Personal Data Privacy and the Internet - A Guide for Data Users
E-mails carrying personal data on the Internet
Organisations may give their employees access to the Internet for sending and receiving e-mails. Some of these e-mails may contain personal data. DPP4 requires that all practicable steps be taken to put in place measures for ensuring the integrity, prudence and competence of persons having control of and access to personal data. Section 65 of the Ordinance (which is set out at the end of this Guide) places liability on the employer for any act of its employees done in the course of employment that may have contravened a requirement of the Ordinance, unless the employer can prove that precautionary measures were taken to prevent the employee from doing that act. Adequate policies and procedures should therefore be put in place, and staff should be regularly reminded to comply with the requirements of the Ordinance. Areas in which guidelines are needed may include the following:
=> Set a policy on Internet e-mail communication. Not all personal data communicated via e-mail requires the same degree of security; the appropriate degree depends on the sensitivity and volume of the personal data communicated. Hence, a first step is to categorise the various kinds of personal data held by the organisation and the circumstances under which staff are allowed to transmit these data via Internet e-mail. Organisations should also consider restricting the sending of sensitive personal data to authorised personnel only, and implementing procedures to ensure that only authorised recipients have access to and custody of Internet e-mails containing sensitive personal data.
=> Consider the use of technological safeguards. If sending sensitive personal data by e-mail is permitted, a practical means of preventing unauthorised interception or access is to encrypt the data before sending. Where encryption is not possible, where incoming Internet e-mails contain unencrypted sensitive personal data, or where encrypted e-mails have been decrypted and read, care should be taken to ensure that the data are stored in a secure location. For example, an organisation that operates its own web server can automatically route incoming Internet e-mails to a pre-determined server directory or to confidential mailboxes that can only be accessed by authorised persons. An organisation that uses an Internet Service Provider (ISP) to host its web pages will have to depend on the ISP for security protection. In such a situation, the organisation should examine the measures the ISP has implemented to protect personal data, for example the availability of server software or hardware that provides adequate protection, before making a commitment to that ISP.
=> Promote a privacy-aware culture in the workplace. Every employee should be aware of the importance of respecting others' privacy rights, both as a moral obligation and as a legal requirement under the Ordinance. All personnel involved with personal data should be fully aware of and adequately trained in privacy protection procedures.
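The first two points above (a policy on who may send which categories of personal data, and technological safeguards such as encrypting before sending and filing incoming mail into an authorised-only location) can be enforced mechanically at a mail gateway. The following Python sketch is an added example written for this page, not code from the Guide or from any organisation's system. It assumes a constructed data inventory (SENSITIVITY), a constructed list of authorised senders, and a custom header, X-Personal-Data-Fields, by which the organisation's own systems declare what personal data a message carries; encryption is recognised from the standard PGP/MIME and S/MIME envelope types.

```python
"""Constructed e-mail policy checks: classify personal data, gate outbound sending,
and file inbound mail into an authorised-only directory (example code, not the Guide's)."""
import email
import email.utils
import os
import re
import tempfile
from email.policy import default

# Assumed data inventory: field name -> sensitivity category (constructed values).
SENSITIVITY = {"name": "ordinary", "work_phone": "ordinary",
               "hkid": "sensitive", "medical_record": "sensitive", "bank_account": "sensitive"}
# Assumed set of staff authorised to transmit sensitive personal data by Internet e-mail.
AUTHORISED_SENDERS = {"hr-manager@example.org"}
# Assumed custom header with which internal systems declare the fields a message carries.
FIELDS_HEADER = "X-Personal-Data-Fields"


def parse_fields(msg):
    return [f.strip().lower() for f in (msg.get(FIELDS_HEADER) or "").split(",") if f.strip()]


def classify(fields):
    """Highest sensitivity among the declared fields; unknown fields fail closed as sensitive."""
    if not fields:
        return "none"
    if any(SENSITIVITY.get(f, "sensitive") == "sensitive" for f in fields):
        return "sensitive"
    return "ordinary"


def is_encrypted(msg):
    """True for a PGP/MIME (RFC 3156) or S/MIME enveloped-data (RFC 8551) message."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    return ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data"


def decide_outbound(raw):
    """Policy: ordinary data may go as-is; sensitive data only from authorised staff, only encrypted."""
    msg = email.message_from_string(raw, policy=default)
    if classify(parse_fields(msg)) != "sensitive":
        return "allow"
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender not in AUTHORISED_SENDERS:
        return "block: sender not authorised to send sensitive personal data"
    if not is_encrypted(msg):
        return "block: sensitive personal data must be encrypted before sending"
    return "allow"


def store_inbound(raw, base_dir):
    """File an incoming message into a confidential (owner-only) or general mailbox directory."""
    msg = email.message_from_string(raw, policy=default)
    box = "confidential" if classify(parse_fields(msg)) == "sensitive" else "general"
    target = os.path.join(base_dir, box)
    os.makedirs(target, exist_ok=True)
    os.chmod(target, 0o700 if box == "confidential" else 0o750)  # confidential: owner only
    safe_id = re.sub(r"[^A-Za-z0-9._-]", "_", (msg.get("Message-ID") or "no-id").strip("<>"))
    path = os.path.join(target, safe_id + ".eml")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # file readable by owner only
    with os.fdopen(fd, "w") as fh:
        fh.write(raw)
    return box, path


# Constructed sample messages (no real personal data).
UNENCRYPTED_SENSITIVE = """From: clerk@example.org
To: partner@example.net
Subject: staff record
Message-ID: <abc123@example.org>
X-Personal-Data-Fields: name, hkid
Content-Type: text/plain

(personal data would be here)
"""
ENCRYPTED_SENSITIVE = """From: hr-manager@example.org
To: partner@example.net
Subject: staff record
Message-ID: <def456@example.org>
X-Personal-Data-Fields: name, hkid
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""


def run_demo():
    """Exercise the policy on the constructed messages and return the decisions taken."""
    results = {
        "unauthorised_sender": decide_outbound(UNENCRYPTED_SENSITIVE),
        "unencrypted": decide_outbound(UNENCRYPTED_SENSITIVE.replace("clerk@", "hr-manager@")),
        "encrypted": decide_outbound(ENCRYPTED_SENSITIVE),
        "ordinary": decide_outbound(UNENCRYPTED_SENSITIVE.replace("name, hkid", "name, work_phone")),
    }
    with tempfile.TemporaryDirectory() as tmp:
        box, path = store_inbound(UNENCRYPTED_SENSITIVE, tmp)
        results["inbound_box"] = box
        results["inbound_dir_mode"] = os.stat(os.path.dirname(path)).st_mode & 0o777
        results["inbound_file_mode"] = os.stat(path).st_mode & 0o777
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The ordering of the outbound checks mirrors the Guide: authorisation of the sender is decided before the encryption requirement, and any field absent from the inventory is treated as sensitive so that an incomplete categorisation does not silently permit a send. The directory and file modes stand in for the "confidential mailboxes that can only be accessed by authorised persons"; on a shared server the owning account would be the one authorised to read that mail.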