LOW COST HONG KONG LEGAL SERVICE

YIP, TSE & TANG, HONG KONG LAWYERS


Ensure security of data

Principle 4 of the Ordinance requires websites to adopt security measures to protect the data that they collect and transmit. Organizations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures.

As a general rule, organizations collecting detailed or sensitive personal details (such as resumes from job applicants or credit card/bank account information for service payments) are required to observe a stringent level of security (such as the use of firewalls or encryption). If transfers of sensitive personal data are not encrypted, websites should alert users to the risks of transmission and offer users an alternative secure means of supplying the data. Therefore, when processing sensitive information such as the financial data, medical data or personal identifiers of an individual, privacy enhancing technologies must be adopted. In addition to following Principle 4 of the Ordinance, there are other reasons why organizations should take measures to ensure the security of online data. A leak of a client's personal data caused by the organization's lax security may easily give rise to civil claims for compensation and criminal prosecution.

Principle 4 of the Ordinance also relates to security measures for storing personal data. Allowing uncontrolled access by Internet surfers to personal data held by an organisation could be in contravention of Principle 4. Again, a "harm test" can be applied. In addition, individuals providing the personal data concerned should be fully informed at the outset about the sort of access that others may have to the information that they provide.

Be open about the use of cookies

A cookie is a small computer file that is sent from a web server to a user's computer for future identification when the computer again visits the same web site. In keeping with Principle 1 of the Ordinance, organizations using cookies should inform visitors of this practice in their Privacy Policy Statements and inform visitors that non-acceptance of cookies may affect the functionality of the organizations’ websites.

Giving special regard to youth and children

Data Protection Principle 1 of the Ordinance provides, among other requirements, that personal data shall be collected by means which are fair in the circumstances of the case. Children and young persons are vulnerable, and collecting information including personal data directly from them without appropriate parental control and supervision could be regarded as unfair collection of personal data. However, unlike America, Hong Kong does not yet have specific legislation controlling the collection and use of personal data supplied by underage young people and children.

However, the PCO is of the view that when collecting information from children, an organization must take Principle 1 of the Ordinance into account and ensure that information is collected in ways that are ‘lawful and fair’. Sites aimed at minors are therefore strongly urged to carefully consider their policies for collecting information from young persons, and to involve parents/guardians in the data collection process.

The following links take you to privacy statements for sites aimed at young children:

· www.ctw.org/aboutus/privacy_policy.php#privacy2

· www.yahooligans.com/docs/safety/privacy.html

Notice how these statements provide guidance notes to parents on how to supervise their children when they surf the Internet.

Post clear privacy policy statements

It is quite common for websites to have long-winded privacy policy statements. There are good reasons why this is the case. In order to demonstrate their awareness of and compliance with the six key principles of the Ordinance, most organizations collecting personal data online usually prepare and make available an easy-to-find privacy policy statement that describes the organization's data privacy protection measures.

A privacy statement usually informs visitors of the organization's privacy policies and its practices in relation to personal data (for example, the kinds of personal data collected and held and the main purposes for which the data are used). Although organizations are not required to post privacy statements on every page of their website, websites are encouraged by the Office of Privacy Commissioner to have them posted in a conspicuous place. The privacy policy statement should be set up as a linked page accessible from the home page and other pages from which personal data are collected. Most privacy policies are usually accessed by a link at the bottom part of each page.

The PCO has prepared a booklet called “Preparing Online Personal Information Collection (PIC) Statements and Privacy Policy Statements (PPS)” to help websites comply with the Privacy Ordinance. This is available at www.pco.org.hk.

Prepare personal information collection (“PIC”) statements

Websites usually collect personal data from online users by asking them to complete forms.

