LCQ10: Protection of personal data accessible in the public domain
************************************************************

     Following is a question by the Hon Charles Mok and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Raymond Tam, in the Legislative Council today (October 16):

Question:

     When the Government conducted a consultation in 2009 in respect of the review of the Personal Data (Privacy) Ordinance (Cap. 486) (the Ordinance), the Office of the Privacy Commissioner for Personal Data (PCPD) proposed that personal data available in the public domain should be exempted from Data Protection Principle 3 (i.e. personal data should only be used for the purposes for which it was collected or for a directly related purpose), but the Government considered the proposal not well justified and did not pursue the matter.  In the investigation report released by PCPD in mid-August this year, PCPD alleged that a mobile phone application, which enabled users to search litigation and bankruptcy data in a database formed by consolidating data available in the public domain, had seriously invaded the privacy of the data subjects.  Some members of the information technology (IT) industry have relayed to me that it is necessary to review the legislation on the use of data available in the public domain, as it has failed to keep up with technological developments.  Meanwhile, the Government has developed 62 mobile applications to provide services to the public, and those applications also involve access to users' data.  In this connection, will the Government inform this Council:

(a) whether it knows if PCPD has consulted the personnel and bodies of the IT industry in formulating "the Guidance on the Use of Personal Data Obtained from the Public Domain" to ensure that the Guidance is practicable; if PCPD has, of the details; if not, the reasons for that;

(b) given that making public sector information (PSI) widely available and providing PSI for free re-use to facilitate the development of online services and mobile applications have been proposed in the public consultation document on 2014 Digital 21 Strategy, whether the authorities have discussed with PCPD about the formulation of guidelines to help the IT industry to avoid invading personal privacy when using PSI; if they have, of the details; if not, the reasons for that;

(c) given the privacy legislation in some countries (such as Singapore and New Zealand) has made certain exemptions for the use of data available in the public domain, whether the authorities will review (i) the definition of "data available in the public domain", (ii) the scope of exemptions from the data protection principles, and (iii) the (explicit or implicit) purposes of making data publicly available when the Ordinance came into effect in 1996; if they will, of the details; if not, the reasons for that;

(d) whether it knows if PCPD has conducted sample checks on the ways that personal data are used by the mobile applications developed by government departments; and if PCPD has requested various government departments (and their agents) to develop the applications concerned in accordance with "Personal data privacy protection: what mobile apps developers and their clients should know"; if PCPD has, of the details; if not, the reasons for that; and whether the Government has assessed the potential risks posed by its mobile applications to the privacy of users and implemented corresponding measures; if it has, of the details; if not, the reasons for that; and

(e) whether mobile applications developed by various government departments (and their agents) have accessed users' data (including unique phone identifier, location data, account information for accessing the applications, the applications running on the mobile phone, camera/microphone function of mobile phones, SMS/MMS messages, call logs, address book, calendar details, etc.), with a breakdown of the types of personal data accessed by the name of the mobile application; whether various government departments (and their agents) have prepared privacy policy statements that are easy to find and understand, so that when users download the applications, clear explanations are given as to whether the data on the users' phones will be accessed by the applications and the purposes thereof, the types of data to be accessed and the ways that such data will be accessed; how the departments concerned (and their agents) handle the data which are personally identifiable and those which are not?

Reply:

President,

     The purpose of Data Protection Principle 3 of the Personal Data (Privacy) Ordinance (the Ordinance) is to protect the personal data of the data subject from being used for purposes not originally expected.  Data Protection Principle 3 stipulates that personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than the purpose for which the data were to be used at the time of the collection of the data or for any purpose other than the directly related purpose.

     In consultation with the relevant policy bureaux and organisations, the reply to the different parts of the question is as follows:

(a) According to information provided by the Office of the Privacy Commissioner for Personal Data (PCPD), the aim of the "Guidance on Use of Personal Data Obtained from the Public Domain" (the Guidance) issued by PCPD on August 13, 2013 is to assist data users in complying with the requirements under the Ordinance, in particular, the Data Protection Principles.  The Guidance is intended to serve as a general reference to data users when they collect and use personal data in the public domain but not for any particular industry; accordingly, PCPD has not consulted any particular industry when formulating the Guidance.  That said, PCPD will review all the guidelines issued from time to time and welcome the views and responses from various industries.  After issuing the Guidance, PCPD has organised a seminar for the Information Technology industry on August 30, 2013 to explain to the participants how the Guidance and the Ordinance apply to mobile applications.

