
DPOC e-Newsletter


Privacy Commissioner Mr Stephen Wong met government officials from Qinghai Province (14 June 2019)

 

 

 

 
 

Privacy Commissioner Mr Stephen Wong delivered a presentation titled “Ethical Accountability Framework in Hong Kong” during the CFRED’s Seventh LegalTech Seminar “Governing Artificial Intelligence: Regional Approaches” (21 June 2019)

 
Download Presentation Material (English only)
 

Privacy Commissioner Mr Stephen Wong delivered a presentation titled “Privacy Issues in Digital Era and Data Ethics as the Solution” during the GSMA Policy Group Meeting (23 June 2019)

 
Download Presentation Material (English only)

Privacy: Not a Door for Bullying and Intimidation, Nor a Sword for Arbitrary Law Enforcement; Not a Shield for Unlawful Acts (23 June 2019)

 

Privacy Commissioner's Response to the Suspected Unauthorised Access to Hospital Authority's Accident and Emergency Information System (Chinese Version Only) (17 June 2019)

 

Respect Others’ Privacy and Public Interest While Having Freedom of Expression (14 June 2019)

 

Direct Marketing Offence Admitted: Beauty Product Company Fined HK$8,000 (18 June 2019)


 

 

Professional Workshop on Data Protection (July - Dec 2019)

 A new series of Professional Workshops on Data Protection (July - December 2019) is now open for enrolment!

Our workshops are specifically designed for various practitioners learning how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

 

 

Professional Workshop on Data Protection in Human Resource Management (17 July 2019)

Can an employer collect a photocopy of a job applicant's Hong Kong Identity Card? How long should a company keep the personal data of former employees? Can an employee obtain all the comments in his/her appraisal report? These are some of the frequently asked questions about the application of the Personal Data (Privacy) Ordinance on human resource management.

Tailor-made for human resource practitioners, this workshop will discuss common questions and good practices in handling personal data in human resource management.

 

 

Professional Workshop on Data Protection in Banking/Financial Services (22 July 2019)

This workshop is designed for banking and financial personnel who wish to acquire knowledge on the requirements under the Personal Data (Privacy) Ordinance in different aspects of the banking and financial services and the practical ways to deal with them effectively in their daily operation.

Highlights of Course Outline:

  • Code of Practice on Consumer Credit Data
  • Accuracy of customers' contact information
  • Outsourcing the processing of personal data
 

Professional Workshop on Recent Court and Administrative Appeals Board Decisions (30 July 2019)

This workshop examines some recent decisions of the Hong Kong Court and Administrative Appeals Board which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work. There will be in-depth discussion and up-to-date knowledge transferred to participants on the interpretation of commonly used provisions of the Personal Data (Privacy) Ordinance.

Highlights of Course Outline:

A thorough discussion of the following decisions made by the High Court of Hong Kong and the Board:

  • HKSAR v Hong Kong Broadband Network Limited (HCMA 624/2015)
  • HKSAR v Leung Chun-kit Brandon (HCMA 49/2016)
  • AAB 17/2015 and AAB 18/2016
  • AAB 42/2016
  • AAB 40/2016

Cyber-bullying – What you need to know

This leaflet provides examples of cyber-bullying to remind members of the public of the privacy and legal issues involved in cyber-bullying, and calls on Internet users to respect the privacy rights of others in the cyber world.

Protecting competition promotes privacy, antitrust chief says

In the U.S., protecting competition can have a positive effect on people's privacy and data protection. Two companies can compete to expand privacy protections for products or services, or for greater openness and free speech on platforms.
 

Your Facebook profile can indicate if you have a medical condition, a study finds

People's personality, mental state, and health behaviors are all reflected in social media and all have tremendous impact on health. The study identified language that likely indicated the characteristic behaviour or symptoms of certain diagnoses. For example, the words "drink", "drunk" and "bottle" would possibly be marked as indicating alcohol abuse.
 

Survey: Human error remains a top cause of data breaches among businesses

Human error is still the cause of many data breaches, according to the latest survey in the U.S. It revealed that, due to a lack of training, employees pay less attention to information security policies and procedures.
 

