Developing Mobile Apps: Privacy Matters

Apps That Respect Privacy, Innovation That Earns Trust

Introductory Seminar on the Personal Data (Privacy) Ordinance

Introductory Seminar on the Personal Data (Privacy) Ordinance · 2015-08-25 · Principle 4 Security of personal data • All practicable steps shall be taken to ensure that personal



Surveys on the top 60 mobile apps

May 2014

• 55% provided privacy policy

• 15% of the policies that were tailor-made to apps

• 8% app developers had not provided sufficient details to identify themselves

May 2013

• 60% provided privacy policy

• 8% of the policies that were tailor-made to apps

• 60% app developers had not provided contact details


PCPD Enforcement


What are the basic data protection principles and legal requirements?


What is “Personal Data”?

“Personal Data” should satisfy three conditions:

(1) relating directly or indirectly to a living individual;

(2) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

(3) in a form in which “access to” or “processing of” the data is practicable.


Data Protection Principles under the Ordinance

• The six data protection principles form the base of the Ordinance.

• Data users must comply with the six data protection principles in the collection, holding, accuracy, retention period, security, privacy policy and access to and correction of personal data.


Six Data Protection Principles (DPPs)

• DPP 1 - Purpose and manner of collection

• DPP 2 - Accuracy and duration of retention

• DPP 3 - Use of personal data

• DPP 4 - Security of personal data

• DPP 5 - Information to be generally available

• DPP 6 - Access to personal data


Principle 1

Purpose and manner of collection

• shall be collected for purposes related to the functions or activities of the data user

• the data collected should be adequate but not excessive

• the means of collection must be lawful and fair


Principle 1

Purpose and manner of collection

inform the data subject of the following immediately or in advance:

a) the purposes of data collection;

b) the classes of persons to whom the data may be transferred;

c) whether it is obligatory or voluntary for the data subject to supply the data;

d) where it is obligatory for the data subject to supply the data, the consequences for him if he fails to supply the data; and

e) the name or job title and address to which access and correction requests of personal data may be made.


Principle 2

Accuracy and duration of retention

• Data users shall take practicable steps to ensure the accuracy of personal data held by them.

• All practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose

• If a data user engages a data processor to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data


Principle 3

Use of personal data

• Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.

New purpose means any purpose other than the purposes for which they were collected or directly related purposes


Principle 4

Security of personal data

• All practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing, erasure, loss and use

• Security in the storage, processing and transmission of data.

• If a data user engages a data processor to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing


Principle 5

Information to be generally available

Data users have to provide

(a) policies and practices in relation to personal data;

(b) the kind of personal data held;

(c) the main purposes for which personal data are used.

Privacy Policy


Principle 6

Access to personal data

• A data subject shall be entitled to

(a) request access to his/her personal data;

(b) request correction of his/her personal data.

• Data user may charge a fee for complying with the data access request


New Regulatory Regime of Direct Marketing (effective from 1 April 2013)

Data User

• Intends to use personal data or provide personal data to another person for use in direct marketing

Notification

• Provide data subjects with “prescribed information” and response channel through which the data subject may elect to give consent

• Notification should be easily understandable

Data Subject

Consent

• Should be given explicitly and voluntarily

• “consent” includes an indication of “no objection”

Provision of Personal Data


New Regulatory Regime of Direct Marketing (effective from 1 April 2013)

Prescribed information:

Use of Personal Data in Direct Marketing

1. The data user intends to use the personal data of the data subject for direct marketing;

2. The data user may not so use the data unless the data user has received the data subject’s consent to the intended use;

3. The kinds of personal data to be used;

4. The classes of marketing subjects in relation to which the data is to be used;

5. The response channel

Provide Personal Data to another person for Use in Direct Marketing

1. The data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing;

2. The data user may not so provide the data unless it has received the data subject’s written consent to the intended provision;

3. The provision of the data is for gain (if it is to be so provided);

4. The kinds of personal data to be provided;

5. The classes of persons to which the data is to be provided;

6. The classes of marketing subjects in relation to which the data is to be used; and

7. The response channel


Use of Personal Data in Direct Marketing

• Under the existing Ordinance, data user must notify a data subject of his opt-out right when using his personal data in direct marketing for the first time

