Our Ref: PCPD(O)26/155/126 PD(P)AC Paper No. 01/14

Transcription

1 Our Ref: PCPD(O)26/155/126 PD(P)AC Paper No. 01/14 Minutes of the 40 th Meeting of the Personal Data (Privacy) Advisory Committee held at 13/F, 248 Queen s Road East, Wan Chai, Hong Kong at 10:30 a.m. on 12 November 2013 Present Mr Allan CHIANG, Privacy Commissioner (Chairman) Ms Shirley HA (Member) Mr Billy HUNG (Member) Mr Jimmy KWOK (Member) Mr SIU Sai-wo (Member) Mr David WAN (Member) Ms Winnie YEUNG (Member) Mrs Philomena LEUNG, Principal Assistant Secretary for Constitutional and Mainland Affairs (Member) In Attendance Mr Michael CHUNG, Chief Corporate Services Manager (Secretary) Absent with apologies Ms Susanna SHEN (Member) The Chairman welcomed Mr Jimmy KWOK, Mr David WAN and Ms Winnie YEUNG as Members. All of them had been provided with a copy of the Rules of Procedures for the Personal Data (Privacy) Advisory Committee prior to the meeting. (I) To approve the minutes of the last meeting held on 7 June 2013 (Paper No. 10/13) 1.1 The Committee confirmed the draft minutes of the last meeting held on 7 June

2 (II) To consider matters arising from the minutes of the last meeting Identification of suitable vacant government office premises for allocation to the PCPD 2.1 In response to the Chairman s enquiry on the updated position regarding identification of suitable vacant government office premises for the PCPD, Mrs Philomena LEUNG said that the Government Property Agency ( GPA ) had reconfirmed that at present there was no suitable vacant government office space available for allocating to the PCPD. She also learnt from GPA that no office space in new government office buildings being planned could be spared. 2.2 The Chairman informed members that negotiation with the landlord for renewal of the lease of the PCPD accommodation, which would expire at the end of January 2014, was underway. (III) To note the report on Section 39 cases (Paper No. 11/13) 3.1 The Chairman presented to members the Comparison of Case Intake and Output between the periods from January to October 2013 and January to October 2012 which was tabled at the meeting, and said that there had been an upsurge in both complaint and enquiry cases in He highlighted that 1,567 complaint cases and 21,742 enquiry cases were received from January to October 2013, representing an increase in 58.4% and 36.2% respectively when compared to the same period in The number of complaint and enquiry cases received in the 10- month period had already reached and exceeded the estimated full year figures provided to the government at the beginning of the year. 3.2 The Chairman further said that a total of 1,518 complaint cases were completed in the reporting period, which represented a 45.4% increase in output compared with the same period in The improvement in operational efficiency was achieved by internal re-deployment of staff resources, simplification of work procedures, flexible case handling and proactive case management. However, this marked increase in output still fell behind the sharp increase in complaint caseload. 2

3 3.3 The Chairman briefed members that under section 39(3) of the Personal Data (Privacy) Ordinance (the Ordinance ), a refusal notice should be served not later than 45 days after receiving the complaint. Owing to resource constraint and increase in complaint caseload, this requirement could not be fully met in all cases handled. During the reporting period, only 61% of the cases were served refusal notices within 45 days. 3.4 One member enquired about the average time taken to settle a complaint case. The Chairman explained that one of the targets for handling public complaints was that 88% of complaint cases were closed within 180 days of receipt. For the year 2013, it was estimated that the average time taken to settle a simple complaint case was 44 days, and the time taken to settle a complicated complaint case was 200 days, which was better than the achievement of 219 days in He said that as a result of the Octopus incident in 2010 and a series of major privacy intrusions in recent years, PCPD had been tackling a perennial backlog problem. With the recent stabilised staff turnover rate and efforts made to enhance operational efficiency, it was envisaged that the backlog situation would improve. While there had not been a real increase in government subvention for , he hoped that additional resources could be allocated to the PCPD by the government for , commensurate with the increasing workload in recent years. 3.5 In response to the enquiry from a member on the performance in handling enquiry cases, the Chairman said that PCPD s target was to give a substantive reply to 95% of written enquiries within 28 working days of receipt, and 96% was achieved during the reporting period. 3.6 One member enquired about the recruitment exercise that had been launched by the PCPD recently. Mr Michael CHUNG briefed the meeting that in order to cope with the ever-increasing workload, a recruitment exercise for various grades was launched commencing July 2013, and a total of about 1,000 applications were received. The Chairman said that outstanding English and Chinese communication skills and an analytical mindset were key attributes. There were good career opportunities for the right candidates as the privacy profession was burgeoning. He appealed to members to promote PCPD in order to attract more high quality candidates to join PCPD. 3

