Data Protection and Cybersecurity 2022

The document discusses Hong Kong's Personal Data (Privacy) Ordinance (PDPO) and data protection laws. It outlines the six data protection principles of the PDPO, which aim to ensure compliance and protect individual privacy. These principles govern the proper collection, accuracy, use, security, and access of personal data. The document also describes exemptions to the PDPO and the role of the Privacy Commissioner in enforcing data privacy.
Data Protection and Cybersecurity
Laws and Regulations on Data Protection
 Provisions of the Personal Data (Privacy) Ordinance ("PDPO"), Cap. 486 (個人資料(私隱)條例)
 Six data protection principles of the PDPO
 Code of Practice on Human Resource Management
 Code of Practice on Consumer Credit Data
 Code of Practice on the Identity Card Number and Other Personal Identifiers
 Privacy Guidelines: Monitoring and Personal Data Privacy at Work
History of the PDPO
 The PDPO came into operation in 1996
 A review of the PDPO commenced in 2006
 Octopus Card incident in 2010
 Personal Data (Privacy) (Amendment) Ordinance 2012
  Most of the changes took effect on 1 October 2012. The changes relating to direct marketing and the legal assistance scheme took effect on 1 April 2013.
 Personal Data (Privacy) (Amendment) Ordinance 2021
  The amendments aim to combat doxxing acts
Objectives of the PDPO
 Covers any data relating directly or indirectly to an individual (the data subject) and applies to any person or organization that controls the data (the data user); this includes employers holding employment-related personal data.
 Ensure compliance with the PDPO and the six data protection principles (DPPs)
 Protect the privacy interests of individuals
Office of the Privacy Commissioner for Personal Data (個人資料私隱專員公署)
 To develop and promote a culture of protection of and respect for individuals' privacy in relation to personal data
 To promote the protection of and respect for personal data privacy through publicity and education
 To facilitate the lawful and responsible use of personal data by providing guidance and best practices
 To monitor and supervise compliance through effective enforcement
 To maintain the efficacy of the regulatory regime through continuous review and enhancement, taking into account global standards for the protection of personal data privacy
Source: http://www.pcpd.org.hk
Definition - Personal Data
Personal data means any data:
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable to ascertain, directly or indirectly, the identity of the individual; and
(c) in a form in which access to or processing of the data is practicable.
Examples - name, age, HKID card number, telephone number, address, sex, salary, occupation, nationality, photos, medical records, employment records of an individual, etc.
(Case: Chow Kei Leung and The Privacy Commissioner of Personal Data (2010))

Data user (資料使用者)
 a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
Data subject (資料當事人)
 the individual who is the subject of the personal data (not necessarily the person who supplied the data to the data user).
Data subjects' rights under the PDPO
The six Data Protection Principles (DPPs) and the Ordinance give data subjects certain rights, including the right:
 to be informed of whether a data user holds their personal data;
 to access their personal data;
 to object to certain processing causing substantial damage or distress;
 to rectify personal data they consider to be inaccurate;
 not to be charged an excessive fee for a copy of their personal data;
 to complain to the Privacy Commissioner for Personal Data about any breach, and to claim damages through civil proceedings;
 to be informed at the time of collection whether their data will be used for direct marketing; and
 when their data are used for direct marketing for the first time, to be informed of their "opt-out" right free of charge, and to have the data user stop using the data for direct marketing if they opt out.
Exemptions to the PDPO
 A general exemption for personal data held for domestic or recreational purposes;
 Exemptions from the access requirement for certain employment-related personal data and relevant processes; and
 Exemptions from compliance requirements, e.g. crime prevention; security and defence; statistics and research; assessment or collection of any tax or duty; news activities; legal proceedings; due diligence exercises; emergency situations; protecting a data subject's health, etc.
Application of Exemptions
 The protection of privacy needs to strike a balance between privacy and press freedom.
(Case: Eastweek Publisher Limited and Another v. The Privacy Commissioner for Personal Data [2000])
 Although the freedom of the media is of fundamental importance to our society, unfair means of collecting personal data for news reporting purposes may still violate the data protection principles.
(Cases: Face Magazine Limited and The Privacy Commissioner for Personal Data (2012); Sudden Weekly Limited and The Privacy Commissioner for Personal Data (2012))
Six Data Protection Principles ("DPPs") of the PDPO - Schedule 1
 Principle 1 – Purpose and Manner of Collection of Personal Data
 Principle 2 – Accuracy and Duration of Retention of Personal Data
 Principle 3 – Use of Personal Data
 Principle 4 – Security of Personal Data
 Principle 5 – Information to be Generally Available (transparency)
 Principle 6 – Access to Personal Data (access and correction)
Principle 1 – Purpose and Manner of Collection of Personal Data
 Purpose: lawful, and directly related to a function or activity of the data user
 Data: necessary, adequate and not excessive
 Means of collection: lawful and fair
1. On or before collection, the data subject (資料當事人) should be informed of:
- whether it is obligatory to supply the data, and the consequences of not doing so
- (a) the purpose of use and (b) the classes of transferee
2. On or before first use, the data subject should be informed of the right to request access to and correction of the data.
Examples of Principle 1
• Unlawful means of collection – unauthorized access to another person's bank account records or credit card information is an unlawful means of collecting personal data.
• Unfair means of collection – if a company collects job applicants' personal data through a recruitment exercise when it has no genuine intention to recruit, it is using an unfair means of collecting personal data.
• Related to a function or activity – a bank should only collect information in relation to the provision of financial services to its customers, while a hospital should only collect information in respect of the provision of medical services to its patients.
• Adequate but not excessive in relation to that purpose – for the purpose of salary payment, employers may need to collect their employees' bank account numbers. However, employers should not collect other information unrelated to this purpose, such as the amount of their employees' bank deposits.
(Case: California Fitness and The Privacy Commissioner for Personal Data (2013))
Principle 2 – Accuracy and Duration of Retention of Personal Data
Personal data should be accurate, up to date and kept for no longer than necessary.
Examples of Principle 2
 Up to date – when bank customers notify their bank of a change of address, the bank should update their data as soon as practicable to ensure that the new address is used in all future correspondence with the customers.
 Accurate – when outward mail is repeatedly returned, the bank should stop using that address immediately until the relevant data have been corrected.
 Accurate – require the data subject to use BLOCK CAPITAL LETTERS when filling in a form.
 Kept for no longer than necessary – for unsuccessful job applications, employers should inform the applicants concerned of the retention period of their data. Such data should not be kept for more than two years.
Principle 3 – Use of Personal Data
Unless the data subject gives prescribed consent to the use of personal data for a new purpose, the personal data should be used only for the purpose for which they were collected (or a directly related purpose).
Examples of Principle 3
 If an organization openly posts the resume of a job applicant on its notice boards, this may be tantamount to changing the use of the data.
 The organization should
  use the resume of the applicant for recruitment purposes only; and
  not disclose the personal data of job applicants to other staff members who have no need for it.
Principle 4 – Security of Personal Data
Requires all practicable steps to be taken to protect personal data (including data in a form in which access to or processing of the data is not practicable) against unauthorized or accidental access, processing, erasure, loss or use.
Examples of Principle 4
1. Ensure staff processing the data are trained
2. Take reasonable steps to ensure the reliability of employees who have access to personal data
3. Keep files locked in a secure cabinet accessible only to authorized personnel
4. Use sealed envelopes for the transmission of personal data
5. Use a dedicated fax machine to fax confidential documents
6. Shred confidential documents before disposal
7. Use encryption, confidential mailboxes and passwords for electronic storage and transmission
8. If data processing is outsourced to a third party → adopt contractual or other means to ensure the data processor protects the data
9. Devise an action plan to deal with security breaches
10. Apply stronger security measures to sensitive data such as identity card numbers, bank account data, health data, credit card data, etc.
Principle 5 – Information to be Generally Available
Openness by the data user → personal data policies and practices are made known to the public, including the kinds of personal data held and the purposes for which personal data are used.
Examples of Principle 5
• Privacy Policy Statement
 • A general statement of an organisation's privacy policy and practices that applies to the organisation's collection, holding and use of recorded information about individuals as a whole.
 • It covers information such as the accuracy, retention period and security of the data, as well as the arrangements for data access and data correction requests.
• Under the PDPO, organisations are required to ensure that their policies and practices can be ascertained by other persons.
• Details of the policy can be published in the company's profile or on its website.
Principle 6 – Access to Personal Data
Data subjects have the rights of access to and correction of their personal data.
Examples of Principle 6
• Right of access
 • an individual can ask a credit reference agency to provide a copy of his credit records;
 • patients requesting copies of their medical records;
 • employees requesting copies of their employment-related records, such as performance appraisal reports.
• Access and correction requests – the company should comply with access and correction requests within the statutory period of 40 days. If the company is unable to comply with a request, it must reply within the same 40 days stating the reasons.
• Excessive fee – the company should not charge more than the direct cost of complying with an access request.
Best Practice – Policy Guideline
 Data are obtained and processed fairly and lawfully, for specified purposes
 Personal data shall be obtained only for one or more specified purposes
 Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed
 Ensure that they are accurate and up to date
 Erase personal data that are no longer necessary
 Keep data for no longer than necessary
 Process data in accordance with the individuals' rights
 Process data in a secure environment
 Take all reasonable steps to ensure that personal data are protected against unauthorized or accidental access
 Allow data subjects to access and correct their personal data
 Take all reasonable steps to ensure that a person can be informed of the kinds of personal data held and the main purposes for which the company uses them
Direct marketing
Under the PDPO, "direct marketing" means
 the offering of goods, facilities or services;
 the advertising of the availability of goods, facilities or services; or
 the solicitation of donations or contributions (for charitable, cultural, philanthropic, recreational, political or other purposes),
by means of (a) information or goods sent to any person by mail, fax, electronic mail or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or (b) telephone calls made to specific persons.
Use of Personal Data for Direct Marketing
Written notification to the data subject to obtain consent, with a written notice stating:
 the intention to use the data for direct marketing
 the kinds of data to be used for direct marketing
 the classes of marketing subjects (products/services)
 that the data cannot be used for direct marketing without the data subject's consent (or indication of no objection), and a free-of-charge channel through which the data subject can respond
 It is prudent to provide such information by way of a Personal Information Collection Statement (PICS).
Use of Personal Data for Direct Marketing
Use easily understandable and readable wording.
Example
• Do not use vague and loose terms like "marketing goods and/or services by us, our agents, our subsidiaries, or our partners", and do not bury the information in small print that is difficult to read with normal eyesight.
• A Personal Information Collection Statement (PICS) (收集個人資料聲明) should be written in language that is easy to understand, presented in a conspicuous manner and printed in a font size that is easy to read with normal eyesight.
(Case: Wing Lung Bank Limited and The Privacy Commissioner for Personal Data (2009))
• If consent is given orally, the data user should send a written confirmation to the individual within 14 days.
Use of Personal Data for Direct Marketing
Obligation to inform the individual of the opt-out right. The data subject may opt out at any time.
Example
When sending marketing information to a data subject for the first time, the data user should highlight this opt-out right and provide a means (e.g. a link) for the data subject to make the request. (In practice, data users often include the opt-out clause in all marketing. A data subject has the right to opt out from direct marketing at any time, notwithstanding consent given previously.)
• Maximum penalty for breach – a fine of HK$500,000 and imprisonment for up to 3 years.
Recommended Best Practices for Direct Marketing
• If a data user is unable to meet the written notification and written consent requirements, it should not use an individual's personal data for direct marketing.
• The data user should keep and update a list of individuals who have opted out from direct marketing and refrain from using their data for direct marketing.
• The data user should review its internal direct marketing policies and procedures and provide appropriate training to its staff, agents and representatives.
(Case: Richard Herman v AAC (2012))
Provision of Personal Data to Another Person for Direct Marketing
 Written notification to the data subject to obtain consent in writing, informing the data subject of: (a) the intended use of the data for direct marketing by the other person; (b) the kinds of data to be provided; (c) whether the data are to be provided "for gain"; (d) the classes of persons to which the data may be provided; (e) the classes of marketing subjects (e.g. products/services) the other person may market; (f) that the data user cannot provide the data without the data subject's written consent (or written indication of no objection); and (g) a response channel, free of charge, through which the data subject can communicate written consent or no objection.
• Use easily understandable and readable wording
• The data subject may revoke the consent at any time (opt-out)
• Maximum penalty for breach – a fine of HK$1,000,000 and imprisonment for up to 5 years (where the data are provided for gain); a fine of HK$500,000 and imprisonment for up to 3 years (otherwise than for gain).
Recommended Best Practices for Provision of Personal Data to Another Person
• The data user should consider whether it will provide the personal data of its customers and other individuals to another person for that person's use in direct marketing.
• If the data user is unable to meet the written notification and written consent requirements, it should not provide an individual's personal data to another person for use in direct marketing.
• The data user should keep and update a list of individuals who have not consented or who have revoked their consent.
• The data user should review and update its internal policies and procedures and provide appropriate training to its staff, agents and representatives.
Disclosure of Personal Data Obtained without Consent
 It is an offence to disclose personal data without the data subject's consent:
  with intent to obtain gain, or to cause loss to the data subject; or
  where the disclosure causes psychological harm to the data subject.
 Maximum penalty: a fine of HK$1 million and 5 years' imprisonment.
The Personal Data (Privacy) (Amendment) Ordinance 2021
 Effective 8 October 2021
 Objectives
  Criminalisation of doxxing acts
  Empowering the Privacy Commissioner to carry out criminal investigations and institute prosecutions for doxxing and related offences
  Conferring on the Privacy Commissioner statutory powers to demand the cessation of disclosure of doxxing messages
The Personal Data (Privacy) (Amendment) Ordinance 2021
 Section 64(3A) – first-tier offence
A person who (i) discloses any personal data of a data subject without the relevant consent of the data subject; and (ii) intends, or is reckless as to whether, any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject, is liable on summary conviction to a maximum penalty of a fine at level 6 (i.e. HK$100,000) and imprisonment for 2 years.
 Section 64(3C) – second-tier offence
A person who (i) discloses any personal data of a data subject without the relevant consent of the data subject; (ii) intends, or is reckless as to whether, any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and (iii) by the disclosure causes any specified harm to the data subject or any family member of the data subject, is liable on conviction on indictment to a maximum penalty of a fine of HK$1,000,000 and imprisonment for 5 years.
The Personal Data (Privacy) (Amendment) Ordinance 2021
Specified harm refers to:
 harassment, molestation, pestering, threat or intimidation of the person;
 bodily harm or psychological harm to the person;
 harm causing the person reasonably to be concerned for the person's safety or well-being; or
 damage to the property of the person.
Code of Practice on Human Resource Management
 Effective 1 April 2001
 Applies in three areas: recruitment, current employment and former employees' matters.
Recruitment
 Collect adequate but not excessive data
 Do not collect a copy of a job applicant's HKID card at the application stage
 Integrity checking should be for the purpose of assessing suitability, and relevant to the job
 Health information should be collected only where the health condition is an inherent requirement of the job (e.g. a pre-employment medical examination)
 Data of unsuccessful applicants may be retained for a period of 2 years from the date of rejecting the applicant
Code of Practice on Human Resource Management – Current employment
 Collect additional personal data for employment purposes
 PICS → examples: staff benefits, payroll, performance appraisal, promotion, career development.
 Disciplinary proceedings
 Obtain the employee's consent before disclosing personal data to third parties (avoid excessive disclosure)
 Monitor third parties to ensure they protect the personal data
Former employees' matters
 Keep personal data for up to 7 years
 If a public announcement is made, do not disclose the HKID number of a departing employee
 Do not provide a reference to a third party without the consent of the employee
Code of Practice on Consumer Credit Data
 Effective February 1998, revised January 2013.
 Credit reference agencies ("CRAs") provide consumer credit data (i.e. personal data collected about individuals' credit) to credit providers (e.g. banks, finance companies) for consumer credit purposes.
 Apart from using consumer credit data for credit assessment, a credit provider may use consumer credit data for debt collection.
 The Code permits credit providers to provide a customer's name and contact information, the nature of the credit and the amount to be recovered to their appointed debt collection agencies for collection against an individual in default.
 Consumer credit data must not be used for direct marketing.
 A breach of the Code by a data user gives rise to a presumption against the data user in any legal proceedings under the PDPO.
Code of Practice on the Identity Card Number and other Personal Identifiers
 Effective June 1998.
 Applies to both ID card numbers and copies of the ID card.
 Applies to other identifiers that uniquely identify individuals, e.g. passport numbers, employee numbers, examination candidate numbers and patient numbers.
Identity Card Number
 As a general rule, there is no right to compel an individual to provide an ID card number unless authorised by law. Before you collect and retain ID card numbers, you should:
1. Consider alternatives to collecting ID card numbers.
2. Check whether your collection of ID card numbers comes under one or other of the circumstances where this is permitted in the Code (e.g. keeping the ID card numbers of employees).
3. Check whether the way you collect ID card numbers ensures that they are truly the ID card numbers of the individuals providing them (e.g. the ID card is physically produced in person).
4. Check that you use ID card numbers only for one or other of the purposes permitted by the Code (e.g. a bank may use the ID card number as a key to link the records relating to a particular customer).
5. Check that you are NOT publicly displaying or disclosing ID card numbers together with the names of the ID card holders (e.g. a lucky draw announcement in a newspaper) and that you are NOT issuing cards such as staff cards with ID card numbers printed on them.
6. Check that you do not keep records of ID card numbers for longer than is necessary to fulfil the purpose for which they were collected.
Copy of Identity Card
 As a general rule, there is no right to compel an individual to provide a copy of an ID card unless authorised by law. Before you collect and retain ID card copies, please:
1. Check whether your collection of copies of ID cards comes under one or other of the circumstances where this is permitted in the Code (e.g. collecting ID card copies from employees).
2. Make sure that your collection of copies of ID cards does NOT come under one or other of the circumstances where this is specifically NOT permitted in the Code (e.g. collecting an ID card copy at the job-application stage).
3. Check that you use the ID card numbers on the copies only for one or other of the purposes permitted by the Code (e.g. a bank may use the ID card number as a key to link the records relating to a particular customer).
4. Check that you are NOT publicly displaying or disclosing ID card numbers together with the names of the ID card holders (e.g. a lucky draw announcement in a newspaper) and that you are NOT issuing cards such as staff cards with ID card numbers printed on them.
5. Check that you do not keep the copies, or records of the ID card numbers, for longer than is necessary to fulfil the purpose for which they were collected.
Employee Monitoring at the Workplace
 It is common practice for employers to monitor employees' activities at work, e.g. CCTV monitoring, telephone recording, e-mail monitoring or Internet browsing monitoring.
(Case: Chung Agnes and The Privacy Commissioner for Personal Data (2006))
 The Office of the Privacy Commissioner has issued Privacy Guidelines: Monitoring and Personal Data Privacy at Work (http://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/monguide_e.pdf).
 The Guidelines focus on telephone monitoring, e-mail monitoring, Internet monitoring and video monitoring.
Evaluating the Need for Employee Monitoring
 3As – Assessment, Alternatives, Accountability
  Assessment of the risks of employee monitoring and the benefits derived from monitoring
  Alternatives to employee monitoring, and other options that are less privacy-intrusive
  Accountability of the employer when it collects personal data through employee monitoring
Managing Personal Data Collected from Employee Monitoring
 3Cs – Clarity, Communication and Control
  Clarity about the purposes of employee monitoring and the circumstances in which it is conducted
  Communication with employees of the nature of and reasons for monitoring
  Control over the holding, possession and use of monitoring records
Privacy Policy on Employee Monitoring
Purposes of monitoring
 to facilitate efficient business operation, e.g. responding to customers' feedback/needs
 to maintain a stable e-mail service environment for communications
 to provide information for management to ensure the proper utilisation of the company's resources
Conditions of use of the e-mail facility
 the company allows reasonable and responsible use of the e-mail facility for personal purposes so long as this does not interfere with the company's normal business operations and complies with the company's current regulations.
Privacy Policy on Employee Monitoring
Circumstances under which monitoring may take place
 The company may access the contents of all work-related e-mails at any time for the purpose of maintaining smooth business operations:
  during the absence of staff
  in emergency situations
 The company reserves the right to log all outgoing and incoming e-mails (the company's property), including the addresses of the sender/recipient, date, time and message header information, etc.
Privacy Policy on Employee Monitoring
Purposes for which monitoring records may be used
 Use of information – not for advertising; for internal management purposes only
 Mention any restrictions on the handling of monitoring records, their management, and compliance with security, right-of-access and retention requirements.
 State the duration of record keeping
 Security – records are password-protected and only authorised persons can access the data
 List the consequences of violating the policy, e.g. disciplinary action, termination of employment, etc.
Technology and data privacy
The PDPO imposes no specific requirements on the use of search engines, cookies, online tracking or behavioural advertising.
Data users may adopt privacy-enhancing technologies, e.g. encryption or hashing (to maintain data confidentiality); the robots exclusion protocol (to prevent search engines from indexing websites); anti-robot verification (to stop databases from being downloaded in bulk by automation). Two caveats a practitioner should keep in mind: a plain, unkeyed hash of a low-entropy identifier (an ID card number, phone number or employee number) does not by itself keep the value confidential, because the whole space of possible inputs can be hashed and matched against the stored digests, so a keyed hash (HMAC) or tokenisation with a secret kept apart from the data is needed; and the robots exclusion protocol is advisory only, honoured by well-behaved crawlers but not an access control.
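The hashing caveat above, as an added example that is not part of the original slides: a naive "anonymisation" that stores the SHA-256 of an identifier is reversed by simply hashing every possible identifier, whereas an HMAC under a secret key resists the same enumeration while still producing a stable token that can link records (the "key to link records" use the ID card code permits). The employee-number format E00000..E99999 and the victim value are constructed sample data chosen to keep the enumeration fast; no real identifiers are used.

```python
"""Pseudonymising an identifier: unkeyed hash vs keyed hash (HMAC).

Added example, not from the original slides. All identifiers are
constructed sample data; the employee-number format E00000..E99999 is
an assumption chosen so the enumeration finishes in about a second.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed input space: 100,000 possible employee numbers.
ID_SPACE = [f"E{n:05d}" for n in range(100_000)]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: irreversible in theory, but anyone who can guess
    the input format can recompute every possible digest."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. Equal inputs still give equal
    tokens (records stay linkable), but recomputation needs the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(token: str, candidates: Iterable[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: digest every candidate (with `key` if the attacker
    has one) and return the candidate whose digest equals `token`."""
    for cand in candidates:
        digest = plain_hash(cand) if key is None else keyed_hash(cand, key)
        if hmac.compare_digest(digest, token):
            return cand
    return None


def demo() -> dict:
    """Run the enumeration attack against both schemes and report results."""
    victim = "E04217"                  # constructed sample identifier
    key = secrets.token_bytes(32)      # held apart from the pseudonymised data

    plain_token = plain_hash(victim)
    keyed_token = keyed_hash(victim, key)

    return {
        # Unkeyed hash: recovered after at most 100,000 hashes.
        "plain_recovered": recover_by_enumeration(plain_token, ID_SPACE),
        # Keyed hash, attacker without the key: enumeration finds nothing.
        "keyed_recovered_without_key": recover_by_enumeration(keyed_token, ID_SPACE),
        # Keyed hash with a guessed (wrong) key: still nothing.
        "keyed_recovered_wrong_key": recover_by_enumeration(
            keyed_token, ID_SPACE, key=b"guess"),
        # Same key, same input: the token is stable, so it still works as a join key.
        "keyed_is_linkable": keyed_hash(victim, key) == keyed_token,
    }


if __name__ == "__main__":
    print(demo())
```

The point generalises to any identifier with a small or structured space (phone numbers, ID card numbers with a known check-digit rule, dates of birth): the security of the pseudonym comes from the secrecy of the key, not from the one-wayness of the hash, so the key must be stored and access-controlled separately from the pseudonymised dataset, and a compromise of the key must be treated as a compromise of the identifiers.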

PCPD published 'Online Behavioural Tracking' (revised in April 2014), which sets out recommended practice for organisations that deploy online tracking on their websites: organisations should pre-set a reasonable expiry date for cookies, encrypt the contents of cookies and not deploy techniques that ignore browser settings on cookies.

PCPD also published the Guidance for Data Users on the Collection and Use of Personal Data through the Internet (revised in April 2014).

Source: Yuet Ming Tham, 'The Privacy, Data Protection and Cybersecurity Law Review: Hong Kong'
Technology and data privacy
PCPD published the information leaflet 'Cloud Computing' in November 2012. The revised information leaflet (July 2015) on Cloud Computing → (i) advises cloud users on privacy, on assessing the benefits and risks of cloud services, and on the implications for safeguarding personal data privacy; (ii) advises organisations on the types of assurances or support they should obtain from cloud service providers to protect the personal data entrusted to them.

PCPD published 'Tips for Using Fintech' in March 2019, which advises users on protecting their personal data privacy when using fintech and recommends good practices for fintech providers and operators.

HKMA issued a circular in May 2019 on the Use of Personal Data in Fintech Development to encourage authorised institutions to adopt and implement the Ethical Accountability Framework (EAF) for the collection and use of personal data issued by the PCPD.
Technology and data protection
 PCPD published 'Guidance on the Ethical Development and Use of Artificial Intelligence' in August 2021 to facilitate the healthy development and use of AI in Hong Kong and to assist organisations in complying with the Personal Data (Privacy) Ordinance when developing and using AI.
 Personal data are used in the development and use of AI
 Artificial Intelligence (AI) technologies involve the use of computer programs and machines to mimic the problem-solving and decision-making capabilities of human beings
 AI applications → image recognition, speech recognition, chatbots, data analytics and automated decision-making or recommendation
 Organisations using AI → business corporations (e.g. banks, health care providers), government departments and public bodies
Source: Guidance on the Ethical Development and Use of Artificial Intelligence (PCPD)
Technology and data protection
Risks of AI
 Challenges to privacy and the protection of personal data (which is involved in AI development and use) due to the increasing amount of big data generated
 The data protection risks of AI intersect with the potential ethical impact of AI
 Individuals' rights, freedoms and interests are affected by AI's automated decisions as their personal data are analysed by the AI system
 AI may undermine human rights (including the right to privacy), human dignity, individual autonomy and fairness
 Organisations that use AI may lose consumers' trust
Technology and data protection
Ethics in the development and use of AI
• Organisations should embrace good data ethics in their operations and in the development and use of AI → accountable and ethical use of AI
• Guidance notes relating to the use of AI have been published by the Global Privacy Assembly (2020), OECD (2019), European Commission (EU, 2019), UNESCO (2020), Japan (2019) and Singapore (2019).
• The EU proposed legislation on the use of AI in April 2021
• Hong Kong – 'Guidance on the Ethical Development and Use of Artificial Intelligence' (August 2021) → provides guidance on privacy and ethical practice in the development and use of AI → innovation and wider use of AI
Technology and data protection
'Guidance on the Ethical Development and Use of Artificial Intelligence' (2021) covers:
 Three Data Stewardship Values
 Seven Ethical Principles for AI
 Four major business processes
Technology and data protection
‘Guidance on the Ethical Development and Use of Artificial Intelligence’
Three Data Stewardship Values
• Being respectful of the rights, interests and reasonable expectations of stakeholders
• Being beneficial by providing benefits and minimizing harm to stakeholders
• Being fair by avoiding unjust bias and unlawful discrimination

Source: Guidance on the Ethical Development and Use of Artificial Intelligence (PCPD)
Technology and data protection
‘Guidance on the Ethical Development and Use of Artificial Intelligence’
Seven Ethical Principles for AI
• Accountability – organisations should be responsible for what they do and should provide sound justifications for their actions
• Human oversight – the level of human involvement in the operation of AI should be proportionate to the risks and impact of using AI
• Transparency and interpretability – organisations should disclose their use of AI and the relevant policies to stakeholders, while striving to improve the interpretability of automated and AI-assisted decisions
• Data privacy – effective data governance should be put in place to protect individuals' personal data privacy in the development and use of AI

Source: Guidance on the Ethical Development and Use of Artificial Intelligence (PCPD)
Technology and data protection
‘Guidance on the Ethical Development and Use of Artificial Intelligence’
Seven Ethical Principles for AI (continued)
• Fairness – unjust bias and unlawful discrimination should be avoided in the use of AI
• Beneficial AI – the use of AI should provide benefits and minimize harm to stakeholders
• Reliability, robustness and security – AI systems should operate reliably, be resilient to errors and be protected against attacks

Source: Guidance on the Ethical Development and Use of Artificial Intelligence (PCPD)
Technology and data protection

‘Guidance on the Ethical Development and Use of Artificial Intelligence’
Practice Guide - Four major business processes
• Establish AI strategy and governance
• Conduct risk assessment and human oversight
• Execute development of AI models and management of AI systems → re-assess risks when there are significant changes
• Foster communication and engagement with stakeholders → fine-tune AI systems to address stakeholders' concerns

Source: Guidance on the Ethical Development and Use of Artificial Intelligence (PCPD)
Cybersecurity and data breaches
Cyberattacks - data breaches and number of individuals affected
2018 – Marriott Hotel (383m); Twitter (330m); Facebook (140m); Uber (57m); Cathay Pacific (9.4m).
2019 – Capital One (bank) (160m); Zynga (online game developer) (218m); Facebook (419m).
2020 – Estee Lauder (440m); Microsoft (250m); Instagram, TikTok, YouTube (235m); Marriott Hotel (5.2m).
2021 – Facebook (533m); LinkedIn (500m); Clubhouse (1.3m); Air India (4.5m).
2022 – Harbor Plaza Hotel (>1.2m guests); Hong Kong Technology Venture Company Limited (HKTV) (4.38m registered customers); Marriott Hotel in Baltimore (data breach confirmed on 6 July 2022 – 300 to 400 individuals to be notified).
Cybersecurity and data breaches

Consequences of data breaches
• Damage to the company's reputation
• Loss of customers
• Loss of intellectual property
• Online vandalism
• Financial loss
• Ransom demands
Cybersecurity and data breaches

Cyberattack
Data breach → a suspected breach of the security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use.

It is not a statutory requirement for data users to inform the Privacy Commissioner for Personal Data (PCPD) in Hong Kong about a data breach incident relating to the personal data held by them, but data users are advised to notify the PCPD as a recommended practice.
Cybersecurity and data breaches
• PCPD’s Guidance on Data Breach Handling and the Giving of Breach Notifications (2015/2019) recommends notifying:
  • affected data subjects;
  • law enforcement agencies;
  • the Privacy Commissioner (a data breach notification form is available on the PCPD's website);
  • any relevant regulators; and
  • other parties (e.g. internet companies such as Google or Yahoo) who may be able to take remedial action to protect the personal data privacy and interests of the affected data subjects, for example by removing cached links from search engines.

Source: Yuet Ming Tham, ‘The Privacy, Data Protection and Cybersecurity Law Review: Hong Kong’
Cybersecurity and data protection
Security of personal data
1. Ensure staff processing the data are trained
2. Take reasonable steps to ensure the reliability of employees who have access to personal data
3. Lock files in a secured cabinet to which only authorised personnel have access
4. Use sealed envelopes for the transmission of personal data
5. Use a dedicated fax machine to fax confidential documents
6. Shred confidential documents before disposal
7. Use encryption, confidential mailboxes and passwords for electronic storage and transmission
8. If data processing is outsourced to third parties → require the data processor to offer guarantees (by contractual or other means) that the data will be protected
9. Devise an action plan to deal with security breaches
10. Apply stronger security measures to sensitive data such as identity card numbers, bank account data, health data, credit card data, etc.
Cybersecurity
• Cyber Security and Technology Crime Bureau – handles cyber security issues and carries out technology crime investigations, computer forensic examinations and the prevention of technology crime.

• Cyber Defender platforms – a cyber security information website and three social media channels (Facebook page, Instagram account and YouTube channel)

Source: Cyber Defender of Cyber Security and Technology Crime Bureau (HK Police Force)
Cybersecurity
Cyberattack
Advanced Persistent Threat attack (APT attack) – a targeted attack against a specific organisation that steals its confidential information in stages, typically gaining a foothold via phishing e-mails, phishing websites or watering-hole attacks.

Security measures: install reputable information security software and conduct system updates and scans regularly; deploy a multi-layer information security defence mechanism; restrict and manage internal sensitive data and establish monitoring and access policies; back up the company's data regularly and keep the backups disconnected from computers; control and manage employees' use of applications on company devices; educate employees about information security.

Source: Cyber Defender of Cyber Security and Technology Crime Bureau (HK Police Force)
Cybersecurity
Cyberattack
Ransomware attack – ransomware is malicious software that prevents or restricts a user from accessing a computer system, by freezing the computer's screen or encrypting the computer's files, unless a ransom is paid.

Example: in 2021 an overseas computer manufacturer was attacked by a hacker using triple extortion, involving a ransom demand of nearly 400 million Hong Kong dollars. The hacker stole product design plans shared between the company and its partner. When the company refused to pay the ransom, the hacker published its design plans online and even extorted payment directly from its partner.

Security measures: perform regular backups of important data and keep the backup copies disconnected from the computer; install the latest patches for the operating systems and software in use; keep your anti-malware program and signatures up to date; schedule a regular full scan to detect and guard against malware; do not open suspicious e-mails or instant messages, or the attachments and hyperlinks inside them; refrain from visiting suspicious websites or downloading any files from them.

Source: Cyber Defender of Cyber Security and Technology Crime Bureau (HK Police Force)
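The defensive advice above is preventive; a security team also wants to notice the "encrypting the computer's files" behaviour while it is happening. The Python below is an added example (it is not part of the Cyber Defender material and not any vendor's detection code) of the usual heuristic: a single process rewriting many files with near-random, ciphertext-like content inside a short window. The file-write events are constructed for the example, and the thresholds (20 distinct files within 60 seconds, entropy of at least 7.2 bits per byte for 80% of the writes) are assumptions to be tuned against real EDR or file-audit telemetry. Two benign cases a naive rule trips over are included: an archiver that writes a few high-entropy files, and a backup agent that touches many files whose content is plain text.

```python
import math
import random
from collections import defaultdict

# Thresholds are assumptions for this example; tune them against real telemetry.
ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted or compressed data sits close to 8.0
BURST_FILES = 20          # distinct files one process must modify ...
WINDOW_SECONDS = 60       # ... within this sliding window
HIGH_ENTROPY_RATIO = 0.8  # share of writes in the window that must look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events):
    """events: dicts {ts, pid, proc, path, data} describing file writes (ts in seconds).
    Returns one alert per (pid, proc) whose writes look like bulk encryption."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["pid"], ev["proc"])].append(ev)

    alerts = []
    for (pid, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so the window never exceeds WINDOW_SECONDS
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            files = {e["path"] for e in window}
            if len(files) < BURST_FILES:
                continue
            encrypted_looking = sum(
                1 for e in window if shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD)
            if encrypted_looking / len(window) < HIGH_ENTROPY_RATIO:
                continue
            alerts.append({
                "pid": pid,
                "proc": proc,
                "files": len(files),
                "window_start": window[0]["ts"],
                "extensions": sorted({p.rsplit(".", 1)[-1] for p in files}),
            })
            break  # one alert per process is enough; carry on with the other processes
    return alerts


def build_sample_events():
    """Constructed file-write events: one ransomware-like process and two benign ones."""
    rng = random.Random(2022)  # seeded so the sample is reproducible
    t0 = 1_660_000_000.0       # arbitrary epoch seconds for the constructed log

    def random_blob(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    text_blob = b"Quarterly sales report - figures to be confirmed by finance. " * 40
    events = []
    # 1. "locker.exe" rewrites 25 documents with ciphertext-like content in about 30 s
    for i in range(25):
        events.append({"ts": t0 + i * 1.2, "pid": 4242, "proc": "locker.exe",
                       "path": f"C:\\Users\\alice\\Documents\\report{i}.docx.locked",
                       "data": random_blob(2048)})
    # 2. an archiver writes two compressed files: high entropy, but far too few files
    for i in range(2):
        events.append({"ts": t0 + 5 + i, "pid": 3100, "proc": "7z.exe",
                       "path": f"C:\\Users\\alice\\archive{i}.7z", "data": random_blob(2048)})
    # 3. a backup agent touches 30 files quickly, but the content is plain text
    for i in range(30):
        events.append({"ts": t0 + 10 + i * 0.5, "pid": 2800, "proc": "backup-agent.exe",
                       "path": f"D:\\backup\\report{i}.docx", "data": text_blob})
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events only `locker.exe` is reported. The entropy test is what separates it from the backup agent, and the burst count is what separates it from the archiver; real deployments add further signals (a ransom-note file appearing in every directory, shadow-copy deletion, a new uniform extension) because compressed media and legitimate encryption tools can produce the same entropy profile.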
Cybersecurity
Cyberattack
Phishing attack – hackers send phishing e-mails or text messages impersonating organisations (e.g. financial institutions, public institutions, postal services, online payment service providers, online retailers or business partners), with links (or QR codes) directing to phishing websites, and trick recipients into entering login passwords, personal information, credit card details, etc. Hackers may also attach links (or QR codes or files) to the messages; if recipients click on the links or open the attachments, their devices may be infected with malware.
Security measures
• Do not open unknown e-mails or messages
• Check the sender's details
• Do not click on hyperlinks
• Do not log in to unverified websites
• Pay extra attention if you are asked for personal or credit card details
• In case of a suspected scam, save the relevant e-mails or messages and report to the police

Source: Cyber Defender of Cyber Security and Technology Crime Bureau (HK Police Force)
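"Check the sender's details" and "do not click on hyperlinks" can be applied mechanically before a message reaches a user. The Python below is an added example (not part of the Cyber Defender material and not any vendor's code) that triages one constructed phishing e-mail: it compares the sender's domain against an assumed allow-list of the impersonated organisation's real domains, extracts every link from the HTML body, and flags links that point at a bare IP address, whose visible text names a different domain from the real target, or that bury the legitimate brand as a subdomain of someone else's domain. The message, the `.example` domains, the test-network IP address and the allow-list are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: domains the impersonated organisation really sends from and links to.
TRUSTED_DOMAINS = {"hk-example-bank.example"}

# Constructed sample (RFC 2606 .example names, RFC 5737 test address); not a real message.
SAMPLE_EMAIL = """\
From: "HK Example Bank Security" <alerts@hk-example-bank-verify.example>
To: customer@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please <a href="http://203.0.113.7/login">log in at https://www.hk-example-bank.example</a> now.</p>
<p>Or use <a href="https://hk-example-bank.example.evil-host.example/reset">the secure portal</a>.</p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname: a naive stand-in for a public-suffix lookup
    (names under e.g. .com.hk need the real suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(raw_message):
    """Return the sender domain, the extracted links and a list of (code, detail) findings."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(("untrusted-sender",
                         f"display name {display_name!r} but sent from {sender_domain}"))

    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    links = extract_links(body)
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable_domain(host)
        # 1. the visible text advertises one domain while the href goes to another
        claimed = {registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)}
        if claimed and target not in claimed:
            findings.append(("text-href-mismatch", f"text shows {sorted(claimed)} but href is {href}"))
        # 2. a raw IP address instead of a hostname
        if is_ip_literal(host):
            findings.append(("ip-literal-link", href))
        elif target not in TRUSTED_DOMAINS:
            # 3. the trusted brand buried as a subdomain of an unrelated registrable domain
            if any(trusted in host for trusted in TRUSTED_DOMAINS):
                findings.append(("brand-in-subdomain", host))
            else:
                findings.append(("untrusted-link", host))

    return {"sender_domain": sender_domain, "links": links,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_EMAIL)["findings"]:
        print(f"{code:20} {detail}")
```

On the sample the sender check fires first (the display name says "HK Example Bank" but the address domain is a lookalike), then all three link checks fire across the two links. These are heuristics for triage, not proof: a message from the real domain can still be sent by a compromised account, which is why the advice above still tells users not to follow links or enter credentials even when the sender looks right.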
Cybersecurity
• Cyber incidents have increased in frequency and magnitude; cyber threats have become more complex due to the use of sophisticated techniques.
• Threats to companies, e.g. theft of information, disruption of functions, ransomware demands, destruction of hardware and software, and corruption of data.
• Financial risks
• Loss of confidentiality, integrity, critical business processes and information assets
• Operational impacts, e.g. inability to produce goods and services, system downtime, missed opportunities, and an outsized focus on incident or breach management; these impacts can be significant
• Loss of customers' trust
• Damage to the company's brand

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
Cyber incidents and cyber risks → threats to corporations
Cybersecurity → a top priority for corporate boards
Securities and Exchange Commission's proposal on ‘Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’ (March 2022) would require disclosure of:
• Policies and procedures to identify and manage cybersecurity risks
• Management's role in implementing cybersecurity policies and procedures
• Corporate directors' cybersecurity expertise, if any, and the board's oversight of cybersecurity risk
• Updates about previously reported material cybersecurity incidents

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
• The SEC's proposal has prompted discussion in boardrooms as to whether boards should appoint a board member with cyber expertise.
• Boards may increase their understanding of cybersecurity issues, and hence the level of tech-savviness in the boardroom, through:
  • Participation in ongoing organisational cyber risk governance awareness programs and board education programs
  • Presentations at board meetings by internal and external cyber risk experts
  • Industry forums and resources offered by professional associations
  • Interaction with peers serving on other boards
  • Reviews of incident responses at other companies to understand the lessons learned
  • Cyber wargames and simulations
  • Directors' colleges, executive-level programs at some universities intended for board directors and C-suite leaders

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity law
• No single statute currently deals with cybercrime in Hong Kong
• The following organisations, which are supported by the HKSAR Government, respond to cyber threats and incidents:
  • Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT, managed by the Hong Kong Productivity Council) → coordinates responses for local enterprises and internet users
  • Government Computer Emergency Response Team Hong Kong (GovCERT.HK) → a work unit under the Office of the Government Chief Information Officer that coordinates and handles incidents relating to both the private and public sectors
  • Hong Kong Police Force → Cyber Security and Technology Crime Bureau, responsible for handling cybersecurity issues and combating computer crime

Source: Yuet Ming Tham, ‘The Privacy, Data Protection and Cybersecurity Law Review: Hong Kong’
Cybersecurity law
Consultation Paper on Cyber-Dependent Crimes and Jurisdictional
Issues dated 20 July 2022
‘The Cybercrime Sub-committee of the Law Reform Commission published the Consultation Paper on Cyber-Dependent Crimes and Jurisdictional Issues today (July 20), making preliminary proposals for law reform to address the challenges to protection of individuals' rights caused by the rapid developments associated with information technology, the computer and internet, and the potential for them to be exploited for carrying out criminal activities’.

Source: HKSAR Press Release 20 July 2022 / The Law Reform Commission of Hong Kong
Cybersecurity law
Recommendations from the Law Reform Commission
• Five cyber-dependent offences:
  • illegal access to a programme or data;
  • illegal interception of computer data;
  • illegal interference of computer data;
  • illegal interference of computer system; and
  • possessing a device or data for committing a crime.
• Hong Kong courts may assume jurisdiction if the perpetrator's act has caused or may cause serious damage to Hong Kong.
• Offenders under the proposed offences could be jailed for up to 14 years, and could face life imprisonment if their acts endanger people's lives.

Source: HKSAR Press Release 20 July 2022 / The Law Reform Commission of Hong Kong
Cybersecurity
Corporations to focus on cyber risk governance → boards to oversee strategies, policies and procedures to mitigate cyber risk.
Measures to promote increased focus
• Cyber risk assessment;
• Response plan – practised through scenario or wargaming exercises to improve the corporation's ability to respond and recover in case of a cyberattack; evaluation of the plan;
• Recovery plan;
• A review team that includes senior management and each line of business and corporate function;
• Annual review of cybersecurity budgets by the board or audit committee;

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
Measures to promote increased focus (continued)
• Create a culture of awareness and accountability, and promote a culture of cyber risk consciousness as part of the overall enterprise risk management structure;
• External review of cyber risk programs (including the governance structure for cyber risk, and the strategy and implementation of mitigation controls);
• Review reports on risk assessments at third parties, e.g. vendors and suppliers in cloud, mobile, hosting and software-as-a-service arrangements (to confirm that these organisations comply with the corporation's cyber risk programs and standards).

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
National Association of Corporate Directors (NACD)
• Suggests that boards consider five cybersecurity principles in enhancing their oversight of cyber risk.
Five principles
• Cybersecurity is a risk management issue for the entire enterprise, not just a technology or IT issue;
• Boards should understand the legal aspects of cyber risks;
• Boards should have appropriate access to cybersecurity expertise and discuss cyber risk management regularly in board meetings;
• Boards should set an expectation for management to establish an enterprise-wide risk management framework that is adequately resourced;
• Boards should identify risks with management, including risk prioritisation, appetite and mitigation strategies.

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
National Institute of Standards and Technology (NIST) Cybersecurity Framework
• The NIST framework helps boards, management and stakeholders understand cyber risks and benchmark the company's approach against other companies
• The framework's core is organised around five functions
• Identify – identify cybersecurity risk to systems, people, assets, data and capabilities; focus on critical assets, the degree of exposure in the environment, threats and business impacts; understand regulatory requirements, governance, risk assessments and the risk management strategy.
• Protect – establish safeguards to limit or contain the potential impact of a cyber incident and protect critical infrastructure; develop a cyber risk management framework with appropriate controls and asset management tactics (integrated into the overall ERM and crisis management programs), including mobile and endpoint security.
• Detect – metrics for monitoring cyber key performance indicators, together with controls testing, help to detect cyber incidents.

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
National Institute of Standards and Technology (NIST) Cybersecurity Framework (continued)
• Respond – what actions to take to minimise the impact of a cyber incident? → crisis response planning → practise the response via scenario planning or wargaming. Companies may also consider when and how to engage local, national and global law enforcement resources.
• Recover – timely recovery from a cyber incident and restoration of capabilities or services; understand how other companies in the same industry activate crisis response plans and promote technical resilience.

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
Cybersecurity
An effective board in the oversight of cyber risk
• Cyber awareness from the top
• Participate in organisational awareness programs
• Demonstrate due diligence, ownership and effective governance of cyber risk
• Hold regular board and committee meetings to understand the threat landscape, business-critical risks and metrics (which may be developed for cyber risk management and mitigation, e.g. overdue security assessments, third-party incidents and recovery testing, overdue access reviews, deficient password requirements, asset threats, etc.)
• Evaluate the impact of an incident and the company's existing cyber incident response plan
• Review policies and the cyber risk framework (to create a culture of awareness and accountability) and discuss cybersecurity-related issues with the relevant people in management.

Source: Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
References
Personal Data (Privacy) Ordinance (Chapter 486)
https://www.elegislation.gov.hk/hk/cap486
Personal Data (Privacy)(Amendment) Ordinance 2021 Implementation Guideline
https://www.pcpd.org.hk/english/doxxing/files/GN_PDPAO_e.pdf
Code of Practice on Human Resource Management (PCPD)
http://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/hrdesp_e.pdf
Codes of Practice on Human Resource Management Compliance Guide for Employers
and HRM Practitioners (PCPD)
http://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/ehrm_e.pdf
Frequently Asked Questions About Recruitment Advertisements (Nov 2014)
http://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/faq_recruitment
_e.pdf
Code of Practice on Consumer Credit Data (PCPD)
http://www.pcpd.org.hk/english/ordinance/files/CCDCode_2013_e.pdf
Code of Practice on the Identity Card Number and other Personal Identifiers (PCPD)
http://www.pcpd.org.hk/english/ordinance/files/picode_e.pdf
References
Cyber Defender of Cyber Security and Technology Crime Bureau (HK Police Force)
30 Best Practices for Preventing a Data Breach, SecurityScorecard
https://securityscorecard.com
Yuet Ming Tham, ‘The Privacy, Data Protection and Cybersecurity Law Review: Hong Kong’
https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/hong-kong
HKSAR Press Releases
The Law Reform Commission of Hong Kong
Deloitte Center for Financial Services and the Deloitte Centre for Board Effectiveness
https://www2.deloitte.com/us/en/pages/center-for-board-effectiveness/articles/a-new-chapter-in-
cyber.html
Securities and Exchange Commission’s proposal on ‘Cybersecurity Risk Management, Strategy,
Governance, and Incident Disclosure’ (March 2022)
Guidance on the Ethical Development and Use of Artificial Intelligence (PCPD)
https://www.pcpd.org.hk

Written Notification Sample

We advise that we intend to sell the kinds of your personal data set out below to the classes of persons set out below for marketing of the types of goods, facilities or services, or solicitation of donations or contributions, set out below.

Kinds of personal data intended to be sold
• Name and contact details including address, telephone numbers and e-mail address
• Personal profile including age, sex and occupation
• Nature of goods, facilities or services provided by us to you
Written Notification Sample
Classes of persons to whom the data will be sold
• Banks and financial institutions
• Credit card companies
• Insurance companies
• Telecommunication companies
• Charities
• Political parties

Types of goods, services or facilities, or donations or contributions
• Financial products
• Credit cards
• Insurance products
• Telecommunication services
• Charitable donations to charities based in HK
• Contributions to political parties in HK
Written Notification Sample
RESPONSE FACILITY FOR WRITTEN CONSENT
You may consent or object to any or all of the above by completing, signing and returning this form to us or otherwise notifying us in writing.

□ I consent to the above.
□ I object to the above.
□ I object to the above in the following respects:
  in relation to the following kinds of personal data: [please complete]
  in respect of the following types of person to whom data will be sold: [please complete]
  in respect of the following types of goods, services, facilities, donations or contributions: [please complete]
Written Notification Sample

When completed, this form may be returned to our Data Protection Office at the address set out below.

Data Protection Office
[Data user]
[Address]
Hong Kong

Signed ____________________    Date ____________________