PAPER FOR LEGISLATIVE COUNCIL
PANEL ON HOME AFFAIRS
MEETING ON 14 JUNE 1999
WORK OF THE PRIVACY COMMISSIONER'S OFFICE
INTRODUCTION
This paper provides an overview of the current work of the Privacy Commissioner's Office ("PCO") in monitoring, supervising and promoting compliance with the Personal Data (Privacy) Ordinance (Cap. 486) ("the Ordinance").
2. The Ordinance was enacted in August 1995 to protect the privacy of individuals in relation to personal data. It also serves to safeguard the free flow of personal data to Hong Kong from overseas jurisdictions that have similar laws. The Ordinance establishes a legal regulatory regime for the control of the collection, holding, processing and use of personal data. Responsibility for monitoring, supervising and promoting compliance with the Ordinance is conferred on the Privacy Commissioner for Personal Data ("the Privacy Commissioner"). To enable the Privacy Commissioner to carry out his statutory functions (a full list of which is given in Annex A), the PCO was set up in 1996 with an initial establishment of 32. The PCO came into full operation with the commencement of the core provisions of the Ordinance on 20 December 1996.
3. Notwithstanding substantial increases in workload (see the section on complaints and enquiries below), the PCO's permanent establishment has increased by only two posts, to 34, since commencement of operations. The PCO has had to cope with the increased workload by streamlining procedures, giving a lower priority to self-initiated activities and engaging temporary staff. As can be seen from the organization chart at Annex B, the PCO is divided into two divisions: the Operations and Administration Divisions and two sections, the Legal and Promotion and Public Education Sections.
COMPLAINTS AND ENQUIRIES
4. The rate at which complaints are being received has increased substantially over the past two years. From the start of operations on 20 December 1996 to 31 March 1999, some 723 formal complaints of possible breaches of the Ordinance were received. In 1998-99, there were 418 such complaints. Compared with 1997-98 (253 cases), this represents a 65% year on year increase in the complaint caseload.
5. Of the 723 complaints received up to 31 March 1999, 671 cases have been closed. Of these, 185 cases were screened out due to a lack of prima facie evidence. Of the remaining 486 closed cases, 72 cases were found to be unsubstantiated after inquiries with the parties complained against, 61 cases were withdrawn by the complainants, 11 cases were unresolved due to loss of contact with the complainants, 223 cases were resolved through mediation and 119 cases were resolved after formal investigation. Of the 119 formal investigations, there were 62 cases in which contraventions of the requirements of the Ordinance were found. Up to 31 March 1999, the PCO had issued 147 advisory/warning notifications and 14 enforcement notices to parties complained against to direct them to take remedial actions to comply with the requirements of the Ordinance. In addition, 15 cases have been referred to the Police for follow-up action as they involved possible criminal offences under other ordinances.
6. Up to 31 March 1999, there had been eleven appeals to the Administrative Appeals Board ("AAB") against decisions of the Privacy Commissioner. Three of these cases were appeals by complainants against decisions of the Privacy Commissioner not to serve enforcement notices on the parties complained against and one was an appeal by a data user against a decision to serve such notice on it. The remaining seven cases were appeals against decisions of the Privacy Commissioner not to carry out investigations pursuant to complaints. Of the five appeal cases heard up to 31 March 1999, the AAB found in favour of the Privacy Commissioner in four of them. One application for judicial review of a decision of the Privacy Commissioner has been made (HC AL No. 98 of 1998). The application was made by Eastweek Publisher Ltd. against a finding of a contravention of the Ordinance. The hearing of the application was adjourned on 15 March 1999 and is due to resume on 16 September 1999.
7. As with complaint cases, the enquiry workload also increased substantially in 1998-99. From 20 December 1996 to 31 March 1999, a total of 35,968 enquiries were received. In 1998-99, there were 19,994 enquiries. Compared with 1997-98 (13,551 cases), this represents a 50% year on year increase in the enquiry caseload. At present, there is a backlog of some 30 enquiry cases pending written responses from the Office.
