23 November, 2018
The massive recent leakage of customer personal data by international airlines, along with other alarming data leakage incidents by social media platforms have once again put the issue of data protection in the spotlight.
Data protection is the management and safeguarding of personal data from unauthorised access or use. Nowadays, organisations handle a huge volume of personal and confidential client and customer information in the course of their business operations. While the rapid development and application of smart technologies in the areas of social computing; big data processing; artificial intelligence; and machine learning have made everything faster and smarter, changes to business, communities and society arising from the use of blockchain, fintech and behavioural tracking technologies also raise the risks to individuals’ privacy to an unprecedentedly high level. For instance, according to the Office of the Privacy Commissioner for Personal Data Annual Report 2016-17 (Annual Report), the number of cybercrimes has risen from a few hundred per year in the 1990s to about 6,000 in 2016.
With frequent data breaches resulting in the personal and confidential client and customer information being compromised, clients and customers are increasingly concerned about the welfare of their data privacy with respect to – how and to what extent their data are being controlled, managed, used and secured. Since the collection and dissemination of information from clients and customers rely on the very trust that exists between the organisations (that collect) and the clients and customers (who provide), it is vital that every effort be made to ensure such information never falls into the wrong hands. Accordingly, organisations must ensure every step in the process not only complies with applicable privacy laws, but they must also meet the privacy and security expectations of clients and customers, allowing only those that have the access privilege to use them.
Data protection regime in Hong Kong
The legal regime that applies to data protection plays a significant role and governs the way in which data can be used to market, provide services or run businesses, and specifies how they should be kept. However, in reality whether personal data and information are sufficiently protected will invariably depend on whether the applicable laws are robust enough to ensure adequate compliance.
In Hong Kong, the current data protection regime is governed by the Personal Data (Privacy)
Ordinance (PDPO), which regulates the collection of personal data, their use and disclosure, retention and granting of access to and correction of personal data. Further, there are obligations imposed by the PDPO on data users in the form of six Data Protection Principles (DPP) to ensure data are processed properly. The six DPPs are summarised below:
DPP1 (collection): personal data should be collected by fair means and for lawful purpose, such collection should be necessary but not excessive, and the data subjects must be informed of the purpose of the collection.
DPP2 (accuracy and retention): all personal data should be accurate and not kept any longer than is necessary.
DPP 3 (use and disclosure): personal data should not be used for a different purpose unless with the consent of the data subject.
DPP 4 (security): all practicable steps should be taken to protect personal data collected against unauthorised or accidental access, processing, erasure, loss or use.
DPP 5 (openness): all practicable steps should be taken to ensure the public knows what personal data are held and how they are used.
DPP 6 (access and correction): a data subject should be able to have access to his/her personal data and correct them if inaccurate.
Under the PDPO, an individual who has reasonable ground to believe an act has been committed in breach of the PDPO may lodge a complaint to the Office of the Privacy Commissioner for Personal Data (PCPD or Privacy Commissioner) who may conduct an investigation. If a breach has occurred, the Privacy Commissioner may serve an enforcement notice on the data user requiring him/her to remedy the breach. Breach of the DPPs is not an offence, only failure to comply with an enforcement notice is an offence. The Privacy Commissioner may refer criminal offences to the Hong Kong Police. Despite this, the Privacy Commissioner admitted in the Annual Report that penalties on conviction of offences might not have the deterrent effect one would expect.
Is compliance with the current legal regime sufficient for data protection?
Against the backdrop of digital revolution and evolution of the digital ecosystem, the Privacy Commissioner pointed out in the report titled – “Ethical Accountability Framework for Hong Kong China” issued in October 2018, that the digital revolution and technological developments have challenged data privacy frameworks around the globe, including Hong Kong’s PDPO. Technological advancement and the ever increasing scale of data-processing activities are stretching the adequacies of the underlying data protection principles enshrined in the PDPO such as “notice and consent”, “use limitation”, and “transparency”.
In the wake of the airline breach, the former Privacy Commissioner commented that many organisations in Hong Kong are still treating data protection either with indifference or simply leaving things to chance. They failed to proactively establish and maintain a comprehensive privacy management programme, and only take remedial steps when an incident of data breach occurs.
Clearly, in order for businesses and organisations to continue to collect and take advantage of the use of personal data, it is no longer sufficient to conduct their operations in ways that only meet the minimum regulatory requirements.