4 3.7 For relieving the sustained increase in workload, some members made the following suggestions:- (i) secondment of staff on an ad hoc or project basis from outside organisations such as law firms or audit firms, with the assigned work to be confined to policy research to eliminate potential conflict of interest between the regulator role of the PCPD and the position of the organisation as a data user; (ii) outsourcing of some consultation and policy research work related to the Information Technology area to law firms; and (iii) inviting applications to undertake temporary policy research work from foreign students who had just completed their master programme studies in relevant disciplines. The Chairman thanked members for their suggestions which he would follow up as appropriate. 3.8 Members noted the comparison of case intake and output between the periods from January to October 2013 and January to October 2012, and the report on section 39 cases without further comments. (IV) To note the report on investigation cases (Paper No. 12/13) 4.1 The Chairman briefed members on four investigation reports that were published on 13 August 2013 and 24 October 2013 respectively. Disclosure of litigation and bankruptcy information collected from the public domain to users of a smartphone application 4.2 In the first case, at least 12 persons had formally lodged a complaint to the PCPD that smartphone users could search their litigation, bankruptcy and company directors data via a smartphone application known as Do No Evil (the App ) operated by a database operator, Glorious Destiny Investment Limited ( GDI ). The App was launched in 2012 with a database of 2 million records of civil and criminal litigation as well as bankruptcy cases. After installing the App, users could search if such records existed for a target person. The search results could show the 4

5 target person s name, partial identity card numbers, address, court type, action number, nature of civil case, criminal charge, company directors data and more. After investigation, it was revealed that GDI s data was collected from different sources, including the Judiciary, the Government Gazette, the Official Receiver s Office ( ORO ), and the Companies Registry. 4.3 The Chairman pointed out that after one year of operation, the App had more than 40,000 downloads and more than 200,000 search requests. He elaborated that the data subjects concerned could be harmed unknowingly if the data was used, for example, for checking their employability or creditworthiness. Importantly the App s database was invalid and inaccurate. First, as different people could share the same name or had similar names, it was problematic to ascribe the data to a target individual according to his name. Second, a person involved in litigation could be perfectly innocent but the database did not as a rule include the court's decision in his favour. Third, bankruptcy was normally discharged after four to eight years, while the Rehabilitation of Offenders Ordinance prevented unauthorised disclosure of a previous minor conviction, provided the offender had not been reconvicted for three years. 4.4 PCPD concluded that the use of personal data obtained from the public domain for due diligence review and background check was inconsistent with the original purpose of data collection and making the data publicly available, thereby contravening Data Protection Principle ( DPP ) 3 in Schedule 1 to the Ordinance. Considering the large number of people affected and the severity of the privacy intrusion, PCPD had served an Enforcement Notice on GDI, directing it to cease disclosing the litigation and bankruptcy data it held to the App users. GDI had complied with the Enforcement Notice. 4.5 The Chairman said that a legislator for the IT constituency and the Wireless Technology Industry Association had expressed concern on PCPD s handling of the Do No Evil case. It was alleged that his determination on the Do No Evil case served to stifle technology innovation, dampen the development of the creative industries and in particular, the SMEs. 5

