Privacy Ordinance needs Strengthening
First published: 12th March 2008
I am so glad that Eugene R. Raitt and the Hong Kong Direct Marketing Association considers that the existing Personal Data Privacy Ordinance is "fine the way it is written" (Letters, 12 March). I am sure that is a great relief to all the people whose data was leaked from the IPCC last year.
I agree with the Privacy Commissioner, Roderick Woo Bun, that the ordinance needs to be reviewed and improved. I think there are two major areas that should be updated:
- Enforcement: currently, the Commissioner can issue enforcement notices against parties breaking the ordinance, and the fines and imprisonment mentioned by Mr Raitt can only be imposed if the notice is ignored. Unfortunately, in the case of data leaks, the damage has already been done. No-one was held responsible and punished for the IPCC case. We should be sending a strong message to those that take care of our data that they have a responsibility for ensuring its security.
- Exemptions: I agree that our Legislators were probably targeting the ordinance at organisational misuse of personal data when they wrote the ordinance, but the Information Society has empowered as all - including empowering us with the capability to misuse personal data in very damaging ways. We should review the broad exemption for recreational and domestic purposes. As a Society, we need to consider what we think is appropriate behaviour, for example, when someone picks up a lost memory card and finds it contains personal data - whether that is financial records, medical records, or nude photos; should they try to return it to the owner, or broadcast it to the the world? Should we have laws that punish them for broadcasting the personal data?
Finally, can I remind Mr Raitt that the ordinance is not targeted at his responsible members, as we have seen from the IPCC case, the recent nude photos cases, and from the massive data leaks in the USA and UK, many people and organisations are holding, processing, and sometimes mis-handling, personal data. We need effective regulation of this.