Data Privacy in Hong Kong -- OctopusGate and Beyond
The incident of Octopus selling customer personal information to third parties has drawn Hong Kong people's attention to their own privacy. The questions worth raising are: Are those who handle personal data in public or private institutions, whether executives or rank-and-file workers, aware of what to do with these data? Do institutions and enterprises know how to deal with personal information in a lawful and reasonable way? And how can citizens exercise their right to know and protect themselves?
First, when people talk about privacy, different people have different interpretations. But under Hong Kong law, the Personal Data (Privacy) Ordinance (PDPO) applies only to data that can be used "to effectively determine" the identity of a living person (the data subject) in Hong Kong, and to the control of the collection, holding, processing or use of such personal data. For example, my identity card number can be used to confirm my identity, and is therefore covered by the Ordinance. On the other hand, if you get hold of the knowledge that I am an alcoholic (assuming I don't want my friends to know about it), even though I may regard this as a "privacy matter," it would not be something protected by this Ordinance.
Data Protection Principles of the Ordinance
Summarizing the provisions on the handling of personal information by data users, there are six data protection principles (DPP) that set out the responsibilities of data users:
(DPP1) Purpose and manner of collection of information: personal data must be collected lawfully and fairly, and the data user must inform the data subject, at the time of collection, of the purposes for which the data will be used and whether the data subject is obliged to provide it. (For example, are the Octopus terms and conditions in fine print reasonable, and are they made known to the customers?)
(DPP2) Accuracy of personal data and duration of retention: personal information must be accurately kept and in an updated manner, and kept no longer than necessary.
(DPP3) Use of personal data: unless the data subject has given consent, personal data may only be used for the purposes stated at the time of collection, or for a directly related purpose. (For example, did Octopus customers give informed consent for Octopus to sell these data?)
(DPP4) Data security: the data user is required to take appropriate security measures to protect personal data. (For example, have the institutions found to have leaked personal data of their subjects, such as the Hospital Authority, Fire Department, Police Department and several banks, taken appropriate measures to ensure data security?)
(DPP5) Information to be generally available: the data user should state clearly the categories of personal data it holds and the main uses made of that data. (For example, Octopus initially did not disclose what information was sold, to whom, and for what purposes.)
(DPP6) Access to personal data: data subjects have the right to access and correct their personal data held by the data user. (For example, there were reported cases where MTR and Octopus were unable to provide transaction data to customers who made enquiries. Are such incidents violations of this principle?)
Is Corporate Social Responsibility that hard?
These six data protection principles are in fact not difficult to understand. When I worked with an Internet service provider more than 10 years ago, our company needed to collect customers' personal data, so I did a little self-study, and that was sufficient for me to understand how to follow the law. As service providers, we have to care about users' rights and their privacy as if they were our own. That, I believe, is the most basic corporate social responsibility.
Unfortunately, the Octopus case may be only the tip of the iceberg. There are many other institutions and enterprises doing similar things.
What has gone wrong?
We already have legislative protection for personal data, and there are ongoing processes to review and improve the laws. However, when the PDPO went through its long-overdue public consultation at the end of last year, were people aware? Did the Government sufficiently promote the importance of that consultation? There were numerous proposals by the former Privacy Commissioner, Mr Roderick Woo, that were brushed aside by our Government. Subsequently, the Government even appointed a new Commissioner who had a record of privacy infringement when he headed Hong Kong Post in a previous job.
In the end, we need more than a law to protect us. We need the right attitude toward privacy protection – from Government, institutions, enterprises, media and citizens. Without such a mindset, we will not take the proper steps toward risk management, nor live up to our responsibilities and the public's expectation that personal data be handled properly. If we do not act now, it may be too late.
Published in Professional Information Security Association Journal Issue 12 (September 2010)