
Henry Chang, IT Advisor 13 Dec 2010

PCPD’s Views to the Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance. ICT, Personal Data Privacy and Review of the Personal Data (Privacy) Ordinance Hong Kong Computer Society. Henry Chang, IT Advisor 13 Dec 2010. Legislative Review Timeline.


Presentation Transcript


  1. PCPD’s Views to the Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance. ICT, Personal Data Privacy and Review of the Personal Data (Privacy) Ordinance. Hong Kong Computer Society. Henry Chang, IT Advisor, 13 Dec 2010.

  2. Legislative Review Timeline
     • Dec 2007: PCPD proposed 50+ legislative amendments to the Government
     • Aug 2009: The Government released the Consultation Document on Review of the Personal Data (Privacy) Ordinance (PD(P)O) with 44 proposals
     • Nov 2009: PCPD presented a Submission to Consultation Document on Review of the PD(P)O
     • Oct 2010: The Government released the Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance with 37 proposals

  3. The Government’s Key Proposals
     • Direct Marketing and Related Matters
     • Reasonably specific, understandable and readable Personal Information Collection Statement (PICS)
     • Opt-out regime
     • Raised penalty of non-compliance to enforcement notice: up to $500K fine and 3 years imprisonment
     • Unauthorised Sales of Personal Data
     • Data subject must be informed in writing of the kinds of personal data to be sold and to whom
     • Opt-in or opt-out regime to be consulted
     • Disclosure for Profits or Malicious Purposes of Personal Data Obtained without Data User’s Consent

  4. The Government’s Key Proposals
     • Data Processors
     • Indirect regulation by way of requiring data users to use contractual means to ensure their data processors comply with the law
     • Personal Data Security Breach Notification
     • To introduce a voluntary breach notification system
     • Legal Assistance to Data Subject
     • To empower PCPD to provide legal assistance to aggrieved data subjects

  5. PCPD’s Views to the Report
     • PCPD welcomes the 37 proposals
     • IT-Industry related (but not targeting the IT industry)
     • Direct Regulation of Data Processors
     • Sensitive Personal Data
     • General
     • Direct Marketing Regime
     • Sanctioning Power

  6. Direct Regulation of Data Processor [Proposal 5]
     • Data Processor is the only party in the personal data ‘lifecycle’ that is not regulated
     • Proposed regulations are [Report: 3.6.7 a, b and c]:
     • Respect the purpose and retention to which the personal data is entrusted;
     • Reasonably practicable steps to ensure security/protection
     • Overseas jurisdictions have data processors directly regulated
     • Issue of Transborder personal data flow from jurisdictions with stronger legislation
     • Not a direct offence but subject to enforcement notice

  7. Sensitive Personal Data [Proposal 38]
     • PCPD’s original proposal was to
     • Create a category of ‘sensitive personal data’
     • In line with other jurisdictions: racial/ethnic origins, political affiliations, religious beliefs and affiliations, trade union memberships, health information, sexual life and biometrics
     • Require express consent for their collection and use [Report 4.2.4 a]
     • Exemptions apply [Report 4.2.4 b - g]
     • Major overseas jurisdictions have classification and protection of sensitive personal data
     • Issue of Transborder personal data flow from jurisdictions with stronger legislation

  8. Direct Marketing Regime [Proposal 1]
     • An ‘opt-in’ regime will give the basic right of self-determination back to the public; or
     • To establish a Do-not-call register for person-to-person calls
     • Data user must disclose the source of personal data upon requests from data subjects

  9. Sanctioning Power
     • Granting criminal investigation and prosecution power to PCPD [Proposal 39]
     • Empowering PCPD to award compensation to aggrieved data subjects [Proposal 40]
     • Empowering PCPD to impose monetary penalty on serious contravention of data protection principles [Proposal 42]

  10. Q&A
