Privacy News provides guidance on good data protection practices to organizations.
 
 
Privacy News (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
February 2008 Issue No.19
 
FEATURE

The Right of Making Data Access Requests

In this computer age, our personal data are recorded in various systems in our daily lives or work. Sometimes, people may worry that they will suffer losses when there are errors in such data, e.g. when an application for a mortgage loan is rejected due to inaccurate data in a consumer credit report. In fact, there is no need to worry. Under the Personal Data (Privacy) Ordinance ("the Ordinance"), an individual has the right to make a request to be informed by a data user, e.g. a government department or private organization, whether the data user holds his personal data and to be supplied with a copy of such data. If errors are spotted, requests for correction of data can be made.

It is very simple to make a data access request. When the Data Access Request Form (OPS003) issued by the Privacy Commissioner is completed by the data subject or a relevant person, it can be sent directly to the data user concerned, which then has the duty to respond within 40 days after receiving the request. When completing the form, the requestor should specify clearly and in detail the personal data requested. The description of the data should be as specific as possible in order to help the data user comply with the request.

From April 2006 to March 2007, the PCPD received 85 complaints about data access and data correction requests. Three types of common misunderstanding are found in these cases:

The first is about reply. The Ordinance imposes a strict obligation upon the data user to comply with the request within 40 days after receiving it. Even if it has justifications to refuse compliance, e.g. if it is not supplied with sufficient information to enable it to locate the personal data requested, it should still give a written reply within the time limit, stating the reasons for refusal.

The second is about payment. People are usually dissatisfied when a data user imposes a fee for complying with a data access request. In fact, the Ordinance allows a data user to impose a fee that is not "excessive". What is "not excessive"? Although the Ordinance is silent on what is an "excessive" fee, the Privacy Commissioner finds it against the legislative interest that the provision be used by the data user to make profit, much worse if it is used to deter a data subject from exercising his data access right. In general, a data user should only charge for the labour cost and actual expenses incurred in the process of data searching, retrieving and copying.

The third is about the personal data of a third party. Since a data subject is only entitled to access his own personal data, a data user should ensure that in complying with a data access request, personal data of third parties are not disclosed unless consent is obtained. A data user may achieve this by omitting the names, or other identifying particulars of those third parties.

In recent years, the Administrative Appeals Board has heard and decided various cases in relation to data access requests. With the benefit of these decisions, the Privacy Commissioner has amended the Data Access Request Form (OPS003) so that the public and data users alike can clearly know the scope of a data access request under the Ordinance, as well as their rights and responsibilities. The new form was gazetted on 4 January and will be effective on 1 April. Copies will be available from the office of the PCPD or various District Offices, or can be downloaded from the website of the PCPD (www.pcpd.org.hk) from that day onwards.

A NOTE FROM THE COMMISSIONER

More Fruitful Outcomes

In reviewing our work done in the area of personal data protection last year, I am gratified to note that the level of awareness of personal data protection was very high. There are of course many reasons for this, but I am satisfied that my Office had made a significant contribution in helping to promote that awareness.

The numbers of complaints and enquiries remained constant. This comes as no surprise because the Ordinance has been in place for more than ten years. The statistics do not however show that the enquiries from the private sector as well as those from government departments and government-related agencies had become more complex and sophisticated than ever before. The enquirers clearly demonstrated that they had more than a passing knowledge of the provisions of the Personal Data (Privacy) Ordinance.

Reportedly more than 160 million copies of personal data were stolen or missing on the internet in the USA in 2007. This represented a drastic triple increase from the previous year. We may console ourselves that locally no large volumes of personal data were mishandled in the same period, but we cannot be complacent. Hong Kong must continue to give serious attention to personal data protection.