6 4.6 One member asked whether it would be a contravention of the Ordinance if an entertainment news reporter obtained personal data of artistes from courts and then reported it in the press. The Chairman said that exemptions under the Ordinance applied for publishing of data as news and in the public interest, but whether publication was in the public interest would have to be determined on the merits of each case. Another member commented that this privacy issue involved a delicate balance against freedom of the press. 4.7 One member opined that the issue had to be examined by considering firstly, whether the App had caused nuisance to the persons affected and secondly, whether it was legitimate to ban the App because of its technology-based convenience of use. The Chairman said that PCPD s determination was technology-neutral. The App had in effect created a new purpose of use of the data in the public domain, different from the original purpose of collection of the data, thus contravening DPP3 of the Ordinance. He explained that in the case of the Judiciary, for example, the purpose of making the data publicly available was to facilitate litigants, witnesses and members of the public to attend designated courts at the right time, and to ensure open justice. He emphasised that the purposes of making records publicly available by government authorities did not include supporting a commercial venture to assist general consumers to use the data to check out an individual behind his back, and this was grossly unfair and privacy-intrusive. 4.8 One member expressed concerns about the effect of the case on the free flow of information and access to public records. The member opined that search of public records should not be constrained by the capacity of the enquirer and the purpose of accessing the data. The Chairman pointed out that the data searchable by the App was deficient in accuracy, validity and comprehensiveness. Where the target person involved in criminal litigation cases was finally acquitted or the civil claim against him was not substantiated, the App would not always update or clarify the situation and hence users would be misled. Moreover, the search result inevitably revealed all persons in the database with the same name. Hence innocent target persons could be mistaken as the litigants or bankrupts shown on the records. He also considered it unfair to put the onus to data subjects concerned to correct their personal data. 6

7 4.9 The member viewed that the implication of the case might go beyond data privacy, and the Ordinance should define more clearly about public domain exemption. The Chairman said that in the public consultation exercise on the review of the Ordinance conducted in , the Administration had considered providing for a new exemption from DPP3 for personal data available in the public domain. The proposal was not pursued as the Administration considered that it could result in abusive use of public domain information (including data from accidental or deliberate leakages). The Chairman further said that in fact there was no blanket public domain exemption in other common law jurisdictions, except perhaps Singapore. However, the relevant provisions under the Singapore Personal Data Protection Act would only come into force in July 2014, and there was uncertainty as to how it would be applied in practice. The Chairman stressed that the determination of the case was based on the specific facts and circumstances of the complaints and further cases would have to be determined based on their merits The member further asked whether there would be review on the existing Government policy or the Ordinance. Mrs Philomena LEUNG responded that the Administration had conducted a full-scale review of the Ordinance in and a public consultation exercise. One of the issues under review and on which the public were consulted was whether personal data available in the public domain should be exempted from DPP3. Only a few expressed views were received on this proposal. They either opined that the exemption proposal should not be pursued or had no comment on the proposal. As a result, the Administration did not include this exemption in the Personal Data (Privacy) (Amendment) Bill 2011 (the Bill ). When the Bill was discussed by the Legislative Council, no exemption proposal was made. As the Bill had just been passed in 2012, the Administration did not have any plan to conduct a further review for the time being In response to the questions from some members, the Chairman said that GDI was found to have breached the Ordinance for the reason that it had used the personal data obtained from the public domain for purposes which was not consistent with nor directly related to the original purpose of the data collection. If the personal data obtained from the public domain was to be provided to a law firm for legal proceedings; for 7

8 establishing, exercising or defending legal rights; or for the detection or prevention of crime; exemption from DPP3 would apply. The question was less concerned with the collection of personal data from the public domain but more about the data s re-use. Regarding the question of whether retention of bankruptcy records by GDI had contravened the Ordinance, the Chairman said that DPP2 provided that data users should not retain the personal data longer than was necessary for the purpose for which the data was collected One member agreed that the disclosure of inaccurate, incomplete and incomprehensive data obtained from the public domain by GDI should be prohibited, and Apps developers should have the responsibility to comply with the requirements under the Ordinance. He expressed that there should be a balance between the need to protect personal data privacy and the right to access and exploit public records. He was of the view that the Ordinance which was formulated in early days might not have been able to cater for technology advancement over the years and present needs, and hence there should be further consultation and discussion on the issue at an appropriate time. Data Leakage through Repeated Loss of Police Notebooks and Fixed Penalty Tickets 4.13 In the second case, there were 11 data breach incidents that come to PCPD s notice during the period from October 2011 to January 2013 concerning loss of police notebooks ( notebooks ) and copies of fixed penalty tickets ( FPTs ) by different police officers In view of the HKPF's deficiencies in its procedures in safeguarding the notebooks and FPTs identified in two of the 11 incidents and the notable deficiencies in its supervision and monitoring systems highlighted in one of these two incidents, PCPD concluded that the HKPF had contravened DPP4 for failing to take all reasonably practicable steps to protect the personal data contained in these documents against accidental loss. An Enforcement Notice was served on the HKPF directing it to (a) establish supplementary security procedures to plug the loopholes identified, and (b) tighten up its supervision. 8

