Since October 2011, the Hong Kong Office of the Privacy Commissioner for Personal Data has published three “Guidance Notes” to help data users comply with the Personal Data (Privacy) Ordinance (the “Ordinance”). These Notes are not legally binding, nor are they intended to serve as an exhaustive guide to the application of the Ordinance, but they provide good, practical examples and tips that the Commissioner has developed as it has implemented the Ordinance.
The first Guidance Note is intended to “guide organizational data users to manage the security risks of using PSDs and ensure compliance with Data Protection Principle 4 of the Personal Data (Privacy) Ordinance,” where PSDs are portable storage devices such as USB drives, memory cards and portable hard disks. It summarizes the relevant legal requirements and offers a number of practical tips. We outline some of the key tips below.
- Data users are encouraged to develop policies, practical guidelines and procedures to manage risks associated with the use of portable storage devices, and to provide users with proper training. The policies on the use of portable storage devices should address issues such as:
  - detecting and avoiding risk;
  - preventing unauthorized access;
  - keeping pace with changes in technology;
  - training staff and establishing consequences for non-compliance; and
  - conducting regular reviews and audits.
- Conducting a risk assessment is recommended to facilitate the development of the policies.
- To implement the policies, data users should employ technical measures such as end-point security, data loss prevention systems, inventory control and secure data disposal software.
- Data users should adopt a formal data breach handling and notification policy.
The purpose of the second Guidance Note is to “assist data users in complying with the Data Protection Principles while engaging in the collection, display or transmission of personal data through the Internet.”
The Ordinance features six data protection principles that set forth fair information practices with respect to personal data. This document goes through the principles (and Section 34 of the Ordinance regarding direct marketing) giving an overview of the legal requirements of each principle and explaining how they relate to Internet use by data users.
The Commissioner also provides practical examples and advice on how to comply with each of the legal requirements. For purposes of complying with some of the legal requirements, the Commissioner recommends that data users adopt appropriate policies, principles, technical standards and security measures to help ensure privacy and data protection.
Guidance on Personal Data Erasure and Anonymization
This document “provide[s] advice to organizational data users on how to erase personal data properly by means of digital deletion and/or physical destruction.” It summarizes the relevant legal requirements under Section 26 and Data Protection Principles 2 and 4 of the Ordinance. In light of the data breach risks associated with the disposal of electronic and hard copy records, the Commissioner recommends that data users adopt personal data retention and destruction policies, principles, technical standards, tools and measures to ensure privacy and data protection.
The document also addresses the risks of outsourcing data destruction to service providers, offering practical suggestions such as ensuring that the service provider is bound by a formal contract. And because employees may access personal data held by their employers beyond what their duties require, the document recommends raising awareness and providing training on proper data protection practices.
The document also introduces anonymization as an alternative to erasure: a process by which personal data is de-identified to the extent that it is no longer practicable to identify individuals, directly or indirectly, from the data. The Commissioner notes that once personal data is de-identified in this manner it is no longer subject to the Ordinance.
In conclusion, the Privacy Commissioner’s Guidance Notes offer useful information to help data users address real-life issues concerning the handling of personal data. Data users and others who deal with privacy and data security issues should review the Notes to strengthen and improve their data protection practices.