A Long Road Ahead

Several topics on privacy have been raised for discussion in the community recently. Cases involving the leaking of personal data on the Internet have, of course, aroused most concern. As a regulator on personal data privacy, my Office took immediate action on our own initiative to probe into the matters, and actively handled the complaint cases.

When these cases came to light, the community is suddenly aware that the impact of personal data privacy can be so far-reaching. It is without doubt a very important task to work out remedies to help these affected individuals, but the ways to enhance the community's awareness of protection of personal data are also worth pondering. At this stage, there is still a lack of awareness of protection of personal data in many organizations, especially when their employees and clients have not been affected. A misconception is that the enforcement of personal data privacy is resource consuming with no direct benefit. But in fact, the formulation of privacy policy is absolutely a low-cost and beneficial job. Apart from fulfilling the corporate responsibility and complying with the requirements of the Ordinance, organizations can win the trust and confidence of other people. All the organizations that are involved in handling of personal data, no matter data of customers or employees, should regard the protection of personal data as one of the core duties of the management level, and undertake to protect personal data privacy.

In this respect, my Office is studying the implementation of two correlate procedures, "Privacy Impact Assessment" and "Privacy Compliance Audit", by organizations to protect personal data properly. The technology driven by the Internet is making progress at a tremendous pace; data can be transmitted in a very short time. As it will be difficult to remedy after a problem has occurred, organizations should review and improve the procedures of handling personal data and the security measures as early as possible.

In handling of cases involving disclosure of personal data on the Internet, the Office has gained wide recognition in the work of personal data protection from the community. However, these cases are negative examples. What I do hope is that the public, through education and training, can gradually take up the protection of personal data as a basic social responsibility, just like abiding by the rule of not littering spontaneously. Recently, the Office has introduced an educational DVD, which teaches primary students the virtue of "protecting privacy and respecting others" through stories and songs. Over 200 school principals, teachers, students and parents have attended the premiere. I was deeply impressed when I saw children learning and pondering conscientiously, and school principals, teachers and parents giving cordial support. Educating the public in the protection of personal data is a long journey. We know that we cannot reap the fruits of our actions in a few days, or even years. Nevertheless, as long as we get the recognition and support of the community, the efforts of the Office will not be in vain.

Though educating children is important, educating adults is a task that cannot be delayed because the people who are handling our personal data can have a direct impact on our privacy rights. The Office will introduce self-study courses providing practical guidance to different industries, such as hotel and property management. They can therefore apply what they have learnt in the workplace to protect their personal data as well as others.

Roderick Woo, Privacy Commissioner for Personal Data

May 2006

BLAZING A NEW TRAIL

Compliance with the Personal Data (Privacy) Ordinance can be introduced in a fun and interactive way. Administrators of Sony tell you how small reminders for employees can achieve a big mission. Mr. Motohiko Isetani, Director & Chief Financial Officer of SONY Corporation of Hong Kong Ltd.

At the headquarters office of Sony Corporation of Hong Kong Ltd in Causeway Bay, the décor is befitting of a multinational company whose mission is to bring technology closer to people. A cyber looking lift lobby with stark white laminated walls leads to an automatic glass door. In our meeting, staff members make use of the myriad of its products — such as computers, MP3 recorders, projectors and laser pointers, in their presentation.

Innovation, after all, is a core value of the company's business. And while the company continues to beat the market with newer and better technological products, they haven't forgotten the most important aspect of their business — customer service. An integral part of providing that service to their consumers, according to Chief Financial Officer and Director of the Board, Mr. Motohiko Isetani, is to ensure that each person's personal data is treated with the utmost care. "The handling of personal data is an important issue in our company, and a vision that is shared by everyone in our worldwide network," he says. "We don't just aim to be an innovative company, we want to be a trustworthy partner for our customers and our business associates."

Promotion premiums with PIM message for SONY's staff

In Hong Kong alone, the Sony office handles the personal data of over 1 million customers, be their in the form of information retained for warranty purposes, marketing database and mailing lists. As an active member of the Data Protection Officers' Club ("DPOC"), Sony is one of many leading companies in Hong Kong taking a proactive role in informing and ensuring compliance of all their employees with the Personal Data (Privacy) Ordinance ("the Ordinance"). "First of all, I can say based on our corporate philosophy, we regard privacy protection as our important corporate social responsibility," Mr. Isetani continues. "Worldwide, we are in possession of an enormous amount of customer data and we constantly try to improve and introduce new security measures, because in this competitive market, we do not want to undermine the trust of our customers."

