Hong Kong – “Privacy Management Programme – A Best Practice Guide”
Does your organization manage personal data as part of its corporate governance program? If not, it is something to consider.
In January this year, the Privacy Commissioner for Personal Data (“PCPD”) launched the “Privacy Management Programme – A Best Practice Guide” (“Guide”). The Guide shifts the focus from compliance to accountability: companies are urged not just to ensure that they comply with mandatory legal obligations, but also to manage, handle and be accountable for customer and employee personal data in accordance with good corporate governance principles.
A Privacy Management Programme (“PMP”) is not a legal requirement under the Personal Data (Privacy) Ordinance (“PDPO”), but the PCPD advocates that data users should embrace personal data privacy protection at the highest levels of management and apply it as a business imperative throughout the organisation.
The Guide is not legally binding, but failure to comply with the provisions may be taken into account by the PCPD when investigating whether there has been a breach of the PDPO. As a result, it is important for organisations to be familiar with and embrace the new guidance.
The Guide is divided into 2 parts.
Part A outlines the baseline fundamentals of a PMP. The key components of a PMP are organisational commitment to a privacy respectful culture (including appointing a data protection officer and establishing an internal reporting mechanism) and programme controls to ensure compliance with the PDPO (e.g. maintaining a personal data inventory, conducting periodic risk assessments, organising training sessions for employees and devising a data breach handling procedure).
Part B discusses how to maintain and improve a PMP to ensure ongoing effectiveness, compliance and accountability. For example, the organisation should develop an oversight and review plan to keep the PMP on track and up to date, and periodically monitor its programme controls and revise where necessary.
The full text of the Guide can be found on the PCPD’s website at:
2 Baker & McKenzie | June 2014
PRC – Consumer Data Protected in China
More comprehensive consumer rights, particularly with respect to personal data protection, and additional responsibilities for online operators came into effect with the amendments to the PRC Consumer Protection Law that took effect on 15 March 2014. The amended law significantly improves the protection of consumers’ rights in their personal data, requiring that consumer personal data be handled as follows:
collection and use of consumer personal data should be lawful, fair and necessary;
consumers should be informed of and consent to the purposes, scope and manner of data collection and use;
operators should publicise their personal data collection and use practices and keep the consumer personal data strictly confidential;
personal data should be secure and adequate measures taken to prevent data leakage or loss;
remedial steps are required where data leakage or loss occurs;
commercial messages should only be sent to consumers with their consent or at their request.
Infringements of the law could lead to civil liability, fines of up to RMB500,000 or in serious cases the business could be shut down and its licence revoked.
The personal data protection provisions under the amended PRC Consumer Protection Law are along similar lines as those found in the Decision of the Standing Committee of the National People’s Congress on Strengthening the Protection of Network Information passed in December 2012. The provisions represent the continuing trend in China to regulate the collection and use of personal data.
Privacy News and Cases
“Privacy Implications for Organisational Use of Social Network” Information Leaflet
With the increasing use of social networks by businesses, the PCPD has published an information leaflet on “Privacy Implications for Organisational Use of Social Network”. Like the Guide, the information leaflet is not binding but sets out useful examples as to what the PCPD sees as best practice when organisations use social networks for business purposes. Organisations should review their use of social networks to understand whether their current practices comply with the information leaflet.
The leaflet outlines how organisations can safeguard personal data privacy when using social networks to promote their business and the circumstances in which personal data may be collected in a social network environment. It also provides recommendations on good privacy practices when using social networks for marketing, customer services, human resources management and network analytics, and sets out the relevant requirements to be observed under the PDPO. Key takeaways from the leaflet include:
aggregated information collected from social networks may identify an individual and therefore will constitute personal data, so the PDPO may apply;
organisations should be transparent about their privacy policies and practices, particularly if data is to be used for marketing or to monitor employees;
organisations using social networks for recruitment or candidate screening should consider whether the information obtained from the social network is reliable and can legitimately be taken into account in hiring decisions.
The full text of the information leaflet can be found on the PCPD’s website at: www.pcpd.org.hk/english/publications/files/sn_organisational_e.pdf.
