
Jan 10, 2011

IPv4 Depletion Count Down -- Feb 20, 2011

Warning:
IPv4 address space is about to run out. The last block of IPv4 addresses is projected to be allocated on Feb 20, 2011. After that there is no unallocated IPv4 space left at the top of the hierarchy; any new assignment must be carved out of address space already held by the registries and existing holders.

Action Required:
Migration to IPv6 is now unavoidable. If you have not planned it yet, start now, even though you are already late.

We need ACTION NOW!

Jan 4, 2011

We Will Not Forget

Jan 2, 2011

In Memory of Szeto Wah


Mr Szeto Wah, chairman of the Hong Kong Alliance in Support of Patriotic Democratic Movements of China (支聯會), passed away after illness on 2 January 2011 at the age of 79.


Uncle Wah devoted his whole life to the democracy movement in China and Hong Kong. Even before his death he did not forget: "Vindicate June Fourth; the revolution is not yet complete. Build democracy; comrades must still strive." Uncle Wah was a man of iron whose every word rang true. We will remember you forever and will keep working for a democratic and open future for China. May you rest in peace.

Jan 1, 2011

IT Voice Response to PDPO Review (II): On the Consultation

We set the stage in the previous article, explaining the foundation of our opinion.
Now we go into the subject matter of our response in more detail. Comments are very welcome.

RESPONSES TO THE PUBLIC CONSULTATION


1.   Give the Privacy Commissioner material power to enforce
-     The Office of the Privacy Commissioner for Personal Data (PCPD) presently has powers to investigate suspected contraventions of the PDPO, issue enforcement notices and inspect personal data systems. These powers are, however, very limited. Non-compliance with the six Data Protection Principles is not a criminal offence.
-     The Privacy Commissioner can only serve an enforcement notice on the party concerned, and serving one further requires the Commissioner to be satisfied that the party is likely to repeat the contravention. The Octopus leakage case exposed this weakness: a serious breach did occur, yet the PCPD could not serve an enforcement notice because it was not established that Octopus would repeat the contravention.
-     We propose that the Ordinance be amended to remove the requirement of a likely repeat contravention before an enforcement notice can be issued.
-     We support heavier sanctions for data users who repeatedly contravene an enforcement notice.

2.  Regulation of Data Users and Data Processors
-     The Government proposal seeks to strengthen the contractual terms between data users and data processors. We consider this approach insufficient: it cannot respond to the many breach incidents, a large proportion of which have been traced to outsourcing or sub-contracting.
-     Taking information security and privacy management as a whole, we agree that data processors and sub-contractors should be as accountable as data users while they are processing personal data.
-     We agree that specific obligations should be imposed on data users, requiring them to adopt specific security measures when contracting out the processing of personal data to third parties.
-     At the same time, the scope of inclusion should be clearly defined and restricted so that only negligent parties, not ignorant ones, are penalised. There are cases where a service provider has no knowledge that it is holding personal data, for example:
  -   data processors given test data by careless data users, without being told that the test data are real personal data;
  -   Internet service providers and online service providers that only provide conduits or platforms for data communication and storage, and do not know the nature of the data passing through the conduit or stored on the platform;
  -   web hosting providers that only provide storage and applications for clients to host data, and have no knowledge of the type of data stored on their servers.
-     Some overseas legislation places data processors under the same regulatory responsibility as data users. If Hong Kong had a legislative regime covering data processors, it would be better placed to act as a global service hub. Before that advantage can be taken, however, there must be a sound way to distinguish the population that should be regulated from the innocent population. We are disappointed that the Government proposal does not discuss this area properly, and we caution that it may not yet be the right time to impose widespread direct regulation. Such regulation would also affect the fundamental principle of free flow of information.
-     We propose that the Government consider indirect regulation as an interim measure: data users must establish with their data processors the responsibility to ensure that data are
(a) used only for the purpose for which they were provided;
(b) kept secure and safeguarded; and
(c) erased once no longer required.
-     We would, of course, be very open to direct regulation if a clear and granular definition can be made.

3.  Data Breach Notification should be Mandatory
-     We maintain that the right to be informed of a breach of one's personal data is a human right. Notification is essential for the victim to take proper mitigating measures.
-     The current Government proposal suggests a voluntary notification scheme. Such a scheme only puts the corporations that do practise disclosure at a disadvantage in the market. With this negative incentive, the scheme is destined to fail.
-     The ultimate solution should be mandatory data breach notification.
-     The Government should set a timetable to implement mandatory data breach notification in phases. Implementation should start with Government-regulated sectors (e.g. financial institutions, hospitals, telecommunications), while general business starts under a voluntary regime. In, say, three to five years the law should cover all businesses. This approach balances the need to protect individuals' privacy rights against the worries of business about the uncertainties of disclosure.
-     The Government proposal lacks detail on the reporting requirements, for example how to prevent unreasonable delay in notification, and the format and manner of notification that would make it user-friendly.