Trust, according to Mr. Isetani, is difficult to build and easy to loose. In July 2000, Sony first formulated a set of global principles and a policy to handle personal data in Japan. A separate department was set up to assist with the setting up of a general privacy policy, and to ensure compliance across all their offices around the world. Regular meetings allow representatives from these offices to convene and discuss various issues and exchange their views.

Mr. Isetani, who had previously worked in Sony Europe HQ, says that the activity in Hong Kong fills the important role of being the success model in compliance in Southeast Asia. "In Tokyo, everyday I read about personal information being leaked, through my experience, setting up a policy and ensuring compliance may take a lot of efforts on our part, but we also have to think about the positive aspect to this — and that is the trust of our customers — and this aspect is very important to our top level management."

Interesting computer games specially designed to remind staff of personal data privacy by Sony.

In this respect, Sony's success story is in that with some efforts and ingenuity, ensuring compliance among their several hundred employees is an ongoing, and active task. Such a task, however, need not be a burden on the company. In fact, Sony has devised a fun and effective way.

Ms Candy Wong, Senior Manager of Sony's Legal Division, who is also the Responsible Officer of Internal Organization of Personal Information Management (PIM), explains the approach taken by her company.

All employees receive mandatory training in the handling of personal data, regardless of the nature of their job. PIM is made up of representatives from every department, from sales, customer call centres, warehouse, human resources to legal, for regular meetings."In doing so, we come together and share any insights and address issues so that these members can inform their respective departments," Ms Wong says. Each year, PIM holds a series of activities, which is in line with the theme of the promotional of personal data protection.

Taking out several premiums, such as a mouse pad, a thermal cup, plastic folders and pens, Ms Wong points out that these can be an inexpensive but effective way of getting reminders across to employees."These items are used by employees on a daily basis," she says."While it is impossible for us to monitor each individual at all times, these premiums, emblazoned with messages regarding the handling of personal data, reminds employees when they are at their desks." According to Ms Wong, developing habits such as logging off computers, and not allowing files of customers to remain exposed, are easy ways to ensure that no personal data of customers go to the wrong hands."This requires diligence on a day to day basis," she says."The spending on these premiums is very little, but they carry a big message," Mr. Isetani adds.

Ms. Candy Wong, Senior Manager, Legal Office (PIM Responsible Officer)

"We treat it like an informational campaign," Ms Wong explains. Various mediums, from posters to animated messages to mini-games designed by computer technicians enable employees to get involved in personal data privacy management in a fun and interactive way.

For example, competitions, such as e-PIM detector, crossword puzzle competition with an aim to promote the issue encourages employee participation by offering prizes."People pay more attention when the message is not just drilled into them, such games offers entertainment while reinforcing our messages," Ms Wong says. In addition, they also introduce various animated messages, which remind staff how to handle daily PIM related matters. The company's intranet system also contains an interactive platform where staff can share PIM experiences they learn from daily life or the media. Bi-annually internal audit is also one of the key works of PIM especially when there are newly implemented local codes or guidelines issued by the Privacy Commissioner's Office or new global information security policy of Tokyo HQ.

Through these efforts, Ms Wong is confident about the high level of awareness of the company's staff the campaign has achieved."We now have a very mature system. Through communications with the DPOC and Sony PIM officers in other regions, we are always assured of support in learning about the latest news regarding the Ordinance and experiences," Ms Wong says.

Complaint Case - Successful conviction

In December 2005, a financial institution was convicted of breaching section 34 of the Personal Data (Privacy) Ordinance ("the Ordinance" and was fined $5000. Contravention of section 34¹. of the Ordinance is an offence under section 64(10) of the Ordinance.

The case originated from a complaint against the financial institution ("Company A") and its associated company ("Company B") for using the complainant's ("Miss C") personal data (name and mobile phone number) by making marketing calls to her repeatedly.