9 4.15 In light of the findings of the investigation, PCPD advised the HKPF to undertake a general review of HKPF s equipment and uniform used for holding or conveying police documents in order to safeguard personal data from unauthorised access or accidental loss. PCPD further suggested that the HKPF should step up its training, incentive and disciplinary programmes to promote compliance with the HKPF s policies and procedures in relation to privacy and data protection. Data Leakage of Police Documents through Foxy 4.16 The third case was the investigation into the leakage of HKPF s documents on the Internet via Foxy in two incidents. It was found that in the first incident, the data leakage was caused by Foxy installed in the computer of an applicant for a position in the HKPF, and that the HKPF was not responsible for the leakage of the personal data of that job applicant In the second incident, it was revealed that a police officer had since 2007 occasionally used his private USB thumb drive to download documents to his own computer and occasionally used the computer for work purpose, all without the approval of the HKPF. The police officer sold the computer in mid The HKPF considered that the leaked documents could have been recovered from the hard disk after sale of the computer, and the data was leaked subsequently PCPD considered that the data security improvement measures adopted by HKPF in 2009 were robust enough to safeguard personal data. The data leakage was caused by the acts and omissions attributable to the police officer, in contravention of the HKPF s standing instructions. PCPD also considered that all practicable steps had been taken by HKPF to safeguard personal data, and saw no justification to serve an Enforcement Notice on the HKPF directing it to step up its efforts in this regard However, PCPD urged the HKPF to go beyond fulfilling the minimum requirements of the Ordinance and strive for further means to safeguard data with a view to preventing recurrence of similar incidents. PCPD had recommended the HKPF to (i) promote its Personal Computer Cleaning programme to help police officers check and delete the 9

10 personal data/confidential data on their own computers, (ii) set up enquiry hotlines to offer assistance to police officers who wish to seek help on an anonymous basis, and (iii) promote case sharing and exchange of experience among police officers to enhance the awareness of personal data protection and the serious consequences that may ensue as a result of data leakages on the Internet. Data Leakage of Hospital Wastes Containing Personal Data 4.20 The fourth case was the investigation into the two media reports on 29 June 2012 and 3 September 2012 respectively that hospital wastes of the Pok Oi Hospital ( POH ) and Our Lady of Maryknoll Hospital ( OLMH ) containing patients data were found abandoned on the street outside a shredding factory of Confidential Materials Destruction Limited ( CMDS ) in Fanling, the waste disposal service provider appointed by the Hospital Authority ( HA ) since Based on the evidence revealed in PCPD s investigation, especially HA s observations made during two inspections of CMDS shredding factory, PCPD was of the view that the abandoned waste items, namely, POH s thermal ribbon and OLMH s medical appointment slips, were in all likelihood items that had been processed by CMDS at its Fanling factory. By virtue of section 65(2) of the Ordinance, HA remained accountable for any unauthorised or accidental access of personal data contained in the abandoned waste in these incidents. In any event, HA admitted liability as principal for the incidents In respect of HA s own responsibility as data user under DPP4, several areas of deficiency and omission were identified. There was no contractual requirement to ensure that the number of bags of thermal ribbon waste was checked to prevent accidental loss and that the waste was shredded to the extent that the personal data contained therein could not be readily recognised or recovered. HA Head Office had also denied responsibility for centrally monitoring the inspections carried out by hospitals and had not carried out any audit that it was entitled to under the contract between HA and CDMS to cover the whole handling process of HA hospital wastes. 10

