This is the ninth annual report issued by the Office of the Privacy Commissioner
for Personal Data ("the PCPD") and covers the period from 1st
April 2004 to 31st March 2005.

Over the year the work of the PCPD has taken place against a backdrop of further
budgetary constraint. This has meant that we have had, once again, to
trim operational costs and look for new efficiencies. For example, our
Operations Division has not replaced a number of staff whose positions
fell vacant during the course of the year. As a direct consequence, those
working in the division have had to shoulder an increased caseload. That
particular situation has been compounded by the fact that the number of
complaint cases filed with the PCPD increased by nearly 4% when compared
with the previous year. Elsewhere, budgetary considerations have meant
that we have not been able to invest in certain strategies because of
funding limitations. This is illustrated in our Corporate Communications
Division where there is no longer the prospect of formulating campaigns
that involve costly media such as television or transport advertising.
However, we continue to examine new lower cost solutions that will be
effective in achieving our communications goals. For example, more recently
the PCPD has invested a greater proportion of the Corporate Communications
budget in multi-media e.g. online training seminars and interactive games,
as a way of enhancing the appeal of our website.

During the course of the year the management reviewed in detail the way
in which PCPD resources have been deployed. This exercise resulted
in the adoption of a more exacting approach towards major projects
to ensure that they contribute both in terms of output and outcome.
At the same time we have also managed to maintain the consistency
and quality of service we offer to the community, measured against
our service pledges. The fact that we have largely been able to
fulfil these obligations is a tribute to the professionalism of
the PCPD's staff. It is appropriate therefore to take this opportunity
to acknowledge their dedication and flexibility not just in terms
of their involvement in serving the personal data privacy interests
of the general public but increasingly, in terms of elevating the
profile of the PCPD in regional and international arenas. There can
be no doubt that the reporting year saw a significant commitment
to privacy initiatives at both levels and this has resulted in the
PCPD winning the respect of our colleagues in the global privacy
community.

As we move closer to the tenth anniversary of the PCPD's commencement
of operations we are heartened by the support we have received from
the community and the way in which that support has translated into
tangible privacy achievements. As we look to the future it is increasingly
evident that privacy and technology will be inextricably linked
in terms of the challenges technology creates for privacy. For many
in the privacy community technology remains a double-edged sword,
one that has a growing propensity to threaten personal data privacy.
Advances in technologies such as biometrics, radio frequency identification
[RFID] and the growing application of smart cards serve to remind
us that there is no room for complacency. We continue to remain
vigilant at the PCPD and strengthen our resolve to protect personal
data privacy rights.

We also intend to consolidate our involvement in international initiatives
because of the significance of the privacy issues they tend to address
e.g. inter-jurisdictional co-operative arrangements and transborder
data flows. That is, seeking to resolve those issues that arise
from circumstances in which personal data collected in Hong Kong
is transferred offshore for processing, marketing or account management
purposes. Indeed, the PCPD is currently an active player in an APEC
privacy project which has set itself the task of developing a Privacy
Framework. The purpose of the Framework is to permit the transfer
of data that is essential to conducting E-business while at the
same time guaranteeing a minimum level of protection for personal
data once transferred out of the jurisdiction in which it is collected.

For several years now the PCPD has invested resources in educating young
people about privacy and privacy-related issues. Previous programmes
directed towards this target audience have encompassed games, competitions,
amateur theatre productions etc. as a means of creating awareness.
These activities have proved to be very popular with children and
young people which is encouraging. If we can successfully capture
the imagination of primary school children, secondary school students
and young adults then they will attach value to privacy and internalize
that value, just as they have done with environmentalism and other
social issues. In this way the importance attached to privacy will
grow with them as they continue their education and development,
ultimately becoming the next generation of workers and employers
in Hong Kong.

A key feature of the strategies we have devised has been to involve
young people in thinking about everyday privacy issues, rather than
merely lecturing them on the subject. We have had a great deal of
success with two programmes in particular. The first of these is
called "Telling you my Secret" which is a privacy entertainment
show that targets primary school pupils. The show, which features
a celebrity presenter, has already been staged at 50 primary schools
in Hong Kong and we intend to stage it in more schools in the future.
The second programme is structured around a Privacy Protection Drama
Show that targets a general audience. The show is produced and performed
by members of the Artiste Training Alumni Association who have responded
with enthusiasm and creativity to the challenge of conjuring up
privacy scenarios and writing amusing scripts to illustrate privacy
issues.

It is also appropriate that mention be made in this Overview of the
progress we have made in terms of two related activities: Privacy
Impact Assessment and Privacy Compliance Auditing. During the course
of the year the PCPD appointed an Operations Division officer whose
principal task is to promote compliance among data users with the
provisions of the Personal Data (Privacy) Ordinance ("the Ordinance").
To facilitate the attainment of this objective, we have commenced
a major new initiative. This is designed to ensure, through self-assessment
procedures and independent audits, that data management practices
are compliant.