In 1999, Miss C entered into a hire purchase agreement with Company A for the purchase of an electrical appliance. In 2003 and 2004, Company A and Company B continuously telephoned Miss C for marketing purpose despite her repeated requests for cessation of such marketing calls.

Miss C lodged her first complaint to the Privacy Commissioner's Office in June 2004. The case was resolved through mediation upon both Company A and Company B undertaking not to make further marketing approaches to Miss C.

Notwithstanding this in February 2005, Miss C received a promotional letter jointly issued by Company A and Company B. Miss C made a second complaint to the Privacy Commissioner's Office. In reply to this complaint, Company A admitted that the promotional letter was sent to Miss C inadvertently resulting from an oversight by its staff, and undertook to delete Miss C's name from its database permanently. Soon after giving the undertaking, Company A gave Miss C another telemarketing call despite they claimed to have permanently deleted her name from its database.

The Privacy Commissioner concluded that the reoccurrence of the incidents was suspected to have contravened section 34 of the Ordinance and therefore referred the case to the Police for prosecution. This successful conviction has sent a clear message to the public that the requirements of the Ordinance, especially those for section 34 are not to be taken lightly.

¹Section 34 (1) of the Ordinance requires that: a data user who - (a) has obtained personal data from any source (including the data subject); and (b) uses the data for direct marketing purposes, shall- (i) the first time he so uses those data after this section comes into operation, inform the data subject that the data user is required, without charge to the data subject, to cease to so use those data if the data subject so requests; (ii) if the data subject so requests, cease to so use those data without charge to the data subject.

Investigation report

The Privacy Commissioner published an investigation report on a self-initiated case involving covert monitoring at work on 8 December 2005. The case involved the installation of pinhole cameras by Hongkong Post in the working areas at the Cheung Sha Wan Post Office (CSW Office) for crime detection purpose in the wake of a series of stamp theft cases.

Taken into consideration all the relevant circumstances that emerged during the investigation, the Privacy Commissioner concluded that Hongkong Post had contravened Data Protection Principles ("DPP") 1(1), 1(2) and 5 of Schedule 1 to the Personal Data (Privacy) Ordinance ("the Ordinance").

It was found that the dimension and extensiveness of the monitoring activity carried out was out of proportion to attaining the purpose of collection of personal data. The practice of covert monitoring was in the circumstances of the case excessive for its functions and activities and contravened DPP1(1). As there was no evidence showing that the use of covert means was absolutely necessary and that use of other overt means would necessarily frustrate the purpose of collection, the universal and continuous covert monitoring without a definite plan or policy for its duration was perceived as unfair and unreasonable, contravening the requirements of DPP1(2). On the basis that Hongkong Post did not have a personal data privacy policy in place in respect of video monitoring of employees, it had contravened the requirements of DPP5.

Upon completion of the investigation, the Commissioner issued an enforcement notice to Hongkong Post directing it to immediately cease the practice; completely destroy the records; formulate a general privacy policy in relation to video monitoring activities; and regularly communicate the privacy policy to staff and implement effective measures to ensure compliance. Hongkong Post has positively responded to the investigation and complied with the requirements of the enforcement notice.

The Report has provided practical recommendations for employers' consideration when they intend to undertake covert monitoring. For details of the Report, please visit our website (www.pcpd.org.hk).

A new face and new place

In our continuous strive to ensure the maximum percentage of our funding goes into public service, the Privacy Commissioner's Office is pleased to announce the relocation of our office to 248 Queen's Road East, Wanchai. Our telephone number (2827 2827) and fax remain unchanged. By moving our premises, the Privacy Commissioner's Office is able to save $150,000 in rental fees per month based on a 5-year term.

At the same time, we proudly unveil our new corporate logo, created by renowned graphic designer Mr Kan Tai-keung. The new logo, composed with the letters "P" and "D" represents the first letters of our commission's main focus — "personal" and "data", as in the Personal Data (Privacy) Ordinance. Between the two letters is an outline of a human figure, symbolizing members of the public communicating with the office for assistance in protecting their personal data privacy rights. Our new corporate logo highlights the importance of harmony in our society — which is in line with our mission in promoting a notion of mutual respect in the community.