My colleagues and I are expected to play many roles. One of these is that of a promoter and educator. In 2007, we regularly held training seminars. All of these were exceedingly well attended. The message that we put out from year to year is that personal data should be handled with due care by both the data users and the data subjects. Much of it is common sense, e.g. bank statements should be shredded and not just thrown away if they are no longer wanted. We had tried to communicate with individual industries that handled large volumes of personal data. The Hotel Privacy Campaign was a resounding success. So were the training sessions for IT professionals and managers on protecting personal data in the electronic media which were held in conjunction with other concerned professional groups. We will certainly continue in that direction.

We are expected to handle complaints from the public, and make investigations in appropriate circumstances. These investigations had in the past led to some well-publicized reports. We also continue to initiate compliance checks. Sometimes it would appear that these were luxury items because of the limited resources we were given, much of which had to be assigned to the work related to actual complaints. In an ideal world situation, compliance checks should be given as much importance, if not more.

Another role which we are expected to play is that of an enforcer. Even though the legislation does not give me power to prosecute offenders under the Ordinance, I do issue, where appropriate, Enforcement Notices (ENs). The purpose of issuing ENs is to require the offending data users to do and/or not to do certain things so as to achieve compliance with the six Data Protection Principles. We also referred a number of cases to the Police for them to prosecute. In 2007, there were three successful convictions of offences which were all related to inappropriate use of personal data for direct marketing.

My hopes for 2008 include doing more promotion and training work (because prevention is better than cure); assisting the Administration to update the Ordinance (because data protection is still in an evolutionary stage); and making more compliance checks with additional resources.

Roderick Woo
Privacy Commissioner for Personal Data
February 2008
COMPLAINT CASE/COMPLIANCE CHECK

Complaint Case

Two Companies Convicted of Improper Direct Marketing

In recent years, the number of convictions under the Personal Data (Privacy) Ordinance (the Ordinance) for the use of personal data in direct marketing has been on the rise. Last year, for example, a marketing company and a credit card company were convicted in June and August and fined $6,000 and $7,000 respectively.

It is commonly agreed that direct marketing is an acceptable means of business promotion in a free economy. However, organizations often ignore the public's right to make an "opt-out request" and keep causing annoyance to them. The Ordinance provides that when an organization approaches an individual for the first time for direct marketing purposes, the organization should inform the individual that he/she has the right to request the organization to stop using his/her personal data for such purposes. Unfortunately, some organizations did not handle the opt-out requests properly. They continued to use the personal data of the individuals in direct marketing and thus contravened the requirement of the Ordinance. In 2007, three organizations were convicted of such acts. In fact, if a responsible organization abides by the law and protects the interests of the public, its goodwill will naturally be established with the support of customers. Improper marketing means are disgusting. Organizations using such means achieve no actual benefit to their business and expose themselves to the risk of prosecution under the Ordinance.

 
Compliance Check

What kinds of personal data should a job applicant submit?

Job applicants for the position of a bar captain at a hotel were asked to fill in personal details on the application form, including their height, weight, family status as well as information about their parents and siblings. After learning about this situation, the PCPD conducted a compliance check to see if the hotel was collecting excessive personal data.

The Code of Practice on Human Resource Management states that: "An employer should not collect personal data from job applicants unless the data are adequate but not excessive in relation to the purpose of recruitment"; "An employer may collect personal data concerning a job applicant's family members, if the personal data relate to employment circumstances of the applicant's family members only to the extent necessary for assessing whether any conflict of interest might arise should the applicant be offered the job; and are adequate but not excessive in relation to this purpose."

Concluding that the hotel had collected excessive personal data, contravening the Code, the PCPD demanded that it stop doing so immediately and destroy the data collected from the job applicants. The hotel took immediate remedial action. The PCPD reminds prospective employers to only collect necessary personal data from job applicants having regard to the job nature and actual needs during recruitment, instead of indiscriminately collecting "all" the data of the job applicants.

NEWS FROM THE PCPD

The PCPD held the Privacy Awareness Week 2007 with members of the Asia Pacific Privacy Authorities (APPA), including Privacy Commissioners of Australia, Hong Kong, New Zealand, and the Australian States of the Northern Territory, New South Wales and Victoria. The event took place from 26 August to 1 September, 2007. Under the theme of "Privacy is Your Business", the event featured various activities designed to help raise personal data protection awareness in the region.

