Office of the Privacy Commissioner for Personal Data
The Office of the Privacy Commissioner for Personal Data (PCPD) is a Hong Kong statutory body enforcing the Personal Data (Privacy) Ordinance.
| 個人資料私隱專員公署 | |
| Statutory body overview | |
|---|---|
| Formed | 1 August 1996 |
| Jurisdiction |  Hong Kong |
| Headquarters | 12/F, Sunlight Tower, 248 Queen's Road East, Wanchai |
| Minister responsible |
|
| Deputy Minister responsible |
|
| Key document |
|
| Website | www |
 |
|
Politics and government of Hong Kong |
|
Related topics Hong Kong portal |
| Office of the Privacy Commissioner for Personal Data | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| Traditional Chinese | 個人資料私隱專員公署 | ||||||||
| |||||||||
Description
The Privacy Commissioner is charged with securing the privacy of individuals. The office is headed by the Privacy Commissioner for Personal Data, Ada Chung.[1]
The office is divided into six divisions: Complaints Division, Compliance Division, Legal Division, Policy and Research Division, Communications and Education Division, and Corporate Support and Enquiries Division.[2] It has investigatory and enforcement powers, and publishes best practices and other guidance to organizations and the general public.[1] It is a member of various multinational organizations, including the Global Privacy Assembly (GPA), the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN).[3]
Personal Data (Privacy) Ordinance
The purpose of this ordinance is to protect the privacy rights of a person in regard to his personal data, ie the Data Subject. The ordinance was passed in 1995.[4]
Data subject refers to :
- the information which relates to a living person and can be used to identify that person and
- it exists in a form in which access or processing is practicable
Examples of data subject protected by this ordinance include name, address, phone number, identity card number, photo, medical record and employment records. The data user, who collects, holds, or process this data is liable for any unlawful or wrongful use of this data.[5]
List of Privacy Commissioners for Personal Data
- Stephen Lau Ka-man (1 August 1996 – 31 October 2001)
- Raymond Tang Yee-Bong (1 November 2001 – 31 July 2005)
- Roderick Woo Bun (1 August 2005 – 31 July 2010)
- Allan Chiang Yam-wang (1 August 2010 – 3 August 2015)
- Stephen Wong Kai-yi (4 August 2015 – 3 September 2020)
- Ada Chung Lai-ling (since 4 September 2020)
2021 Amendments and Extension of Powers
Reforms to the Personal Data (Privacy) Ordinance, enacted in 2021, gave the PCPD new powers to investigate and prosecute suspected doxxing crimes.[6] Maximum fines are HK$100,000 and 2 years imprisonment, up to HK$1,000,000 and 5 years imprisonment for cases involving harm to victims.[7] In December 2021, it made its first arrests under the new powers, alleging two suspects published information about persons with whom they had a financial dispute.[8]
Reported data privacy issue of public concern
2010 Octopus sold personal data of customers for HK$44m
In 2010, it was reported that Octopus Card issuer has made HK$44 million in the past 4+1⁄2 years by selling cardholder data. This was disclosed in a special hearing conducted by the personal data privacy commissioner. Octopus Holdings chief executive Prudence Chan Bik-wah said she wished to 'sincerely apologise' to affected cardholders.[9]
2010 Six banks transfer personal data for marketing purposes
In August 2010, the Hong Kong Monetary Authority publicly disclosed that CITIC Bank International, Citibank, Fubon Bank, Industrial and Commercial Bank of China, Wing Hang Bank, and Wing Lung Bank were guilty of transferring customer data to unaffiliated parties for marketing purposes. In a separate investigation, the privacy commissioner for personal data concluded that the actions of some of the banks were equivalent to the sale of personal data.[10]
2017 Notebooks containing HK voters data was stolen
The Registration and Electoral Office reported in March 2017, right after the chief executive election, that they have lost 2 laptop computers containing 3.7 million voters personal information. This could be one of the most significant data breaches ever in Hong Kong, consider the city population is less than 8 million.[11]
HK Leaks
Since 2019, a website called HK Leaks has published personal information on more than 2,000 pro-democracy figures. When asked in August 2021 about if the site violated any laws, the PCPD said it would not comment on individual cases, and repeated the same response in May 2023.[12]
References
- "What We Do".
- "Organisation Chart".
- "External Connection". www.pcpd.org.hk. Retrieved 10 April 2023.
- Chapter 486 Personal Data (Privacy) Ordinance. Extracted 2018-06-06
- The Ordinance at a Glance. Extracted 2018-06-06
- "Hong Kong's personal data protection reforms : Clyde & Co". www.clydeco.com. Retrieved 6 April 2023.
- "Doxxing Offences". www.pcpd.org.hk. Retrieved 10 April 2023.
- Cheng, Selina (14 December 2021). "Hong Kong's privacy watchdog makes first ever arrest over doxxing". Hong Kong Free Press. Retrieved 10 April 2023.
- SCMP report - Octopus sold personal data of customers for HK$44m 2010-07-27. Retrieved 2018-06-06
- Chiang, Allan (15 December 2011). "Transfer of Customers' Personal Data by CITIC Bank International Limited to unconnected third parties for direct marketing purposes" (PDF).
- Laptops containing 3.7 million Hong Kong voters’ data stolen after chief executive election. SCMP reported 2017-03-28. Retrieved 2018-06-06
- Grundy, Tom (22 May 2023). "Hong Kong doxxing site targeting journalists, activists still online almost 2 years after authorities alerted". Hong Kong Free Press HKFP. Retrieved 22 May 2023.