Slide 1: Personal Data Protection and Security Measures (November 2014)
Slide 2: Data privacy breaches do happen ... Who will be next?

Reported cases:
- Deceitful data collection case
- Six banks involved in selling the data of 600,000 customers
- Number of complaints in Hong Kong
- Data leakage of 8,000 students case
- Contactless smart card operator case
- Hospital case
- Bank retention of data for 99 years case
- Police notebook case
- Magazine case
- Government office employee video case
- Government authority in healthcare case
- Papers dump case
- Fitness centre case: California Fitness collected excessive personal data from membership applicants in contravention of the privacy law (5 December 2013)

Regulatory milestones shown on the slide's timeline (order as extracted):
- Code of Practice on Consumer Credit Data
- Consultation paper
- Enactment of Personal Data (Privacy) (Amendment) Ordinance 2012
- Enactment of PDPO
- Code of Practice on HR Management
- Legislative Council Brief: Personal Data (Privacy) (Amendment) Bill 2011
- Guidelines on employee monitoring
- DURS Consultation Paper
- Commencement of PDPO
- Code of Practice on the Identity Card
(Source:
Slide 3: Agenda
1. Data Privacy Regulations and Requirements
2. Information Security Measures
3. Privacy Management Program and Data Inventories
4. Practices in the University
5. Case Study
Slide 4: 1. Data privacy regulations and requirements

'Personal data' means any data:
(a) relating directly or indirectly to a living individual; (direct relationship: triviality; indirect relationship: remoteness)
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and ("practicable" means reasonably practicable; take into account all relevant data controlled by the party in question, i.e. the totality of such data)
(c) in a form in which access to or processing of the data is practicable. ("Form" refers to the physical shape, structure, type, etc. of the data in question.)
Slide 6: 1. Data privacy regulations and requirements (cont'd): JUPAS Personal Information Collection Statement
Slide 7: 1. Data privacy regulations and requirements (cont'd)
Practical tips:
- A PICS should not be too vague or wide in scope
- Remember to include a PICS in exit interviews and alumni contact forms
- Collect as little personal data as possible
- Allow certain personal data to be provided voluntarily
- HKID numbers are considered sensitive personal data
Slide 8: 1. Data privacy regulations and requirements (cont'd)
Ensure that the information collected is adequate but not excessive. Collection of personal data relevant to a recruitment exercise:
Q: What personal data should be collected for recruiting?
A: Work experience, job skills, competencies, academic/professional qualifications, good character and other attributes required for the job.
Q: What should an employer collect regarding ID cards?
A: An employer should not collect a copy of a job applicant's identity card during the recruitment process unless and until the individual has accepted an offer of employment.
Q: What should be asked regarding a job applicant's family data?
A: Only ask about a job applicant's family data when assessing conflict of interest, and only if there actually is a need (e.g. MPF, insurance).
Q: Should outside activities be recorded?
A: Recording the details of a candidate's outside activities and interests is excessive unless the employer can demonstrate that such details are relevant to the inherent requirements of the job.
Slide 9: 1. Data privacy regulations and requirements (cont'd)
Practical tips:
- Data retention policy
- Housekeeping of personal data such as s
- Inform the data subject, or obtain consent, if personal data will be retained indefinitely
Slide 10: 1. Data privacy regulations and requirements (cont'd)
Ensure that personal data are accurate, and that they are retained only for as long as necessary to fulfil the purpose.
Q: What are some good ways to ensure that employee data is accurate?
A: Employers can implement a reminder system asking employees to report changes to their personal data. An employer can also consider providing employees with copies of employment-related data at regular intervals and inviting them to report any changes that need to be made.
Q: What should we do with the personal data of rejected job applicants?
A: According to the Code of Practice on Human Resource Management, personal data of unsuccessful applicants may be retained for up to two years from the date of rejection and should then be destroyed. Employers should also give unsuccessful applicants the opportunity to request the destruction of their data if they do not wish it to be used for this purpose.
