Following is a question by the Hon Albert Ho and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (February 20):
Question:

Schedule 1 to the Personal Data (Privacy) Ordinance (Cap 486) (PDPO) sets out the data protection principles and, among them, Principle 4 requires data users to take all practicable steps to ensure that personal data held by them are protected against unauthorised or accidental access, processing, erasure or other use. However, the Ordinance does not impose an express mandatory legal responsibility on data users to inform the Privacy Commissioner for Personal Data (the Commissioner) and the persons affected when there are problems with the security of data or leakages of the personal data held by them. The Commissioner is reviewing whether contravention of the data protection principles in the Ordinance should be made an offence. In this connection, will the Government inform this Council:
(a) of the number of cases involving problems with security of personal data or leakage of such data which had been brought to the attention of the Commissioner in the past three years and, among them, the number of cases in which the data users took the initiative to inform the Commissioner and the persons affected of the relevant situation;
(b) whether it has studied if the aforesaid legal responsibility should be added to the Ordinance; if so, of the outcome of the study; if not, whether it will carry out such a study; and
(c) of the progress of the above review?
Reply:

(a) From 2005 to 2007, the Commissioner received 389 complaint cases (46 complaints were related to the same data leakage incident) alleging breach of Data Protection Principle (DPP) 4. Upon formal investigation and as at February 11, 2008, contravention of DPP4 was substantiated in 51 cases, of which 46 cases were related to the same data leakage incident. None of the data users in question notified the Commissioner of the data security/leakage problem. The data user of the 46 cases in question notified the data subjects affected by the data leakage. Of the remaining five data users, one indicated that they would notify the data users concerned about the data leakage, while the others did not make such notifications. For the remaining 338 complaint cases, the Commissioner does not keep statistics on whether the data users concerned notified the Commissioner and the data subjects affected of the data security/leakage problem.
The Commissioner also conducted 69 self-initiated compliance checks on suspected breaches of DPP4 during the same period. As the objective of compliance checks is to ensure that an intended act, or an act which may breach or have breached DPP4, would cease immediately, no formal investigations were conducted to establish whether contravention of DPP4 was substantiated. The Commissioner does not keep statistics on whether the data users concerned notified the data subjects concerned of the data security/leakage problem.
(b) As regards the imposition of an express mandatory legal responsibility on data users to inform the privacy authority and the persons affected when there are problems with the security of data or leakage of the personal data held by them, such a mandatory notification requirement does not itself prevent data leakage, although in some situations it may help contain at an early stage the spread of any leakage of personal data, which in turn may minimise the possible damage that the data subjects concerned may suffer.
(c) At present, contravention of Data Protection Principles (DPPs) is not an offence under the PDPO. The Commissioner has undertaken a comparative study of overseas data protection legislation and found that the current provisions under the PDPO are in line with international jurisprudence on privacy legislation. Making non-compliance with DPPs an offence will have a significant impact on civil liberty as a data user would face criminal liability for an inadvertent act or omission.
Ends/Wednesday, February 20, 2008