Paper for Provisional Legislative Council
Panel on Information Policy
Meeting on 27 February 1998
by
Office of the Privacy Commissioner for Personal Data
Hong Kong

Guideline on Privacy and The Internet

Introduction

The rapid development of the Internet has made an abundance of information easily accessible on-line to everyone who has a connection to it. But this development raises significant privacy issues. These issues relate to the risks associated with the collection, use and security of personal data when one surfs the Internet for fun, information, or to obtain goods or services. These concerns have a serious dampening effect on the further development of the Internet, particularly on electronic commerce.

Electronic Commerce

Electronic commerce, conducting business over the information superhighway, is growing at a phenomenal rate. Its many recognised advantages include a new channel of doing business which brings in new revenue, particularly for small and medium enterprises (SMEs), which can now access global markets more easily and cost-effectively. New and innovative businesses are also mushrooming, e.g. search companies with specialised databases, Web design and marketing companies, and multi-media interactive services.

There is a significant road block to the seemingly unstoppable momentum in harnessing the potential of the information superhighway. This stumbling block concerns ensuring the trust and confidence of both consumers and businesses. A European Union document on Electronic Commerce summarises this concern admirably [1]:

"For electronic commerce to develop, both consumers and businesses must be confident that their transaction will not be intercepted or modified, that the seller and the buyer are who they say they are, and that transaction mechanisms are available, legal and secure. Building such trust and confidence is the prerequisite to win over businesses and consumers to electronic commerce. Yet many remain concerned about the identity and solvency of suppliers, their actual physical location, the integrity of information, the protection of privacy and personal data, the enforcement of contracts at a distance, the reliability of payments, the recourse for errors or fraud, the possible abuses of dominant position - considerations which are heightened in cross-border trading."

According to the January 1997 Eurobarometer survey on "Information Technology and Data Protection", two thirds of respondents are worried about trails of personal data that are left behind when using digital information networks.

Hong Kong Scene

Current estimates indicate that in Hong Kong there are about 400,000 Internet users, 4,000 to 5,000 enterprise websites and 40,000 to 50,000 individual homepages.

Given the understanding that

  1. Internet users generally are not aware of the inadequacy of security in the Internet infrastructure,

  2. Organisations with websites might not be fully aware of the requirement of the "Personal Data (Privacy) Ordinance" in the operations of these websites, and

  3. The heightening of privacy awareness for both individuals and organisations would assist the positive growth of Internet usage and electronic commerce,

the Privacy Commissioner for Personal Data has recently issued two sets of guidelines on the protection of personal data privacy on the Internet, providing guidance to organisations and individuals respectively.

The guidelines for individual Internet users aim to raise individuals’ awareness of the privacy risks on the Internet and give them guidance on how to protect their privacy by suggesting precautionary actions that can be taken. The guidelines for organisations assist them to comply with the requirements of the Personal Data (Privacy) Ordinance commonly applicable to the collection, display and transmission of personal data over the Internet.

To protect one's privacy on the Internet, an individual is advised to pay attention to the following:

    · Consider configuring the computer system to alert him/her whenever there are privacy risks on-line e.g. setting options in an Internet browser to display a message each time one enters or leaves a secure zone and to ask for one's permission before a "cookie" is accepted;

    · Before an individual provides any personal data on-line, he/she should be sure about the identity of the site and can check whether the site has any on-line privacy policy and personal information collection statement, including information on the purposes for which personal data are collected by the organisation that operates the site;

    · When an individual is transmitting sensitive personal data on the Internet, he/she should consider using privacy protective tools to encrypt the data;

    · Adults should teach and guide their children when they use the Internet;

    · If an individual is annoyed by direct marketing e-mails from a Hong Kong-based organisation, he/she has the right under the Personal Data (Privacy) Ordinance to "opt out" from receiving further marketing e-mails from that organisation;

    · If the individual shares his/her computer with somebody else, he/she should disconnect promptly after surfing, clear the e-mail folders and avoid leaving an electronic trace in the computer by clearing the temporary storage areas, for example, the "cache", "followed links" and "history" areas.

Organisations collecting, displaying or transmitting personal data over the Internet should pay attention to the following:

    · They should be open about their policies and practices in relation to personal data e.g. by preparing a personal data privacy policy which is easy to access on-line;

    · If they collect personal data from individuals on the Internet, they should provide a "Personal Information Collection" statement on-line setting out the purposes for collecting the data, the classes of persons to whom the data may be passed and the individual's rights to request access and correction of his/her personal data;

    · They should provide for secure transmission of sensitive personal data on the Internet, e.g. by encrypting such data;

    · They should provide an "opt-out" choice to individuals in any direct marketing e-mails and comply with any opt-out requests they receive;

    · They should promote a privacy-aware culture among their employees involved in the design and operation of the web site.


"A European Initiative in Electronic Commerce", COM(97)157, April 1997, http://www.ispo.cec.be/Ecommerce.