Data Protection Principle 1 of the Ordinance requires organizations to clearly state their reasons for collecting personal data and Principle 3 states that this data can only be used for the reasons stated. Using information for any purposes that have not been stated may be in breach of the Ordinance. Therefore, websites should prepare and make available on-line a Personal Information Collection (“PIC”) Statement setting out the purposes for which the data collected are to be used. The Office of Privacy Commissioner suggests that the PIC Statement be laid out on the same web page as any personal data collection forms. However, the PIC could also be on another page, as long as it carries a clearly visible, well-described link to the page from which information is collected.

Reasons that website owners have to comply with the Ordinance

There are two main reasons why it is in the interest of organizations to make sure that their web sites comply with the Ordinance:

· Non-compliance with the laws can result in civil claims and criminal prosecutions

· By ensuring the best protection of individuals' personal privacy and online safety, they are able to develop trust and confidence with users and potential customers.

Enforcement Notice

The Ordinance consists of six distinctive data privacy principles which in effect are laws on data protection. However, violation of a principle (for example a bank accessing your credit records from a CRA for direct marketing) is not a criminal offence. Violation only triggers the Privacy Commissioner's power to issue an enforcement notice against the offending data user. Investigations into data violations take place before an enforcement notice is issued.

Under section 50(1) of the Ordinance, the Commissioner has the discretionary power to serve on the party complained against an enforcement notice if one of the following conditions is satisfied:

1 The party is found to be contravening a requirement of the Ordinance; or

2 The party is found to have contravened such a requirement in circumstances that make it likely that the contravention will be repeated.

According to the usual practice adopted by PCO, where a contravention is found to have occurred but is not continuing, whether the Commissioner considers it likely for the contravention to be repeated in the future may depend on factors including:

1 whether the contravention found was a first-time or repeated contravention, accidental or deliberate;

2 whether the party complained against is willing to prepare a written undertaking to the Commissioner regarding improvement to its future conduct in such form as the Commissioner deems fit; or

3 whether the party complained against has shown remorse during the course of the investigation by co-operating fully with the PCO, taking appropriate remedial actions, etc.

An enforcement notice is therefore essentially a warning that tells the offending party that it must comply with the principles of the Ordinance. Continued failure to comply with an enforcement notice makes the violation a criminal offence that can lead to criminal prosecution. So if a bank was mishandling your credit data, and it was issued with an enforcement notice and still failed to cease using your records for direct marketing, it would be committing a criminal offence and prosecution would proceed.

Code of Practice on Consumer Credit Data

The following link takes you to a fact sheet about the PCO's Code of Practice on Consumer Credit Data use: www.pco.org.hk/english/publications/files/RevisedCCDFactsheet_e.PDF

This fact sheet describes personal information about potential borrowers that banks (and other credit providers) can and cannot give to CRAs (credit reference agencies that assess whether someone is eligible for a loan or credit increase).

Codes of Practice issued by Privacy Commissioner

According to section 12(1) of the Ordinance, the Privacy Commissioner for Personal Data (also known as "the Commissioner") can issue Codes of Practice "for the purpose of providing practical guidance" to assist data users' compliance with the Ordinance. Codes of Practice currently cover the collection and use of:

· Data used by Human Resource Management
· Identity card numbers and personal identifiers
· Consumer credit data

There is also a draft Code of Practice that addresses the issues of monitoring and personal data privacy at work. Full text versions of these Codes can be downloaded from: www.pco.org.hk/english/publications/listofpub.html

What happens if a data user does not observe these Codes of Practice? The provisions of the Codes are not legally binding. However, failure to observe a Code of Practice by a data user will weigh unfavourably against the data user in any complaint case before the Commissioner.

The Privacy Commission Office (PCO)

Who ensures that the Ordinance is observed?

The Privacy Commission Office (PCO) is an independent statutory body that was set up to oversee the enforcement of the Personal Data (Privacy) Ordinance. It also has the duty of receiving complaints from members of the public relating to any abuse or violation of the principles and carries out investigations into data privacy complaints. The PCO takes enforcement actions against those who are in breach of the Ordinance. The website of the PCO can be accessed at www.pco.org.hk. This site will give you access to the full text of the Ordinance and to several related publications, fact sheets, videos and case notes.
