Effective Approach in Implementation of Data Protection Law: Macao’s Experiences

Ken Yang

Office for Personal Data Protection

Macao SAR

Macao at a Glance

Small city with high population density
  • Size: 29.9 km² in 2011 (11.6 km² in 1912)
  • Population: 560 thousand (about 94% are ethnic Chinese)
  • 60 km from Hong Kong
A Special Administrative Region
  • In the early 1550s the Portuguese reached Macao
  • Ruled by Portuguese Administration before handover to China (Dec. 20th, 1999)
  • Like Hong Kong, benefits from the principle of "one country, two systems".
  • Legal system: civil law system
Macao World Heritage: The Historic Center of Macao
  • the perfect crossroad for the meeting of East and West cultures

Passed: August 2005

  • Entry into force: February 2006
  • It covers both public and private sectors
  • It covers automatic data processing, as well as systematic manual processing
  • It relates to the EU Directive
  • Supervising authority – GPDP
Definition of personal data
  • any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person
Legitimacy of data processing
  • the data subject has unambiguously given his consent,
  • or processing is necessary for:

(1) performance of contracts or to take steps prior to entering into a contract;

(2) compliance with a legal obligation;

(3) protecting the vital interests of the data subject who is incapable of giving his consent;

(4) performance of a task in the public interest or in the exercise of official authority;

(5) pursuing the legitimate interests of the controller not overridden by the interests for fundamental rights, freedoms and guarantees of the data subject.

Sensitive data
  • personal data revealing philosophical or political beliefs, political society or trade union membership, religion, privacy and racial or ethnic origin, and the processing of data concerning health or sex life, including genetic data
Legitimacy of data processing: Additional
  • Data processing is prohibited, except:

(1) authorised by a legal provision;

(2) on important public interest grounds, and authorised by the public authority;

  • the data subject’s explicit consent.
  • Some other derogations defined in the PDPA (Article 7)
Suspicion of illegal activities, criminal and administrative offences
  • personal data relating to persons suspected of illegal activities, criminal and administrative offences and decisions applying penalties, security measures, fines and additional penalties
Legitimacy of data processing: Additional
  • Defined in Article 8 of the PDPA
Data quality

(1) lawfulness, principle of good faith;

(2) for specified, explicit, legitimate purposes; not incompatible with those purposes;

(3) adequate, relevant and not excessive;

(4) accurate

(5) kept for no longer than is necessary for the purposes

Rights of the data subject
  • Rights to information
  • Right of access, rights to rectify
  • Right to object
  • Right not to be subject to automatic individual decisions
  • Rights to indemnification
Data security
  • General security – technical and organizational measures (Article 15)
  • Special security measures (Article 16)
  • Processing by a processor (Article 17)
  • Professional secrecy (Article 18)
Transfer of data outside Macao
  • The destination shall have an adequate level of personal data protection
  • Derogations:
    • with notification to GPDP
    • Authorized by GPDP
Sanctions
  • Administrative offences (fine from MOP $4,000 to MOP $200,000)
  • Crimes (maximum: 4 years imprisonment)
  • Additional penalties (prohibition of processing, blocking, erasure or destruction of data, public warning)
The roles of GPDP
  • Supervision and coordination
  • Establishment of regimes (including issuing guidelines)
  • Handling complaints and enquiries (Both data controllers and data subjects need that)
  • Publicity & Education (Privacy awareness is always important)
  • Analyses & research (There is always something new)
Principle
  • Education first

Considering:

  • History
  • Culture
  • Readiness of data controllers
  • Awareness of the general public
Promotion - Work on public education

Targets :

