Hong Kong's Personal Data (Privacy) Ordinance


Asia Privacy Bridge Forum, 11 May 2016
Hong Kong's Personal Data (Privacy) Ordinance
Fanny Wong, Deputy Privacy Commissioner for Personal Data, Hong Kong, China

The Personal Data Landscape in Asia
[Map figure: the slide placed years between 1995 and 2012 against jurisdictions on a map of Asia; the jurisdiction labels did not survive extraction.]

The Personal Data (Privacy) Ordinance
- 1995: stand-alone legislation
- Regulates both the public (government) and private sectors
- Enforced by an independent statutory regulatory body, the Privacy Commissioner for Personal Data (PCPD)

Six Data Protection Principles (DPPs)

The Amendment Ordinance 2013
- The Personal Data (Privacy) Ordinance was enacted in 1995 and came into effect in 1996
- Overhaul of the Ordinance initiated in 2007
- New provisions unrelated to direct marketing and legal assistance (including outsourcing of data processing) took effect on 1 October 2012
- New provisions relating to direct marketing and legal assistance took effect on 1 April 2013
Drivers of the review:
- IT advances and the rising trend of outsourcing data processing (IPCC case in 2006)
- Rapid advancement in IT and widespread use of the Internet (online distribution of nude photographs of artistes in 2008)
- Commonplace misuse of personal data in the business sector (Octopus case in 2010)

New Provisions on Direct Marketing Activities
- Prior to 1 April 2013: opt-out mechanism (s.34)
- After 1 April 2013: opt-in mechanism, respecting the data subject's right of self-determination (new provisions s.35A to s.35M)
- Catalyst: inappropriate handling of personal data for direct marketing purposes by Octopus and various large-sized organisations such as banks, telecommunications companies and insurance companies

Octopus Card
- Stored-value payment card
- Payment for public transport: underground/train/bus/ferry
- Corner shops, supermarkets, fast food stores
- On-street and off-street parking
- Access to residential and commercial buildings

Octopus Incident 2010
- Personal data collected for the management of the Octopus Card was sold to insurance companies for making direct marketing calls, without members being informed of such sales

Problems Revealed in the Octopus Incident and the Remedies in the New Direct Marketing Provisions

1. Problem revealed: no requirement for opt-in at the collection stage (not even an opt-out option in the Octopus Incident)
   New measure against data users: must take specified actions and obtain the data subject's express consent before using personal data for direct marketing

2. Problem revealed: personal data was shared with business partners for monetary gain without obtaining the data subject's prescribed consent
   New measure against data users: must take specified actions and obtain the data subject's consent before such transfer to a third party for direct marketing

3. Problem revealed: insignificant fine for breach of an opt-out request (repealed): maximum fine of HK$10,000
   New measure against data users: maximum penalty for breach is a fine of HK$1,000,000 and 5 years' imprisonment (transfer of personal data for direct marketing for gain); HK$500,000 and 3 years' imprisonment (for others)

New Provisions on Outsourcing of Personal Data Processing (DPPs 2 and 4)
Issues to be dealt with:
- Data processors' unnecessary retention of personal data obtained from the data user
- Commonplace unauthorised or accidental access, processing, erasure, loss or use of personal data transferred to data processors
New requirements: if a data processor is engaged, whether within or outside HK, the data user must adopt contractual or other means to prevent:
- unnecessary retention by the data processor (DPP 2)
- unauthorised or accidental access, processing, erasure, loss or use of data transferred for processing purposes (DPP 4)

Impact on Business
Public awareness (direct marketing and data processing):
- Before: 1 seminar per month for 60 people
- After: demand for talks rocketed; on average 8 to 10 seminars per month, targeting more specialised audiences (finance, HR, IT, insurance and direct marketing industries)
- The public's increased awareness of their rights to personal data privacy led to more complaints to businesses and to PCPD(HK)

Impact on Business
Increased use of Privacy Impact Assessments (PIAs) by organisations:
- Government: PIAs included in government projects that involve personal data (Transport Department's new speed camera; Immigration Department's smart ID card)
- Private sector: sizable companies
The public's increased awareness of their rights to personal data privacy is resulting in more complaints to businesses and to PCPD(HK)

Relevant Enforcement and Survey Activities of the PCPD (HK)

                        2010     2011     2012     2013     2014     2015
Complaints received    1,179    1,486    1,213    1,792    1,702    1,971
Enquiries received    18,000   18,680   19,053   24,161   17,328   18,456

Regular opinion surveys on individuals and organisations: 1998, 1999, 2002, 2010, 2013, 2014, 2015

Stakeholder Engagement on Topical Issues
- 2001/2002/2008/2011: Code of Practice on Consumer Credit Data for Credit Reference Agencies and Credit Providers
- 2002: Employee Monitoring and Personal Data Privacy at Work
- 2006: Property Management Practice
- 2006: Hotel Management Practice
- 2006: Youth Attitude
- 2007: Use of the Internet by Youths
- 2008: Estate Agency Practice
- 2009/2010: Ordinance Review
- 2011: Property Management Practice
- 2012: Insurance Industry Practice
- 2013: Retail Industry Practice
- 2014: Banking Industry Practice
- 2015: Protection of Personal Data in Public Registers
- 2016: Electronic Health Record Sharing System

