Embed Size (px)
Citation preview
Education University of Hong Kong 19 January 2018
Introduction to the
Personal Data (Privacy) Ordinance
Personal Data (Privacy) Ordinance
• 1st comprehensive data protection law in Asia
• EU Directive 1995 : Member
states, when pursuing economic activities with other countries/ regions, shall consider whether there is any equivalent “personal information protection legal framework” in place locally
•
2
1) business perspective - to facilitate business environment, maintain Hong Kong as a financial and business hub
2) human rights perspective – to protect the privacy right of individuals
Legislative Intent
Personal Data (Privacy) Ordinance
• enacted in 1995 • core provisions came into effect on 20 December
1996 • Personal Data (Privacy) (Amendment) Ordinance
2012 effective from 1 October 2012 except for “direct marketing” and “legal assistance” provisions which took effect on 1 April 2013
Objective
• protect the privacy right of a “data subject” in respect of “personal data”
• general privacy issues are not protected
What is “Personal Data”?
“Personal data” (個人資料) means any data -
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the
individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is
practicable
“Data” (資料) means any representation of information
(including an expression of opinion) in any document
Examples of Personal Data
• name
• telephone number
• address
• identity card number
• date of birth
• occupation
• account information
• ……
Performance
Appraisal
Report
Who is the “Data Subject”?
• Data subject is a living individual who is the subject of the personal data concerned
• Under the Ordinance, a person who passed away is not a data subject
Who is the “Data User”?
• Data user is a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data
6 DPPs
• Core spirits of the Ordinance • Cover the whole lifecycle of personal data from
collection, retention, use, security to destruction • Data users must comply with the 6 DPPs
Principle 1 – Purpose & Manner of Collection
• must be related to the data user’s functions or activities
• data collected should be adequate but not excessive
• the means of collection must be lawful and fair
All practicable steps should be taken to notify data subjects of
the following:
a) the purposes of data collection;
b) the classes of persons to whom the data may be transferred;
c) whether it is obligatory or voluntary for the data subject to
supply the data;
d) where it is obligatory for the data subject to supply the data,
the consequences for him if he fails to supply the data; and
e) the name or job title and address to which access and
correction requests of personal data may be made.
Principle 1 – Purpose & Manner of Collection
ABC University
Undergraduate Admission
Personal Information Collection Statement
The personal data collected in this application form will be used by the ABC University for
selection for admission, award of entrance scholarships, and communications on admission-related matters.
Personal data marked with (*) on the application form are regarded as mandatory for
selection purposes. Failure to provide these data may influence the processing and outcome of your application.
It is our policy to retain the personal data of unsuccessful applicants for future admission
purpose for a period of six months. In case of application for admission to a programme jointly organised by the University and a partner institution, your personal data may be transferred to the partner institution concerned for the aforesaid purposes.
Under the Personal Data (Privacy) Ordinance, you have a right to request access to, and to
request correction of, your personal data in relation to your application. If you wish to exercise these rights, please complete our "Personal Data Access Form" and forward it to our Data Protection Officer by [contact details].
Example of PICS
Purpose Statement
Classes of transferees
Obligatory or optional to provide
data
Access & correction
right
design the layout of PICS (including font size, spacing and use of
appropriate highlights) in an easily readable manner
present PICS in a conspicuous manner, e.g. in a stand-alone notice
or section
use reader friendly language, e.g. simple words
provide further assistance to customers such as help desk or
enquiry service
should not state the purpose of use and class of transferees in
general and vague terms
Personal Information Collection Statement Practical Tips
“Guidance Note on Preparing
Personal Information
Collection Statement and
Privacy Policy Statement”
Principle 2(1) – Accuracy of Personal Data
• take all practicable steps to ensure the accuracy of personal data held by them
Principle 2(2) – Retention of Personal Data
• destroy data after the purpose of use is satisfied (i.e. reasonable time)
• adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data
Principle 3 – Use of Personal Data
• personal data shall not, without the prescribed consent of the data subject, be used for a new purpose
“New purpose” means any purpose other than the
purposes for which they were collected or directly related purposes
• Allow a “relevant person” to give prescribed consent for
the data subject under specified conditions
Principle 4 – Security of Personal Data
• take all practicable steps, to safeguard personal data against unauthorised or accidental access, processing, erasure, loss or use
• security in the storage, processing and transmission of data
• adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing
source: https://goo.gl/EKtTxl
source: https://goo.gl/eGb6zn
source: https://goo.gl/di5uvn
Data Breach
Data Breach Handling
Data Breach Handling
Data Breach Handling
Data Breach Handling
Data Breach Handling
Handling of Data Breaches & Compliance Investigations
Principle 5 – Information to be Generally Available (Transparency)
shall provide:
1) policies and practices in relation to handling of personal data
2) the kinds of personal data held
3) the main purposes for which personal data is used
Principle 6 – Access to Personal Data
• Data subject is entitled to request access to and correction of his personal data
• Data user shall respond within 40 days • Data user may charge a non-excessive fee
Use of Recording Devices and Disclosure of Data
• If no collection of personal data, the data protection principles (“DPPs”) would not be engaged at all
• Eastweek Publisher Limited and Another v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83
A magazine took pictures of the complainant while walking in the street, and published her picture with unflattering comments on her style of dress
Ribeiro JA: “It is, in my view, of the essence of the required act of personal data collection that the data user must thereby be compiling information about an identified person or about a person whom the data user intends or seeks to identify.