Senators want tech companies to put a price on your personal data

New legislation in the U.S. aims to make technology companies disclose the dollar value of personal data. Under the act, companies with more than 100 million monthly active users would have to file an annual report on the value of the user data they collected and any deals they have with third parties for that data.
 

AI experts call to curb mass surveillance

AI experts see the need to monitor AI applications, but regulation should come as broad guiding principles rather than specific rules laying out in detail what businesses and researchers can and cannot do.

Q: What are the legal requirements that a data user must comply with when collecting personal data directly from a data subject?

A: Data Protection Principle (DPP) 1(3) specifies that a data user, when collecting personal data directly from a data subject, must take all reasonably practicable steps to ensure that:

a. the data subject is explicitly or implicitly informed, on or before the collection of his personal data, of whether the supply of the personal data is voluntary or obligatory (if the latter is the case, the consequence for the individual if he does not supply the personal data); and

b. the data subject is explicitly informed:

  • on or before the collection of his personal data, of the purpose for which the personal data is to be used and the classes of persons to whom the personal data may be transferred; and
  • on or before the first use of the personal data, of the data subject’s rights to request access to and correction of the personal data, and the name (or job title) and address of the individual who is to handle any such request made to the data user.

Q: What are a Personal Information Collection Statement and a Privacy Policy Statement, and how are they different?

A: A Personal Information Collection Statement (PICS) (or its equivalent) is a statement given by a data user for the purpose of complying with the notification requirements under DPP1(3) of the Personal Data (Privacy) Ordinance. While the Ordinance does not require the notification to be given in writing, it is a good practice for the requisite information to be provided to the data subjects in writing in the interests of transparency and to avoid possible misunderstanding between the parties. 

A Privacy Policy Statement (PPS) (or its equivalent) is a general statement about a data user’s privacy policies and practices in relation to the personal data it handles. Although the Ordinance is silent about the format or presentation of a PPS, it is a good practice to have a PPS in written form to effectively communicate the data user’s data management policies and practices.

For the purpose of complying with DPP1(3), a PICS should be provided to a data subject by a data user on or before collecting personal data directly from that data subject.

On the other hand, in order to fulfil the requirements of openness and transparency under DPP5, a PPS is required AT ALL TIMES if a data user controls the collection, holding, processing or use of personal data. Typically the PPS covers a wider scope and, in addition to some of the core elements of the PICS, may include other privacy-related policies and practices such as data retention policy, data security measures, data breach handling, and the use of special tools such as cookies on websites.

Extended Reading:

Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement


Data Protection Principle 4 - Security of personal data

A law firm sent a letter about a data subject's private affairs to a general email address of the data subject's workplace, resulting in disclosing the letter to a third party

The Complaint

A law firm, acting on behalf of the complainant's husband, sent a letter regarding the complainant's divorce, which was underway, to a general email address of her workplace.

According to the law firm, it initially sent the letter to the complainant's personal email address but received no response. It subsequently sent the letter to the general email address of the complainant's office, which was obtained from the Internet. It clearly marked "Private and Confidential" in the subject heading of the email. Being unable to confirm other means of contact of the complainant from the information provided by her husband, the law firm had not contacted the complainant to ascertain whether she would personally check the emails received through the general email address of her office before sending the email to her. The law firm explained that it sent the letter to the complainant through the general email address of her office in the hope of getting her prompt response.

Outcome

If the law firm needed to send the letter containing intimate data to the general email address of the complainant's office, it should have ascertained in advance whether the complainant personally checked the emails received via that office email address, or sent the letter encrypted. The PCPD considered that the law firm had failed to take all practicable steps to ensure that the complainant's personal data was protected against unauthorised or accidental access, and hence was in breach of Data Protection Principle 4.

After the PCPD's intervention, the law firm undertook that when they had to deliver documents containing personal data or sensitive information to others under similar circumstances in future, they would communicate with the recipient in advance or encrypt the message.

 

Data Breach Notification


An online page with relevant guidance notes and functions for submitting data breach notifications to the PCPD.


 

Online Assessment Tool – Retail

How should the retail industry protect personal data privacy? Start testing yourself now!

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179




Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.