Slide 11: 1. Data privacy regulations and requirements (cont'd)
Practical tips:
- Privacy clauses with data processors
- Placements, internships and special classes
- Obtain consent from students if their data will be used for additional purposes
- Direct marketing
Slide 12: 1. Data privacy regulations and requirements (cont'd)
Ensure that personal data are used only for the purposes mentioned in DPP1.
Q: Can an employer enter into an agreement with a credit card company to offer its employees a credit card with special terms and conditions?
A: Unless the employer has obtained prescribed consent, it should not use employees' data and pass them to the credit card company for marketing of the card.
Q: Can an employer transfer documents regarding an employee's medical claim to its insurer?
A: This is a purpose directly related to the original purpose for which the claim documents were collected.
Q: Can an employer transfer documents to the Inland Revenue Department?
A: This is a statutory requirement for disclosure, and the documents should be transferred.
Slide 13: 1. Data privacy regulations and requirements (cont'd)
Ensure that personal data are secure.
Q: When transferring personal data to third parties, what are some examples of protecting personal data?
A: When mailing documents, keep them in a sealed envelope addressed to the recipient and marked "Private and Confidential". For electronic transmission, security protection software such as encryption should be used.
Q: What are some ways to protect electronic files of job applicants?
A: A database containing personal data of job applicants should be accessible only with a secure password and on a need-to-know basis.
Slide 14: 1. Data privacy regulations and requirements (cont'd)
Data Leakage Prevention ("DLP") Project:
- Encryption of USB flash drives before any write access to the device
- Access to the USB flash drive is protected by a password, and data stored on the device is encrypted
- The software is available for download by all staff after logging in to the HKU portal, under the DLP Project website
- Mandatory for all PCs within the scope of the DLP Project
- Step-by-step guide, FAQs and software download at
Slide 16: 1. Data privacy regulations and requirements (cont'd)
Ensure that Data Access Requests (DARs) are handled according to procedure:
- Create a Data Access Request form
- Check the identity of the requestor
- Respond to a DAR within 40 days
- Keep a log book
- Charge only a reasonable fee
- If a DAR cannot be complied with within 40 days, give the requestor written notification with reasons
Slide 17: 2. Information Security Measures
Data classification: identify, manage and protect data. Three levels of classification:
- Public: open to the public; no restriction on access
- Sensitive: official use only; protection required due to proprietary, ethical or privacy considerations
- Restricted: protected by regulations, policies or contractual agreements; unauthorized access may cause financial or reputational loss to HKU
Slide 19: 2. Information Security Measures (cont'd)
Practical tips:
- Workstation: use a complex password; enable a login password and a screen saver password; log out; avoid using public computers to access confidential files
- Physical security
- Storage: encryption; backup
- Removable storage: erase data after use; store sensitive data only when absolutely necessary
Slide 20: 2. Information Security Measures (cont'd)
Practical tips:
- Cloud storage: privacy and confidentiality; data retention; exposure of data; data encryption
- Social networks: privacy and security settings; manage your friends
- Mobile security: enable screen lock; encrypt data; install mobile security apps
Slide 21: 3. Privacy Management Program and Data Inventories
Privacy Management Program (PMP):
- PCPD has advocated that identified sectors (banking, insurance and telecommunications) should develop and maintain a PMP, for the promotion of accountability
- The aim is to ensure that appropriate policies and procedures are in place to promote good privacy practices in the following areas (Feb 2013): organization commitment; program controls; monitoring and annual review of program control effectiveness; assessing and updating program controls
- 35 companies pledged in Feb 2014 to implement the PMP

Components of a PMP:
- Organization commitment: buy-in from the top; a privacy officer; a privacy office and reporting
- Program controls: personal information inventory; policies; risk assessment tools; training and education requirements; breach and incident management response protocol; service provider management; external communication
- Monitoring and annual review of program control effectiveness
- Assess and update program controls as necessary
Slide 23: 3. Privacy Management Program and Data Inventories (cont'd)
"An organisation should know what kinds of personal data it holds (for example, personal data of employees, personal data of customers, etc.), how the personal data is being used – and whether the organization really needs it at all."
