allan chiang, s.b.s. privacy commissioner for personal data 8 july 2013
DESCRIPTION
Asian Privacy Scholars Network Conference. Balance between Access to Public Domain Information and the Protection of Personal Data. Allan Chiang, S.B.S. Privacy Commissioner for Personal Data 8 July 2013. Sources of Public Domain Information. Companies register Land register - PowerPoint PPT PresentationTRANSCRIPT
1
Allan Chiang, S.B.S.Privacy Commissioner for Personal Data
8 July 2013
Asian Privacy Scholars Network Conference
Balance between Access to Public Domain Information and the Protection of Personal Data
2
Sources of Public Domain Information
Companies register Land register Register of vehicles SFC’s register of licensed persons and
registered institutions Notice of intended marriage Register of voters
3
Judiciary’s daily cause list
Judiciary’s cause book
Government gazette
Telephone directory
Professional or business directory, listing or notice
Sources of Public Domain Information
4
Correction:
Personal data, be it publicly available or not,
is subject to protection under the PDPO
Myth: Public Domain Information is Open to Unrestricted Use
5
Use Limitations
DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for
which they were originally collected or a directly related purpose
6
Personal Data in Public Domain still Subject to PDPO
Government confirmed LRC’s view“putting personal data in the public domain does not make the data available for use for any purpose”
Hon Chu JA in Re Hui Kee Chun, CACV 4/2012DPP3 “is directed against the misuse of personal data and it matters not that the personal data involved has been published elsewhere or is publicly available”
7
Implications of Unfettered Use of Data
Privacy intrusion in general
Insufficient or no control over data security,
accuracy, retention
Function creep, e.g. direct marketing, profiling
Identity theft, stalking and surveillance etc.
8
Use Limitations
DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for
which they were originally collected or a directly related purpose
9
Use Limitations
Original purpose: explicit SFC’s register: Security & Futures Ordinance
“ For the purposes of enabling any member of the public to ascertain whether he is dealing with a licensed person or a registered institution in matters of or connected with any regulated activity and to ascertain the particulars of the licence or registration of such person or institution (as the case may be), the register shall be made available for public inspection…”
10
Original purpose: explicit
Government telephone directory: an explicit use restriction to the effect that the information (government officials’ names and contact details) is not intended to be used for direct marketing activities and the information should not be transferred for commercial gains
Use Limitations
11
Use Limitations
Original purpose: implied Register of vehicles is established under
the Road Traffic (Registration and Licensing of Vehicles) Regulation “to provide for the regulation of road traffic and the use of vehicles and roads (including private roads) and for other purposes connected therewith”
Hence permitted use of personal data should relate to traffic and transport matters
12
Use Limitations
Directly related purpose Data subject’s reasonable expectation:
Assessed on a case by case basis
Take into account specific context of data collection and sensitivity of data
Will a reasonable person in the data subject’s situation finds the data re-use unexpected, inappropriate or otherwise objectionable based on the context of the data collection?
13
Vehicle owner
Company director
Property owner
Hypothetical Scenarios for DPP3 Application
14
Privacy rightsOther rights
Public interests
15
Exemptions from DPP3 under PDPO
Section 52 (domestic purposes)
Section 58 (crime) Section 59 (health)
Section 60B (legal proceedings)
Section 61 (news) Section 62 (statistics and research)
Section 63 (emergency situation)
16
Protection Measures: Examples of Good Practice
Vehicle owners particulars Administrative measures to remind applicants
that personal data is provided for traffic and transport-related matters
Applicants asked to declare purpose of use of personal data sought
17
Protection Measures: Examples of Good Practice
Land registry Massive download of data not possible
Marriage registry Notice amended in 2005 to include less data than
those supplied by the marrying parties
Register of voters Use of personal data for any purpose other than
a purpose related to the election is an offence under the Electoral Affairs Commission Regulation
18
Protection Measures: Examples of Good Practice
Government telephone directory An explicit use restriction to the effect that
the information (government officials’ names and contact details) is not intended to be used for direct marketing activities and the information should not be transferred for commercial gains
19
Protection Measures: Examples of Failures
Vehicle owners particulars Irrespective of whether a purpose of use of data is
indicated and what purpose is indicated, C for T has to comply with the request
Company register Unfettered public access to company directors’
HKID and residential addresses
Land registry Unfettered public access to property owners’
identity card numbers and signatures
20
Way Ahead
Education
Enforcement
Legislation
21
Thank You