Out-Law News | 26 Feb 2014 | 10:00 am | 3 min. read
Allan Chiang, Hong Kong's Privacy Commissioner for Personal Data (PCPD), urged businesses to take a whole-business approach to data protection by building privacy management programmes into their corporate governance and making themselves more accountable to clients.
Chiang made his comments at a conference organised by the Office of the PCPD.
"Regulatory experience has shown time and again that privacy and data protection cannot be managed effectively if they are merely treated as a compliance issue, doing the least possible to comply with the legal requirements, but with little or no regard to customers’ privacy expectations," he said. "Instead, we should consider the subject from a broad business perspective, bringing back the concept of customer centricity into the business equation."
The conference was held amid growing public debate about data protection issues in Hong Kong, including about the use of personal data in direct marketing and mobile technology apps.
The PCPD last year received a record number of enquiries and complaints in relation to data protection. The increase follows the introduction of new legal provisions governing the use of personal data in direct marketing, which took effect from 1 April 2013.
In 2013 the PCPD dealt with a record high of 24,161 enquiries, an increase of 27% on the previous year. A total of 55% of these related to the use of personal data in direct marketing, with others related to employment issues, data access requests, the collection of Hong Kong identity card numbers or copies and workplace surveillance.
The PCPD also received a record high of 1,792 complaints last year, a 48% increase on 2012. Of these complaints, 78 per cent were made against the private sector, 13 per cent against the public sector or government departments and 9 per cent against individuals.
A review of the PCPD's activities last year, published in January, revealed that in 2013 the PCPD issued 32 warnings and 25 enforcement notices to organisations, compared with 27 warnings and 11 enforcement notices in 2012. It also referred 20 cases to the police for consideration of prosecution, an increase of 33% compared to 2012. Most cases related to suspected contraventions of the new provisions governing direct marketing. Several are still under investigation and none have so far resulted in prosecution.
At the conference Chiang said that the development of a privacy management programme (PMP) is an important part of corporate governance, helping to establish trust between companies and customers.
He said: "Organisations, as responsible corporate citizens, should adopt a paradigm shift from compliance to accountability. To this end, top management’s commitment is required to build and maintain PMP which ensures that privacy is built by design into all initiatives, programmes or services, and data protection is practised throughout the organisation. This proactive approach should lead to a win-win-win outcome for the organisations and their staff as well as customers."
Hong Kong-based information and technology law specialist Peter Bullock of Pinsent Masons, the law firm behind Out-Law.com, said that organisations could expect a tightening up on data protection in the future.
"The Privacy Commissioner has made it plain to legal professionals since the tightening of the Personal Data (Privacy) Ordinance in 2012 that he will adopt a purposive rather than strictly legalistic approach to interpreting data users' responsibilities under the Ordinance. After years of fallow enforcement we can expect a further escalation of data protection enforcement over the coming period," he said.
Last week the PCPD and the Hong Kong Special Administrative Region Government held a ceremony where more than 30 organisations pledged to implement PMP, including key players from the insurance and telecommunications sectors.
The PCPD best practice guidelines on Privacy Management Programmes described the strategy as "of paramount importance" and advocated the development of a robust privacy infrastructure which demonstrates the organisation's commitment to good corporate governance "conducive to building trustful relationships with customers, employees, shareholders and regulators." To achieve this, organisations should establish policies and procedures that are in line with the law; should keep data safe based on privacy risk assessment; should develop security breach plans; and should ensure there is internal oversight and review of processes.