  • data controllers
  • general public
  • youth
Means 1 – Understanding the PDPA
  • Briefing sessions
  • Seminars
  • Training courses
  • Conferences
From 2007-2011
  • Sessions: more than 230
  • Attendees: more than 9000
Means 2 – Publications
  • Annual Reports
  • Newsletters
  • Booklets and Pamphlets
  • Column stories in newspaper - “Privacy & You”
Means 3 – Videos
  • Video clips competition
  • Advertising videos
Means 4 – Promotional items
  • Distributed on different occasions
  • Attract different target populations
  • An effective marketing approach
Means 5 – Website www.gpdp.gov.mo
  • To provide basic knowledge and information
  • To provide case summaries
  • To provide our legal opinions
  • To provide our guidelines
  • To provide translation of international documents
  • In different languages
Some statistics
  • Investigations
Right to object:
  • A bank continued to send SMS to a former client who had exercised his right to object and refused to receive any marketing messages from the bank. The bank was sanctioned with a MOP $4,000 fine.
Principle of proportionality:
  • A self-employed decoration contractor X tried to collect an unsettled payment from citizen Y for the decoration work of Y’s residence. X held a press conference and disclosed Y’s residential address in full.
(cont.)
  • This Office held the opinion that X’s disclosure of Y’s residential address in full was a violation of the principle of proportionality, and imposed a MOP $4,000 fine on X.
  • For Y’s complaint against two newspapers on their reports with his residential address in full, this Office held the opinion that the freedom of press was protected by the Publication Law, so Y could only lodge his complaint to court by civil litigation.
Notification
  • The controller must notify GPDP in written form within eight days after the initiation of carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.
Exemptions issued by GPDP
  • The public authority may authorise the simplification of or exemption from notification for particular categories of processing which are unlikely, taking account of the data to be processed, to affect adversely the rights and freedoms of the data subjects and to take account of criteria of speed, economy and efficiency.
Current exemptions
  • Remunerations, Payments and Welfare Benefits
  • Administration of Employees and Service Providers
  • Non-Profit Legal Person’s Collection of Membership Fees or Contact with Members
  • Billing and Contact Information of Clients, Suppliers and Service Providers
  • Relating to Students
  • Relating to Users of Libraries and Archives
  • Registration of Entries and Exits of Visitors
  • Recruitment
  • Admission of students
Major difficulties
  • The existing data processing when the PDPA came into force
  • Lack of secondary legislation to define the detailed procedures
Implementation of the registration scheme - notification
  • First of all, “notification” requirements apply to all new data processing after the PDPA’s coming into force.
  • Secondly, GPDP needs to deal with the existing processing.
  • The first stage (completed): progressive implementation in the public sector, issuance of exemptions
  • The second stage: progressive implementation in the private sector – secondary legislation is now being drafted
Authorization
  • The processing of sensitive data
  • The processing of personal data relating to credit and the solvency of the data subjects.
  • Combination / interconnection of data
  • Change of purpose
  • Extending the period of data retention
  • Transferring personal data to destinations outside Macao without adequate level of personal data protection.
  • First of all, “authorization” requirements apply immediately to all new data processing after the PDPA’s coming into force. No new data processing requiring GPDP’s authorization should be started without it.
  • Existing ones without authorization by legal provisions should be either stopped or authorized by GPDP.
  • “Combination” in the public sector is a problem.
Combination/interconnection of data
  • “combination of data” shall mean a form of processing which consists of the possibility of correlating data in a filing system with data in a filing system or systems kept by another or other controllers or kept by the same controller for other purposes
The coordination on interconnections within the public sector
  • Requested all government departments to check whether they had interconnections before the PDPA came into force.
  • If yes, check whether there is legislation allowing it.
  • If not, they must submit application.
  • Some departments decided to stop the practice, some got our authorization.
Coordination – guidelines
  • Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring
  • Processing clients’ data by the employment agencies
  • Using attendance devices of biometric technologies
  • Data retention in public agencies
  • The right to information in indirect collection of personal data.
  • Publication of personal data on the Internet.
Code of conduct
  • A self-regulation model
  • It shall be drawn up by the professional associations and other bodies representing some categories of data controller, not GPDP
  • GPDP did encourage some industries to do so, but no successful case yet