Following is a question by the Hon Emily Lau and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (May 21):
In the press release issued on February 19 this year regarding the circulation of nude photos of artistes on the Internet, the Office of the Privacy Commissioner for Personal Data (PCO) stated that there was a pressing need for the authorities to consider amending the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) by making it an offence to, without the consent of a data user, intentionally obtain or disclose the personal data held or leaked by the data user or sell the personal data so obtained. In addition, in reply to a question raised by a Member of this Council on February 20 this year, the authorities advised that making non-compliance with the data protection principles an offence would have a significant impact on civil liberty as a data user would face criminal liability for an inadvertent act or omission. In this connection, will the Executive Authorities inform this Council:
(a) whether they know if the PCO has conducted public consultation on the proposal to amend the PDPO; if it has, of the outcome of the consultation; if not, the reasons for that;
(b) whether the authorities will appoint independent persons to review the PDPO and provide an objective analysis;
(c) whether they have assessed if the PCO has adequate resources and power to investigate and handle the several recent incidents in which equipment and devices containing personal data were lost; and
(d) as the authorities have advised that even with the imposition of an express mandatory legal responsibility on data users to inform the privacy authority and the persons affected when there are problems with the security of data or leakage of the personal data held by them, it cannot prevent data leakage, of the authorities' alternative proposed measures that can prevent data leakage, and whether the authorities will consider the proposal of the PCO to amend the PDPO?
(a) The Government is discussing with the PCO the various issues covered in the review of the PDPO, with a view to mapping out the way forward. At an appropriate time, the public will be consulted if proposals are to be put forth.
(b) As the independent statutory body responsible for implementation of the PDPO, the PCO is in the position to make recommendations to the Administration on the review of the Ordinance. In addition, the Personal Data (Privacy) Advisory Committee established under the PDPO, which comprises the Privacy Commissioner (PC) as Chairman, seven non-official members and one Government representative, advises the PC on matters relevant to the privacy of individuals in relation to personal data or otherwise relevant to the operation of the Ordinance.
(c) In 2008/09, we have provided an additional funding of $2.8 million to the PCO, of which $1.8 million is for strengthening the PCO's manpower in the enforcement of the PDPO by creating three additional posts. The other $1 million is for strengthening the PCO's promotion and educational work to enhance public awareness of personal data protection. The Government has in place a resource allocation mechanism for Government departments and subvented bodies to review regularly their resource requirements. If the PCO needs extra resources, they can submit a bid to the Government under this mechanism.
The PDPO confers upon the PC with powers to inspect personal data systems, and to investigate into complaints and possible contraventions of the Ordinance. The PC has the power of entry on premises for the purposes of an inspection or investigation. The PC may also summon before him any person who, in the PC's opinion, is able to give any information relevant to the suspected contravention, examine such person and require the person to furnish to the PC any evidence relevant to such purposes during an investigation. These powers have enabled the PC to discharge his enforcement functions under the PDPO effectively.
(d) The PCO has conceived certain proposals which may help prevent data leakage. They include, inter alia, creating a new offence against persons who knowingly or recklessly, without the consent of the data user, obtain or disclose or procure for such disclosure personal data held or leaked by the data user, or sell or offer to sell the data so obtained. As these proposals will have far reaching implications on the IT industry, public and private organisations as well as the community as a whole, we will first have to discuss the feasibility of these proposals with the PCO and to consider whether there is sufficient justification for criminalising such actions, before deciding on the way forward.
Ends/Wednesday, May 21, 2008