PCPD Newsletter provides guidance on good data protection practices to organizations.

PCPD Newsletter (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
December 2003 Issue No.12

PCPD NEWSLETTER
 

Implementation of Privacy Act in Victoria, Australia

In Australia, roughly one-quarter of the population lives in the state of Victoria. That equals about 5 million people, 70 per cent of whom are residents of Melbourne, the capital city.

Beginning September 1, 2002, Victorians have been able to make privacy complaints under the Information Privacy Act. Since then, the Office of the Victorian Privacy Commissioner, based in Melbourne, has received an average of about 280 enquiries a month.

Mr. David Taylor (right) and Privacy Commissioner Mr. Raymond Tang at PCPD.

"Australia and Hong Kong have much in common. But chief among them is the growing public awareness of individual privacy rights," David Taylor, the director of privacy awareness of the Office, known as Privacy Victoria, said.

According to Taylor, the development of privacy rights among Australians started with the Federal Privacy Act, which covered the civil service, such as the tax office, national-health service, social welfare and foreign affairs, since 1988. After December 21, 2001, the legislation was extended to private companies with annual turnover of over A$3 million. A year later, those companies with turnover of less than A$3 million a year that used personal information for their business were required to comply with the Act as well.

Taylor, who has been with Privacy Victoria for 18 months, said that, while the legislation has led to an increase in the number of complaints, a number of important developments also contributed to the boost in public awareness. In Australia, for example, a number of private companies operate tenancy databases. They collect information about "bad tenants" - people who have defaulted on rent payments or left a property in bad condition. Real estate agents and landlords check these databases first to find out whether prospective tenants are amongst those included in the database.

"Of course, there is pressure to get off the database because it can be difficult to find a place to rent if your name is on it. Some renters complain there is not much of an effort to ensure the accuracy of information," he said.

Another privacy development was the installation of cameras in taxis. The aim was to protect taxi drivers against theft as well as to prevent cases of assault on female passengers. Privacy Victoria has consulted with the government to ensure that only authorized people could access the data collected by the cameras and that the data should be destroyed when no longer required.

One of the more controversial privacy issues was the ongoing debate over a national identity card, known as the Australia Card. "In the mid-1980s, we were thinking about an Australia Card but people did not want it. After the events of September 11, there were voices calling for an identity card but it was politically difficult for the government. Hong Kong's Smart ID card is different because the culture is different," he said.

Taylor also commended Hong Kong for the implementation of the Code of Practice on Consumer Credit Data, which, he pointed out, "is a good mechanism for protecting privacy. It offers banks as well as the government a benchmark for compliance".

As for his own work in promoting privacy awareness in Australia, Taylor said that Privacy Victoria set up a Privacy Victoria Network having learned of the success of the Data Protection Officers' Club in Hong Kong. The network now has about 150 privacy officers and meets three times a year.

Privacy Victoria has been particularly active in sponsorships. Two high-profile, although somewhat unusual, sponsorships last year were Melbourne Spring Fashion Week and the Big Day Out music festival. Privacy Victoria sponsored a swimwear show during the fashion week to highlight the kinds of personal information that were gathered when people shopped. The event promoted greater awareness of the need to keep this information private, Taylor explained.

Platypus - a shy and discreet creature. It's a natural symbol for the idea of privacy in Australia.

The annual Big Day Out music festival attracts some 45,000 young people to Melbourne. This year, Privacy Victoria sponsored the portable toilets, which featured messages about privacy.

Other sponsored events included the partnership with Tennis Victoria. Privacy Victoria gave its support to tennis carnivals throughout the state and participated in a Play Tennis Day. There were also sponsorship agreements with both the Men and Women Lawn Bowls Associations to provide them with about 500,000 scorecards and additional publicity about privacy.

Australia's most unique animal, the platypus, has also come under Privacy Victoria's sponsorship. At the Royal Melbourne Zoo, information signs were placed at the platypus house and the image of the animal is also used in materials for publicizing privacy awareness to children.

Privacy Victoria is currently conducting a survey amongst secondary school students to gauge their understanding of privacy issues and will compare the results with those of the youth privacy survey conducted by the Hong Kong Federation of Youth Groups and the Office of the Privacy Commissioner for Personal Data in 2002.