Collection of Personal Data
Any collection of personal data?
Installation of CCTV in a community centre which recorded the
complainant’s activities without his knowledge (AAB No. 5/2011)
Complainant’s neighbour's installation of CCTV which would possibly capture images of the
complainant and his family entering or leaving their premises
(AAB No. 50/2014)
Any collection of personal data?
Employer use CCTV to monitor and record the
attendance of their employees?
Record students’ performance during
placement for assessment
Case Sharing 1
Case:
• Two Complainants were dissatisfied that their employer had
invaded their privacy by collecting their personal data through the
covert recording device without their knowledge
• Two complainants were summarily dismissed by the employer on
the ground of unauthorised absences from duty
• Employer learnt from the images captured by the covert recording
device that the Complainants were respectively found to have
stayed for a long time in the staff changing room of the Estate
while they were on duty
Case Sharing 1 (Con’t)
• Explanation by the employer: the installation of the covert recording
device was for security purpose
• Privacy Commissioner’s finding:
• the real purpose was to monitor the performance of its
employees when they were on duty
• had contravened the requirements under DPP1(2) which
required the data must be collected by means which were lawful
and fair
• the seriousness of unauthorised absences from duty did not
justify the Company in conducting covert monitoring, which was
highly privacy intrusive
Case:
Data Leakage Incident on CCTV Footage
of a local university
• Purpose of circulating the screenshots:
– to find out if a certain banner was posted by the University’s students and if so, to provide counselling service
– the act of posting such a banner appeared to violate the General Code of Student Conduct to conduct further investigation
Case Sharing 2
• A security officer of the University’s security centre ascertained from campus CCTV footage that the banner was posted by two males
• Two screenshots were made on the security officer’s mobile and sent to a Whatsapp Group that consisted of the senior management of the University
• Some members of the Group forwarding the two screenshots to others
Case Sharing 2 (con’t)
• Installing of CCTV
– original purpose: for security reason
– current purpose: for disciplinary action
Any change of use of the CCTV footage?
• Exemption applied – S58: the personal data used for investigation and punishment of seriously
improper conduct was exempt from DPP3
• No contravention of DPP3
Case Sharing 2 (con’t)
Case Sharing 2 (con’t)
• Though there was no contravention of DPP3, the University failed to take reasonably practicable steps to safeguard the two persons’ personal data
• Contravened DPP4
• Remedial actions taken by the University:
– set out in the Group that members are required to maintain confidentiality
– devise CCTV monitoring policies and procedures
– devise detailed guidelines for the CCTV operating staff
where collection of personal data is involved, notification should be
given to the party concerned
footage and recordings should be deleted as soon as practicable once
the purpose of collection is fulfilled
footage and recordings can only be used for the purposes for which
they were collected or a direct related purpose
security measures should be in place to prevent unauthorised access
to the footage and recordings
make sure the policies and guidelines devised should be
communicated to and followed by relevant staff
compliance checks and audits have to be carried out regularly
Practical tips for the usage of recording devices
Guidance
www.pcpd.org.hk//english/resources_centre/publications/files/GN_CCTV_Drones_e.pdf
Direct Marketing Regulatory Regime • 2012 Ordinance review exercise
• New direct marketing regime came
into force on 1 April 2013
• Part 6A of the Ordinance, section 35A – 35M
• Direct marketing activities under the Ordinance include such activities made to specific persons by mail, fax, email and phone
Direct marketing does not include unsolicited electronic messages sent to:
Direct Marketing Regulatory Regime
Unsolicited Electronic Messages Ordinance
45
Provide “prescribed information” and response channel for data subjects to elect whether to give consent Notification must be easily understandable
Consent should be given explicitly and voluntarily “Consent” includes an indication of “no objection”
Intends to use or provide personal data to others for direct marketing
Provides personal data
Direct Marketing Requirements
Data User 資料使用者 Notification
通知
Data Subject 資料當事人
Consent 同意
46