4.  Regulation of Cross-border Transfer of Personal Data
-     Section 33 of the PDPO, which would require a data user to take all reasonable precautions and exercise all due diligence to ensure that personal data are not collected, held, processed or used in a place outside Hong Kong in any manner which, if that place were Hong Kong, would contravene a requirement under the Ordinance, has never been brought into operation.
-     The Council of Europe's 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data[1] and the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data[2] set out specific rules on the handling of electronic data across borders.
-     The PCPD has had informal discussions with the EU on whether Hong Kong's data protection is adequate under the EU Data Protection Directive, but has not received a formal reply. Hong Kong is unlikely to be deemed adequate before Section 33 of the Ordinance comes into operation.[3]
-     Many countries, especially in Asia, have developed or are developing laws to promote electronic commerce. These countries recognise that consumers are uneasy about the increased availability of their personal data, particularly with new means of identification and new forms of transaction, and about their personal information being sent worldwide. Privacy laws are being introduced as part of a package of laws intended to facilitate electronic commerce by setting up uniform rules. The rise of off-shore data repositories, e.g. cloud computing and software-as-a-service, makes regulation of trans-border flows of personal data more essential than before.
-     Many countries are adopting new laws or updating older laws based on Council of Europe Convention No. 108 and the EU Data Protection Directive, so that their trade is not affected by the requirements of the Directive.
-     The Madrid Privacy Declaration[4] urges countries that have not ratified Council of Europe Convention 108, together with its 2001 Protocol, to do so as expeditiously as possible.
-     We are of the view that the PDPO should be measured against international standards. Section 33 should be brought into operation to comply with the EU requirements and the OECD Guidelines. Such compliance is vital for Hong Kong to stay competitive and for its outsourcing businesses to capture the international market.

5.  Unauthorised Obtaining, Disclosure and Sale of Personal Data
-     We support making it an offence for a person to obtain personal data without the consent of the data user and to disclose the data so obtained for profit or for malicious purposes.
-     We note that there are precedents of personal data being transferred to third parties through fine print that data users have slipped into their terms and conditions. The law must make it clear that a transfer of personal data to a third party must be made known to the data subject in clear text, and that the third party's scope of use must not exceed the data user's own scope of use unless explicit agreement is obtained.

6.  Regulation of Direct Marketing
-     The legislation should place a legal obligation on data users and their representatives to disclose the source of personal data when requested by the data subject. The PCPD should provide more public education so that people know they have this right.
-     We support raising the penalty level for misuse of personal data in direct marketing.

7.  Set up a Personal Data Breach Database
-     The PCPD should implement the personal data breach database immediately. It has been planned since 2000 but never realised, and the PCPD and the Government should be held to account for that failure. Such a database gives the public useful information on the privacy protection profile of organisations, supports statistics and trend analysis, and ultimately serves data privacy awareness education. The PCPD should set itself up as a model to encourage individual organisations to maintain their own corporate data breach databases.

8.  Training and Awareness Education are the Most Effective Preventive Measures
-     We regard preventive measures such as training and awareness education as a critical success factor for the PDPO. Drawing on the good experience of the Equal Opportunities Commission (EOC) and the Independent Commission Against Corruption (ICAC), the Government should provide sufficient funding for the PCPD to expand its reach to corporations, schools and the community.


[1] Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108, Strasbourg, 1981.
[2] OECD, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 1980.
[3] http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559532
[4] Article 2, http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-565563

IT Voice Response to PDPO Review (I): Taking Personal Data Breach Seriously

The Octopus Card personal data privacy incident in July 2010 aroused public concern over the inadequacy of personal data privacy protection under the current legislation. The recent public consultation on the legislative proposals from the review of the Personal Data (Privacy) Ordinance was expected to receive more feedback than the previous consultation in 2009.

IT Voice has been following this issue and submitted a response paper during the 2009 review.

In 2010, the Government published legislative proposals following up the 2009 review. IT Voice again submitted its opinions from the perspective of the public interest and of IT professionals. The opinion paper has two parts. In Part I we restate the foundation of our opinion.


TAKING PERSONAL DATA BREACH SERIOUSLY



1.   Data breaches have become the "norm" in Hong Kong. Not only are corporations leaking the personal data of their staff or customers; the Octopus case showed an organised trade in personal data among service providers.

2.  These breaches have aroused extreme concern among citizens about the privacy of their personal data and about the consequential damage, or risk of damage, from the leakages. Citizens have also lost confidence in public institutions and enterprises to protect their personal data.

3.   The reputation of Hong Kong as a safe and friendly trading hub and financial centre has been seriously damaged by these incidents.

4.   The Octopus case has exposed the insufficiency of the current legislation in compelling service providers to inform affected victims and in empowering the Privacy Commissioner to prosecute offending parties.

5.   With the rise of mobile computing, social network services and cloud computing, more and more data are placed on publicly accessible infrastructure scattered around the globe and managed by third-party service providers. The threat of data breach is increasing, and the adequacy of the privacy law is being subjected to ever more vigorous challenge.

6.   Developed economies are developing more advanced privacy laws to protect personal privacy and extending their coverage to cross-border transfers of data. These reforms protect privacy as a human right and also secure each economy's status as a privacy-safe place for cross-border business.

7.   IT Voice recognises the importance of balancing business interests and individuals' rights. In the context of personal data privacy in Hong Kong, we also take into account the weakness of the consumer community relative to business and the absence of class actions in litigation. In commenting on the review, we keep in mind the proper balance of power and take the common good of the citizens as the highest priority.

8.   The enactment of the PDPO 15 years ago marked Hong Kong as a world leader in the protection of personal data privacy. It has helped make Hong Kong a free and safe confluence of information and business. We need not only continuous improvement and a response to recent data breach incidents, but also a vision for the future that allows Hong Kong to withstand technological change and global competition in the coming decade.