"Every component of an accountable, effective privacy management programme begins with this assessment."
(Privacy Management Programme: A Best Practice Guide)
Slide 24: 3. Privacy Management Program and Data Inventories (cont'd)
Slide 26: 5. Case Study
Case No.: Employee resignation notice containing excessive data
- A company sent fax messages to its customers to inform them of the resignation of an employee.
- The messages included his identity card number.
- This was done without the employee's knowledge or consent.
- Upon enquiry by the PCPD, the company explained that the act was intended to prevent the ex-employee from soliciting business from its clients.
The Commissioner's views on the matter:
- Breach of DPP4: the company did not ensure that personal data were protected from accidental or unauthorized use.
- Breach of DPP3: when an employee resigns, notifying customers of the resignation is regarded as a directly related purpose. However, the personal data used for that purpose should be limited to what is sufficient, and disclosing the employee's identity card number is unnecessary.
Slide 27: 5. Case Study (cont'd)
Case No. 2006014: Employee complained that her employer logged in to her computer and collected cookies without notifying her
- An organization allows its employees access to computers for work-related activities. The employee was assigned a user name and a password that she set herself.
- The employee's supervisor asked for the employee's password, stating it was for "emergency use".
- The supervisor then logged on to the employee's computer using the password and collected the employee's browsing data, which the supervisor used as evidence that the employee had been playing online games during office hours.
- The employee complained to the Commissioner about the supervisor's collection of her cookies.
Contravention of DPP1:
- Cookies are personal data, as they contained information (her English name) identifying the individual, and they were gathered to address the individual's suspected breach of regulations.
- Collecting cookies by logging in to the computer with the password was inconsistent with the original purpose for which the employee's password was collected; the employee would not expect her supervisor to collect her cookies.
- Action taken: the organization has to stop using employees' passwords to log in to their computers and access their browsing history unless their prior consent is obtained.
Contravention of DPP5:
- The organization had not clearly notified the employee of the purpose of employee monitoring, the monitoring activities that might be taken, or the use of the data collected.
- Action taken: the organization has to put in place monitoring and security policies and remind its employees of them.
Slide 28: 5. Case Study (cont'd)
Case No. 1998123: Use of data obtained from the Land Registry for direct marketing purposes
The following question was asked in this enquiry case:
Q: "We are a bank. We have obtained the list of transacted property addresses which are issued by the Land Registry. We intend to use those transacted property addresses for direct marketing purposes, that is, for credit card promotion, and we will also inform the occupants of those transacted property addresses that we will, without any charge to them, cease to use those data if they so request. We would therefore request your opinion on whether we can use the transacted property address list for our coming direct marketing campaign."
Privacy Commissioner's preferred view and comments:
- Such data are not collected or disclosed by the Land Registry for the purpose of direct marketing, and hence their use for this purpose would require the prior consent, given voluntarily, of the individuals who are the subjects of the data.
- Individuals with whom you do not have a past banking relationship may be surprised to receive a direct marketing approach from you and may query how you obtained their contact details.
- This may result in a negative consumer reaction.
Slide 29: 5. Case Study (cont'd)
Case No. 2006010: Online leakage of personal data of policyholders of an insurance company
- A database containing personal data of about 600 policyholders of an insurance company was leaked and was accessible by the public on the Internet via a website.
- An agent had uploaded and stored the personal data on a web file server at his home.
- The data was therefore accessible to unauthorized persons through Internet search engines.
Contravention of DPP4:
- Caused by inappropriately giving the insurance agent access to the personal data.
- Although the insurance company claimed to have established guidelines and control procedures restricting the access to and transfer of policyholders' personal data by insurance agents, the PCPD found that the alleged controls were substantially inadequate.
Action by the Privacy Commissioner:
- The insurance company has to specify clearly the circumstances under which processing of policyholders' personal data outside office premises is allowed.