Centre for Judicial Education and Research of the City University of Hong Kong (24 May 2019)

Cathay Data Breach Incident - Personal data security & retention principles contravened - lax data governance (6 June 2019)

Hong Kong and Singapore sign MOU to strengthen cooperation in personal data protection (31 May 2019)

Hong Kong Lawyer June 2019 issue: Privacy issues of fingerprints scanning

More affordable and efficient fingerprinting hardware and applications are conducive to the wide adoption of fingerprints scanning for attendance record management and access control. In this article, the Privacy Commissioner Mr Stephen Wong discusses recent complaint cases processed by the PCPD to illustrate how organisations can adopt good practices to respect and protect consumers' personal data when using fingerprint scanners.

Guide to Data Protection by Design for ICT Systems

Jointly developed by the PCPD and Personal Data Protection Commission, Singapore, this Guide encourages organisations to pro-actively incorporate data protection considerations when developing ICT systems from the onset. It gives practical guidance on how to apply Data Protection by Design principles for all phases of software development and good data protection practices for ICT systems.

Practical Workshop on Data Protection Law (21 June 2019)

The numerous massive data breach incidents involving various sectors in 2018 once again reminded us of the importance of understanding the Personal Data (Privacy) Ordinance and the compliance with it. For those who are charged with the responsibility in advising on compliance with the Personal Data (Privacy) Ordinance, or simply would like to find out more about it, this is the workshop you should go for. Data Protection Principles, court cases such as Chan Yim Wah Wallace v New World First Ferry Services Limited [2015] HKEC 762 and recent Administrative Appeals Board cases would be discussed.

Professional Workshop on Data Protection in Insurance
(25 June 2019)

Insurance practitioners handle a large amount of customers' personal data in their daily work. The trainer would talk about what insurance practitioners should do to protect customers' personal data when providing insurance services. Core concepts of data protection compliance illustrated by specific scenarios such as collection of customers' medical data, engagement of private investigators in insurance claims and use of customers' data for internal training etc. will be examined.

The Hong Kong Institute of Bankers (HKIB) Annual Banking Conference 2019 (26 September 2019)

The HKIB Annual Banking Conference will focus on the most important digital innovations and policies adjustments in the banking industry ranging from the new national Greater Bay Area masterplan to the latest technological advancements affecting the industry from consumer to banking operations.

The PCPD is the supporting organisation of this Conference. Join the Conference at a special rate by using the early-bird discount for members of supporting organisations.

GDPR year one: three CPOs report back

Apart from large number of data breach notifications and stiff fines, what else has the GDPR brought to companies? Privacy officers of various companies share their perspectives.

Companies' stock value dropped 7.5% after data breaches

After analysing the top three breaches from the past three years, it has found that in the aftermath of a data breach, an average decrease of 7.5% in stock price was a notable repercussion identifiable for publicly traded companies. 

Five ways to create and implement more ethical AI

Artificial intelligence (AI) has opened up a world of possibilities for humanity, but it has also created new challenges to data privacy. Prioritising an ethical approach to AI is an important first step towards building the technology of the future.

Opinion: San Francisco was right to ban facial recognition. Surveillance is a real danger.

Civil rights advocates in US are right to be leery of the technology, given the country's history of political and racial surveillance. Facial recognition systems — like other surveillance technology before it — can disproportionately harm people already historically subject to profiling and abuse, including immigrants, people of colour and political activists etc.

Q: What is a data breach?

A: A data breach is generally taken to be a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use. It may amount to a contravention of Data Protection Principle 4 – security of personal data of the Personal Data (Privacy) Ordinance.

Q: How should a data breach be handled?

A: A data user shall take remedial actions to lessen the harm or damage that may be caused to the data subjects in a data breach. The following action plan is recommended for a data user's consideration:

• Immediate gathering of essential information relating to the breach
• Contacting the interested parties and adopting containment measures 
• Assessing the potential harm
• Considering the giving of data breach notification

Q: What is a data breach notification?

A: A data breach notification is a formal notification given by the data user to the data subjects affected and the relevant parties and regulators in a data breach, and is useful in:

• drawing the affected data subjects' attention to take proactive steps or measures to mitigate the potential harm or damage, for example, to protect their physical safety, reputation or financial position
• allowing the relevant authorities to undertake appropriate investigative or follow up actions consequent to the breach
• showing the data user's commitment to proper privacy management in adhering to the principles of transparency and accountability
• increasing public awareness, for example, in situations when public health or security is affected by the data breaches
  

Q: Is data breach notification mandatory under the Personal Data (Privacy) Ordinance?

A: No. But the PCPD encourages organisations to notify the PCPD and the affected people as soon as possible to minimise the potential harm.

Extended Reading:
Guidance on Data Breach Handling and the Giving of Breach Notifications

Data Protection Principle 3 - Use of personal data

A professional body improperly disclosed to its members the spent conviction of a person who was interested to enter the profession

The Complaint

After many years of his conviction of dishonest conduct, the complainant wrote to a professional body to enquire if he needed to disclose the spent conviction in his intended application for traineeship in that profession.

The law prohibits members of the professional body from knowingly employing a person convicted of an offence of dishonesty without the professional body's permission. To warn its members against employing the complainant without its prior permission, the professional body disclosed details of the complainant's conviction in a circular to its members.

The complainant complained to the PCPD against the professional body for contravention of Data Protection Principle 3 in disclosing his spent conviction to its members without his consent. Separately, he applied for a judicial review, alleging that the professional body's decision to publish his spent conviction was unlawful.

Outcome

The Court held in the judicial review that the publication of the circular disclosing the complainant's spent conviction was unlawful. As far as the complainant's case was concerned, he was simply exploring the possibilities of entering the profession by making enquiries on a matter of principle. There was nothing to show that the complainant was at the material time employed by any of the professional body's members. The Court considered that the complainant should be entitled to the protection under the Rehabilitation of Offenders Ordinance until his intention to join the profession goes beyond merely exploring possibilities.

The professional body complied with the Court decision by deleting the details of the complainant's conviction from the circular. Besides, upon the PCPD's advice on protection of personal data, the professional body, in similar circumstances in future, would only state that the person concerned was once convicted of "a criminal offence involving dishonesty". Any member of the professional body who finds a prospective employee mentioned in the circular may then contact the professional body for details of that person's conviction on a need-to-know basis.

Lesson Learnt
The public policy calls for equal opportunities for rehabilitated ex-offenders to avoid them from being labeled and to help them re-integrate into the community. In this case, the professional body might be keen to protect its members' interests. However, it failed to carefully assess the possible consequences of its actions and consequentially made an unintentional mistake. Such act of the professional body might deprive the complainant of the job opportunities he might deserve. If the professional body had considered upfront the reasonable expectation of the complainant and the possible consequences of its actions, the complaint could probably be avoided.

Be SMART Online Fan Page

Stay tuned for latest data protection issues, news and trends, by visiting PCPD's one-stop portal.

Self-training Module for SME

With real-life examples and interactive quiz, you can build your own privacy plan!

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.