**************************************************
Following is a question by the Hon Tsang Yok-sing and a written reply by the Secretary for Home Affairs, Dr Patrick Ho, in the Legislative Council today (October 25):
Question:
At present, after a member of the public has lost or sold his mobile phone, the personal data in the phone may possibly be abused, for instance, being made public on the Internet, by the person who gets hold of the phone. In this connection, will the Government inform this Council whether it plans to enact legislation to criminalise the act of abusing other people's data in mobile phones, so as to enhance the protection of individual privacy; if so, of the progress of its plan; if not, the reasons for that?
Reply:
Madam President,
There are existing protections and remedies against the abuse of other people's data stored in mobile phones. Depending on the circumstances involved, unauthorised use, including disclosure, of personal data stored in a mobile phone may attract both civil and criminal liabilities under existing legislation.
The obtaining, retention and disclosure of personal data contained in a mobile phone is subject to the regulation and controls of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). A data user is prohibited under section 4 of the PDPO from doing an act, or engaging in a practice, that contravenes the data protection principles (DPP) set out in Schedule 1 of the Ordinance, unless the act or practice is permitted under the Ordinance.
DPP 1 requires, among other things, that the collection of personal data must be conducted by lawful means and be fair in the circumstances. The data user is also required to take all practicable steps to ensure that the data subjects are informed of the purpose of data collection on or before the collection. While each case will be determined on the facts of the case, in general the obtaining of the personal data in the circumstances described in the question will likely be in breach of these requirements.
DPP 2 requires, inter alia, that personal data should not be kept longer than is necessary for the purpose for which they are collected. Again, the retention of the personal data in the circumstances described in the question will likely be in breach of such requirement.
As for disclosure, DPP3 requires a data user to obtain the data subject's consent before using the latter's personal data for any purposes other than those for which the data were to be used at the time of collection. Again, the unauthorised upload or disclosure in the circumstances described in the question will likely be in breach of such requirement.
Under the PDPO, the Privacy Commissioner may serve an enforcement notice on a person who has contravened the requirements stipulated in the Ordinance. Contravention of an enforcement notice is a criminal offence. The offender is liable on conviction to a fine at level 5 and to imprisonment for two years; and in the case of a continuing offence, to a daily penalty of $1,000. Moreover, an affected person who suffers damage because of a contravention of the requirements under the PDPO is also entitled to compensation (including compensation for injury of feelings) from the person who contravened the PDPO requirements.
We are reviewing the PDPO and will take into account public views and the Honourable Member's concerns in considering whether additional legislative sanctions are required for protection of individual privacy against unlawful collection and disclosure of personal data, including circumstances described in the question.
Ends/Wednesday, October 25, 2006
Issued at HKT 12:40
NNNN