In Hong Kong, the PCPD arranged a series of interesting and meaningful events:

26 Aug Opening ceremony of the Privacy Awareness Week and the announcement of survey results of "Attitudes of Young People towards Disclosure of Personal Data on the Internet"

Mr. Roderick Woo, the Privacy Commissioner for Personal Data, and Miss Do Do Cheng, the Privacy Ambassador, launched the Privacy Awareness Week.

Mr. Woo also announced the results of a survey on the "Attitudes of Young People towards Disclosure of Personal Data on the Internet". To better understand the use of blogs and social networking websites by young people, especially their views on the disclosure of personal data on the Internet, the PCPD commissioned the Quality Evaluation Centre of City University of Hong Kong to conduct the survey in July 2007. A total of 500 young people in Hong Kong aged between 12 and 24 were interviewed. The results found more than half of the respondents, or 55.3%, who wrote blogs or had personal web pages disclosed their personal data on the Internet. Although 62% of them worried that the disclosure would raise privacy concerns, only 48% used online security to safeguard their personal data. The survey also indicated that young people are concerned about personal data privacy on the Internet. The PCPD will plan education and promotion strategies to better their understanding of this issue.

[Photos 1 and 2: Mr. Roderick Woo, the Privacy Commissioner for Personal Data, and Miss Do Do Cheng, the Privacy Ambassador, officiated at the opening ceremony of the Privacy Awareness Week.]

27 Aug Seminar on Protection of Online Personal Data

In light of the recent leaks of personal data on the Internet, the PCPD invited Mr. Sean Lin, SIP of the Hong Kong Police Force, and Ir. Dr. K.P. Chow, Center Associate Director of Centre for Information Security and Cryptography at the University of Hong Kong, to talk to the Data Protection Officers' Club members about how best to handle personal data electronically.

Mr. Lin drew particular attention to transmitting personal data by Wi-Fi. Dr. Chow spoke about the responsibilities of data users in online data security and how to avoid leaking data.

29 Aug Seminar on "Creative Thinking & Blog Writing Skills" for the young people

Young people like to communicate via the Internet. Although this is fast and convenient, personal data may be easily disclosed. To remind young people of the importance of personal data privacy, the PCPD invited renowned writer Mr. Ong Yi Hing and DJ Mr. Francis Mak to share their views on creative writing and privacy. The audience was asked to think carefully before providing their personal data or their friends' personal data on the Internet. After the seminar, an enlightening discussion and debate about "There is no privacy protection in the cyber world" took place with the Hong Kong Federation of Youth Groups and the Hong Kong Girl Guides Association.

30 Aug Members of the Data Protection Officers' Club visited Macau Consumer Council
Ms. Connie Lau, Chief Executive of Hong Kong Consumer Council (left), Mr. Alexandre Ho, President of Executive Committee of Macau Consumer Council (middle) and Ms. Shirley Lung, Corporate Communications Manager of the PCPD (right) shared views with participants.

Members of the Data Protection Officers' Club met with consultants of the Macau Consumer Council and business representatives on 30 August to exchange their views and experiences on effective ways to protect personal data. Although the privacy ordinances of Hong Kong and Macau differ, the common goal remains the protection of personal data privacy.

31 Aug Prize Presentation Ceremony of "Privacy is Your Business" Writing Competition

One of the joint activities of the Privacy Awareness Week was a writing competition aimed at encouraging secondary students in the region to examine the importance of privacy protection. Entries included poetry, prose, internet blog entries, diary entries, radio interview scripts, academic essays and word art about the theme, "privacy is your business".