 
 

E-Learning Module and Online Assessment by Cathay Pacific Airways Limited

It is easy to forget about the importance of protecting personal information when you are flying at 30,000 feet above the ground. But airlines constantly generate detailed passenger lists and flight information that contains a lot of personal data. Simply throwing them away in the trash is not enough to ensure that the information is protected and not misused. In fact, the proper way to dispose of these lists is to put them in an envelope and send them back to the head office where they are destroyed properly and safely.

At Cathay Pacific Airways Limited, getting this message across to its roughly 11,000 employees could be a mammoth undertaking. But, thanks to a little ingenuity, Hong Kong's flagship carrier has made learning about the practical applications of the Personal Data (Privacy) Ordinance in the workplace both fun and interactive.

According to Jenny Got, a business trainee at Cathay's personnel department, an e-learning module was launched in March to facilitate the online training and testing of all staff in their understanding of the requirements of data protection.

The launch was kicked off with a month-long privacy campaign featuring three roadshows at the airport in Chek Lap Kok. Posters, publicity material and informative pamphlets were put on display and souvenirs were distributed for staff to learn more about the Ordinance and a lucky draw was held to boost staff awareness of the need to protect personal data. By the end of June, about 10,000 staff had already passed the testing of the module but the original deadline of mid-July has been extended to accommodate those who were on leave.

"Cathay came up with the idea for the e-learning module based on its own internal privacy policies and manuals but we did refer to the Ordinance," Got said.

Staff visiting the web site can choose from four different interactive learning modules depending on the kind of access they have to people's personal information. One module is designed for cockpit and cabin crew, another for employees with access to customer data, one for those with access to employment-related data and another one for managers/supervisors who can access both customer and employment-related data.

"Cathay has designed personal information learning modules with different questions depending on the area of work of the staff. This is a cost-effective method as it differentiates among different types of employees. Staff only need to take it once but, in future, there may be regular updates to accommodate changes in legal requirements or Cathay's practices," she said.

Miss Jenny Got and Privacy Commissioner Mr. Raymond Tang at PCPD's Data Protection Officers' Club plenary meeting in July.

As not all employees will encounter the same situations, devising an online learning module that differentiates among them helps target staff training. It is also flexible enough to allow learning and testing at any time, Got added. In future, new recruits will be required to pass the assessment as well. In the meantime, employees can engage in such interactive learning at their own pace when they want to learn more about the protection of personal data privacy.

The growing success of Cathay's online learning module has not escaped the attention of companies unsure of how to educate their staff on the Personal Data (Privacy) Ordinance. According to Got, the module can easily be adapted by any company to suit its own internal customer and employment guidelines as Cathay has already developed the basis of the system. For interested companies, not necessarily from the airline industry, customizing the module is relatively simple and is far less expensive and time-consuming than developing one themselves.

"It's more suitable for those companies with large numbers of staff as the cost incurred is minimal. Having said that, Cathay Pacific would endeavour to collaborate with any organizations on the implementation of such interactive training to equip their staff with sufficient knowledge of the applicable data privacy requirements," Got said.

 
PCPD News

Hilarious Drama Educates Public on Privacy Protection

During the summer months, the PCPD joined hands with the Artiste Training Alumni Association (ATAA) to disseminate the message of personal data privacy through a lively on-stage drama entitled "Private Affairs". The hilarious drama was about a man who appeared to be deeply in love with his wife, only to be accidentally discovered by his good friend to be a big liar.

The play explored a number of privacy issues encountered in daily life and the audiences were taught ways to protect their own personal data in a pragmatic manner.

The drama shows were performed at the Leighton Hill Community Hall (7 August), Sai Ying Pun Community Complex Community Hall (14 August), Henry G. Leong Yaumatei Community Centre (4 September) and Sha Tin Town Hall (15 September).

The PCPD is pleased that the drama shows were well received by over one thousand audience members. Feedback was overwhelmingly positive. Driven by the success of this project, the PCPD will explore similar entertaining channels to further promote the message of personal data privacy in order to build a harmonious society where everyone respects each other's privacy.


Private and confidential

Guests of honour Ms. Shelley Lee, JP, Permanent Secretary for Home Affairs (middle of the top photo) and Mr. Yang Ti-liang, GBM, JP, Former Chief Justice and Executive Councillor (right of the bottom photo) presented prizes to winning teams.