Use of Personal Data in Direct Marketing Provide Personal Data to another person for Use in Direct Marketing
1. The data user intends to use the personal data of the data subject for direct marketing
1. The data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing
2. The data user may not so use the data unless the data user has received the data subject’s consent to the intended use
2. The data user may not so provide the data unless it has received the data subject’s written consent to the intended provision
3. The kinds of personal data to be used 3. The provision of the data is for gain (if it is to be so provided)
4. The classes of marketing subjects in relation to which the data is to be used
4. The kinds of personal data to be provided
5. The response channel 5. The classes of persons to which the data is to be provided
6. The classes of marketing subjects in relation to which the data is to be used
7. The response channel
Prescribed Information
“Consent” includes an “indication of no objection”
Return the signed form but did not check the box indicating objection = consent
Opt-out Right
• a data user must notify data subject of his opt-out right when using his personal data for the first time in direct marketing, irrespective of whether the personal data is obtained directly from him or from other sources
• a data subject may at any time request a data user to cease to use his/her personal data in direct marketing
• a data user must, without charge, cease to use the personal data concerned upon request
• there is no restriction as to the manner in which the data subject shall exercise his opt-out right
Direct Marketing Requirements
• must comply with the data subject’s opt-out request without charge [section 35G]
• criminal sanctions if data user fails to comply with requirements of notification, consent and opt-out requests
50
Maximum Fine (HK$)
Maximum Imprisonment
Non-Compliance 500,000 3 years
Non-Compliance if the personal data is provided to third party for its use in direct marketing in exchange for gain
1,000,000 5 years
Higher Penalties for Non-Compliance
Guidance
51
Offences
• Contravention of DPP is not an offence. The Commissioner may serve an
enforcement notice on the relevant data user directing the data user to
remedy the contravention.
• Non-compliance with an enforcement notice commits an offence and
carries a penalty of a fine at $50,000 and imprisonment of 2 years.
• Same infringement of the second time commits an offence and carries a
penalty of a fine at $50,000 and imprisonment of 2 years
• Repeated non-compliance with enforcement notice carries a penalty of
a fine at $100,000 and imprisonment of 2 years, in case of a continuing
offence, a daily fine of $2,000
• Section 64 provides that “A person commits an offence if the person discloses any personal data of a data subject which was obtained from a data user without the data user’s consent –
a) With an intent – 1) to obtain gain in money or other property, whether
for the benefit of the person or another person; or 2) to cause loss in money or other property to the data
subject; or b) the disclosure causes psychological harm to the data
subject. • Max penalty: a fine of $1,000,000 and 5 years’ imprisonment
Offences
Compensation
• New section 66B : Privacy Commissioner can grant
assistance to data subject in respect of these legal
proceedings (effective date will be on 1 April 2013 )
Code of Practice
• Identity Card Number and other Personal
Identifiers
• Human Resource Management
• Consumer Credit Data
Guidelines and leaflets
• Information Leaflet: An Overview of the Major
Provisions of the Personal Data (Privacy)
(Amendment) Ordinance 2012
• Information Leaflet: Outsourcing the Processing of
Personal Data to Data Processors
• Information Leaflet: Offence for disclosing personal
data obtained without consent from the data user
Guidelines and leaflets
• New Guidance on Direct Marketing
• Monitoring and Personal Data Privacy at Work
• Guidance on Collection and Use of Biometric Data
• Guidance on CCTV Surveillance and Use of Drones
• Guidance on Data Breach Handling and the Giving of
Breach Notification
• Guidance on the Use of Portable Storage Devices
• Guidance for Data User on the Collection and Use of
Personal Data through the Internet
• Guidance on Personal Data Erasure and
Anonymisation
• Proper Handling of Data Access Request and Charging
of Data Access Request Fee by Data Users
Guidelines and leaflets
Contact Us
Hotline - 2827 2827
Fax - 2877 7026
Website - www.pcpd.org.hk
E-mail - [email protected]
Address - 12/F, 248 Queen’s Road East, Wanchai, HK
![second supplemental ordinance [Ordinance]](https://img.pdfslide.us/doc/110x75/624f64d15eb5d005704c21d1/second-supplemental-ordinance-ordinance.jpg)
