A stricter regime for profiling07 June 2016
Hong Kong Issues Clearer Guidance on Privacy Notices
Broadly, a PICS statement sets out how a data subject's personal data will be collected and used by the organization. A PPS statement – which often incorporates a PICS – should also set out the organization's policies on data retention, data security, and how it will deal with requests for data access and correction. The PICS and PPS statements are required under DPP1 (which requires a data user to inform a data subject of the purpose and manner of collection of their personal data) and DPP5 (which requires a data user to take steps to ensure that a data subject can ascertain the personal data policies and practices of the data user), respectively.
When the rules on direct marketing were changed in Hong Kong on April 1, 2013, the PCPD issued guidelines to explain the changes to the Ordinance but those guidelines provided only brief details on the format and use of PICS and PPS statements. Organizations looking to engage in direct marketing activities after April 1 were required to make changes to their personal data collection statements and privacy policies to ensure compliance with the new legislation, but often struggled to do so, as guidance on the changes required was limited. These latest guidance notes help to fill that information gap.
The timing of the publication of this latest guidance note by the PCPD is also interesting. As part of a global initiative with other members of the Global Privacy Enforcement Network, the PCPD conducted an Internet Privacy Sweep in Hong Kong between May 6 and 12, 2013. That initiative examined the availability, clarity, and accessibility of the PICS and PPS statements that local providers of software applications ("Apps") give to their customers upon the installation of their Apps. While the official results of the sweep are due to be announced later this summer, the publication of this guidance note by the PCPD now, perhaps suggests that in Hong Kong at least there is a concern with the availability and clarity of PICS and PPS statements. This guidance note may be just the first step in a series of follow up actions to be taken by the PCPD on this issue.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016