A new study released by the Office of the Privacy Commissioner for Personal Data assesses how well organisations in Hong Kong have implemented the accountability principle through their Privacy Management Programmes.

Between October and November 2018, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) examined 26 organisations from different sectors (including insurance, finance, telecommunications, public utilities and transportation) to understand their implementation of Privacy Management Programmes (PMPs) within their organisations. The results of the survey are now available in the 2018 Study Report on Implementation of Privacy Management Programme by Data Users, recently released by the PCPD.

The examination was part of the global Privacy Sweep exercise of the Global Privacy Enforcement Network. This is the sixth consecutive year for the PCPD to participate in the Privacy Sweep. The theme of the Privacy Sweep 2018 was ‘privacy accountability’. Eighteen privacy enforcement authorities from around the world, including the PCPD, participated in the Sweep exercise. The exercise aimed to assess how well organisations have implemented the accountability principle through their PMPs and their ability to manage privacy risk in all business processes. The organisations were selected due to their size and the vast amount of personal data held by them.

The findings show that, despite the fact that the accountability principle is not a legal requirement, the performance of the participating Hong Kong organisations in implementing voluntary PMPs is satisfactory. In particular:
  • all participating organisations have an internal data privacy policy and such policy has been embedded into their everyday practices
  • over 90% of the participating organisations have designated personnel at a sufficiently senior level responsible for privacy governance, and
  • 96% of the participating organisations ensure that their staff members are given comprehensive training to ensure their understanding of organisational privacy policies, procedures and best practices.
The findings reflect the weight given by the participating organisations to personal data privacy protection, as well as the resources they are willing to give this area. Nevertheless, the report reveals that nearly 40% of the participating organisations have room to improve in their procedures for notifying affected individuals and reporting to the regulatory authorities in the event of a data breach, and close to 20% of the participating organisations had yet to improve their personal data inventories.

‘Organisations have to accept that personal data that they hold belongs to the customers. Customers provide their personal data to organisations based on a relationship of trust. Therefore, organisations are responsible for handling personal data in accordance with three data stewardship values, namely being respectful, beneficial and fair, in order to meet customers’ expectations,’ the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Stephen Kai-yi Wong, said.

Privacy Sweep 2018 echoes the research report Ethical Accountability Framework for Hong Kong, China, under the Legitimacy of Data Processing Project, which was released in October last year by the PCPD. That report advocated the above-mentioned three data stewardship values and the goals of privacy accountability.

To assist organisations in complying with the requirements of the Personal Data Privacy Ordinance (the Ordinance) and enjoying fairness, respect and benefit with their customers and employees, the Privacy Commissioner makes the following recommendations to organisations in the implementation of their PMPs:
  • Provide adequate data protection training – organisations should ensure that their staff members understand the requirements under the Ordinance and observe the organisation’s policy in relation to personal data handling. If amendments are made to the organisation’s policy in relation to personal data handling or the Ordinance, the organisation should notify its staff immediately.
  • Conduct a regular audit – to ensure that the policies and practices of the organisations are in compliance with the Ordinance and to identify whether there is room for improvement.
  • Devise written procedures for handling data breach incidents – these should set out the factors to be considered, including the mechanism and practice for assessing whether a data breach notification should be given to affected individuals and regulatory bodies.
  • Maintain a comprehensive personal data inventory – each department of an organisation should prepare its own inventory of personal data held.
  • Maintain a record of data flow – recording data flow helps organisations to easily check and retrieve relevant information in future when necessary.
The Privacy Commissioner advocates that organisations should develop their own PMP, embrace personal data protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting with the boardroom. The Privacy Commissioner emphasises that nowadays organisations should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only. They should instead be held to a higher ethical standard, and adopt the PMP as a strategic framework to assist them in building a robust privacy infrastructure that is supported by an effective ongoing review and monitoring process to facilitate compliance with the requirements under the Ordinance.

Source: The Office of the Privacy Commissioner for Personal Data

The ‘2018 Study Report on Implementation of Privacy Management Programme by Data Users’ is available on the Office of the Privacy Commissioner for Personal Data website: www.pcpd.org.hk.

SIDEBAR: What is the Privacy Sweep?

The Privacy Sweep mentioned in this article is an annual intelligence gathering operation organised by the Global Privacy Enforcement Network (GPEN). The joint study is carried out by data protection regulators across the globe and the 2018 study looked at how well organisations have implemented the core concept of accountability into their own internal privacy policies and programmes. Globally, while there were examples of good practice, it was found that a number of organisations had no processes in place to deal with the complaints and queries raised by data subjects and were not equipped to handle data security incidents appropriately. Participating GPEN members, including Hong Kong, made contact with 356 organisations in 18 countries during the Privacy Sweep exercise and came to the conclusions set out below.
  • When it comes to monitoring internal performance in relation to data protection standards, many organisations were found to fall short, with around a quarter having no programmes in place to conduct self-assessments and/or internal audits.
  • Organisations were generally found to be quite good at giving data protection training to staff, but often failed to provide refresher training to existing staff.
  • The organisations that indicated that they have monitoring programmes in place generally gave examples of good practice, noting that they conduct annual audits or reviews and/or regular self-assessments.
  • Nearly three quarters of organisations across all sectors and jurisdictions had appointed an individual or team who would assume responsibility for ensuring that their organisation complied with relevant data protection rules and regulations.
  • Over half of the organisations surveyed indicated that they have documented incident response procedures, and that they maintain up-to-date records of all data security incidents and breaches. However, a number of organisations indicated that they have no processes in place to respond appropriately in the event of a data security incident.
The international report resulting from the latest Privacy Sweep exercise, ‘GPEN Sweep 2018 – Privacy Accountability’, can be accessed on the website of the Information Commissioner’s Office, UK: https://ico.org.uk.