(b) The Administration launched a Public Sector Information (PSI) portal, "Data.One" (data.one.gov.hk), in 2011 to provide PSI in digital format for free use.  The purpose is to facilitate the development of online services and mobile applications by stimulating creativity and tapping community wisdom, thereby bringing convenience to citizens, facilitating businesses and supporting academic research.  Thus far, 14 categories of datasets are available on the portal, including road traffic information, air pollution indices, weather data, geo-referenced public facility data, population census statistics, property market statistics, etc.  The data released on the portal do not involve personal privacy.

     In the 2014 Digital 21 Strategy public consultation document, the Administration proposes to make Government information already released for public consumption available in digital format by default, with a view to facilitating use by the general public.  As the data which is already released for public consumption do not involve personal privacy, the issue of personal privacy infringement does not arise.

(c) The Administration has conducted a full-scale review of the Ordinance in 2009-2010 and a public consultation exercise has been conducted. One of the issues under review and on which the public were consulted is the areas of exemption under the Ordinance, in particular whether personal data available in the public domain should be exempted from Data Protection Principle 3.  PCPD proposed that the Administration consider providing for a new exemption from Data Protection Principle 3 for personal data available in the public domain.  The Administration considered that the proposal could result in abuse in the use of information available in the public domain, such as improper use of personal data available on the Internet arising from data leakage incidents.  Therefore the Administration did not see a case to take this proposal forward and consulted the public along this line.  Among the views received, only a few expressed views on this proposal.  They either opined that the exemption proposal should not be pursued or had no comment on the proposal.  As a result, the Administration did not include this exemption in the Personal Data (Privacy) (Amendment) Bill 2011 (the Bill) submitted to the Legislative Council in 2011.  When the Bill was discussed by the Legislative Council, no exemption proposal was made.

     In addition, while the Administration noted that some jurisdictions have provided an exemption, some others such as the personal data protection laws in the United Kingdom and Australia do not provide for public domain exemption.  We do not have any plan to conduct a further review for the time being.  

(d) The Office of the Government Chief Information Officer (OGCIO) has formulated relevant guidelines on the development of mobile applications, requiring bureaux/ departments (B/Ds) concerned to strictly adhere to the Ordinance and the relevant guidelines issued by PCPD during the development process.  When developing a mobile application that involves personal data, B/Ds should conduct privacy impact assessment and adopt corresponding measures to safeguard personal data privacy.

     In order to let B/Ds have a more thorough understanding of the protection of personal data privacy in the development of mobile applications, PCPD representatives briefed B/Ds in a seminar organised by the OGCIO in 2012.  

     On November 21, 2012, PCPD issued an information leaflet "Personal data privacy protection: what mobile apps developers and their clients should know", with regard to the protection of personal data by smartphone applications.  OGCIO has also uploaded the leaflet to the intranet for reference by all B/Ds.

     In response to a joint endeavor of the Global Privacy Enforcement Network, PCPD conducted a random cursory survey on privacy policy jointly with the privacy enforcement authorities from 18 regions on May 6, 2013 to review the transparency of privacy policies of data users operating on the Internet or mobile applications.  60 smartphone applications have been surveyed by PCPD of which four were developed by or commissioned to be developed by B/Ds.  The survey result has been published on PCPD's website.

(e) The details on the types of data accessible by mobile applications developed by B/Ds (or their agents) are set out at the Annex.

     If an application developed by a B/D involves collection or use of personal data, the B/D concerned will adhere to the provisions of the Ordinance and prepare a privacy policy statement to explain whether the data on the users' phones will be accessed by the application, the purposes thereof, the types of data to be accessed and the ways that such data will be accessed.  In order to enhance the transparency of the applications, OGCIO encourages B/Ds to follow the guidelines of PCPD to prepare a privacy policy statement even where collection or use of personal data is not involved.

Ends/Wednesday, October 16, 2013
Issued at HKT 16:59
