Privacy Law Resources
Cyberspace Law and Policy Centre
University of New South Wales
Symposium ~ Interpreting Privacy Principles: Chaos or Consistency?
17 May 2006, 9:00 a.m. - 12:30 p.m.
Australian Graduate School of Management’s Sydney CBD venue,
Level 6, 1 O’Connell Street, Sydney
Issues the Privacy Commissioner’s Office has faced in Communicating our Interpretation of DPP
Roderick Woo, Hong Kong Privacy Commissioner
Mr Chairman, Distinguished Guests, Ladies and Gentlemen,
I have been asked by Professor Greenleaf to comment briefly on the issues the Office of the Privacy Commissioner for Personal Data in Hong Kong has encountered in communicating our interpretation of Hong Kong’s Data Protection Principles (“DPP”) and the approaches we have taken to disseminate our understanding. I am not sure how our experience in Hong Kong can apply elsewhere although I am sure you will be able to identify with some of the issues I will touch upon. The Personal Data (Privacy) Ordinance of Hong Kong makes reference to 6 DPP which distill the essence of its provisions.
My office will have been in operation for 10 years come December. In the period up until March end 2006 we have dealt with 6718 complaints and 153,323 enquiries. So, we have some experience upon which to base our interpretation of the DPP. As time is short, I shall on this occasion mention four issues we have dealt with in interpreting the DPP.
1 First, trying to communicate the core ideas of our personal data privacy law to the mass. The citizens of Hong Kong no more carry their privacy rights around in their head than they do any other set of rights. Our research shows that they do not have a good recall of their rights unless prompted. Having said that, they do exhibit a very high level of awareness of personal data privacy in its most generic sense.
The substance of the DPP does not therefore readily lend itself to mass communication and that is the first hurdle we face.
2 Secondly, over the course of the years there have not been many judicial precedents to assist us in our interpretation of the DPP. Professor Greenleaf has already made mention of the Eastweek case. Other rulings have dealt with exemptions, for example, what constitutes “seriously improper conduct” under Section 58 (Crime etc.) and the “lawful and fair collection” of personal data using clandestine means.
I should perhaps add that those dissatisfied with the decisions of the Privacy Commissioner may appeal a decision to the Administrative Appeals Board (“AAB”) in Hong Kong. There have been 86 appeals to date of which 78 have been dismissed, withdrawn or struck out. However, rulings in some cases have been beneficial in confirming our views e.g. failure on the part of a complainant to name “a data user specified under the complaint” as required under Section 37.
3 The third issue we face is that there is, partially out of ignorance, a view in some quarters that the Privacy Commissioner is both omnipotent and omniscient, a person who can and should single-handedly right all of the citizens grievances on privacy issues. Our interpretation of the DPP leads to a good proportion of complaints being filtered out because there is no prima facie case, and/or because the contravention of the provision of the Ordinance was due some one-off human failings. This can and does cause frustration to complainants. It is a continuing challenge for us to manage public expectations of our role and powers. Let me elaborate on two false impressions that have some currency in Hong Kong.
❑ The first of these is that my Office deals in privacy per se whereas our remit is restricted to personal data privacy.
❑ The second of these is that any dispute an individual has with another party, that has the most tenuous of links with personal data, should automatically be laid at my door. This mistaken impression is most evident in cases in Hong Kong that involve disputes between employer and employee.
It has been said that perception is reality and that is the situation we have to deal with because unless it is addressed there will only be a widening of the expectations gap.
4 Finally, even if we were able to comprehensively understand all aspects of the interpretation of the Ordinance we would confront problems in terms of formulating communications strategies to convey that understanding. Why? Because our budget for communications and related activities is woefully inadequate. In the current financial year our budget for communications is just HK$957,000 which is less than 3% of our annual budget. Restrictive as the budget is we have tried not to let financial considerations defeat us.
What sorts of interpretations typify the majority of cases with which we deal? These would tend to fall into one of two categories:
❑ DPP 1 ~ Purpose and manner of collection of personal data
❑ DPP3 ~ Use of Personal Data.
In the year ending March 2006, DPP1 and DPP3 accounted for no less than 66% of all complaints cases handled.
A good example of the interpretation of DPP3 is illustrated by the concept of “directly related purpose.” We receive quite a number of complaints the substance of which is that complainants object to their bank transferring personal data collected by the bank to a third party debt collector to recover a debt. Our interpretation of DPP3 is that where an individual seeks the services of a bank commercial reality necessitates the recovery of any debts and this constitutes a directly related purpose. As a result, we have taken a consistent stand on the matter. Indeed, it is consistency in our interpretations that is central to the work of our Operations team. If inconsistencies are allowed to arise in the way in which we interpret the DPP then this is something that is likely to invite trouble.
Apart from the concept of a directly related purpose, the notion of what does, or does not, constitute “lawful and fair collection” has also been the subject of dispute. The issues posed by this principle have received considerable attention recently as the Government is intent upon introducing The Interception of Communications and Surveillance Bill which, under specified circumstances, permits the use of covert surveillance to collect evidence. My office has already made a detailed submission of its views on the Bill to the Government. Some of those views have been echoed by Legislative Council members who claim that clauses of the Bill violate Hong Kong’s Bill of Rights.