• Upon receiving an opt-out request, the data user must cease using the data


New Regulatory Regime of Direct Marketing

Higher Penalties for Non-Compliance

| Offence | Maximum Fine (HK$) | Maximum Imprisonment |
| --- | --- | --- |
| Non-Compliance | 500,000 | 3 years |
| Non-Compliance if the personal data is provided to third party for its use in direct marketing in exchange for gain | 1,000,000 | 5 years |


Preparing Personal Information Collection Statement and Privacy Policy Statement


What is PICS?

• Complying with the notification requirements under DPP1(3)

• To be provided to a data subject on or before collecting personal data directly from that data subject

• How about personal data collected from third parties instead of data subjects?


What is PICS?

Core elements specified in DPP1(3)

How should a PICS be given?

• usually will be found in the data collection form (e.g. application form)

• if personal data is collected from data subject online, the online form should include a PICS, either as a part of its text or by means of a hyperlink

• advisable to provide written PICS


What is PICS?

Any exceptions?

• Subject to the exception where compliance would be likely to prejudice an exempted purpose specified in Part VIII in relation to DPP6 (e.g. prevention or detection of crime under section 58)

• e.g. Administrative Appeals Board (AAB) no: 23/2008

• Repeated collections in same circumstances within 12 months – section 35


Details required in PICS

Statement of purpose

Example (1)

“To provide location-based weather service, the app would get user’s location and present data”


Details required in PICS

ill-defined purposes of use:

• …….

• Other related purposes

• …..

• If you provide any personal data to us, you agree that we can use personal data about you for any purpose we choose


Details required in PICS

Statement as to whether it is obligatory or voluntary for the individual to supply his personal data

Examples


Details required in PICS

Statement of possible transferees

ill-defined data transferees:

• any other persons under a duty of confidentiality to our company

• any company within our Group, our respective subsidiaries and any company in which the same has an interest


Details required in PICS

Statement of rights of access and correction and contact detail

Notice of contact person for requesting access or correction

Example

“You have the right to request access to and correction of information held by us about you. If you wish to access or correct your personal data, please contact our data protection officer at 1/F, No. 1 Main Road or [email protected]”


Recommendations

• The language and presentation should be user-friendly

• Specific PICS to be used for specific collection purposes

• Statement of security measures


What is PPS?

• Complying with DPP5

• Should be made available AT ALL TIMES

• Wider scope which may include data retention policy, data security measures, data breach handling and use of special tools

• advisable to provide written PPS


Recommendations

Make use of the default Privacy Policy link in the app installation page to explain to app users, prior to the installation of the apps, what data your app, and where applicable, your business, would access/transmit/store/share/use and why;


Recommendations

The language and presentation should be user-friendly

If the privacy policy is complicated, consider:

• using a layered approach to explain the details

• the use of icons, graphics or animations to simplify the privacy policy for app users; and

Provide contact details for enquiries


The good - transparent

• Available before installation

• (Nearly) single page and in simple language

• Specific to the types of data accessed

• Assured users what it would not do

• But – don’t copy this…


Mobile Apps and Privacy

• transparency is central to respecting the privacy of individuals and will be rewarded with customer trust and loyalty: the cornerstone of business success


Contact Us

• Hotline - 2827 2827

• Fax - 2877 7026

• Website - www.pcpd.org.hk

• E-mail - [email protected]

• Address - 12/F, 248 Queen’s Road East, Wanchai, HK

© Office of the Privacy Commissioner for Personal Data, 2014

The above PowerPoint may not be reproduced without the written consent of the Office of the Privacy Commissioner for Personal Data.

Note: The contents herein are for general reference only. It does not provide an exhaustive guide to the application of the Personal Data (Privacy) Ordinance (“the Ordinance”). For a complete and definitive statement of law, direct reference should be made to the Ordinance itself. The Privacy Commissioner for Personal Data (“the Commissioner”) makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the above information. The contents herein will not affect the exercise of the functions and power conferred to the Commissioner under the Ordinance.