Speech by Privacy
Commissioner at the special meeting of Legislative Council Panel on
Home Affairs
The Privacy Commissioner for Personal Data, Mr. Roderick B Woo, spoke
at the special meeting of Legislative Council Panel on Home Affairs
today (July 4). The script of his speech is appended below: -
Madam Chairman and Honorable Members,
The latest edition of the international journal “Privacy Laws &
Business” has a lengthy article on Hong Kong. It begins with the
sentence “It is not easy these days being Hong Kong’s Privacy
Commissioner.” It goes on to say that “In the last three months,
Privacy Commissioner Roderick B Woo, who oversees Hong Kong’s
implementation of the Personal Data (Privacy) Ordinance, has issued at
least 15 public statements (in fact there have been 26 since the
beginning of the year) dealing with the incidents, appeared before the
Legislative Council and, for the first time, invoked his office’s power
to inspect personal data systems.” Later in the article, it says
“Woo and others say that Hong Kong – once a leader in private data
protection, as one of the first jurisdictions outside Europe to have a
data protection law – now needs to review and update its 12-year-old
law to take into account new technologies and new realities. Woo
points to the efforts of Canada, New Zealand and Australia, which have
begun reviewing their data ordinances in the past several years.”
When I sent in my proposals for a comprehensive review of the Ordinance
last year, I said in my letter to the Secretary for Constitutional and
Mainland Affairs, “I request for expedition of the legislative
amendment process by the Government. Like other privacy
commissioners in overseas jurisdiction, I can see the increasing
invasion of personal data privacy posed by the overwhelming
technological advances. Hong Kong will be seen to be regressing
in its effort to protect data privacy if the Ordinance cannot keep pace
with changes and development that are taking place.”
In another letter to the Secretary in February this year, I drew
attention to the fact that since our presenting the amendment
proposals, “things have happened which highlight the pressing need for
legislative reform” and I concluded my letter saying “I think it is
high time that Government do take proactive steps to expedite the
legislative amendments process.”
I am aware the CMAB has many concerns and the review of the Ordinance
may involve much work on the part of the government. I was
prepared to wait but with so many other pressing issues on the desk of
the bureau chief, I wonder what his priority list looks like.
The annual subvention granted to my Office had not changed for six
years. In the past, the Commissioner sent in three formal
applications for increase but all RAEs were rejected in total. I
suspect that it was only because of the publicity given to the
increasing number of loss of personal data incidents that I was able to
persuade CMAB to give extra resources this year purportedly not from
the normal government channel but from the funds allocated to CMAB
itself. With the increased funding, I can hire one middle ranking
and two lower ranking staff. This simply is not enough.
The UK Prime Minister, after apologizing to Parliament about the loss
of data containing records on 25 million people by Her Majesty’s
Revenue and Customs, announced at the end of last year “We will give
the Information Commissioner the power to spot check government
departments, to do everything in his and our power to secure the
protection of data. We will do everything in our power to make
sure that data is safe.” Did he blame the Commissioner for the
loss of data? No. Instead, he promised the Commissioner
additional power and additional resources.
The UK Commissioner suggested to the Administration that those “who
knowingly and recklessly fail to comply with DP principles could be
subject to a criminal penalty. He proposes unlimited fines but
would not support custodial sentences.” It was also on this
occasion that the Prime Minister asked the Commissioner to No. 10
Downing Street to discuss matters concerning protection of personal
data.
Will your Privacy Commissioner receive an invitation to meet the Chief
Executive in the present climate? I think it highly
unlikely. Why? Well, in all my letters addressed to the
Secretary for Constitutional and Mainland Affairs, I have yet to
receive a letter from him. The reply letters and matters for
discussion have invariably been attended to by his senior staff.
As I said, I wonder and this Council may also wonder how serious the
government is in helping the Privacy Commissioner to deal with the
increasing number of data loss incidents. It must allocate
sufficient resources to tackle the problems.
In a recent coverage of my inspection of the Hospital Authority’s
patient data system, a Hong Kong newspaper reported that in exercising
my power of inspection for the first time, I could only spot check one
hospital out of the 40 odd public hospitals under the management of
HA. At one time, I had to deploy more than half of my staff in
the exercise. In fact, I had to find four eminent experts as
volunteers to help. The press report said that faced with an
influx of cases, the investigations which need to be done have to take
turns.
This fairly sums up the current situation, an embarrassing situation no
doubt. I find that there is an increasing public expectation and
without the resources and with the current legislation, I find it hard
to close the expectation gap unless the government acts and acts
promptly to give me help.
END