A Regulator s Perspective on Accountability and How to Incentivise It

Similar documents
Hong Kong s Personal Data (Privacy) Ordinance

Building Trust in the Cloud Era - Protect, Respect Personal Data

Hong Kong Accountability Benchmarking Micro-Study. Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong

Data Security Standards

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

ENISA s Position on the NIS Directive

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

LC Paper No. CB(2)851/17-18(03)

MNsure Privacy Program Strategic Plan FY

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

Developing and Implementing Data Protection Law: Malaysia and Beyond

An Overview of ISO/IEC family of Information Security Management System Standards

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

PROJECT BACKGROUND AND RATIONALE

GDPR: A QUICK OVERVIEW

Call for Expressions of Interest

The GDPR Are you ready?

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

COBIT 5 With COSO 2013

Introduction to the Personal Data (Privacy) Ordinance

Data Breach Notification: what EU law means for your information security strategy

Directive on Security of Network and Information Systems

UK-led international standards for BIM

Package of initiatives on Cybersecurity

Client Services Procedure Manual

= = = = = = Promotion and Public Educaton

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

UAE Space Policy Efforts Towards Long Term Sustainability of Space Activities Agenda Item 4; COPUOS June 2017 By: Space Policy and

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Better Privacy Through Identity Management:

Pilot Study on Big Data: Philippines. World Telecommunications/ICT Indicators Symposium (WTIS) November 2017 Hammamet, Tunisia

Government data matching and the Privacy Act 1988 (Cth)

2017 RIMS CYBER SURVEY

Transparency & Trust: A guide for landlords & tenants to data protection and privacy

July 13, Via to RE: International Internet Policy Priorities [Docket No ]

Security and Privacy Governance Program Guidelines

falanx Cyber ISO 27001: How and why your organisation should get certified

Coastal Babysitters Privacy Policy

EGM, 9-10 December A World that Counts: Mobilising the Data Revolution for Sustainable Development. 9 December 2014 BACKGROUND

Legal and Regulatory Developments for Privacy and Security

Department of Justice Policing and Victim Services BUSINESS PLAN

Architecture and Standards Development Lifecycle

The United Republic of Tanzania. Domestication of Sustainable Development Goals. Progress Report. March, 2017

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Global Statement of Business Continuity

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Cyber Risks in the Boardroom Conference

21 August 2015 (Friday) 2:00-5:00 p.m. Venue: N106 N108, 1/F The Hong Kong Convention and Exhibition Centre, 1 Expo Drive Wan Chai, Hong Kong

International Nonproliferation Export Control Program (INECP) Government Outreach for Enterprise Compliance

Transit Bus Safety and Security Program

Assessment of the progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society

NATIONAL INFRASTRUCTURE COMMISSION CORPORATE PLAN TO

Networking Session - A trusted cloud ecosystem How to help SMEs innovate in the Cloud

RESOLUTION 179 (REV. BUSAN, 2014) ITU's role in child online protection

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Data Governance Quick Start

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Promoting accountability and transparency of multistakeholder partnerships for the implementation of the 2030 Agenda

RESOLUTION 179 (REV. BUSAN, 2014) ITU's role in child online protection

Position Description. Engagement Manager UNCLASSIFIED. Outreach & Engagement Information Assurance and Cyber Security Directorate.

As set out in the Hong Kong ID card, or any relevant identification document referred to in 1(g) above.