8. The following charts provide breakdowns of the enquiries and complaint workload from 20 December 1996 to 31 March 1999:
9. The following table provides a comparison of the performance measures for various activities in 1997-98 and 1998-99. Figures for items (1) and (3) are only available from January 1999 as they were not captured in previous years.
| Acknowledgement of complaint within 2 working days of receipt | 95% |
| Closing a complaint within 180 days upon receipt | |
| Acknowledgement of written enquiry within 2 working days of receipt | |
| Substantive reply to written enquiry within 28 working days of receipt | |
| Callback to telephone enquiry within 2 working days of receipt | 95% |
MATCHING PROCEDURE APPLICATIONS
10. Since the commencement of the relevant provisions of the Ordinance in August 1997, the PCO has received 44 applications for consent to carry out "matching procedures". Of these, 7 applications were for procedures that were generally found on examination not to be "matching procedures" as defined under the Ordinance. Of the remaining 37 applications, 29 have been approved subject to a number of conditions, while 8 applications are still being considered pending further information from the organizations concerned.
11. The Clerk to the Panel has indicated that Members wish to discuss in particular the disclosure of the personal data of Comprehensive Social Security Assistance ("CSSA") recipients to departments or parties other than Social Welfare Department for matching. When such matching meets the definition of "matching procedure" it would, in practice, be necessary for the Privacy Commissioner to give prior consent to the procedure (section 30 of the Ordinance refers). (For information on the definition of "matching procedure" and related matters, please refer to our leaflet "Matching Procedure: Some Common Questions" attached at Annex C.) To date, the Privacy Commissioner has given approval for two matching procedures involving the use of the personal data of CSSA recipients. The first involves the matching of such data with data held by Immigration Department on travel movements for the purpose of detecting claimants who have ceased to be eligible for CSSA payments due to the length of their absence from Hong Kong. This matching procedure is due for renewal in June 1999. The second was a one-off matching exercise conducted in late 1998 by the Director of Audit to detect the payments of CSSA to inmates of prison facilities who were not eligible to receive them.
12. Recently, the Inland Revenue Department applied for consent to carry out the matching of data of CSSA recipients with individuals in relation to whom dependent parent or grandparent tax allowances have been claimed. On examination, it appears that this may not amount to a "matching procedure" as defined under the Ordinance as any adverse action arising from it would apparently be taken only against the persons claiming the allowances and not the individuals whose data are to be matched (definition of "matching procedure" in section 2 of the Ordinance refers). Confirmation of this is currently being sought from IRD. In such a case, the matching may only be undertaken if it accords with the requirements of data protection principle 3 ("DPP3"), which controls the use of personal data, or failing that, an exemption from DPP3 in Part VIII of the Ordinance. In the above case, Members may wish to note that it is the PCO's view that the procedure would be permissible under the exemption from the requirements of DPP3 in relation to the assessment or collection of any tax or duty and the prevention of dishonesty etc. (sections 58(1)(c), 58(1)(d) and 58(2) of the Ordinance refer).
COMPLIANCE CHECKS AND INSPECTIONS
13. Compliance checks are undertaken by the PCO on its own initiative to promote compliance with the requirements of the Ordinance. A compliance check is undertaken when the PCO identifies a practice of an organization that appears to be inconsistent with the requirements of the Ordinance. In 1998-99 the PCO conducted 24 such checks, the majority of which were in relation to compliance with the Code of Practice on Identity Card Numbers and other Personal Identifiers. Other compliance checks in 1998-99 covered the practices of telecommunication companies in relation to the possible use of inaccurate data of individuals in opening mobile accounts and in their recovery actions of overdue service payments from unrelated parties.
for Members' reference.)
15. One Member of the Panel has asked for a report on the recent incident involving the discovery of Police witness statements at a refuse collection point in Tuen Mun. So far, the involvement of the PCO in this incident has been on the basis of a compliance check. On 4 May 1999, following public disclosure of the incident, the PCO wrote to the Police requesting details of the facts of the case, and the remedial action, if any, that had been taken. The Police replied on 17 May 1999, giving an account of the incident and initial details of remedial action it proposed to take. In response, the PCO has asked some further questions about the case in a letter dated 2 June 1999. Further action by the PCO will depend on the Police's reply to those questions.
16. Under section 36 of the Ordinance, the Privacy Commissioner has the power to inspect personal data systems with a view to making recommendations to promote compliance with the Ordinance either by the data user using the system or the class of data users to which that data user belongs. In order to exercise this power, the PCO has prepared a methodology manual. However, the complaint and enquiry workload is such (see paragraphs 4 to 8 above) that such inspections cannot be carried out with the PCO's existing level of resources. Accordingly, a bid for funds for an inspection team was made in the 1998 RAE. However, this bid was not successful. The PCO now intends to seek funds in the 1999 RAE for a pilot inspection exercise.
17. In the meantime, in order to make use of the material produced in developing the inspection methodology manual, the PCO proposes to issue a compliance checklist for data users to conduct compliance self-assessments. The initial preparation work for the checklist has been completed and guidance and training materials are being prepared. The current plan is to issue a compliance assessment kit, comprising the checklist, guidance materials and training materials, in the last quarter of 1999.
