PCPD - 2001-2002 Annual Report

Investigation Report / Inspection Report

Publications and Videos
2001-2002 Annual Report_2

Introduction

Privacy Commissioner's Overview

Raymond Tang
Privacy Commissioner for Personal Data

I was honoured to be appointed Privacy Commissioner for Personal Data in November 2001 and relish the prospect of protecting and advancing personal data privacy rights both in Hong Kong and internationally.

I have been most fortunate in that my predecessor pioneered the cause of personal data privacy in Hong Kong and, in the process, laid a very solid foundation for me to inherit. I think it is fair to say that the citizens of Hong Kong not only enjoy some of the most comprehensive personal data privacy rights of any jurisdiction in the world but that they have a clear awareness of those rights. This suggests to me that the Personal Data (Privacy) Ordinance, and the sustained work of the Privacy Commissioner's Office ("the PCPD"), have created a genuine value for personal data privacy. More importantly, that value is widely acknowledged by society.

This is the PCPD's sixth annual report and covers the period from 1st April 2001 to 31st March 2002. Over the course of the year the PCPD has had to deal with growing volumes of work, notably in the number of enquiries received and complaints processed. As at 31st March 2002 we have dealt with in excess of 93,000 enquiries and nearly 3000 complaints in the six years that the PCPD has been in operation. These statistics tell me at least two things. First, the PCPD is not short of business! Secondly, it is very evident that the citizens of Hong Kong are increasingly willing to exercise their personal data privacy rights. This is gratifying in one sense because it indicates that privacy is now an established human right and, as a lawyer, I would like to see that right freely exercised and impartially enforced in accordance with the law. In another sense though the complaint figures demonstrate that we need to sustain our efforts and motivate data users to become compliant with the law. This is particularly so in the private sector and among small and medium sized enterprises.

My personal view would be that respect for privacy, both in a generic sense and the more specific sense of personal data privacy, is an index of a postmodern and sophisticated society. I think that one measure of my tenure will be the extent to which the PCPD works successfully towards a longer term vision which is that of instilling respect for the privacy of another in a more generic sense. That is, through our strategies and initiatives in the arena of personal data privacy we should be able to leverage our gains and advance privacy per se.

I also want very much to be able to use this vision to encourage data users, in either the private or public sector, to embrace privacy as part of their core culture. In doing so I am conscious of the fact that the PCPD needs to dispel any mis-conception that our Ordinance is in some way a bureaucratic imposition foisted upon data users. Quite the contrary, particularly in the private sector, there are considerable benefits from becoming a privacy-compliant organization.

It is my firm belief that in a highly competitive economy, such as Hong Kong's, respect for personal data privacy can bring competitive advantage to business organizations. Good personal data management practices are worthy of serious consideration because they offer the opportunity to differentiate the product or service in a manner that is valued by the consumer, and that can only be good for business. Indeed, the significance of this argument has already been realized in the USA where larger organizations have taken to appointing a Chief Privacy Officer reporting to the CEO. That may be a little premature for Hong Kong but it is a development that should be contemplated because it signifies that responsibility and accountability have been attached to the management of personal data. This is symptomatic of exercising corporate control, which is part of a larger concept of good corporate governance.

If I may shift the focus of this appeal to the E-Business marketplace there is considerable evidence, including findings from the PCPD's annual data subjects survey, that it is the absence of controls that explains why consumer expenditure online remains such a very small percentage of total consumer expenditure. Survey after survey reveals that consumers in Hong Kong want to control their personal data just as they want to control their personal expenditure. The desire for control is amplified in the online world where transactions are invisible. It is this invisibility that heightens the fears of prospective consumers in terms of unauthorized use of their personal data.

Personal data privacy, hacking and online fraud concerns add up to a lot of concern, and those collective concerns act as an impediment to the expansion of E-Business.

It is also apparent that consumers want E-Vendors to exercise stringent controls on the use of personal data. Again, rather unfortunately, the message that all too frequently comes across is that those in the IT world are more predisposed towards using technology to track and profile consumers than they are to use technology to protect the identity of the consumer. As a consequence it is not surprising that consumer anxieties continue to persist. One way of allaying those fears might be for .hk vendors to take the initiative by drafting and disseminating E-Vendor Codes of Conduct on the protection of personal data privacy rights. Such codes could amount to voluntary self-regulation and would need to be policed by signatories to the Code.

I am pleased to report that during the course of the year a major PCPD project came to fruition. In April 2001 the Code of Practice on Human Resource Management came into effect. This initiative offers a good illustration of the way in which the PCPD works closely with the business community. The Code was a response to a call from HRM professionals to assist them in applying the provisions of the PD(P)O to the management of personal data in the context of recruitment, employment and severance. It was gratifying to be able to assist managers in translating the technical language of the Ordinance into pragmatic guidelines. It was even more gratifying for the PCPD to win the Outstanding Contribution to Human Resources at the Asian HR Awards ceremony in June 2001.

Over the course of the year we have become involved in two major projects: The Code of Practice on Monitoring and Personal Data Privacy at Work, and revisions to the Code of Practice on Consumer Credit Data.

The first of these, the Code of Practice on Monitoring and Personal Data Privacy at Work, was a response to a recommendation made by the Law Reform Commission in a 1999 consultation paper titled Civil Liability for Invasion of Privacy. That recommendation suggested that the PCPD promulgate a code "for the practical guidance of employers, employees and the general public." After considering the recommendations of consultants engaged to report on the experience of other jurisdictions the PCPD completed the draft Code in March for release as a consultation paper.

The project was taxing in that it presented the PCPD with the challenge of having to accommodate multiple interests. The first of these pertain to the rights of managers to manage the assets and resources of the business. The second set of interests relates to the rights of employees to be treated with dignity and have their personal data privacy rights respected in the workplace. In trying to strike an equitable balance between these rights the draft code was framed around two important principles, those of transparency and proportionality.

In my view this project is representative of the type of challenge that is a recurrent feature of our work namely, reconciling distinct sets of interests without compromising them. The PCPD's responsibilities are well defined in the Personal Data (Privacy) Ordinance and it is our duty to discharge those responsibilities with a high degree of professionalism. We would also regard ourselves as being a leading advocate of privacy rights in the HKSAR. However, having said that, we are conscious of the fact that we need to temper any 'purist' position on privacy-related matters by endeavouring to accommodate other interests. Only by so doing will we be able to generate good policies: by definition good policies are policies that work. Arriving at pragmatic solutions therefore necessitates consensus and it is our aim to utilize this approach to decision making when formulating policy. In effect this means that in any absolute sense privacy rights should not assume supremacy over other rights, for example, the public interest.

This brings me to an illustration of this point and the modus operandi that we have chosen to adopt in relation to a second major project the PCPD have become involved with.

In the latter part of 2001 the financial services sector began to face problems that grew more severe as each month passed. The problems are complex in their origin although economic adversity is the commonly ascribed cause. The problem was the level of default on outstanding credit card and loan balances and the burgeoning numbers of those filing for bankruptcy. After extensive discussions between government departments/agencies and representatives of the financial sector the proposal put forward was that there should be a revision of the current provisions of the Code of Practice on Consumer Credit Data. The proposal currently under consideration is that there should be some relaxation of the sharing of positive credit data by the banks to a credit reference agency ("CAR") for the purposes of credit reporting and credit scoring.

The collection of personal data is a necessary fact of modern life; an inextricable aspect of a globalised society, and the PCPD freely acknowledges this. The proposal put forward involves sensitive privacy issues although it should be said that positive credit data is shared in other jurisdictions such as the USA and UK. The evidence of those jurisdictions is that where positive credit data is shared between a bank and the CRA there are demonstrated benefits for the borrower with a good record of credit worthiness. These benefits range from exclusive access to new products and services and tiered pricing on interest charges. The challenge therefore is to find a solution that will adequately safeguard privacy interests, assist financial institutions, and in so doing best serve the public interest and Hong Kong's economic recovery.

In looking to the future I believe that the PCPD will likely confront complex issues e.g. public surveillance cameras, smart cards, biometrics and centralized medical records databases, which will demand solutions of the nature I have described. I also believe that at some stage in the relatively near future Hong Kong will have to give serious thought as to how it is going to manage privacy and freedom of information issues. In some jurisdictions Commissioners have already been appointed that wear both hats, that of Privacy Commissioner and Information Commissioner. To some this may seem a conflict of interests but it may well signal a redefinition of privacy in the broader context of freedom of expression and freedom of information.

I think that I would best describe the next five years as marking a developmental phase in the evolution of the PCPD. This may necessitate considering new options such as broadening the remit of the Personal Data (Privacy) Ordinance to accommodate privacy issues not currently addressed by the provisions. Any such review of the fundamental role and function of the PCPD would have to be well grounded. However, it is apparent that there is something of a frustrated demand in that certain privacy-related issues are not currently being addressed by any government department or statutory agency. This means that the only options open to aggrieved individuals are to tolerate invasions of their privacy or to seek redress by taking civil action. Either option seems a less than satisfactory state of affairs. Alternatively, the role of the PCPD may have to be redefined to accommodate an information portfolio. This combination of functions seems to be an emergent trend in Europe. We will have to wait and see how that trend develops and what the implications are for Hong Kong.

Certainly, as the trans-border flow of personal data increases with the resurgence of world economies Hong Kong will have to ensure that privacy interests are adequately protected. This means that Section 33 of the Ordinance, which is the only section that has yet to come into effect, will have to be revisited. Section 33 deals with trans-border data flows that are subject to strict European Union regulations. In essence those regulations stipulate that to trade with any European Union member State a non-member State will have to apply for 'adequacy' of its privacy legislation vis-a-vis EU directives. Alternatively, a non-member State will have to have in place some sort of privacy regimen that in principle meets EU directives on the protection of personal data. Non-compliance on the part of a non-member State to meet the EU's 'adequacy' requirements could mean the imposition of sanctions. Those sanctions may impede trade between the EU and non-member States where that trade necessitates the transfer of personal data across borders.

Before concluding I would like to re-emphasize a point made earlier. It is abundantly clear that the citizens of Hong Kong value their privacy rights. Not even the events of the 11 September in New York and Washington have diminished the determination to preserve and protect this aspect of human rights in Hong Kong. My interpretation of that position is that privacy rights are robust and that there has been a measured response to sustaining that resilience. This is both laudable and a credit to the community and the Administration in that they have resisted any knee jerk reaction.

In conclusion there are many weighty issues to be resolved in the medium term if Hong Kong is to retain its worldwide reputation as a place where personal data privacy rights are protected and respected. Indeed, there is a need for constant vigilance because privacy is a moving target rather than a finite entity. However, I am fortunate in being able to lead a dedicated team as we embark upon the next phase of the PCPD's development. I believe we have the collective experience and commitment to ensure that privacy rights in Hong Kong continue to be upheld and command the respect of other jurisdictions around the world that we have good working relationships with.