Department of Management Services REQUEST FOR INFORMATION

A Modern European Data Protection Framework

Big data privacy in Australia

Information kit for stakeholders, peak bodies and advocates

Growing Communities for Co-Creation : How Employees and Customers/Users Collaborate To Increase Adoption and Retention

A PRE-WORKSHOP TUTORIAL ON THE APEC CROSS-BORDER PRIVACY RULES AND THE APEC PRIVACY RECOGNITION FOR PROCESSORS

SWIFT Response to the Committee on Payments and Market Infrastructures discussion note:

Tools & Techniques I: New Internal Auditor

ANZPAA National Institute of Forensic Science BUSINESS PLAN

The MovingLife Project

FOUNDED GOAL of New ORGANIZATION. CLEAR Annual Educational Conference Getting the Most Out of CLEAR. St. Louis October 3-5, 2013

ACE Corporate Plan. Mission. Vision

CAPM TRAINING EXAM PREPARATION TRAINING

BHConsulting. Your trusted cybersecurity partner

Level 4 Diploma in Computing

Innovative Climate Finance Mechanisms for Financial Institutions in Fiji, Pakistan, Indonesia and Sri Lanka

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS

Background Note on Possible arrangements for a Technology Facilitation Mechanism and other science, technology and innovation issues

Creation and Evolution of the Colombian DPA

Canada s Anti-Spam Law ( CASL ): It s the Law on July 1, 2014 questions for directors to ask

Breach Notification Assessment Tool

Chartered Membership: Professional Standards Framework

Deanship of Academic Development. Comprehensive eportfolio Strategy for KFU Dr. Kathryn Chang Barker Director, Department of Professional Development

EISAS Enhanced Roadmap 2012

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

European Code of Conduct on Data Centre Energy Efficiency

Privacy Policy GENERAL

Future-Proof Security & Privacy in IoT

Digital government toolkit

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

United4Health session Regulatory Framework Trends & Updates. Nicole Denjoy COCIR Secretary General Wed. 7 May 2014, Berlin (Germany)

The Integrity of Personal Data: Some Topical Issues & Implications of PDPO for Business

TDWI Data Governance Fundamentals: Managing Data as an Asset

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Transcription:

Centre for Information Policy Leadership (CIPL) Workshop in collaboration with the Singapore Personal Data Protection Commission Implementing Accountability 26 July 2018 A Regulator s Perspective on Accountability and How to Incentivise It Stephen Kai-yi Wong, Barrister Privacy Commissioner for Personal Data, Hong Kong, China 1

Presentation Outline 1 Hong Kong Privacy Management Programme 2 Engaging the Data Controllers (SMEs) 3 Data Ethics and Trust 2

1 1 Hong Kong Privacy Management Programme 3

Hong Kong Privacy Management Programme Initiated by the Hong Kong Privacy Commissioner Not a legal requirement Corporate governance responsibilities Top-down business imperative Data protection policies & procedures in place A paradigm shift 4

Paradigm Shift Accountability Approach Compliance Approach Passive Reactive Remedial Problem-based Handled by compliance team Minimum legal requirement Bottom-up Active Proactive Preventive Based on customer expectation Directed by top-management Reputation building Top-down 5

PMP Fundamental Principles Top-Down Organisational Commitments Topmanagement commitment and buy-in Setting up of a dedicated data protection office or officer Establishing reporting and oversight mechanism 6

PMP 7 Practical Programme Controls 7

PMP Ongoing Assessment and Revision Develop an Oversight and Review Plan Assess and Revise Programme Controls 8

Carrots or Sticks? Deterrence and punishment had limited effects Maximum fine for DM conviction cases - US$4,000 only! No power to impose administrative fines Promoting accountability through PMP 9

Organisations Sharing Training Privacy Impact/Compliance Assessment Conducted by the Government on specific projects e.g. SMART ID, e-health System, etc. 10 10

Practical Difficulties Encountered by Organisations in implementing PMP Lack of budget and resources Lower motivations to implement Lack of Knowledge Lack of competent legal and technical staff DPAs should provide incentives 11

Consultancy Project on Implementation of PMP in Government PMP Training Consultant engaged to facilitate bureaux /departments to implement PMP PMP Manual (To be completed this year) Advice provided by the PCPD 12

Deliverables by the Consultant General Reference Guide PMP Manuals for selected government bureau/departments Workshops Toolkits and training materials 13