Appointment of Deputy Privacy Commissioner for Personal Data

Deputy Privacy Commissioner for Personal Data Mrs. Bonnie Y.L. Smith met the press on her first day of work with Privacy Commissioner for Personal Data Mr. Roderick Woo.

The Privacy Commissioner for Personal Data, Mr. Roderick Woo, is pleased to announce the appointment of Mrs. Bonnie Y. L. Smith as the Deputy Privacy Commissioner for Personal Data.

Before joining the Privacy Commissioner's Office, Mrs. Smith has served with the Hong Kong Police Force for over 30 years in a number of postings. Her last position was Assistant Commissioner, Information Systems. She has extensive experience in the areas of staff management, information system, formulation and implementation of strategic planning. "I am confident that Mrs. Smith will lead the Office towards a more successful future by taking a more proactive approach in the handling of complaints as well as social issues that impact on personal data privacy." Mr. Woo said.

Mrs. Smith officially joined the Commissioner's Office on the 25th of April. In her new role, Mrs. Smith's chief responsibilities will be the handling of public enquiries and complaints, finance and administration.

Web Care Campaign
2005

The Commissioner's Office official website (www.pcpd.org.hk) has won again the silver prize of Web Care Campaign 2005, organized by the Internet Professional Association. The objectives of the campaign is to bridge digital divide in society so that everyone will have equal opportunities in sharing the benefits brought about by advanced information technology.

Survey of Youth Attitudes & Perceptions Towards Personal Data Privacy

In 2002, the Hong Kong Federation of Youth Groups (HKFYG) and the Commissioner's Office jointly conducted the first privacy survey to gauge young people's attitudes to privacy issues in general. In order to discover how rapid changes in technology impact young people's perceptions of personal data privacy, a sequel to the first survey, entitled "Survey of Youth Attitudes & Perceptions Towards Personal Data Privacy", was undertaken in October 2005. The survey was designed to measure young people's perceptions of the following: (1) protection of personal data privacy in an environment of rapid technological change; (2) young people's methods of protecting personal data privacy when seeking employment; and (3) general views on the importance of personal data privacy.

The survey reveals that while respondents (aged between 15-29) do not view e-mail, electronic medical records databases or CCTV monitoring in public places as especially intrusive in nature, they are nonetheless vigilant when it comes to protecting their personal data privacy in other aspects of daily life, in particular when seeking employment.

Privacy Commissioner Mr. Roderick Woo, (right) and Mr. James Mok, Supervisor (Research & Leadership) of Hong Kong Federation of Youth Groups released the survey findings at a press conference on 20 March 2006.

The survey also revealed that young people exercised considerable vigilance in protecting their personal data when applying for a job. 86.1% of respondents said that they would not send their CV to an organization that did not disclose its identity in the recruitment advertisement. Only 15.2% of respondents found it acceptable to provide a copy of their HKID card when applying for a job.

Where the importance of personal data privacy is concerned, the survey revealed that respondents perceived the issue of such privacy as approximately equal to other major socim issues in Hong Kong. 87.3% of the respondents claimed that they were aware of the Personal Data (Privacy) Ordinance but when asked to evaluate their knowledge of the Ordinance on a scale of 0-10, the average score was only 5.21.

The survey reveals that young people in Hong Kong are concerned about personal data privacy. To help them better acquaint themselves with the provisions of the Ordinance, the Commissioner's Office will map out a comprehensive strategy to enhance their knowledge in this respect.

The survey is available from the Office's website at http://www.pcpd.org.hk.

"Telling You My Secret" Educational DVD

Over 200 primary school students and teachers attended the launching ceremony. They shared their understanding and experience in "Respect Others and Protect Privacy" in a lively atmosphere.

The Privacy Commissioner's Office launches its first educational DVD targeting primary school students with an aim to instill the notion of respecting personal data privacy amongst the younger generation in a lively way.

Between 2004 and 2005, the Office staged a privacy show — "Telling You My Secret" in 50 primary schools for over 10,000 students. Interactive activities integrating music, magic shows, puppet shows, drama and games were carried out by children's entertainer Harry Wong to educate children in ways to protect the personal data privacy of themselves, their family and friends in everyday life. Parents and teachers expressed their interests and appreciation at this event. In order to further promote awareness of respecting personal data privacy amongst the primary school students of Hong Kong, a DVD on the privacy show was produced by the Commissioner's Office so all Hong Kong youngsters would learn of the importance of protecting and respecting personal data privacy through lively interactive means.

