Developing Mobile Apps: Privacy Matters
Apps that respect privacy: innovative technology wins trust
Introductory Seminar on the Personal Data (Privacy) Ordinance
Surveys on the top 60 mobile apps
May 2014
• 55% provided a privacy policy
• 15% of the policies were tailor-made to the apps
• 8% of app developers had not provided sufficient details to identify themselves
May 2013
• 60% provided a privacy policy
• 8% of the policies were tailor-made to the apps
• 60% of app developers had not provided contact details
PCPD Enforcement
What are the basic data protection principles and legal requirements?
What is “Personal Data”?
“Personal Data” should satisfy three conditions:
(1) relating directly or indirectly to a living individual;
(2) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(3) in a form in which “access to” or “processing of” the data is practicable.
Data Protection Principles under the Ordinance
• The six data protection principles form the base of the Ordinance.
• Data users must comply with the six data protection principles in the collection, holding, accuracy, retention period, security, privacy policy and access to and correction of personal data.
Six Data Protection Principles (DPPs)
• DPP 1 - Purpose and manner of collection
• DPP 2 - Accuracy and duration of retention
• DPP 3 - Use of personal data
• DPP 4 - Security of personal data
• DPP 5 - Information to be generally available
• DPP 6 - Access to personal data
Principle 1
Purpose and manner of collection
• Personal data shall be collected for purposes related to the functions or activities of the data user
• The data collected should be adequate but not excessive
• The means of collection must be lawful and fair
Principle 1
Purpose and manner of collection
Data users must inform the data subject of the following immediately or in advance:
a) the purposes of data collection;
b) the classes of persons to whom the data may be transferred;
c) whether it is obligatory or voluntary for the data subject to supply the data;
d) where it is obligatory for the data subject to supply the data, the consequences for him if he fails to supply the data; and
e) the name or job title and address to which access and correction requests of personal data may be made.
Principle 2
Accuracy and duration of retention
• Data users shall take practicable steps to ensure the accuracy of personal data held by them.
• All practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose.
• If a data user engages a data processor to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.
Principle 3
Use of personal data
• Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.
“New purpose” means any purpose other than the purposes for which the data were collected, or directly related purposes.
Principle 4
Security of personal data
• All practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing, erasure, loss and use.
• Security in the storage, processing and transmission of data.
• If a data user engages a data processor to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
Principle 5
Information to be generally available
Data users have to provide:
(a) policies and practices in relation to personal data;
(b) the kind of personal data held;
(c) the main purposes for which personal data are used.
Privacy Policy
Principle 6
Access to personal data
• A data subject shall be entitled to (a) request access to his/her personal data; and (b) request correction of his/her personal data.
• Data users may charge a fee for complying with a data access request.
New Regulatory Regime of Direct Marketing
(effective from 1 April 2013)
Data User: intends to use personal data or provide personal data to another person for use in direct marketing.
Notification: provide data subjects with “prescribed information” and a response channel through which the data subject may elect to give consent. Notification should be easily understandable.
Data Subject: consent should be given explicitly and voluntarily; “consent” includes an indication of “no objection”.
Provision of Personal Data
New Regulatory Regime of Direct Marketing
(effective from 1 April 2013)
Prescribed information:
Use of Personal Data in Direct Marketing
1. The data user intends to use the personal data of the data subject for direct marketing;
2. The data user may not so use the data unless the data user has received the data subject’s consent to the intended use;
3. The kinds of personal data to be used;
4. The classes of marketing subjects in relation to which the data is to be used;
5. The response channel
Provide Personal Data to another person for Use in Direct Marketing
1. The data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing;
2. The data user may not so provide the data unless it has received the data subject’s written consent to the intended provision;
3. The provision of the data is for gain (if it is to be so provided);
4. The kinds of personal data to be provided;
5. The classes of persons to which the data is to be provided;
6. The classes of marketing subjects in relation to which the data is to be used; and
7. The response channel
Use of Personal Data in Direct Marketing
• Under the existing Ordinance, a data user must notify a data subject of his opt-out right when using his personal data in direct marketing for the first time
• Upon receiving an opt-out request, the data user must cease using the data
New Regulatory Regime of Direct Marketing
Higher Penalties for Non-Compliance
• Non-compliance: maximum fine HK$500,000; maximum imprisonment 3 years
• Non-compliance where the personal data is provided to a third party for its use in direct marketing in exchange for gain: maximum fine HK$1,000,000; maximum imprisonment 5 years
Preparing Personal Information Collection Statement and Privacy Policy Statement
What is PICS?