The interpretation given to another principle, “a reasonable manner” is also worthy of mention in connection with making a request for data access or correction. Some data subjects hold the mistaken view that their DAR rights entitle them to copies of everything and anything that may contain a direct or indirect reference to them. The problems that this mentality generates have led a local chapter of a foreign chamber of commerce to allege the unreasonableness of some data subject requests for example, employees contesting the accuracy of comments made in relation to a performance appraisal exercise, placing onerous and disproportionate demands upon the data user. A previous AAB ruling has expressed sympathy with this view, deprecating the use of the Ordinance as a “tool of oppression or revenge.”
I am not sure whether the following measures qualify for the title of ‘novel,’ which is what Professor Greenleaf asked for, but here are some of the steps we have taken to try to clarify our interpretation placed upon the DPP which, it should be noted, are principles and not incontrovertible laws set in stone. Let me begin with the Operations Division.
How do they uphold consistency in their day-to-day case handling?
1 In our dealings with bona fide complaints and enquiries we make a standard practice of explaining those DPP that relate to the nature of the complaint in any correspondence with the complainant. This informs the individual of that aspect of the Ordinance that we see as being applicable given the nature of the complaint. Where complainants have misconstrued the applicability of a DPP or provision in relation to their complaint we endeavour to correct this with a justification. Again, we seek consistency in the type of justification we offer complainants.
2 Secondly, we publish anonymised versions of complaint cases on our website. This is intended to do two things. First, it is a means of conveying the notion of consistency and second it is a mechanism by which we demonstrate our thinking in relation to events that are of an unusual or catastrophic order e.g. SARS, and the Asian tsunami.
If, I now turn to our Corporate Communications Division, then what we have done to convey both the substance of the DPP, and our interpretation of them, amounts to a bit of marketing. We realize that it is not possible to convey the same message to everyone and for that reason we have segmented the market so that we target different segments with different messages. Those messages, and the vehicles used to deliver them, are tailored for audiences as diverse as practicing lawyers and primary school children.
So what sorts of approaches have we adopted towards communicating with the public? Let me say that, given the different characteristics of the audiences we endeavour to appeal to, effective communication is a matter of tailoring the message to the market.
First, the Legal and Personal Data Practitioner Audience
In this segment of the market we have …
1 … developed a case notes and AAB rulings reporting system on our website which we periodically update to reflect contemporary issues. The contents of these cases and rulings appear to us to reinforce the conventional wisdom we have adopted in interpreting the DPP. Incidentally, we also publish the AAB rulings on both our Office website and, through the commendable efforts of Professor Greenleaf, on the World LII site.
2 Second, in two or three months time we will be publishing a legal book under the title: Data Protection Principles in the Personal Data (Privacy) Ordinance ~ The Privacy Regulator’s Perspective. The 6 DPP form the framework of this book which reports on the views expressed on the application of the principles and provisions of the Ordinance. In addition it depicts the regulatory stance taken by the Commissioner’s Office, in relation to the facts and evidence presented in the course of handling complaints.
It is a document that contains a fair amount of legal details and in-depth analysis and serves as useful reference material for legal professionals, academics and data users who wish to have a deeper understanding of the interpretation given by my office to the Ordinance.
3 Thirdly, since 2000 we have operated a Data Protection Officers Club which meets two or three times a year. Members are invariably data protection officers and meetings offer the opportunity for my office to:
• update members on Codes of Practice and recent developments in personal data privacy;
• explain our interpretation of the DPP in complaint cases that we handle; and
• offer a forum in which to share experience between club members in both the public and private sectors. We also invite guest speakers to address specific issues e.g. the handling of personal data in the Human Resource Management context and identity theft.
With this sector of the public we can, and do, deal with more complex privacy issues in a more intellectual, and more often than not, legalistic manner.
If I turn to the Children and Youth Audience then our approach is fundamentally different. Here we have used a range of activities to stimulate awareness, interest and understanding. We seldom go so far as to explain to them our interpretation of the DPP. Our primary objective is to win young hearts and minds. How have we done this?
1 First, we visit primary schools with a road show that features a popular children’s entertainer who puts across a much simplified privacy message to children using, humour, music, puppets and games. This has been enormously successful with school principals and children alike, so much so that we are producing a DVD of the show so that we can reach all primary school pupils. There are over 500 primary schools in Hong Kong. So far we have staged the show at 50 of them. Given the resources at our disposal I think this is not bad.
2 Second, in Hong Kong secondary schools there are two syllabuses called Economics and Public Affairs and Government and Public Affairs. These syllabuses examine economic, political and social institutions and contemporary issues. They endeavour to instill in pupils social values that will make them more rounded and responsible citizens. We are actively seeking to get treatment of personal data privacy issues included on those syllabuses.
3 Third, we have targeted secondary school pupils and youth audiences with website and poster design competitions which require, on their part, a reasonable understanding of the DPP. Again, these competitions have proved to be very popular.
In February 2005 we developed an online seminar titled “Introduction to the Personal Data (Privacy) Ordinance” which is designed to give the general public a better understanding of its provisions. The seminar acts as a self-administered training tool that can be paced to suit the needs of the individual. The content is presented with a voice over and sheds light on the DPP with illustrative examples of their application.
I am beginning to think of other ways, besides soft strategies, to address some of the issues we face. This is because we continue to see examples of an almost complete absence of due diligence in certain sectors of our community in conforming with the DPP. There is little point in concentrating exclusively on communicating our interpretation of the DPP if a considerable number of data users are not paying sufficient attention to them. In this instance it is questionable as to just how effective the sorts of communication programmes I have outlined are likely to be with the more recalcitrant, or more negligent. I feel that the time has come for my office to come up with something more persuasive.