Blind Recruitment Advertising
Employers in Hong Kong need to reveal their identities in job advertisements following the issue of enforcement notices to 48 local employers who had improperly used anonymous “Blind Ads” to collect the personal data of job applicants. The PCPD said that Blind Ads were an unfair means of collecting personal data and could be exploited as an unscrupulous means to acquire personal data for direct marketing and even for fraudulent purposes.
The PCPD stressed that employers should refrain from placing Blind Ads for recruitment purposes, adding that, “where there was a genuine need for employers to conceal their identities when advertising for job vacancies, they may resort to Blind Ads but use them to solicit job applicants’ enquiries rather than personal data.” The content of advertisements must be carefully considered to avoid unfair collection.
First Prosecution Under the Unsolicited Electronic Messages Ordinance
The Office of the Communications Authority (“OFCA”) prosecuted a commercial facsimile sender for contravening an enforcement notice under the Unsolicited Electronic Messages Ordinance (“UEMO”), Hong Kong’s “anti-spam” law. This is the first prosecution since the law came into force in 2007.
In this case, the sender had been sending commercial facsimile messages which did not contain an unsubscribe statement to telephone numbers already registered in the “do-not-call” register. The sender failed to comply with an enforcement notice that had been issued requiring it to stop sending the faxes. OFCA conducted a raid operation to collect further evidence and laid charges against the sender for contravening the enforcement notice.
Entertainment Magazines Continue Their Fight for the Right to Take Covert Photos
Whether Hong Kong’s data protection law provides a right to privacy is being challenged by local Hong Kong entertainment magazines Sudden Weekly and Face Magazine, which are appealing enforcement notices issued against them by the PCPD. The magazines’ appeals were dismissed by the Administrative Appeals Board (“AAB”) in January 2014, and the magazines have sought leave from the High Court to apply for judicial review to quash the decisions of both the PCPD and the AAB. The High Court has not yet determined whether to allow the judicial review to proceed.
In February 2012, the PCPD found that the magazines had breached Hong Kong data privacy law when they obtained, through systematic surveillance and the use of telephoto equipment, revealing and intimate photos of local television stars. The PCPD issued enforcement notices ordering them to destroy the photos and to implement internal guidelines to monitor the collection of personal data by covert and long-distance photography.
The magazines appealed to the AAB on grounds that the deadlines for compliance with the enforcement notices were unreasonable, there was a public interest in the collection and publication of the photos, that the collection was fair, and that the PCPD was not empowered to require the magazines to implement open-ended guidelines monitoring their collection of personal data.
The PCPD has said in relation to the cases that, “The right to freedom of speech and expression have to be balanced with the equally important fundamental right of privacy.” He has also called on the Hong Kong Government to introduce new legislation to balance the two rights. Critics suggest the PCPD has no legal basis for the decision.
Collection of Employee DNA Data Excessive
Excessive collection of data is again the focus of the PCPD, this time following a request by a Hong Kong employer for blood samples to investigate an incident in the workplace. The PCPD reiterated that collection of DNA data is only justifiable in very serious circumstances and that less privacy-intrusive means should be adopted where possible. An enforcement notice to cease collection of blood samples was issued in this case.
Introduction of the Electronic Health Record Sharing System Bill into Legislative Council
The Electronic Health Record Sharing System Bill was introduced into the Legislative Council on 30 April 2014. Under the Bill, a legal framework is formulated for the establishment of the Electronic Health Record Sharing System (“System”) which will facilitate the more effective sharing and use of health-related data and information of consenting individuals.
An electronic health record (“eHR”) is a record in electronic format that contains an individual’s health-related data or information, such as diagnosis, adverse reactions/allergies, medications, medical procedures, vaccination records and laboratory test results. The System seeks to establish a platform for health-care providers (e.g. hospitals and clinics) which can upload/access the eHR of a consenting individual for health care purposes, with a view to streamlining health care across the territory.
If the Bill is passed within this legislative session, the Government aims to commence operation of the System by the end of this year at the earliest.
This publication has been prepared for clients and professional associates of Baker & McKenzie. Whilst every effort has been made to ensure accuracy, this publication is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this publication is accepted by Baker & McKenzie. If advice concerning individual problems or other expert assistance is required, the services of a competent professional adviser should be sought.
©2014 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.