Complying with the notification requirements under DPP1(3)
To be provided to a data subject on or before collecting personal data directly from that data subject
How about personal data collected from third parties instead of from data subjects?
What is PICS?
Core elements specified in DPP1(3)
How should a PICS be given?
Usually it will be found in the data collection form (e.g. application form)
If personal data is collected from the data subject online, the online form should include a PICS, either as a part of its text or by means of a hyperlink
Advisable to provide a written PICS
What is PICS?
Any exceptions?
Subject to the exception where compliance would be likely to prejudice an exempted purpose specified in Part VIII in relation to DPP6 (e.g. prevention or detection of crime under section 58)
e.g. Administrative Appeals Board (AAB) no: 23/2008
Repeated collections in the same circumstances within 12 months – section 35
Details required in PICS
Statement of purpose
Example (1)
“To provide location-based weather service, the app would get user’s location and present data”
Details required in PICS
Ill-defined purposes of use:
• …….
• Other related purposes
• …..
• If you provide any personal data to us, you agree that we can use personal data about you for any purpose we choose
Details required in PICS
Statement as to whether it is obligatory or voluntary for the individual to supply his personal data
Examples
Details required in PICS
Statement of possible transferees
Ill-defined data transferees:
• any other persons under a duty of confidentiality to our company
• any company within our Group, our respective subsidiaries and any company in which the same has an interest
Details required in PICS
Statement of rights of access and correction and contact detail
Notice of contact person for requesting access or correction
Example
“You have the right to request access to and correction of information held by us about you. If you wish to access or correct your personal data, please contact our data protection officer at 1/F, No. 1 Main Road or [email protected]”
Recommendations
The language and presentation should be user-friendly
Specific PICS to be used for specific collection purposes
Statement of security measures
What is PPS?
Complying with DPP5
Should be made available AT ALL TIMES
Wider scope, which may include data retention policy, data security measures, data breach handling and use of special tools
Advisable to provide a written PPS
Recommendations
Make use of the default Privacy Policy link in the app installation page to explain to app users, prior to the installation of the app, what data your app, and where applicable, your business, would access/transmit/store/share/use and why
Recommendations
The language and presentation should be user-friendly
If the privacy policy is complicated, consider:
using a layered approach to explain the details;
the use of icons, graphics or animations to simplify the privacy policy for app users; and
providing contact details for enquiries
The good - transparent
• Available before installation
• (Nearly) a single page and in simple language
• Specific to the types of data accessed
• Assures users of what it would not do
• But – don’t copy this…
Mobile Apps and Privacy
• Transparency is central to respecting the privacy of individuals and will be rewarded with customer trust and loyalty: the cornerstone of business success
Contact Us
• Hotline - 2827 2827
• Fax - 2877 7026
• Website - www.pcpd.org.hk
• E-mail - [email protected]
• Address - 12/F, 248 Queen’s Road East, Wanchai, HK
© Office of the Privacy Commissioner for Personal Data, 2014
The above PowerPoint may not be reproduced without the written consent of the Office of the Privacy Commissioner for Personal Data.
Note: The contents herein are for general reference only. It does not provide an exhaustive guide to the application of the Personal Data (Privacy) Ordinance (“the Ordinance”). For a complete and definitive statement of law, direct reference should be made to the Ordinance itself. The Privacy Commissioner for Personal Data (“the Commissioner”) makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the above information. The contents herein will not affect the exercise of the functions and power conferred to the Commissioner under the Ordinance.