
1 Personal Data Protection and Security Measures November 2014

2 Privacy Seminar for HKU. Data privacy breaches do happen … Who will be the next?
Timeline slide of milestones and cases (dates not preserved in the transcript):
► Deceitful data collection case
► Enactment of PDPO
► Commencement of PDPO
► Code of Practice on Consumer Credit Data
► Code of Practice on the Identity Card
► Code of Practice on HR Management
► Magazine case
► Government office employee video case
► Guidelines on employee monitoring
► Government authority in healthcare case
► Number of complaints in Hong Kong
► Hospital case
► DURS Consultation Paper
► Enactment of Personal Data (Privacy) (Amendment) Ordinance 2012
► Contactless smart card operator case
► Six banks involved in selling data of 600,000 customers
► Papers dump case
► Bank retention of data for 99 years case
► Data leakage of 8,000 students case
► Police Notebook case
► Fitness centre case
(Source: Consultation paper, Legislative Council Brief, Personal Data (Privacy) (Amendment) Bill 2011)

3 Agenda
1. Data Privacy Regulations and Requirements
2. Information Security Measures
3. Privacy Management Program and Data Inventories
4. Practices in the University
5. Case Study

4 1. Data privacy regulations and requirements
► ‘Personal data’ means any data -
► (a) relating directly or indirectly to a living individual;
► Indirect relationship; Remoteness
► Direct relationship; Triviality
► (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
► Practicable = reasonably practicable
► Take into account all relevant data controlled by the party in question
► Totality of such data
► (c) in a form in which access to or processing of the data is practicable.
► Form refers to the physical shape, structure, type, etc. of the data in question

5 1. Data privacy regulations and requirements (cont’d): the six Data Protection Principles (DPPs) across the data lifecycle (Data Collection, Data Storage, Data Usage / Transfer, Data Maintenance, Data Destroy)
► DPP1: Collection. This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from the subject (see PICS sample on next page)
► DPP2: Accuracy and Retention. This provides that personal data should be accurate, up-to-date and kept no longer than necessary
► DPP3: Use. Unless the data subject gives consent, his/her personal data should only be used for the purposes for which they were collected or a directly related purpose
► DPP4: Security Safeguards. This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable)
► DPP5: Transparency of Policies and Practices. This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used
► DPP6: Access and Correction. This provides data subjects with the rights of access to and correction of their personal data

6 1. Data privacy regulations and requirements (cont’d): JUPAS Personal Information Collection Statement (sample PICS)

7 1. Data privacy regulations and requirements (cont’d)
► Practical Tips
► PICS should not be too vague or wide in scope
► Remember to put PICS in exit interviews / alumni contact forms
► Collect as little personal data as possible
► Allow certain personal data to be voluntarily collected
► HKID is considered to be sensitive personal data

8 1. Data privacy regulations and requirements (cont’d)
Ensure that the information collected is adequate but not excessive. Collection of personal data relevant to a recruitment exercise:
► What personal data should be collected for recruiting?
► Work experience, job skills, competencies, academic/professional qualifications, good character and other attributes required for the job
► What should an employer collect regarding ID cards?
► An employer should not collect a copy of the identity card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment
► Regarding a job applicant’s family data, what should be asked?
► Should only ask about a job applicant’s family data when assessing conflict of interest and if there actually is the need (MPF, insurance)
► Should outside activities be recorded?
► Recording the details of a candidate’s outside activities and interests would be excessive unless the employer can demonstrate that such details are relevant to the inherent requirements of the job

9 1. Data privacy regulations and requirements (cont’d)
► Practical tips
► Data retention policy
► Housekeeping of personal data such as s
► Inform the data subject or get consent if personal data will be retained forever

10 1. Data privacy regulations and requirements (cont’d)
Ensure that personal data are accurate. Ensure that personal data are retained only for the amount of time necessary to complete the purpose.
► What are some good ways to ensure that employee data are accurate?
► Employers can implement a reminder system to ask employees to report changes to their personal data. An employer can also consider providing employees with copies of employment-related data at regular intervals and inviting them to report any changes that need to be made
► What should we do with the personal data of job applicants who are rejected?
► According to the Code of Practice on Human Resource Management, personal data of unsuccessful applicants may be retained for a period of up to two years from the date of rejecting the applicants and should then be destroyed. Employers should also give unsuccessful job applicants the opportunity to request the destruction of their data if they do not wish them to be used for this purpose.

11 1. Data privacy regulations and requirements (cont’d)
► Practical tips
► Privacy clauses with data processors
► Placements, internships and special classes
► Get consent from students if for additional purposes
► Direct Marketing

12 1. Data privacy regulations and requirements (cont’d)
Ensure that personal data are only used for the purposes mentioned in DPP1.
► Can an employer enter into an agreement with a credit card company to offer a credit card with special terms and conditions for its employees?
► Unless the employer has obtained prescribed consent, the employer should not use the employees’ data and pass them to the credit card company for marketing of the card.
► Can an employer transfer documents regarding an employee’s medical claim to its insurer?
► This is a directly related purpose to the original purpose for which claim documents are collected.
► Can an employer transfer documents to the Inland Revenue Department?
► This is a statutory requirement for disclosure and the documents should be transferred.

13 1. Data privacy regulations and requirements (cont’d)
Ensure that personal data are secure.
► When transferring personal data to third parties, what are some examples of protecting personal data?
► When mailing out documents, keep them in a sealed envelope addressed to the recipient and marked “Private and Confidential”. For electronic transmission, security protection software such as encryption should be used.
► What are some ways to protect electronic files of job applicants?
► A database comprising personal data of job applicants should be accessible only by a secure password on a need-to-know basis.

14 1. Data privacy regulations and requirements (cont’d): Data Leakage Prevention (“DLP”) Project
► Encryption of USB flash drive before any write access to the device
► Access to the USB flash drive will be protected by password and data stored in the device will be encrypted
► The software is available for download by all staff after logon to the HKU portal under the DLP Project web site
► Mandatory for all PCs that are within scope of the DLP Project
► Step by step guide, FAQs and download of the software at

15 1. Data privacy regulations and requirements (cont’d)
Ensure that the Privacy Policy Statement (PPS) is easily accessible.
► A PPS should be made available to anyone, in an easily accessible manner, whether the personal data is collected by the data user in the physical world or in the online world
► If a data user operates a website, it is recommended that a web version of the PPS be made available by means of a prominent link at the top or at the bottom of the home page and every page of the website
► PPS should be linked directly
► What goes into a good PPS
► Collection of personal data from minors
► Cookies
► Retention of Personal Data
► Handling of sensitive personal data
► Disclosure of personal data
► Protection measures
► Outsourcing Arrangement
► Transparency
► Access and Correction
► Answering enquiries about privacy policy and practices

16 1. Data privacy regulations and requirements (cont’d)
Ensure that a Data Access Request (DAR) is handled according to procedure.
► Create a Data Access Request Form
► Check the identity of the requestor
► Respond to a DAR within 40 days
► Log book
► Reasonable Fee
► Give the requestor a written notification with reasons if the DAR cannot be complied with within 40 days

17 2. Information Security Measures
► Data Classification - Identify / Manage / Protect Data
► Three Levels of Classification
► Public
► Open to Public
► No Restriction on Access
► Sensitive
► Official Use Only
► Protection due to proprietary, ethical or privacy considerations
► Restricted
► Protected by regulations, policies or contractual agreements
► Unauthorized access may cause financial or reputational loss to HKU

18 2. Information Security Measures (Cont’d)

19 2. Information Security Measures (Cont’d)
► Practical Tips
► Work Station
► Complex Password
► Enable login password and screen saver password
► Logout
► Avoid using a public computer to access confidential files
► Physical Security
► Storage
► Encryption
► Backup
► Removable Storage
► Encryption
► Erase data after use
► Store sensitive data only when it is absolutely necessary

20 2. Information Security Measures (Cont’d)
► Practical Tips
► Cloud Storage
► Privacy and confidentiality
► Data Retention
► Exposure of data
► Data Encryption
► Social Network
► Privacy and Security Settings
► Manage your friends
► Mobile Security
► Enable Screen Lock
► Encrypt data
► Install mobile security apps

21 3. Privacy Management Program and Data Inventories: Privacy Management Program (PMP)
► PCPD has advocated that identified sectors (banking, insurance and telecommunications) should develop and maintain a PMP (for the promotion of accountability)
► To ensure that appropriate policies and procedures are in place to promote good privacy practices in the following areas (Feb 2013): organization commitment, program controls, monitoring and annual review of program control effectiveness, and assessing and updating program controls
► 35 companies had pledged in Feb 2014 to implement the PMP

22 3. Privacy Management Program and Data Inventories (Cont’d): Privacy Management Program (PMP) (Cont’d)
► Organization commitment
► Program controls
► Personal information inventory
► Policies
► Risk assessment tools
► Training and education requirements
► Breach and incident management response protocol
► Service provider management
► External communication
► Monitoring and annual review of program control effectiveness
► Assess and update program controls as necessary

23 3. Privacy Management Program and Data Inventories (Cont’d)
► “An organisation should know what kinds of personal data it holds (for example, personal data of employees, personal data of customers, etc.), how the personal data is being used – and whether the organization really needs it at all”
► “Every component of an accountable, effective privacy management programme begins with this assessment.” – Privacy Management Programme: A Best Practice Guide
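A personal information inventory is only useful if something is checked against it. The following added example (not part of the seminar or any HKU system) models a small inventory and runs three checks the deck asks for: the two-year retention limit for unsuccessful applicants (slide 10), the safeguards each classification level calls for (slide 17), and the 40-day Data Access Request deadline (slide 16). The category names, control names and the sample systems are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Figures from the seminar: unsuccessful applicants' data kept at most two years
# (Code of Practice on HR Management); a DAR must be answered within 40 days.
RETENTION_YEARS = {"unsuccessful_applicant": 2}
DAR_RESPONSE_DAYS = 40

# Minimum safeguards per classification level (control names are our own).
REQUIRED_CONTROLS = {
    "Public": set(),
    "Sensitive": {"need-to-know access"},
    "Restricted": {"need-to-know access", "encryption at rest", "encryption in transit"},
}

@dataclass
class InventoryItem:
    system: str
    category: str            # e.g. "unsuccessful_applicant", "employee"
    classification: str      # "Public", "Sensitive" or "Restricted"
    collected_on: date
    controls: set = field(default_factory=set)

def add_years(d: date, n: int) -> date:
    """Same calendar day n years later (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def retention_expired(item: InventoryItem, today: date) -> bool:
    """True when the item is older than the maximum period for its category (DPP2)."""
    years = RETENTION_YEARS.get(item.category)
    return years is not None and today > add_years(item.collected_on, years)

def missing_controls(item: InventoryItem) -> list:
    """Safeguards the classification level demands but the system lacks (DPP4)."""
    return sorted(REQUIRED_CONTROLS[item.classification] - item.controls)

def dar_deadline(received: date) -> date:
    """Last day to answer a DAR, or to give written reasons for not complying (DPP6)."""
    return received + timedelta(days=DAR_RESPONSE_DAYS)

def review(items, today: date) -> dict:
    """Findings for the whole inventory: expired retention and control gaps."""
    gaps = {i.system: missing_controls(i) for i in items if missing_controls(i)}
    expired = [i.system for i in items if retention_expired(i, today)]
    return {"expired": expired, "control_gaps": gaps}

# Constructed sample inventory (not real HKU systems).
SAMPLE = [
    InventoryItem("recruitment-db", "unsuccessful_applicant", "Restricted",
                  date(2012, 6, 1), {"need-to-know access", "encryption at rest"}),
    InventoryItem("alumni-contacts", "alumni", "Sensitive", date(2014, 1, 15),
                  {"need-to-know access"}),
    InventoryItem("event-poster", "public_notice", "Public", date(2014, 9, 1)),
]
```

Run `review(SAMPLE, date(2014, 11, 1))` to list the recruitment database as both past its retention period and missing encryption in transit.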

24 3. Privacy Management Program and Data Inventories (Cont’d)

25 4. Practices in the University
► The Privacy Policy Statement
► Code of Practice (portable storage devices, incident handling / reporting and other guidelines)
► Data Collection Statement
► Statutory Data Access / Correction Request Process
► University Data Protection Officer and Personal Data Protection Coordinators
► Information Technology Services (advice / security measures / guidelines / training information)
► Central Compliance Team (compliance / monitoring)

26 5. Case Study
Case No.: Employee resignation notice containing excessive data
► A company sent fax messages to its customers to inform them of the resignation of an employee.
► Included in the messages was his identity card number.
► This was done without the employee's knowledge or consent.
► Upon enquiry by the PCPD, the company explained that the act was intended to prevent the ex-employee from soliciting business from its clients.
The Commissioner's views on the matter
► Breach of DPP4
► Did not ensure personal data were protected from accidental or unauthorized use.
► Breach of DPP3
► When an employee resigns, the purpose of notifying customers that he has resigned is regarded as a directly related purpose.
► However, the personal data used for such a purpose should be limited to those data which are sufficient.
► Disclosing the employee's identity card number is unnecessary.

27 5. Case Study (Cont’d)
Case No.: Employee complained that her employer logged in to her computer and collected cookies without notifying her
► An organization allows its employees to have access to computers for work-related activities. The employee was assigned a user name and a password that was set by herself.
► The employee’s supervisor asked for the employee’s password, stating it was for “emergency use”.
► The supervisor then logged on to the employee’s computer using the password and collected the employee’s browsing data. The supervisor then used it as evidence that the employee had been playing online games during office hours.
► The employee complained to the Commissioner about the supervisor’s collection of the employee’s cookies.
Contravention of DPP1
► Cookies are personal data as they contained information (English name) to identify the individual, and the cookies were gathered to address the individual’s suspected breach of regulations.
► The collection of cookies by the supervisor logging into the computer with the password was inconsistent with the original purpose of collecting the employee's password.
► The employee would not expect her supervisor to collect the cookies.
► Action Taken: the organization has to stop using employees' passwords to log in to their computers and access their browsing history, unless their prior consent is obtained.
Contravention of DPP5
► The organization had not clearly notified the employee of the purpose of employee monitoring, the monitoring activities that might be taken, or the use of the data collected.
► Action Taken: the organization has to put in place monitoring and security policies and remind its employees of the policies.

28 5. Case Study (Cont’d)
Case No.: Use of data obtained from the Land Registry for direct marketing purposes. The following question had been asked in this enquiry case:
Q: We are a bank. We have obtained the list of Transacted Property addresses which are issued by the Land Registry. We intend to use those Transacted Property addresses for direct marketing purposes, that is for credit card promotion, and we will also inform the occupants of those transacted property addresses that we will, without any charge to them, cease to use those data if they so request. We would therefore request your opinion on whether we can use the transacted property addresses list for our coming direct marketing campaign?
Privacy Commissioner Preferred View and Comments
► Such data are not collected or disclosed by the Land Registry for the purpose of direct marketing and hence their use for this purpose would require the prior consent, given voluntarily, of the individuals who are the subjects of the data
► Individuals with whom you do not have a past banking relationship may be surprised to receive a direct marketing approach from you and may query how you obtained their contact details
► This may result in a negative consumer reaction

29 5. Case Study (Cont’d)
Case No.: Online data leakage of personal data of policyholders of an insurance company
► A database containing personal data of about 600 policyholders of an insurance company was leaked and was accessible by the public on the Internet via a website.
► The agent uploaded and stored the personal data concerned on a web file server at his home.
► The data was therefore accessible to unauthorized persons through Internet search engines.
Contravention of DPP4
► Caused by the inappropriate giving of access to the personal data to the insurance agent.
► Although the insurance company claimed to have established guidelines and control procedures to restrict the access and transfer of policyholders' personal data by insurance agents, the PCPD found that the alleged controls were substantially inadequate.
Action by the Privacy Commissioner
► The insurance company has to specify clearly the circumstances under which processing of policyholders' personal data outside office premises is allowed.

30 Q&A