Privacy Commissioner Mr. Roderick Woo (right), renowned DJ, Mr. Francis MAK Yun Sau (middle) and Mr. Harry Wong officiated at the launching ceremony of the "Telling You My Secret"educational DVD.

The Privacy Commissioner for Personal Data Mr. Roderick Woo, Mr. Harry Wong and renowned DJ, Mr. Francis MAK Yun Sau officiated at the launching ceremony of the "Telling You My Secret" educational DVD on 30 March 2006. They together with over 200 school heads, teachers, students and parents present at the ceremony viewed the DVD — "Telling You My Secret". They also had thoughts on and shared their understanding and experience in "Respect Others and Protect Privacy" in a lively atmosphere under which the means of protecting personal data privacy can be promoted in an entertaining way.

The Office will be distributing this educational DVD to schools and students as teaching materials soon.

Interesting game designed for easy understanding of data protection was well received

Education & Careers Expo 2006

To convey the message on the protection of personal data privacy to youngsters and job seekers, the Commissioner's Office participated in the "Education & Careers Expo 2006" held from 23 to 26 February. The staff of the Commissioner's Office also delivered a talk on "Protect job seekers' personal data privacy" during the Expo. The Expo attracted around 200,000 visitors.

One of the major jobs of Rebecca is organizing activites for members of Data Protection Officers' Club.

As the Corporate Communications Division of the Office, our goal is to communicate and promote the message of protection of personal data privacy to the public and to foster the attitude of respecting privacy within the community.

My name is Rebecca, and I am a Corporate Communications Officer. I am going to introduce my work in the Corporate Communications Division of the Office in this issue. I remember when I first joined the Office, an important project was to set up the "Data Protection Officers' Club" to invite professionals tasked with the responsibility of implementing and co-coordinating measures to protect personal data to join the Club. As a channel for two-way communications, the Club provides them information to comply with the requirements of the Personal Data (Privacy) Ordinance ("the Ordinance").

The Club has now been set up for over 5 years, during which various kinds of activities have been arranged for the members, including regular plenary meetings, gatherings, workshops, etc. We continue to devote our resources to provide our members the most updated information, as each meeting is dedicated to a particular aspect of the Ordinance.

I have faced a lot of challenges in my work. It is memorable that my colleagues and I performed a dramatic play in a recent Club meeting based on an actual complaint case, stimulating the members to respond to and consider the compliance of the requirements of the Ordinance in the field of property management. We spent a lot of efforts from the selection of an appropriate case topic to the writing of script. It is very encouraging to see that the members actively participated in the discussion on that day and gave positive comments.

I would also like to take this opportunity to express my heartfelt thanks to the organizations who have extended their support to the Club. In our promotion work on the compliance of the requirements of the Ordinance and the protection of personal data privacy, their support and cooperation are particularly important. Currently, over 70 organizations have joined the Club for five consecutive years and this gives me a sense of achievement. They all agree that the Club assists them with compliance with the requirements of the Ordinance. Through them, we have achieved our goals.

If your organization has not joined the "Data Protection Officers' Club" yet, you are cordially invited to join us. I look forward to welcoming you to our next activity.

Luncheon Gathering and Plenary Meeting

Over 100 members attended the luncheon gathering plus plenary meeting for the 2005-2006 membership year at the Hong Kong Convention & Exhibition Centre on 5 January 2006. The Privacy Commissioner, Mr. Roderick Woo, took the opportunity to brief members on this Office's latest news and activities.

At the meeting, a new initiative was introduced to discuss the handling of personal data in the context of property management through an interactive game. The Privacy Commissioner's Office is honoured to have Mr. Suen Kwok Lam (middle), President of the Hong Kong Association of Property Management Companies and Mr. Jimmy Mak (left), Director & GM (Operations) of Main Shine Development Limited attend the event and shared their valuable opinions. This Office's Chief Personal Data Officer, Mr. K.T. Chan (right) also shared the views with members. Many members found the format of the discussion lively and enjoyed expressing their views on privacy issues.

Statistics on Complaints & Enquiries