A woman yelling at her husband, a girl shouting at her brother, another girl banging on the door and an old man holding a peeled banana - these are scenes from Privacy?, one of the winning entries in the "Privacy Protection in Action: TV Advertisement Competition".

Jointly organized by the Office of the Privacy Commissioner for Personal Data and the Hong Kong Federation of Youth Groups, the competition required participants to produce a one-minute TV advertisement that aims to raise awareness of privacy among young people.

Winners of the secondary school category and the open category displayed creativity and a great sense of humour in spreading the message about privacy protection.

Three sixth formers from Buddhist Wong Wan Tin College won the secondary school category with their advert Privacy?, while four Year 2 journalism students from the Chinese University of Hong Kong won the open category.

Each winning team was awarded a notebook computer, a $5,000 scholarship and a certificate.

"My first impression is that the entries in the secondary school category are as good as those in the open category," said one of the judges, Dr Francis Cheung Wing-ming, registrar of the Hong Kong Institute of Education.

"All final entries reflect the creativity of the new Hong Kong generation and a good understanding of the concept of privacy protection."

Privacy? shows how people violate others' privacy in daily life. The peeled banana symbolizes invasion of privacy. "I happened to be eating a banana when I was thinking about the ad," said Cindy Cheong Ho-yan, one of the team members. "We talked about it and thought that if someone invades our privacy, we will be left naked, like a peeled banana."

The winning advert in the open category expresses invasion of privacy in a more abstract way. Two people are playing Jenga, and the blocks collapse in the end.

"Jenga represents the structure of society and the stacking of the wooden blocks represents invasion of privacy. Continuous invasion of privacy results in the collapse of society," explained Hengky Li Wai-shing, one of the team members.

The competition attracted a total of 57 entries. After initial screening, 30 teams were selected to attend seminars and workshops on privacy protection and film-making techniques.

Both winning teams said they gained a better understanding of privacy protection after taking part in the competition.

"Most of us are used to listening to phone conversations of family members at home. But now I close my room door when someone is on the phone to give them some privacy," said Livia Li Wai-nga, a member of the winning secondary school team.

To see the winning TV commercials, go to www.pcpd.org.hk.

(Source: 7 July, 2003 South China Morning Post)

Privacy News Around the World

Increase in Identity Theft in the U.S.

A survey commissioned by the US Federal Trade Commission ("FTC") in March and April showed that 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million people in the last year alone. According to the survey, last year's identity theft losses to businesses and financial institutions totaled nearly US$48 billion and consumer victims reported US$5 billion in out-of-pocket expenses.

The FTC is the US consumer protection agency. Since 1998, the FTC has had an Identity Theft Program to assist identity theft victims and provide guidance on how to resolve the problems, provide law enforcement training, maintain a nationwide database of ID theft complaints available to law enforcement and refer complaints to criminal law enforcement agencies, and provide business and consumer education.

The survey found that, in the past 12 months, 3.23 million consumers discovered that new accounts had been opened, and other frauds such as renting an apartment or home, obtaining medical care or employment, had been committed in their name. In those cases, the loss to businesses and financial institutions was US$10,200 per victim. Individual victims lost an average of US$1,180. Where the thieves solely used a victim's established accounts, the loss to businesses was US$2,100 per victim. For all forms of identity theft, the loss to business was US$4,800 and the loss to consumers was US$500, on average.

According to the survey results, approximately 5 million victims in the last year discovered that they were victims of identity theft by monitoring their accounts. Approximately 2.5 million people reported that they were alerted to suspicious account activity by companies such as credit card issuers or banks. Others reported that they first learned when they applied for credit and were turned down.

While most identity thieves use consumer personal data to make purchases, the survey reports that almost 1.5 million people in the last year reported that their personal data was misused in nonfinancial ways, such as to obtain government documents.

(Source: www.ftc.gov)

 
 

Want to know more about the Code on Consumer Credit Data?

