
PCPD News

Issue no. 29


Ms JoAnn Stonier
Executive Vice President, Chief Information Governance and Privacy Officer, MasterCard Worldwide, US

Mr Scott Taylor
Vice President and Chief Privacy Officer, Hewlett-Packard Company, US

Mr Malcolm Crompton
Moderator of the conference discussions; Managing Director of Information Integrity Solutions Pty Ltd

Information governance is the process of ensuring a consistent and comprehensive approach for the use and protection of the company’s information assets across all business initiatives, in order to create better efficiencies, practices and processes for data use.

The Information Governance Department at MasterCard is responsible for establishing a comprehensive process to improve data-driven decisions across the enterprise, balancing innovation, information, ethics, privacy and regulatory requirements, while meeting customer and market expectations.

For example, there was a global campaign involving the operation of more than 22 websites around the world that collected personal data for offer fulfilment and marketing purposes. There were several issues to address: the challenges of complying with different data protection regulations, the additional complexity of legal compliance in the case of cross-border promotions, and the desired uses of data being broader than the current scope of consent. MasterCard created a MasterCard ID to implement consistent data collection practices across all sites and enable users to manage their preferences through a centralised infrastructure. It is also able to recognise the cardholders’ country of origin and thus provide offers in a manner which is consistent with the privacy notice given and the consent the cardholders have given. The system will be used in the future to obtain additional consents from customers as the use of data evolves.

Effective data privacy management requires a fundamental shift from liability to accountability. This means that when decisions are made, they take into account the concurrent risks beyond strict liability using ethics- and value-based criteria. All employees in the organisation are accountable for the stewardship of the data under their charge.

Accountable organisations should have comprehensive programmes to assess and mitigate risk, implement compliance programmes, and continually evaluate the effectiveness of implementation. In addition, organisations should stand ready to demonstrate their privacy management capacity to both internal and external stakeholders and data subjects.

Personal information is the new asset class – the more you use it the more valuable it is. But what is the difference between privacy and security with regard to personal information? Security is about assuring the asset in your organisation is under your control. You must know where you obtain the information, and what you are going to do with it. Privacy of personal information assumes all of the above is achieved, plus the active exercise of control to ensure your organisation is handling the personal data responsibly. If you have only security, then your journey to privacy management has just begun.