Privacy management programme – a global trend for organisations
As a result of the significant increase of new privacy risks, data and privacy protection is currently undergoing a state of change. There is a growing trend among privacy regulators around the world to advocate and promote a more proactive accountability-based privacy management programmes (PMP) as a tool for building up accountability, as opposed to the mere compliance with existing data protection laws.
The accountability principle was first introduced by the Organisation for Economic Co-operation and Development (OECD) in its 1980 Privacy Guidelines and subsequently updated in 2013 with the introduction of a number of new concepts such as PMP and security breach notification. The OECD Guidelines have shaped many regulatory frameworks around the world, including the data protection regime in Hong Kong.
The term “accountability” in relation to privacy is succinctly defined in the “Getting Accountability Right with a Privacy Management Program” Guide jointly issued by the Privacy Commissioners of Canada, Alberta and British Columbia, as “the acceptance of responsibility for personal information protection.
An accountable organisation must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws. Done properly, it should promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organisations.”
On 16 August 2018, the PCPD issued the revised Best Practice Guide on Privacy Management Programme (Best Practice Guide) which aims at assisting organisations in setting up a comprehensive PMP that incorporates the concept of accountability. The Privacy Commissioner said, “With the growing public expectations for privacy protection, organisations should go further than merely treating personal data protection as a compliance issue. Constructing a comprehensive PMP not only can build trust with customers, but also enhance the organisation’s reputation as well as competitiveness…. Obviously, the adoption of accountability approach in handling personal data through implementation of PMP becomes a global trend for organisations.”
The Best Practice Guide provides recommendations and guidelines for organisations to construct a more robust and comprehensive PMP which requires commitment by organisations on programme control and ongoing review. The major emphases are summarised as follows:
1. Organisational commitment
- Senior management commitment is key to a successful PMP
- Organisations must designate someone who is responsible for the PMP
- Organisations need to establish internal reporting mechanism and clearly show the reporting structure and procedures for reporting
2. Programme controls
Organisations should:
- know what personal information they hold, how it is being processed, and document the information in the personal data inventory
- develop internal policies that address obligations under the law. These policies need to be made available to employees
- conduct periodic risks assessments and privacy impact assessment to ensure that organisations are in compliance with the PDPO
- provide employees with up-to-date training and education tailored to specific needs
- have a procedure in place and a person responsible for managing personal information breach
- have procedures for ensuring compliance with the law by service providers
- have procedures for informing employees and customers of their personal data policies and practices
3. Ongoing assessment and revision
- Organisations should develop an oversight and review plan to help keep their PMP on track and up to date
- The effectiveness of programme controls should be monitored, periodically audited, and where necessary, revised
Conclusion
The increase in privacy breaches has raised the privacy and security expectations of business clients and customers over the collection, holding, processing and use of their personal data. Organisations must therefore implement adequate security measures to protect the personal data of their clients and customers. An accountability-based model for handling personal data is a more proactive and preferred approach and has now become the global trend. In line with this trend, the European Union’s (EU) General Data Protection Regulation (GDPR), which came into force on 25 May 2018, introduced a number of new features into the data protection regime including accountability, that is, organisations must follow various obligations in order to demonstrate data protection compliance, such as the appointment of data protection officers; mandatory personal data breach notification, and data portability and new obligations on processors, etc. In relation to this, Hong Kong businesses will be bound by the GDPR if they have an establishment in the EU, or outside the EU if they offer goods or services to or monitor EU citizens.
In view of the public concerns about the recent airline data leakage and the public's call for stricter regulation on data protection for organisations, the Privacy Commissioner expressed on 3 November that a review of the PDPO is underway and recommendations will be submitted to the government within months.
The impact from the GDPR is far reaching and is likely to affect Hong Kong businesses in due course resulting in amendments to the PDPO. As such, organisations and HR professionals should understand and appreciate that conducting business operations merely to meet the minimum legislative requirements is no longer sufficient. Instead they should implement a more proactive accountability-based PMP as a tool to strengthen their privacy protection measures. A comprehensive PMP will help organisations to identify and address data breaches and leakage at an early stage, and avoid financial loss and reputational damage in the long run. At the same time, organisations will be able to demonstrate to the regulatory authorities and their clients and customers that they have a robust PMP in place in the event of a compliance investigation.
For further information, please contact:
Cynthia Chung, Partner, Deacons