Modern technologies allow the public easy transfer of private information to intended recipients. However, there is a simultaneous risk of leaking and abuse of such personal data.
"There's growing awareness of the importance of privacy," says Allen Ting, acting chief privacy compliance officer, Office of the Privacy Commissioner for Personal Data Hong Kong (PCPD). "The commercial sector and public bodies are data users who literally hold the key to a vast information database. As such, they must exercise the utmost integrity during data processing and usage, while remaining responsible for the safekeeping of such data."
PCPD was established as an independent statutory body, with a mission to protect the privacy of individuals' personal data through promotional campaigns, education and the supervision of compliance with the Personal Data (Privacy) Ordinance (the Ordinance), which came into effect in December 1996.
The executive arm of PCPD comprises the operations, legal, corporate communications, compliance and administration divisions. The operations division focuses on complaint investigations whereas the corporate communications division deals with public promotions and education. In contrast, the compliance division takes a proactive approach in carrying out compliance checks whenever necessary and answering enquiries from members of the public ranging from data users, data subjects and even law firms.
"When certain malpractices have been identified, we would carry out a compliance check and if necessary, issue letters of caution to the parties concerned advising them to take remedial action to prevent further data leakage or repetition of such matters," Mr Ting says. "Should a data user fail to comply with our request, we would initiate a full-scale investigation and if the situation warrants, issue an enforcement notice." For the fiscal year 2005/2006, PCPD carried out a total of 131 compliance checks, of which 15 were related to government departments and statutory bodies.
Mr Ting notes that the most common breach nowadays is related to the misuse of personal data. Companies use the data for purposes other than those originally intended, without seeking prior consent from their clients or customers — the data subjects.
"Companies or people who are not familiar with the six data protection principles set out in the Ordinance may find themselves breaching the requirements of the Ordinance without knowing it. However, we don't mean to criminalise but instead encourage voluntary compliance," Mr Ting stresses.
The fast-evolving IT sector poses a challenge to privacy protection work. "Don't upload personal data onto the Internet unless it's absolutely necessary," Mr Ting advises. "Online platforms such as personal homepages or blogs encourage information sharing. The downside is that there is no way a data subject can monitor the 'free flow' of such information."
Recent leaks of digital data from IT-dependent companies have alarmed industry players who are now more cautious, particularly about data transmission and storage. In light of this, PCPD suggested a privacy compliance audit be conducted to ensure that the requirements of the Ordinance were met. Mr Ting adds that excessive or inappropriate collection of data is unacceptable. "For example, an employer may collect information such as a job applicant's work experience and academic results," he says. "Other personal particulars such as account numbers of their spouses are unnecessary."
In the face of future challenges, continuously equipping staff with the necessary skills and knowledge is of paramount importance. PCPD has a range of training programmes in place. These include entry level orientation and in-house training to improve technical and soft skills such as complaint handling. Also in the pipeline is a knowledge management system, which will allow effective experience sharing to better facilitate learning for all PCPD staff.
Around 50 dedicated staff members handled an impressive 14,156 enquiries and 972 complaint cases during the fiscal year 2005/2006. As the public's privacy awareness grows, PCPD's workload will increase.
"A personal data officer follows through an entire case, starting from conducting the initial research, and in some cases carrying out a full-scale investigation, until a final decision is made by the Privacy Commissioner," Mr Ting explains.
Hard work is essential but the job brings great satisfaction. Candidates are welcome to join the privacy protection arm provided they have an inquisitive mind and sophisticated analytical skills. While some legal knowledge would be useful, Mr Ting points out that talent from a variety of academic or professional fields is also welcome. "People from different disciplines can bring new insights and help widen our organisational perspective," he says.