Our research indicates that the PCPD has been instrumental in raising
awareness levels among data users over the past eight years such
that many larger organizations and government departments are well
versed in the responsibilities placed upon them by the Ordinance.
However, the level of complaint cases we receive continues to grow,
with the majority of violations occurring among private sector data
users. The message that we are receiving is that it is necessary
for the PCPD to move to a higher level in terms of seeking material
improvements in compliance. Our strategy therefore is to supplement
existing efforts by marketing, and seeking to popularize, the related
concepts of Privacy Impact Assessment and Privacy Compliance Auditing.

At this point in time it would be fair to state that neither of these
concepts is well understood among the majority of data users. Privacy
Impact Assessment is an evaluative mechanism that has broad-based
applications in both the private and public sectors. Essentially
it is a systematic process that evaluates a project, proposal or
new policy in terms of its impact upon privacy. To be effective
Privacy Impact Assessment needs to be an integral part of any project
planning process, rather than a casual afterthought. It is that
mentality the PCPD will seek to encourage. Perhaps the best example
of a high profile Privacy Impact Assessment conducted in the public
sector in Hong Kong is that undertaken by the Immigration Department
prior to issuing the smart identity card.

In comparison, a Privacy Compliance Audit is a methodical and independent
assurance process that seeks to elicit and evaluate evidence in
order to verify whether the practices of a data user are carried
out in conformance with clearly stated privacy standards. In Hong
Kong those standards would probably be benchmarked against the Ordinance.
For example, a data user might conduct a Privacy Compliance Audit
to ascertain whether data management procedures within the organization
comply with the provisions of a Code of Practice issued by the PCPD,
or fall short of those standards. Where the latter turns out to
be the case the Privacy Compliance Audit will identify the deficiencies
and indicate how any variance between current practices and benchmark
practices may be eliminated.

This compliance initiative will commence with the PCPD issuing a set of
Guidance Notes on Privacy Impact Assessment and Privacy Compliance
Auditing as a means of informing data users, and the community more
generally, of the merits of engaging both techniques to enhance
privacy compliance. At this stage we feel that it would be appropriate
to target both data users and data subjects because the latter could
well influence the former in terms of adopting either of these assessment
techniques, notably in the public sector. Our intention is to concentrate
upon this sector initially because major government projects could
involve considerable quantities of personal data being collected
from a large proportion of the population e.g. the HKID smart card
and possibly electronic road pricing. Important public sector projects
would attract media attention and public debate which would facilitate
the diffusion process. The example of the public sector could then
be used to persuade the private sector to follow suit. Support for
Privacy Impact Assessment and Privacy Compliance Auditing is most
likely to occur where the PCPD can effectively demonstrate the benefits
to be derived from applying these techniques and by showing that
they outweigh the costs incurred. Indeed, a solid case can be made
out in financial terms by examining the costs of undertaking either
form of assessment and comparing them with the costs, financial
or otherwise, of not doing so.

The Outlook

Mention was made in the 2003-2004 Annual Report of the 'surveillance society'
i.e. the application of technologies that make the location and
movement of individuals instantly accessible to authorized, and
more alarmingly, unauthorized persons. We already live in what has
been termed the electronic "dossier society" in which
governments, agencies of government and private sector organizations
know more about the preferences, habits, attitudes and behaviours
of entire populations than they ever have in the past. It is realistic
to expect that trend to grow. Although it would be an exaggeration
to paint a doomsday scenario in terms of the erosion of personal
data privacy it is incumbent upon the PCPD to demonstrate the possibilities,
probabilities more accurately, and to convey these to the community.

The convergence between information and communications technologies
("ICT"), biometrics, enhanced GPS capabilities, location
monitoring, the profusion of public place surveillance cameras and
the like all point to a society in which the capacity to collect
more personal data, and by extension, know more about intimate details
of the individual, is no longer a piece of science fiction. Given
that the surveillance society knows no geographic boundaries, we
should join with colleagues in other jurisdictions and work with
international bodies to adopt common policy positions and protocols
that address the way in which personal data privacy may best be
protected against increasingly intrusive technologies.

In the year ahead we will therefore be working to strengthen our ties
with counterparts in other jurisdictions and continue to contribute
to privacy initiatives taken by organizations such as APEC. In an
increasingly interconnected world it is essential that the PCPD develops
good working relationships with colleagues in other jurisdictions
and that these efforts be supplemented by the Hong Kong SAR Government
working with other governments to build alliances that will ensure
that privacy rights are neither encroached upon nor diluted. Our
belief is that we are likely to accomplish more, at less cost, if
we work closely with those agencies entrusted with the protection
of privacy in other jurisdictions rather than seeking to strike
out on our own.

On the domestic front we remain committed to the values that have characterized
the PCPD to date: the provision of quality services to the community;
consolidating personal data privacy protection; and good working
relations with public and private sector organizations and the media.
In spite of the challenges that confront us as a small organization
we are confident that the PCPD will continue to develop privacy-enhancing
policies that serve the best interests of both data subjects and
data users.