Publications issued by the PCPD (HK): Codes of Practice and Guidelines
- Code of Practice on Consumer Credit Data
- Code of Practice on Human Resource Management
- Code of Practice on the Identity Card Number and Other Personal Identifiers
- Privacy Guidelines: Monitoring and Personal Data Privacy at Work

Publications issued by the PCPD (HK): Guidance Notes
- Best Practice Guide for Mobile App Development
- Collection and Use of Personal Data through the Internet: Points to Note for Data Users Targeting at Children
- Guidance for Data Users on the Collection and Use of Personal Data through the Internet
- Guidance on CCTV Surveillance and Use of Drones
- Guidance on Collection and Use of Biometric Data
- Guidance on Data Breach Handling and the Giving of Breach Notifications
- Guidance on Electioneering Activities
- Guidance on Personal Data Erasure and Anonymisation
- Guidance on Personal Data Protection in Cross-border Data Transfer
- Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement
- Guidance on Property Management Practices
- Guidance on the Proper Handling of Customers' Personal Data for the Banking Industry
- Guidance on the Proper Handling of Customers' Personal Data for the Insurance Industry
- Guidance on the Proper Handling of Data Correction Request by Data Users
- Guidance on the Use of Portable Storage Devices
- Guidance on Use of Personal Data Obtained from the Public Domain
- New Guidance on Direct Marketing
- Personal Data Privacy: Guidance for Mobile Service Operators
- Privacy Management Programme: A Best Practice Guide
- Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Publications issued by the PCPD (HK): Information Leaflets
- A Guide for Data Users: Compliance with Data Access and Correction Requests
- About the Office of the Privacy Commissioner for Personal Data, Hong Kong
- An Overview of the Major Provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012
- Care for Patients: Protect Their Personal Data
- Cloud Computing
- Compliance Guide for Employers and Human Resource Management Practitioners
- Human Resource Management: Some Common Questions
- Matching Procedure: Some Common Questions
- Offence for Disclosing Personal Data Obtained without Consent from the Data User
- Online Behavioural Tracking
- Outsourcing the Processing of Personal Data to Data Processors
- Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals)
- Personal Data Privacy Protection: What Mobile Apps Developers and their Clients Should Know
- Privacy Impact Assessments
- Privacy Implications for Organisational Use of Social Networks
- Understanding the Code of Practice on Human Resource Management: Frequently Asked Questions About Recruitment Advertisements

Industry-specific Privacy Campaign
- Launched in January 2015
- Theme: "Developing Mobile Apps: Privacy Matters"
- Co-organised by 10 leading trade associations; supported by 10 ICT professional/academic institutions

Data Protection Officers Club
- Provides practising data protection officers with a platform for advancing their knowledge, sharing experience and training

Data Protection Officers Club
[Bar chart: number of DPOC members since establishment; the bars read 267 and 539 on a 0 to 700 scale, with the period labels not recoverable.]

Professional Compliance Workshops
- 77 workshops were held with over 2,100 participants in 2015
Workshop topics in 2016:
- Data Protection and Data Access Request
- Data Protection in Banking/Financial Services
- Data Protection in Direct Marketing Activities
- Data Protection in Human Resource Management
- Data Protection in Insurance
- Data Protection in Retail Operation
- Legal Workshop on Data Protection
- Practical Workshop on Data Protection Law
- Privacy Management Programme

Support for Small and Medium Enterprises
- Self-training module on protection of personal data for SMEs

Online Resources
- Online training platform
- Codes of Practice / Guidelines, Guidance Notes, Information Leaflets

Privacy Management Programme (PMP)
- Encourages organisations to embrace personal data privacy protection as part of their corporate governance responsibilities and to apply it as a top-down business imperative throughout the organisation

Privacy Management Programme (PMP): from Compliance to Accountability
- The Hong Kong Government, 25 insurance companies, 9 telecommunications companies and 5 organisations from other sectors have all pledged to implement PMP

Consultation on Implementing PMP in the Public Sector (November 2015)
- Purpose: to facilitate three HK Government bureaux/departments in implementing PMP
- Deliverables (toolkits and training) will benefit any organisation, public or private, implementing PMP

Paradigm Shift
Compliance approach:
- passive
- reactive
- remedial
- problem-based
- handled by legal/compliance
- minimum legal requirement
- bottom-up
Accountability approach:
- active
- proactive
- preventative
- based on customer expectation
- directed by top management
- reputation building
- top-down

Effect of Paradigm Shift
- Enforcement and compliance + Accountability = Trust Culture (Protect and Respect)
- Personal data: from Liability to Asset

Change of Business Attitude
- A research and consultation study, the Hong Kong Accountability Benchmarking Micro-Study, was conducted in early 2015
- Purpose: to understand the current status of how privacy is being managed in Hong Kong

Change of Business Attitude
Participating organisations (PMP-pledged organisations and members of the PCPD's Data Protection Officers Club) have:
- implemented activities that focus on legal compliance requirements and on a specific Code of Practice (Human Resource Management) issued by PCPD(HK)
- invested heavily in privacy and data protection measures relating to technical and security measures, records retention, data privacy notices and policies, requirements for processors, and managing and responding to access requests

Change of Business Attitude
Participating organisations are further developing their privacy management programmes in:
- training and awareness
- managing third-party risk
- access requests, inquiries and complaints
- expanding privacy impact assessment programmes and implementing privacy-by-design procedures
- testing incident and breach protocols
A higher percentage of organisations in Hong Kong are implementing personal data inventories and data classification