Dec 2, 2009

IT Voice Responded to the Review of the Personal Data (Privacy) Ordinance

IT Voice has submitted its response to the review of the Personal Data (Privacy) Ordinance (PDPO). This article highlights 3 of the 21 responses. The full paper can be downloaded here.

IT Voice agrees that business interests and individuals' rights need to be balanced. At the same time, the Hong Kong context must be taken into account: a weak consumer community and the absence of class action litigation.

Regulation of Data Processors and Sub-contracting Activities
  • Specific obligations should be imposed on data users by requiring them to take specific security measures when contracting out the processing of personal data to third parties.
  • The scope of inclusion should be clearly defined and restricted so that only negligent parties, not ignorant parties, are penalised. Internet service providers and online service providers who only provide conduits or platforms for data communication and storage do not know the nature of the data passing through the conduits or stored on the platform.

Personal Data Security Breach Notification
  • We propose mandatory notification of personal data security breaches. Voluntary disclosure practices will not create a level playing field for organisations and will not be effective.
  • We propose that large data breaches be reported to the PCPD, which should keep a database of data breaches from the previous 7 years for public enquiry.
  • Breach notification should be implemented in two phases according to risk level and the nature of the business. Government, public institutions, critical infrastructure, and the financial and regulated industries should implement it first, while other sectors follow in a second phase starting 3 years after the start of the first phase.

Territorial Scope of the PDPO
  • IT Voice urges the Government to enact Section 33 of the PDPO, which provides that cross-border personal data flows are covered by the PDPO as if they were in Hong Kong.
  • The PDPO should be compared to international standards. Enactment of Section 33 is in line with the Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the Organisation for Economic Co-operation and Development (OECD) Guidelines.
  • The Madrid Privacy Declaration urges countries that have not ratified Council of Europe Convention 108, together with the Protocol of 2001, to do so as expeditiously as possible.
  • Compliance is vital for Hong Kong to stay competitive and to allow the outsourcing business to capture the international market.