PMP Manuals for government departments Cover all components of a PMP Section 1: Overview of the Privacy Management Programme ( PMP ) Organisational Commitment A-1a. Roles and Responsibilities of the Departmental Data Protection Officer and Other Officers Assisting in the Implementation of PMP A-1b. Reporting Mechanism Section 2 Section 3: Overview of the Personal Data (Privacy) Ordinance The tailor-made PMP Programme Controls Ongoing Assessment and Revision A-2b. Policies for Handling Personal Data A-2c. Risk Assessment Tools A-2d. Training and Education A-2e. Breach Handling A-2f. Data Processor Management A-2g. Communication 1. Oversight and Review Plan 2. Review of PMP s Effectiveness 14

PMP Manuals for government departments Understand the bureau/departments reviewing existing policies, guidelines, procedures, etc. interviewing key divisions/sections to understand their operations walkthrough of key privacy controls in place within the data privacy lifecycle Groundwork: Report overview of current status of the PMP detailed findings and recommendations a road map for way forward Worked with the bureau/departments and prepared the PMP Manual tailored templates, outlines/key contents of the policies and procedures, frameworks and protocol references. 15

PMP Manuals for government departments Based on the observations identified Remediate the gaps identified 16

PMP Manuals for government departments Set up of Data Protection Office Specified roles and responsibilities of Data Protection Officer, Personal Data Privacy Officer and Team Coordinator privacy respectful culture 17

PMP Manuals for government departments 18

PMP Manuals for government departments privacy respectful culture Set up of a clear general reporting structure & reporting mechanism with respect to data breach handling 19

PMP Manuals for government departments Team Coordinators Team 1 Team 2 Team 3 General reporting structure Team 4 Team 5 Team 6 Data Protection Officer Personal Data Privacy Officer Directorate Officer Team 7 20

PMP Manuals for government departments Set up of reporting mechanism with respect to data breach handling 21

PMP Manuals for government departments Practical Protocols Specific steps and procedures 22

PMP Manuals for government departments Steps for Personal Data Inventory Review 23

PMP Manuals for government departments Specific steps and procedures Steps for conducting a Privacy Impact Assessment 24

PMP Manuals for government departments 25

PMP Manuals for government departments Tailored templates Data Processor Review 26

PMP Manuals for government departments Practical Protocols checklist to ensure the compliance with PDPO (e.g. Preparation of PICS) 27

PMP Manuals for government departments 28

PMP Manuals for government departments Practical Protocols (e.g. collection of identity card, use of portable electronic storage devices, handling of DAR & DCR) 29

PMP Manuals for government departments Practical Protocols 15 30

PMP Manuals for government departments Comprehensive TRAINING ACTIVITIES 31

2 Engaging the Data Controllers (SMEs) 32

Engaging Through Education Website: PCPD.org.hk 33

Engaging Through Education Thematic Websites www.pcpd.org.hk/childrenprivacy www.pcpd.org.hk/besmartonline 34

Social Media Engaging Through Education www.youtube.com/user/pcpdhksar www.facebook.com/besmartonlinepcpd 35

Engaging Through Education Seminars, talks, speaking engagements: self-organised or upon invitation Industry-specific and individual companies/organisations; chambers and associations Covering both public and private sectors In 2017: Conducted 314 professional workshops, talks, seminars, speaking engagements and meetings with stakeholders, with 25,038 participants 36

Engaging Through Education Industry-specific tools and guidance Guidance Note for Beauty Industry Online Assessment Tool for Retail Operation 37

Industry-specific tools and guidance - at PCPD.org.hk Engaging Through Education 38

Industries engaged: Engaging Through Education Mobile apps developers Beauty industry Property agents Retail sector Insurance Property management Telecommunications 39

www.youtube.com/user/pcpdhksar 40

Privacy Campaign for SME Guidance Note for SME A new toolkit dedicated for SME will be published Revamp the online selftraining module for SME Engage SME chambers and associations 41

