Office of the Privacy Commissioner for Personal Data, Hong Kong

Publications and Videos
2001-2002 Annual Report_22

 

Report on Activities - Privacy-Related Issues

Code of Practice

Under section 12(1) of the PD(P)O, the Privacy Commissioner may, for the purpose of providing practical guidance in respect of any of the requirements of the PD(P)O, including those of the data protection principles, approve and issue codes of practice. The preparation of such a code may be done by a particular sector or profession or by the Privacy Commissioner. Before approving a code of practice the Privacy Commissioner is required to consult such representative bodies of data users to which the code will apply and such other interested persons as he thinks fit.

Amendments to the Code of Practice on Consumer Credit Data

Following the consultation exercise conducted in May 2001, the Privacy Commissioner approved revisions to the Code of Practice on Consumer Credit Data on 8 February 2002. The revisions took effect on 1 March 2002.

The revised Code provides better protection to an individual's credit data and allows relaxation on certain data retention and disclosure requirements. The rationale adopted is that any relaxation would not go beyond that which is strictly necessary to promote better credit assessment. The revisions also alleviate certain operational difficulties encountered by the consumer credit industry. The revisions are in the following areas.

a) Relaxation on data retention and use. Extension of the permissible retention period of credit application data by a credit reference agency from 90 days to 5 years, and extension of retention period of file activity data from 12 months to 5 years. Use of these historical data for consumer credit scoring is allowed but release of these data by a credit reference agency to credit providers is limited to data compiled over the most recent two years of the 5-year period.
   
b) Additional safeguards. Restrict access to an individual's credit data by a credit provider only in situations involving the grant, review or renewal of consumer credit. In relation to default data of a discharged bankrupt, a credit reference agency is required to delete such default data from its records within 5 years of the date of the discharge. Furthermore, public records about an individual's bankruptcy, e.g. any declaration or discharge of bankruptcy appearing on official records, should not be retained for more than 8 years from the relevant declaration.

Draft Code of Practice on Monitoring and Personal Data Privacy at Work

On 8 March 2002, the PCPD issued a consultation document relating to a draft Code of Practice on Monitoring and Personal Data Privacy at Work. Organizations from both the public and private sector were invited to submit their comments on the draft provisions of the Code, as were members of the public. The primary purpose of the Code is to provide practical guidance to employers who engage in practices that monitor and record the activities and behaviour of employees at work. The provisions of the Code seek to strike a balance between the business interest of employers and the privacy interest of employees.

The development of the Code was a considered response to several factors. First, it was a recommendation of the Privacy Sub-Committee of the Law Reform Commission ("the LRC") in its consultation paper entitled "Civil Liability for Invasion of Privacy" published in August 1999. The view adopted by the LRC to support the recommendation is that an employee's expectation of privacy in his activities in the workplace had to be balanced against the employer's need to keep the workplace, and his employees' activities, under surveillance for legitimate business purposes.

Secondly, technological developments and reduced costs, notably of surveillance software, have made monitoring systems affordable to virtually all employers. The natural consequence of this is that employee monitoring has become more pervasive in Hong Kong and, some would argue, more invasive of the privacy of the individual at work.

Thirdly, the findings of the PCPD's 2001 Opinion Survey indicated that 63.6% of the 485 respondent organizations had installed at least one type of employee monitoring device. One in three had installed two or more devices. The findings also indicated that only 22.1% of organizations surveyed had notified employees of their practices by drafting and disseminating a written employee monitoring policy. When respondent organizations were asked if they would support PCPD efforts to develop a code of practice on monitoring, 77.6% were in agreement with this suggestion. Less than 10% were opposed to it.

Having given careful consideration to these factors, the PCPD decided to promulgate the draft Code that, at least initially, would cover the most common forms of monitoring found in Hong Kong. These involve practices that relate to E-mail monitoring, computer usage monitoring (including Internet access), telephone monitoring and CCTV/video monitoring. The consultation is expected to run until 7 June 2002.

Draft Code of Practice on the Protection of Customer Information for Fixed and Mobile Service Operators

In January 2002, the PCPD participated in a joint project with the Consumer Council, the Independent Commission Against Corruption and the Office of the Telecommunications Authority to develop a draft code of practice for fixed and mobile service operators. The draft code is intended to be a voluntary code that sets out good practices that relate to the protection of customer information. It is expected that the code will be issued in June 2002 after consultation with the fixed and mobile service industry.



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.