PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data,
Hong Kong)
August 2000 Issue No.4
2000 Opinion Survey Results Released
The PCPD's annual opinion survey on attitudes towards and the implementation
of the Personal Data (Privacy) Ordinance has recently been completed.
The survey was conducted by the Social Sciences Research Centre of the
University of Hong Kong.
The survey was the fourth annual opinion survey commissioned by the PCPD.
It was aimed at providing the PCPD with information on public attitudes
towards privacy issues and organizations' compliance with the Ordinance
to assist the PCPD in setting priorities in its work ahead. The survey
consisted of two parts: a telephone survey of 1,569 individuals and a
questionnaire survey of 485 organizations.
One subject of particular concern to the PCPD was the increasing use by employers
in Hong Kong of surveillance facilities to monitor their employees in
the workplace, and a set of questions in this area was included in the
survey of organizations. The survey found that 64% of the respondent organisations
had installed at least one type of surveillance facilities in the workplace,
which included closed circuit TV (48%) and devices for monitoring employees'
computer use (27%), web-browsing (23%), phone (22%) and e-mail (21%).
However, only 18% of these organizations had formulated a written policy
on such activities.
The PCPD is of the view that organizations operating surveillance facilities
in their workplace should have a written policy on such activities and
should communicate it to their staff. To give practical and more detailed
guidance to employers operating surveillance facilities in the workplace,
the PCPD plans to issue a code of practice in this area, a draft of which
is expected to be released for public consultation next year.
The survey also found that the percentage of organizations which considered
that the Ordinance would have long term benefits to an organization continued
to increase. Such benefits included improvements in customer and employee
relations, data management and the public image of an organization.
With respect to the survey of the general public, similar to the surveys in
the past three years, privacy, as a social policy issue, was given an
average rating of 7.6 out of 10 in terms of importance. Privacy was considered
as less important than air pollution and employment, roughly the same
as food hygiene, but more important than health services, care for the
elderly and sex discrimination.
As regards the use of the Internet,
the survey found that 44% of the respondents had made use of the Internet
for personal purposes, out of which 52% gave a rating of 8 or more on
a scale of 0 to 10 to indicate their concern on privacy with respect to
purchasing on the Internet. The most important causes of concern were
"money loss due to interception of your credit card number" (84%), "misuse
of personal data by third parties" (72%) and "little knowledge about the
background of the sellers on the Internet" (55%).
In addition, among those respondents using the Internet for personal purposes, 85%
of them objected to receiving unsolicited commercial e-mails (spams).
This percentage nearly doubled the corresponding percentage (43%) in the
1999 survey. Most of the respondents (60%) considered that such e-mails
wasted their time and some (25%) were not happy that their e-mail address
was being used without their consent.
Taking of photographs by a magazine
The complainant complained to the Privacy Commissioner that, when she was
walking in the streets on a certain day, her photograph was taken by a
photographer acting for a magazine, without her knowledge or consent.
The photograph was subsequently published in the magazine, accompanied
by unflattering comments on her dress style. The matter caused embarrassment
and inconvenience to the complainant among her clients and colleagues.
After an investigation of the case, the Commissioner decided that the magazine
contravened data protection principle 1 of the Ordinance as the personal
data of the complainant in her photograph were collected through unfair
means. The magazine subsequently lodged an application to the Court of
First Instance for an order of certiorari quashing the Commissioner's
decision. The trial judge upheld the Commissioner's decision, but mentioned
in his judgment his serious doubt about whether the photograph in question
amounted to the complainant's personal data. The magazine appealed. The
Court of Appeal reversed by 2 to 1 the decision in the Court of First
Instance, and quashed the Privacy Commissioner's finding of contravention.
Summary of the Court of Appeal's decision:
- While a photograph of an individual may constitute the personal data
of that individual, in order for the taking of that photograph to amount
to the collection of personal data, certain other elements must be present.
- Specifically, the Court of Appeal said: "It is ... of the essence of
an act of personal data collection that the data user must thereby be
compiling information about an identified person or about a person whom
the data user intends to or seeks to identify."
- In this case, the magazine did not know and was not in the least interested
in the identity of the complainant. On that basis, the magazine did
not collect the personal data of the complainant and data protection
principle 1 was therefore not engaged at all.
- The Court of Appeal drew a distinction between a person's so-called
"information privacy", as opposed to the person's "personal privacy"
(i.e. his rights against all forms of intrusion into his private sphere).
Only the former is protected under the Personal Data (Privacy) Ordinance,
whereas the facts of this case fall under the latter.
- The Court of Appeal also made it clear that in some situations, the
taking of photographs by the press would amount to the collection of
personal data. For example, where a newspaper compiles a dossier about
a known individual which includes photographs from which he or she may
be identified, such photographs will constitute his/her personal data
collected by the newspaper.
The Commissioner decided to accept the Court of Appeal's decision and subsequently
amended its complaint handling policy to take into account the decision.

Personal Data Privacy and E-commerce
The advent of the Internet as a global medium has brought phenomenal growth, with
millions of users logging on for information, communications
and electronic commerce. However, accompanying this novel phenomenon are
significant issues of consumer trust and confidence in doing business
on the Internet. Consumers are concerned with the suppliers' identity,
integrity of information, validity of electronic contracts, as well as
data privacy and security. Such trust and confidence issues significantly
hinder electronic commerce from reaching its promised
potential.
In Hong Kong, personal data are legally protected by the Personal Data (Privacy)
Ordinance ("the Ordinance"). From the perspective of compliance in cyberspace
activities with the Ordinance, our office adopts a basic premise that:
"What is illegal off-line is also illegal on-line".
Below are some typical examples of possible infringement
of the Ordinance in Internet activities:
- No personal information collection (PIC) statement
with on-line data collection by web sites.
If a web site collects personal data on-line, e.g. membership enrolment
or a business transaction, the data collection form should be accompanied
by a statement stating the purpose for such data collection.
- No display of data privacy policy statement with
web sites. Given
that there would be very little if any face-to-face contact with consumers,
it is recommended that a data privacy policy statement be displayed
on web sites which collect personal data.
- Data collection without consent. Cookies, a
technological tool used by web sites to track consumer visits for marketing
purposes, could be collecting personal data. The use of cookies without
the consumer's knowledge or consent could be regarded as an unfair collection.
- Collecting personal data from children. Some
web sites targeting children's patronage collect data from minors for
a variety of purposes. A process with which data are collected from
children but without parental involvement could be regarded as unfair.
- Security of data held in web sites. Personal
data collected should be kept secure from unauthorized or accidental
access, use or disclosure, by appropriate and adequate security measures.
A typical consumer concern is related to his credit card information.
- Spamming. Unsolicited direct marketing e-mails
should have an "opt-out" clause which allows the recipient to notify
the direct marketing company to stop sending further similar e-mails. The
absence of an "opt-out" clause is an offence under the Ordinance, and
sending further direct marketing e-mail subsequent to an opt-out request
is also an offence.
It is the Government policy to establish Hong Kong as an information society
and a global player in electronic commerce. Apart from building our physical
and business infrastructure,
ensuring trust and confidence of our consumers would enhance our effective
reach for this goal. Complementing the regulatory requirements of the
Ordinance, the PCPD is working with various parties to implement self-regulatory
initiatives pertinent to the protection of data privacy. It has been working
closely with the Hong Kong Society of Accountants with its launch of the
WEBTRUST seal in 2000 for local web sites, the display of which at a web
site provides assurance to consumers of its compliance with a set of auditable
principles and procedures which protect consumers' interests including
data privacy. The PCPD has also worked with the Hong Kong Internet Service
Providers Association (HKISPA) and the Office of the Telecommunications
Authority (OFTA) on the development of a Spamming Code of Practice for
compliance by the ISPs in Hong Kong to reduce the amount of spamming activities
which are regarded by many as nuisance and privacy intrusive. Through
the active promotion of the requirements of the data protection principles
and the Ordinance for incorporation into the implementation plans for
electronic businesses and services, consumers are encouraged to embrace
the new economy with confidence and trust.


I am a customer of the mobile services of a telecommunications company. I received
a discount card from the company and was entitled to purchase a new mobile
phone at a discount price. When I presented the card to a branch office,
a staff member requested to make a photocopy of my identity card. I
indicated that, as his company's customer, I had already provided a copy of my
identity card when I applied for the company's services. The staff member,
however, insisted on photocopying my identity card, claiming that it was
required under his company's policy. Can the staff member in this situation
collect a copy of my identity card?