There were a total of 244 entries from Hong Kong and Macau. Using a "treasure box" as a metaphor for privacy to illustrate that things in the box are very important, Yeung Kuen (Precious Blood Secondary School) from Hong Kong won the second-place regional prize and came in first for the Hong Kong and Macau award. Erica Hei-Yuan Chan from Australia and Briony Bennett from New Zealand were the winner and second runner-up respectively of the regional prize. In the Hong Kong and Macau area, Chiu Ka Yi (Po Leung Kuk No.1 W.H. Cheung College) and Chan Weng Sam, Sammy (Colegio de Santa Rosa de Lima, English Secondary (Macau)) were the first and second runners-up, respectively. The five merit award winners were Cheng Ka Man (Po Leung Kuk No.1 W.H.Cheung College); Vanessa Green (South Island School); Lam Ka Ian, Cindy (Colegio de Santa Rosa de Lima, English Secondary (Macau)); Yeung Chun Hon (Christ College) and Ng Tat Lam (CNEC Christian College).

01 Sep Deputy Privacy Commissioner for Personal Data held a dialogue session with young people

Deputy Privacy Commissioner for Personal Data, Mrs. Bonnie Smith (middle), talked about the protection of personal data privacy to young people at a live radio programme at Radio Television Hong Kong.


More Fruitful Outcomes

With the development of technology, an increasing number of organizations use fingerprint scanners for recording attendance, giving access to facilities, security control or other purposes. In order to assist data users to comply with the relevant requirements of the Ordinance and as a useful reference in their consideration of fingerprint collection, the PCPD has published a new guidance note, titled "Personal Data Privacy: Guidance on Collection of Fingerprint Data".

Fingerprint data are very sensitive personal data. Due care should be taken in collecting and using them. A data user shall have sufficient reasons to justify that collection of fingerprint data is necessary for its lawful function or activity and that only adequate but not excessive personal data is collected.

To facilitate compliance with the collection limitation principle, a data user is encouraged to undertake an assessment process by first examining the extent of privacy intrusiveness of the proposed act or practice in question and then considering whether there are sufficient safeguards in place to mitigate the adverse privacy impact brought by such act or practice. Insofar as it is practicable to do so, a data subject should be given other less privacy intrusive options to choose from. Where consent is purportedly obtained from the data subjects on collection of their fingerprint data, the Privacy Commissioner warns against collection of these data from persons of tender age and points to the need to dispel any reasonable doubt on undue influence when a special relationship exists.

The guidance note can be downloaded from the PCPD website (www.pcpd.org.hk). Copies are also available from the PCPD at 12/F., 248 Queen's Road East, Wan Chai, Hong Kong.

DPOC NEWS

Familiarization Visit to the Cathay Pacific City

During a visit to Cathay Pacific City on 1 November 2007, DPOC members had the chance to share and exchange with one another valuable data protection experiences. Mr. Albert Wong, Manager Personnel Strategy & Relations, and Ms Anthea Leung, Assistant Personnel Manager at Cathay Pacific, also highlighted an online training module to members.

DPOC members were invited to comment on the visit:


"……Mr. Albert Wong, Manager Personnel Strategy & Relations, also shared with us a specially designed on-line learning unit, which teaches new staff of different grades (e.g. cabin crew and management) how to handle personal data."

Ms Janet Chu
Customer Services Officer,
Chevron Hong Kong Limited


"…….While touring around the magnificent complex of Cathay Pacific City, club members chatted and shared their views in a most relaxing and effective atmosphere."

Ms May Yu
Community Relations Manager,
Main Shine Development Ltd.


Please visit the PCPD website (http://www.pcpd.org.hk/english/activities/activitiesupdate.html) for viewing members' original articles.

Introduction to the Personal Data (Privacy) Ordinance Seminar

In order to raise the public's awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD will organize free seminars on the following dates:


Please visit our website (www.pcpd.org.hk) for further information, or contact: 2877 7159 (Mr. Cheung) or 2877 7152 (Ms. Chan).

STATISTICS ON COMPLAINTS & ENQUIRIES

[Charts: No. of Enquiries; No. of Complaints]
 