PRIVACY AND TECHNOLOGY
18. As a follow-up to a study on the issues relating to Unsolicited Commercial E-mails ("UCE"), the PCO has recently conducted discussions with representatives of the Internet Service Providers ("ISP") Association. It was agreed that a voluntary industry code for the handling of complaints against UCE senders would be an appropriate measure. The ISP Association has agreed to take the lead in preparing the code and would examine the various technical measures that could be taken by its members to combat UCE. The PCO and the Director-General of Telecommunications will be consulted on the code in draft form. At present, there is no fixed timetable for the release of the code.
CODES OF PRACTICE
19. Pursuant to section 12 of the Personal Data (Privacy) Ordinance ("the Ordinance"), the Privacy Commissioner for Personal Data ("the Commissioner") may approve and issue codes of practice. The purpose of such a code is to provide practical guidance with respect to requirements of the Ordinance. To date, two codes of practice have been approved and issued by the Commissioner: the Code of Practice on the Identity Card Number and other Personal Identifiers, which was issued on 19 December 1997 and generally took effect on 19 June 1998; and the Code of Practice on Consumer Credit Data, which was issued on 27 February 1998 and took effect on 27 November 1998. The PCO is currently finalising a draft Code of Practice for human resources managers on the handling of employment-related personal data, i.e. the personal data of job applicants, current employees and former employees. The current timetable calls for the publication of the draft for public consultation in August 1999. It is intended to allow three months for the public consultation exercise.
1999 PERSONAL DATA PRIVACY SURVEY
20. As in the two previous years, in the first quarter of 1999 the PCO conducted a survey of individuals and organisations to gauge attitudes towards privacy issues in relation to personal data and compliance with the Ordinance. The survey has been carried out by the Social Sciences Research Centre of the University of Hong Kong as in previous years. The survey report is currently being finalized and it is expected that the results will be issued by the end of June 1999.
PROMOTION AND PUBLIC EDUCATION
21. Since the beginning of 1999 the following promotion and public education activities have been undertaken:
- Roadshows at local communities - A series of three roadshows was organized in major shopping centres in Sham Shui Po, Tuen Mun and Kwai Fong from January to March 1999 to raise awareness at the local community level of personal data privacy issues and the PCO. The roadshows attracted approximately 20,000 visitors in total. A total of 20,000 copies of the "Personal Information: Your Privacy Rights Explained" leaflet and 8,000 copies of the "Your Identity Card Number and Your Privacy" leaflet were distributed to the visitors.
- Participation in the Information Infrastructure Expo - The PCO participated in the 1999 Information Infrastructure Expo organised by the Trade Development Council in March with a booth highlighting the theme of "Protecting privacy on the Internet". Approximately 10,000 people visited the PCO booth. A total of 9,000 copies of PCO's various guidelines on protecting privacy on the Internet and 11,000 copies of PCO's other guidance materials were distributed at the Expo.
- Seminars/Talks - Since the beginning of 1999 the PCO has conducted seminars for 18 organisations. A seminar on "Privacy Compliance on the Internet" was held in February 1999 to assist organizations hosting websites to improve their practices in relation to personal data collected on-line. A total of 310 participants from 160 organizations participated in this seminar.
- Press activities - Since the beginning of 1999 the PCO has responded to 270 media enquiries and the issue of personal data privacy was discussed in approximately 430 articles in newspapers and magazines.
- 21st International Conference on Privacy and Personal Data Protection - The PCO will host this conference, which is the premier annual event of its kind, in September 1999. There are expected to be about 350 attendees, including all of the data protection and privacy commissioners from around the world.
PROMOTION AND PUBLIC EDUCATION ACTIVITIES: UPCOMING
22. In the next few months, the following new promotion and public education activities are being planned:
- Newsletters - A quarterly newsletter is due to be launched in August or September to inform data users of the latest developments in the work of the PCO in promoting compliance with the application of the Ordinance.
- Privacy Officers' Club - In August/September a network will be established of individuals with responsibility for implementing and co-ordinating compliance with the Ordinance within their organizations. Seminars will be conducted for members of the club at which the PCO's messages will be communicated, and views and experiences shared.
- Mass media campaign - A mass media campaign including Announcements of Public Interest on TV will be launched in the second half of the year to raise awareness of the PCO and its work among the general public.
Office of the Privacy Commissioner for Personal Data