Data Protection Principle 1 of the Ordinance requires that personal data collected
by data users shall be adequate but not excessive in relation to the purpose
of collection. The PCPD has also issued a "Code of Practice on the Identity
Card Number and other Personal Identifiers", governing the collection
of ID card numbers and copies of ID cards. Collection of a copy of the
ID card in the above case does not fall within the circumstances in which
the collection of copies of ID cards is permitted under the Code. The
staff member, therefore, should not photocopy your identity card.

I hold a savings account in a bank. Recently, the bank issued a newly-designed
account passbook to me, in which my full name, identity card number and
specimen signature were displayed clearly. Does the practice of the bank
contravene the Ordinance?

Data Protection Principle 4 of the Ordinance requires that all reasonably practicable
steps should be taken by a data user to ensure that personal data held
by the data user are protected against unauthorized or accidental access,
processing, erasure or other use. However, a bank account passbook is
kept by the bank account holder himself and the bank merely provides the
customer with his own personal data. There is no contravention of Data
Protection Principle 4 of the Ordinance.

Code of Practice on Human Resources Management (HRM) to be issued soon
The PCPD will issue in September 2000 the Code of Practice on Human Resources
Management for the protection of personal data privacy in relation to
HRM practices. The Code will govern the collection, retention, use, security
and other aspects of handling of personal data by HRM practitioners. Having
considered the comments received during the public consultation period
from September to December 1999, the PCPD has decided that the Code will
apply to all employers irrespective of size. Another key issue in the
Code is the retention of personal data by employers. As distinct from
the draft Code which set different retention periods for various classes
of personal data, current consideration is leaning towards the retention
periods for personal data being simplified with two major categories:
(i) in general, employers should be permitted to retain the personal data
of unsuccessful job applicants no longer than 2 years after the rejection
of the candidates; and (ii) unless there are other legal requirements,
or there is a subsisting purpose for so doing, personal data of former
employees should not be retained by employers for a period of longer than
7 years.
PCPD issued guidance on electioneering activities
On 10 June, Mr Tony Lam, Deputy Privacy Commissioner for Personal Data, attended
the "Briefing Session for Candidates of the 2000 Legislative Council Election
Committee Subsector Elections" organized by the Electoral Affairs Commission
to brief candidates of the 2000 Legco Election on the collection and use
of personal data of prospective voters for electioneering purposes. The
PCPD also issued a guidance note: "Guidance on Electioneering Activities",
which can be found on the PCPD web site at www.pcpd.org.hk.
PCPD issued guidance notes to telecommunication companies
Since the commencement of the Ordinance in December 1996 up to June 2000, among
the complaints received by the PCPD, 157 cases were against telecommunication
companies. The industry ranks second after the financial sector in terms
of the number of complaints received by the PCPD. The majority of the
complaints are against mobile phone service operators. To reflect its
concern to the industry, the PCPD met with representatives of the Telecom
Association of Hong Kong and major industry players in July 2000. In addition,
the PCPD also issued guidance notes to mobile phone service operators
to assist them in complying with the requirements of the Ordinance. The
guidance notes can be found on the PCPD web site at
www.pcpd.org.hk.
Resources provided by the PCPD:
- A series of four TV docu-drama episodes co-produced
by the PCPD and the Radio Television of Hong Kong (RTHK) were broadcast
in May to June 2000. The episodes portray scenarios of the application
of the Ordinance to common situations in our everyday life. Video tapes
of the TV series in Cantonese are available on loan from the PCPD.
- The PCPD established the Data Protection Officers'
Club in February 2000. The aim of the Club is to provide a channel for
the PCPD to effectively communicate its views to organizations and to
receive feedback from organizations on the implementation of the Ordinance.
Individuals who are involved with implementing and co-ordinating compliance
measures with the Ordinance within their organizations are welcome to
join the club.
- The PCPD organizes for the public introductory seminars
on the Ordinance twice every month. Tailored seminars for individual
organizations can also be arranged upon request. Please call 2827 2827
or visit the PCPD web site at www.pcpd.org.hk
for more details of the above items.