Privacy Commissioner's Overview

" Today, data privacy has become a vital element in many social issues and corporate governance. It reflects not only the higher level of awareness but also the higher level of expectation of privacy rights as an established human right in our community. "

Without any fanfare, my Office celebrated its 10th anniversary this year. We are unique in Asia, since there is no other independent regulatory body protecting individuals' privacy in relation to personal data collected and used in the private as well as the public sectors. It is imperative for me to liaise with and be part of the international gathering of privacy and information commissioners. It is only by remaining an active player in the international and regional level of commissioners that my Office can keep abreast of developments in personal data protection work in different parts of the world.

It was therefore with great pleasure that I hosted the 26th Asia Pacific Privacy Authorities (APPA) Forum in Hong Kong in November 2006. Membership of this Forum during the reporting year included the privacy authorities in New Zealand, Australia, various Australian states and South Korea. Canada and the state of British Columbia are new members.

Hong Kong is a member economy in the Asia Pacific Economic Co-operation (APEC) which aims to sustain the economic growth of the region. In recent years, there is a growing realization within APEC that member economies will benefit from the development and use of electronic commerce. Accordingly the Electronic Commerce Steering Group (ECSG) was set up. E-commerce cannot hope to prosper unless personal data can be secured and for this reason, a Data Privacy Subgroup was formed under ECSG. The Hong Kong Government considers that this Office is best equipped to represent Hong Kong in this Subgroup and has asked that successive Commissioners to be its representative. My predecessor and I have contributed to the formulation of a set of data privacy framework which has now been endorsed by the ministers of the various member economies in APEC. There is still a lot of work to be done in creating legal, regulatory and policy environments in the APEC region that are predictable, transparent and consistent. The ultimate goal should be consistent with this Office's functions and responsibilities in protecting personal data, particularly when they are transported across borders. It is without doubt that the success of the Data Privacy Subgroup will eventually contribute to the e-commerce and the economic growth of Hong Kong and other member economies in APEC.

It is all too apparent that online data leakage is on the rise. In 2006, my Office handled a record number of cases involving such leakages. Following the Independent Police Complaints Council (IPCC) incident where personal data of some 20,000 citizens who had lodged complaints against police officers were leaked, my Office decided to launch an "Information Security Enhancement Campaign" with the co-operation of three substantial IT professional organizations, viz. Information Systems Audit and Control Association (HK Chapter) ("the ISACA"), Internet Professional Association ("the iProA"), Hong Kong Institute of Engineers ("the HKIE"). The campaign's objective was to promote data privacy awareness among IT professional. The campaign included a large-scale public seminar which was exceedingly well attended by experts from IT security bodies, government departments, financial institutes, and telecommunication companies.

My Office is convinced that more practical assistance should be given to specific industries which by the nature of their work handle a large quantity of personal data. In so doing, we can give practical guidance which has realistic application to the practitioners in such industries. We picked the hotel industry first even though it has hitherto enjoyed a very good reputation. From year to year, Hong Kong hotels handled vast quantities of visitors' personal data, not to mention their staff's. The campaign was also intended to enhance the good name of Hong Kong as a popular tourist destination. In our effort to wage a successful campaign, we were fortunate enough to secure the staunch support and co-operation of the Hong Kong Hotels Association. The Campaign received overwhelming responses and over a period of 6 months more than 44 hotels took part in the activities organized by this Office. While I intend to organize more campaigns with other selected industries, the education of the younger generation has not been overlooked. I am confident that our two-prong approach will prove to be highly successful and cost-effective.

My predecessors had considered the publication of a book detailing our regulatory experience and the stance of the Privacy Commissioner in applying the six Data Protection Principles of the Personal Data (Privacy) Ordinance. Notwithstanding the fact that the Commissioner is not empowered under the Ordinance to give definitive interpretation of the provisions of the Ordinance, I decided that there were obvious benefits in the Commissioner stating openly the criteria, principles and circumstances in which his Office has applied the provisions of the Ordinance. I proceeded cautiously and before the text was finalized, I sent the draft manuscript to selected academics, legal professionals, organizations and institutions for their comments. I am grateful for the time and helpful suggestions many of them had kindly given me. "Data Protection Principles in the Personal Data (Privacy) Ordinance - from the Privacy Commissioner's perspective" is the only book of its kind in Hong Kong and has been well received. This book is a joint effort of members of the staff of my Office, past and present, and without their research, writing and preparation, the publication of this book would not have been possible. A debt of gratitude is owed to them.

I note that in the year under review, while the number of enquiries had remained constant, there had been a noticeable increase in the number of complaints received. Even as we examined the content of the enquiries, they were much more sophisticated than before. We also received and entertained from the public sector many enquiries of some complex nature. I am glad my Office was able to provide assistance to them in a timely fashion because normally government departments and government-related organizations would consult government lawyers instead of an independent body in relation to legal issues.

Last year there were 3 successful convictions of offences under the Ordinance. The penalties demonstrated that the Court would not tolerate any malpractice on the part of data users in handling personal data. Still, I am inclined to take a more proactive approach to prevent rather than cure the problems. To ensure compliance of the law among organizations, in particular those who manage large quantities of personal data, I consider the implementation of the Data User Registration Scheme. This Scheme is provided for in Part IV of the Ordinance but so far has not been put into operation. Under the Scheme, data users are required to submit the types of personal data they hold and the purposes for which they are held. A more transparent system in making such information available on a central register to which the public has access will bring benefits to society as a whole. I hope the proposal to kick start this Part of the Ordinance can be tabled and discussed at the Legislative Council in good time.

In the past decade, Hong Kong has experienced many unprecedented economic and social changes that impact upon our life considerably. This rapidly evolving landscape has also put the Personal Data (Privacy) Ordinance to a test. Today, data privacy has become a vital element in many social issues and corporate governance. It reflects not only the higher level of awareness but also the higher level of expectation of privacy rights as an established human right in our community.

With the aid of technological advancement, the use of biometric identification systems e.g. fingerprint scanner is prevailing in schools and workplaces, which has begun to generate debates and raised privacy concerns. In discharging my investigatory role in an impartial manner, I caution myself not to have any bias or prejudice regarding any form of new technology. I intend to keep a firm hand on privacy protections measures which data users are required by law to take. These should include the consideration of adopting privacy impact assessments, less privacy intrusive alternatives which are equally effective, options made available to data subjects, consent of data subjects and adequate security measures.

Having been in force for over ten years, the Ordinance needs to be reviewed since the subject matters of "personal data", "privacy" and related issues are still in an evolutionary stage around the globe. Our internal working group formed in 2006 has undertaken a comprehensive review of the Ordinance to ensure that our ultimate proposals are capable of updating the law in coping with the protection of personal data privacy right in the 21st Century and can meet the heightened public expectations. The work is in its final stages. It is my hope that the public will be generous in giving its considered responses during the course of the public consultation which should take place before long.

Roderick B. Woo
Privacy Commissioner for Personal Data, Hong Kong