11 4.23 On the basis that the contract was inadequate to ensure proper and complete shredding of thermal ribbons, and HA had not competently managed the contract, PCPD concluded that HA had contravened DPP4 for having failed to take all reasonably practicable steps to ensure patients personal data were protected against unauthorised or accidental access PCPD had served an Enforcement Notice on HA, directing it to make reasonable endeavour to retrieve and destroy the abandoned hospital wastes identified in the two incidents; and to review and revise the hospital wastes disposal process, and implement specified improvement measures Members noted the four investigation reports without further comments. (V) To note the survey on transparency in privacy policy for local smartphone applications (Paper No. 13/13) 5.1 The Chairman briefed members that PCPD, together with 18 other privacy enforcement authorities, participated in May 2013 in a Global Privacy Enforcement Network Internet Privacy Sweep exercise to assess the transparency in the collection and use of personal data online by data users, and published the findings on 13 August The Chairman elaborated that PCPD had selected 60 most popular Hong Kong apps to review the transparency of their Privacy Policy Statement ( PPS ), the types of data commonly accessed by these apps, and the potential privacy risks to users. The survey findings showed that the privacy policy transparency of the apps was generally inadequate. Twenty-four (40%) of the 60 apps selected did not provide any PPS nor contact information for privacy enquiries. Although the remaining 36 apps (60%) provided PPS, they were all provided in the developer's websites and few explained the purpose for accessing each type of data stored on smartphones. In several cases, the PPS was not provided until after the users had installed the apps. Although the law did not prescribe the manner in which PPS should be provided, it was recommended practice to make PPS readily available at the installation interface before or during the app installation. 11

12 5.3 The Chairman further said that most of the PPS was not tailored for the apps in question, but were applicable only to the websites of the app developers/providers in relation to membership applications or visits to those websites. Over 10% of the PPS had presentational problems. In some cases the PPS was provided only in English while the app was in Chinese. In another case, the PPS was 292-line long but was displayed in an eight-line window on the website. 5.4 One member suggested that consideration should be given by PCPD to issue certain standards and guidelines for apps developers to follow. The Chairman said that, to assist data users in complying with the requirements under the Ordinance, the PCPD had issued the information leaflet Personal Data Privacy Protection: What Mobile Apps Developers and Their Clients Should Know and the Guidance on Use of Personal Data Obtained from the Public Domain. PCPD had participated in a seminar organised for ICT practitioners on 30 August 2013 to explain to the participants how the Guidance and the Ordinance applied to mobile apps. Another seminar on this topic would be organised by the PCPD in January 2014, in an attempt to reach out to more people concerned with the issues. It was also planned that a 5-step guide sheet on mobile apps personal data security would be issued jointly with other members of the Asia Pacific Privacy Authorities in April/May The Chairman further said that PCPD would continue to promote compliance with the Ordinance by engagement with the industries and the general public. 5.5 Members noted the survey on transparency in privacy policy for local smartphone applications without further comments. (VI) To note the work progress in promoting Privacy Management Programme (Paper No. 14/13) 6.1 The Chairman said the subject was last discussed at the meeting of 7 February 2013, and recapped that the introduction of the Privacy Management Programme ( PMP ) was an interim alternative to the Data User Returns Scheme ( DURS ). PMP served as a strategic framework of an organisation to build a robust privacy infrastructure supported by an effective on-going review and monitoring process to facilitate compliance with the Ordinance. It also demonstrated the organisation s 12

13 commitment to good corporate governance and building trust with its employees and customers through fair information policies and practices. 6.2 The Chairman updated members that PCPD had been seeking an open pledge from the identified sectors for the DURS to adopt the broad principles of PMP. The Hong Kong Federation of Insurers, the Communications Association of Hong Kong and the Hong Kong Association of Banks had confirmed their support to the broad principles of PMP. The Government aimed to seek top-level clearance before committing to implement PMP by mid-december To promote the implementation of PMP, the Chairman said that a series of programmes would be launched. The promotion programmes included organising a CEO Breakfast Meeting on 17 December The former UK Information Commissioner Mr Richard Thomas, would give a presentation titled Getting it Right Now Privacy and Data Protection Really Matter. CEOs and senior professionals, from mainly the government and the banking, insurance and telecommunications sectors, and other stakeholders, would be invited to attend. The PCPD would also organise a one-day Conference on 11 February 2014 on the theme of Privacy Protection in Corporate Governance. The Conference would be a privacy landmark event in Hong Kong as a panel of distinguished guest speakers including overseas experts from the US, UK and Australia, as well as local practitioners from reputable organisations had been lined up. It would provide a rich programme of the theories and practices of PMP with a varied mix of feature presentations and panel discussions. 6.4 Members noted the work progress in promoting Privacy Management Programme without comments. (VII) Adjournment of meeting 7.1 There being no other business, the meeting was adjourned at 12:30 p.m. Office of the Privacy Commissioner for Personal Data December