The second revision of the Code of Practice on Consumer Credit Data ("The Code") came into effect on 2 June 2003. From then to November, the PCPD has received over 400 public enquiries, 82% from individuals and 18% from the financial industry, on various aspects of the Code. 30% of the questions put forward by individuals are in relation to credit reports. This indicates that members of the public are very concerned about their credit reports, which is natural because these may impact upon their credit applications. On the other hand, over 30% of the enquiries raised by the financial industry are about the scope of the Code as well as privacy compliance measures and notification to customers. To ensure that the community is made aware of the new provisions of the Code, we have extracted some of the most frequently asked questions below and hope that they will further enhance your understanding of the Code.

Q1: How can I contact the credit reference agency (CRA) to obtain my own credit report?
A: You may check contact details of the CRA from your credit provider and then approach it directly to obtain a copy of your own credit report. Under normal circumstances, a service charge will be incurred for using this service. Under the Code, a credit provider has the right to choose any CRA at its own discretion. However, the major CRA operating in Hong Kong is called "TransUnion Information Services Ltd" (www.transunion-hk.com).
   
Q2: I am aware that residential mortgage loan data are not reportable to a CRA unless there is currently an outstanding material default. However, can a credit provider access the CRA database when it considers a residential mortgage loan application?
A: The revised Code allows credit providers to access the CRA database for both positive and negative data when they consider a new grant of credit. Under the Code, a mortgage loan application falls within the term 'new grant of credit', which means that a credit provider will be able to access the CRA database to obtain a credit report relating to the person who applies for a mortgage loan.
   
Q3: I am applying for a personal loan with Bank A, from which I have obtained a credit card facility. Can Bank A
(1) access the CRA database to obtain my full credit report?
(2) make use of the information in my credit report to review my credit card facility, such as, increase my credit limit, during the 24-month transitional period?
A: (1) Yes. Bank A can obtain your credit report for the grant of your personal loan application. This is the purpose for which the data are to be used.
(2) During the transitional period, the credit report obtained from (1) above will show positive and negative data about the accounts you hold. Such data so obtained should not be used to assess your credit card facility for an increase in credit limit. Restriction is placed on the use of positive data for increase in credit limit during the transitional period. The proper way for Bank A is to make a "review" access to obtain a credit report which contains negative data only.
   
Q4: If I act as a guarantor to my friend's loan from a bank, will the bank disclose my role as a guarantor to the CRA?
A: Yes, the bank may report to a CRA the information about you when you act as a guarantor in a loan. A credit provider may provide credit data collected from the borrower, including account general data, to a CRA. As stated in Schedule 2 of the Code, account general data comprise "capacity of the individual (whether as a borrower or guarantor)".
   
Q5: Does the Code cover the scenario of an individual being the guarantor for a corporate loan?
A: Yes. The definition of "consumer credit" does not restrict the purpose of the credit facility, but makes reference to the user of the facility only, i.e. whether it is granted to and for the use of an individual, or to and for the use of another person for whom an individual acts as a guarantor. As the meaning of the word "person" includes not only a natural person but also a legal person (e.g. a limited company), a corporate loan guaranteed by an individual will thus fall within the definition of "consumer credit" under the Code.

For further details of the Code on consumer credit data, please visit the PCPD website at www.pcpd.org.hk.

 
DPOC News

First Plenary Meeting

The Club's first meeting was held on 2 July 2003 at the Hong Kong Convention and Exhibition Centre.

Two special guests were invited to speak on two distinct aspects of personal data privacy: promotion and training.

For the very first time, the Club invited an overseas speaker to share with our members the work of privacy protection in a different jurisdiction. Mr. David Taylor, Director, Privacy Awareness from the Office of the Victorian Privacy Commissioner, took the opportunity to introduce the Australian privacy legislation, highlighting the work on increasing public awareness on privacy protection.

Despite the cultural differences, it was interesting to find that both Australia and Hong Kong have set the same objectives - that instilling the culture of respecting each other's privacy among the younger generation is of paramount importance.

The PCPD also had the pleasure of having Miss Jenny Got, Business Trainee of Cathay Pacific Airways, demonstrate its new e-Learning Module and Online Assessment programme. This is a new initiative designed for enhancing employees' knowledge about personal data privacy in a cost-effective way via the Internet at any time and any place.

Data Protection Workshops

Two series of privacy workshops entitled "Protection of Employees' Personal Data" and "A New Approach to the Consumer Credit Data Code" were carried out exclusively for members in October and November.