Engaging Through Promotion Media promotion In 2017: Press releases: 30 Responses to media enquiries: 217 Media interviews: 54 42

Engaging Through Promotion Op-ed articles 43 43

Engaging Through Promotion Publications - Topic-specific - Industry-specific 44

Engaging Through Exchanges and Dialogues Data Protection Officers Club Established in year 2000 Over 550 members from public and private sectors A platform for members to share and exchange views 45

Engaging Through Exchanges and Dialogues Data Protection Officers Club Seminars, sharing sessions, visits, etc. 46

Engaging Through Exchanges and Dialogues Data Protection Officers Club Dedicated website and e-newsletter 47

Engaging Through Exchanges and Dialogues Work hand in hand with data controllers for issues/data breaches Example: data breaches by travel agents 48

Engaging Through Exchanges and Dialogues Meetings with chambers, trade associations and professional bodies; conduct seminars and sharing sessions Hong Kong General Chamber of Commerce Chinese General Chamber of Commerce Chinese Manufacturers' Association of Hong Kong American Chamber of Commerce in Hong Kong British Chamber of Commerce in Hong Kong Hong Kong Association of Banks Hong Kong Monetary Authority Hong Kong Institute of Chartered Secretaries Hong Kong Institute of Human Resource Management 49

Engaging Through Exchanges and Dialogues Meetings and exchange of views with multinational corporations/associations for the latest developments/initiatives with privacy implications Facebook: Revised privacy setting; education programmes Microsoft: seminars on privacy related topics Alibaba PayPal Visa Google GSMA 50

Engaging Through Exchanges and Dialogues Hong Kong Federation of Insurers (HKFI): Proposed database for insurance claims HKFI is considering to set up a central database to combat fraud. Historical claims data will be contributed to this central database by the participating insurers. HKFI and PCPD have been in dialogue on this proposed initiative. HKFI has taken into account PCPD s comments and has built in privacy by design in the setup of the proposed database. DATABASE 51

3 Data Ethics as a Solution 52

Data Ethics and Trust Data Ethical Obligations No Surprise to Consumers No Harm to Consumers 53

Promoting Ethics - Legitimacy of Data Processing Project New technologies (e.g., BD, AI, ML) revolutionise the ways in which data is collected, processed and/or used Background Ubiquitous collection and innovative use bring challenges to data protection Growing public expectations for data ethics Growing consensus that notice and consent principle is not fully effective 54

Project Background Project commenced in April 2018 PCPD commissioned a US consultancy to steer the Project 3 in-person meetings in Hong Kong Involving 23 businesses from different sectors 55

Project Objectives What does ethical data processing mean? Fair data processing what would the standards be to describe what being fair means? What is the direct or indirect linkage between fair/ethical data processing and legal requirements, and what aspects of ethical data stewardship go beyond the law? What are the motivators for business to adopt the principles and standards and utilise ethical data impact assessments? 56

Participating Organisations 4 banks 2 telecommunications companies 2 transportation companies 1 public utilities company 1 healthcare services provider 1 insurance company 1 credit reference agency 2 trade associations 9 organisations from other sectors 57

Methodology In-person meetings 2 in-person meetings between the US consultancy and the participating organisations: understanding the level of maturity or capability of privacy programs within Hong Kong business community; sharing of practical experience of the participating organisations in adopting / implementing accountability and data ethics; discussing the data stewardship accountability elements and values, business specific principles that support the values, and ethical data impact assessment 2 in-person meetings (and email discussions) between the US consultancy and PCPD on project approach and issues 1 in-person meeting among all parties to be held in August 2018 Teleconferences 2 teleconferences between the US consultancy and participating organisations subsequent to the in-person meetings to follow up on the comments gathered at the meetings 58

Deliverables by the Consultancy 59

PCPD s Strategic Focus Engaging Incentivising Compliance Accountability Ethics/ Trust/ Respect Culture 60 60

salamat 61

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback