Powerpoint of Ernst & Young Advisory Services Limited

Personal Data Protection and Security Measures
November 2014
Data privacy breaches do happen … Who will be next?
Number of complaints in Hong Kong
[Chart: yearly complaint figures, 1995-96 to 2012-13, annotated with notable cases (contactless smart card operator, hospital, magazine, government office employee video, deceitful data collection, six banks involved in selling data of 600,000 customers, bank retention of data for 99 years, government authority in healthcare, data leakage of 8000 students, police notebook, papers dump, fitness centre) and regulatory milestones (enactment and commencement of the PDPO, Code of Practice on Consumer Credit Data, Code of Practice on the Identity Card, consultation paper, Code of Practice on HR Management, Legislative Council Brief on the Personal Data (Privacy) (Amendment) Bill 2011, Guidelines on employee monitoring, DURS Consultation Paper, enactment of the Personal Data (Privacy) (Amendment) Ordinance 2012).]
(Source: http://www.pcpd.org.hk/english/publications/annualreport.html)
Privacy Seminar for HKU
Agenda
1. Data Privacy Regulations and Requirements
2. Information Security Measures
3. Privacy Management Program and Data Inventories
4. Practices in the University
5. Case Study
1. Data privacy regulations and requirements
‘Personal data’ means any data
(a) relating directly or indirectly to a living individual;
  ► Direct relationship; Triviality
  ► Indirect relationship; Remoteness
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  ► Practicable = reasonably practicable
  ► Take into account all relevant data controlled by the party in question
  ► Totality of such data
(c) in a form in which access to or processing of the data is practicable.
  ► Form refers to the physical shape, structure, type, etc. of the data in question
1. Data privacy regulations and requirements (cont’d)
Personal data life cycle: Data Collection → Data Storage → Data Usage / Transfer → Data Maintenance → Data Destroy
► DPP1 (Collection): This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from the subject (see PICS sample on next page)
► DPP2 (Accuracy and Retention): This provides that personal data should be accurate, up-to-date and kept no longer than necessary
► DPP3 (Use): Unless the data subject gives consent, his/her personal data should only be used for the purposes for which they were collected or a directly related purpose
► DPP4 (Security Safeguards): This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable)
► DPP5 (Transparency of Policies and Practices): This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used
► DPP6 (Access and Correction): This provides data subjects with the rights of access to and correction of their personal data
1. Data privacy regulations and requirements (cont’d)
JUPAS Personal Information Collection Statement (sample PICS)
1. Data privacy regulations and requirements (cont’d)
Practical Tips
► PICS should not be too vague or wide in scope
► Remember to put PICS in exit interviews / alumni contact forms
► Collect as little personal data as possible
► Allow certain personal data to be voluntarily collected
► HKID is considered to be sensitive personal data
1. Data privacy regulations and requirements (cont’d)
Ensure that the information collected is adequate but not excessive
Collection of personal data relevant to a recruitment exercise
► What personal data should be collected for recruiting?
  ► Work experience, job skills, competencies, academic/professional qualifications, good character and other attributes required for the job
► What should an employer collect regarding ID cards?
  ► An employer should not collect a copy of the identity card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment
► What should be asked regarding a job applicant’s family data?
  ► Employers should only ask about a job applicant’s family data when assessing conflict of interest and if there actually is the need (e.g. MPF, insurance)
► Should outside activities be recorded?
  ► Recording the details of a candidate’s outside activities and interests would be excessive unless the employer can demonstrate that such details are relevant to the inherent requirements of the job
1. Data privacy regulations and requirements (cont’d)
Practical tips
► Data retention policy
► Housekeeping of personal data such as emails
► Inform the data subject or get consent if personal data will be retained forever
1. Data privacy regulations and requirements (cont’d)
Ensure that personal data are accurate
Ensure that personal data are retained only for the amount of time necessary to complete the purpose
► What are some good ways to ensure that employee data is accurate?
  ► Employers can implement a reminder system to ask employees to report changes to their personal data. An employer can also consider providing employees with copies of employment-related data at regular intervals and inviting them to report any changes that need to be made
► What should we do with the personal data of job applicants who are rejected?
  ► According to the Code of Practice on Human Resource Management, personal data of unsuccessful applicants may be retained for a period of up to two years from the date of rejecting the applicants and should then be destroyed. Employers should also give unsuccessful job applicants the opportunity to request the destruction of their data if they do not wish them to be used for this purpose.
1. Data privacy regulations and requirements (cont’d)
Practical tips
► Privacy clauses with data processors
► Placements, internships and special classes
► Get consent from students if data are used for additional purposes
► Direct Marketing
1. Data privacy regulations and requirements (cont’d)
Ensure that personal data are only used for the purposes mentioned in DPP1
► Can an employer enter into an agreement with a credit card company to offer a credit card with special terms and conditions to its employees?
  ► Unless the employer has obtained prescribed consent, the employer should not use the employees’ data and pass them to the credit card company for marketing of the card.
► Can an employer transfer documents regarding an employee’s medical claim to its insurer?
  ► This is a directly related purpose to the original purpose for which the claim documents are collected.
► Can an employer transfer documents to the Inland Revenue Department?
  ► This is a statutory requirement for disclosure and the documents should be transferred.
1. Data privacy regulations and requirements (cont’d)
Ensure that personal data are secure
► When transferring personal data to third parties, what are some examples of protecting personal data?
  ► When mailing out documents, keep them in a sealed envelope addressed to the recipient and marked “Private and Confidential”. For email transmission, security protection software such as encryption should be used.
► What are some ways to protect electronic files of job applicants?
  ► A database comprising personal data of job applicants should be accessible only with a secure password, on a need-to-know basis.
1. Data privacy regulations and requirements (cont’d)
Data Leakage Prevention (“DLP”) Project
► Encryption of USB flash drive before any write access to the device
► Access to the USB flash drive will be protected by password and data stored in the device will be encrypted
► The software is available for download by all staff after logon to the HKU portal under the DLP Project web site
► Mandatory for all PCs that are within scope of the DLP Project
► Step-by-step guide, FAQs and software download at http://www.its.hku.hk/dlp-project/
1. Data privacy regulations and requirements (cont’d)
Ensure that the Privacy Policy Statement (PPS) is easily accessible
► A PPS should be made available to anyone, in an easily accessible manner, whether the personal data is collected by the data user in the physical world or in the online world
► If a data user operates a website, it is recommended that a web version of the PPS be made available by means of a prominent link at the top or at the bottom of the home page and every page of the website
► The PPS should be linked directly
► What goes into a good PPS?
  ► Collection of personal data from minors
  ► Cookies
  ► Retention of personal data
  ► Handling of sensitive personal data
  ► Disclosure of personal data
  ► Protection measures
  ► Outsourcing arrangement
  ► Transparency
  ► Access and correction
  ► Answering enquiries about privacy policy and practices
1. Data privacy regulations and requirements (cont’d)
Ensure that a Data Access Request (DAR) is handled according to procedure
► Create a Data Access Request Form
► Check the identity of the requestor
► Respond to a DAR within 40 days
► Keep a log book
► Charge only a reasonable fee
► Give the requestor a written notification with reasons if the DAR cannot be complied with within 40 days
2. Information Security Measures
► Data Classification: Identify / Manage / Protect Data
► Three Levels of Classification
  ► Sensitive
    ► Protected by regulations, policies or contractual agreements
    ► Unauthorized access may cause financial or reputational loss to HKU
  ► Restricted
    ► Official Use Only
    ► Protection due to proprietary, ethical or privacy considerations
  ► Public
    ► Open to Public
    ► No Restriction on Access
2. Information Security Measures (Cont’d)
Practical Tips
► Work Station
  ► Complex password
  ► Enable login password and screen saver password
  ► Logout
  ► Avoid using public computers to access confidential files
  ► Physical security
  ► Encryption
► Storage
  ► Encryption
  ► Backup
  ► Removable Storage
    ► Erase data after use
    ► Store sensitive data only when it is absolutely necessary
2. Information Security Measures (Cont’d)
Practical Tips
► Cloud Storage
  ► Privacy and confidentiality
  ► Data retention
  ► Exposure of data
  ► Data encryption
► Social Network
  ► Privacy and security settings
  ► Manage your friends
► Mobile Security
  ► Enable screen lock
  ► Encrypt data
  ► Install mobile security apps
3. Privacy Management Program and Data Inventories
Privacy Management Program (PMP)
► PCPD has advocated that identified sectors (banking, insurance and telecommunications) should develop and maintain a PMP (for the promotion of accountability)
► To ensure that appropriate policies and procedures are in place to promote good privacy practices in the following areas (Feb 2013): organization commitment, program controls, monitoring and annual review of program control effectiveness, and assessing and updating program controls
► 35 companies had pledged in Feb 2014 to implement the PMP
3. Privacy Management Program and Data Inventories (Cont’d)
Privacy Management Program (PMP) (Cont’d)
► Organization commitment
► Program controls
  ► Personal information inventory
  ► Policies
  ► Risk assessment tools
  ► Training and education requirements
  ► Breach and incident management response protocol
  ► Service provider management
  ► External communication
► Monitoring and annual review of program control effectiveness
► Assess and update program controls as necessary
3. Privacy Management Program and Data Inventories (Cont’d)
► “An organisation should know what kinds of personal data it holds (for example, personal data of employees, personal data of customers, etc.), how the personal data is being used – and whether the organization really needs it at all”
► “Every component of an accountable, effective privacy management programme begins with this assessment.” (Privacy Management Programme: A Best Practice Guide)
4. Practices in the University
► The Privacy Policy Statement: http://www.hku.hk/privacy_policy/
► Code of Practice: https://uis.hku.hk/web/gsabc/pdpo_cop.pdf (portable storage devices, incident handling / reporting and other guidelines)
► Data Collection Statement
► Statutory Data Access / Correction Request Process
► University Data Protection Officer and Personal Data Protection Coordinators
► Information Technology Services (advice / security measures / guidelines / training information): http://www.its.hku.hk/services/training/infosec/personal-dataprotection
► Central Compliance Team (compliance / monitoring)
5. Case Study
Case No.: 1997005
Employee resignation notice containing excessive data
► A company sent fax messages to its customers to inform them of the resignation of an employee.
► Included in the messages was his identity card number.
► This was done without the employee’s knowledge or consent.
► Upon enquiry by the PCPD, the company explained that the act was intended to prevent the ex-employee from soliciting business from its clients.
The Commissioner’s views on the matter
► Breach of DPP4
  ► Did not ensure personal data were protected from accidental or unauthorized use.
► Breach of DPP3
  ► When an employee resigns, the purpose of notifying customers that he has resigned is regarded as a directly related purpose.
  ► However, the personal data used for such a purpose should be limited to those data which are sufficient.
  ► Disclosing the employee’s identity card number is unnecessary.
5. Case Study (Cont’d)
Case No.: 2006014
Employee complained that her employer logged in to her computer and collected cookies without notifying her
► An organization allows its employees to have access to computers for work-related activities. The employee was assigned a user name and a password that was set by herself.
► The employee’s supervisor asked for the employee’s password, stating it was for “emergency use”.
► The supervisor then logged on to the employee’s computer using the password and collected the employee’s browsing data. The supervisor then used it as evidence that the employee had been playing online games during office hours.
► The employee complained to the Commissioner about the supervisor’s collection of the employee’s cookies.
Contravention of DPP1
► Cookies are personal data as they contained information (English name) to identify the individual, and the cookies were gathered to address the individual’s suspected breach of regulations.
► The collection of cookies by the supervisor logging into the computer with the password was inconsistent with the original purpose of collecting the employee’s password.
► The employee would not expect her supervisor to collect the cookies.
► Action taken: the organization has to stop using employees’ passwords to log in to their computers and access their browsing history, unless their prior consent is obtained.
Contravention of DPP5
► The organization had not clearly notified the employee of the purpose of employee monitoring, the monitoring activities that might be taken, or the use of the data collected.
► Action taken: the organization has to put in place monitoring and security policies and remind its employees of the policies.
5. Case Study (Cont’d)
Case No.: 1998123
Use of data obtained from the Land Registry for direct marketing purposes
The following question had been asked in this enquiry case:
Q: We are a bank. We have obtained the list of Transacted Property addresses which are issued by the Land Registry. We intend to use those Transacted Property addresses for direct marketing purposes, that is for credit card promotion, and we will also inform the occupants of those transacted property addresses that we will, without any charge to them, cease to use those data if they so request. We would therefore request your opinion on whether we can use the transacted property addresses list for our coming direct marketing campaign?
Privacy Commissioner’s preferred view and comments
► Such data are not collected or disclosed by the Land Registry for the purpose of direct marketing and hence their use for this purpose would require the prior consent, given voluntarily, of the individuals who are the subjects of the data
► Individuals with whom you do not have a past banking relationship may be surprised to receive a direct marketing approach from you and may query how you obtained their contact details
► This may result in a negative consumer reaction
5. Case Study (Cont’d)
Case No.: 2006010
Online data leakage of personal data of policyholders of an insurance company
► A database containing personal data of about 600 policyholders of an insurance company was leaked and was accessible by the public on the Internet via a website.
► The agent had uploaded and stored the personal data concerned on a web file server at his home.
► The data was therefore accessible to unauthorized persons through Internet search engines.
Contravention of DPP4
► Caused by the inappropriate giving of access to the personal data to the insurance agent.
► Although the insurance company claimed to have established guidelines and control procedures to restrict the access and transfer of policyholders’ personal data by insurance agents, the PCPD found that the alleged controls were substantially inadequate.
Action by the Privacy Commissioner
► The insurance company has to specify clearly the circumstances under which processing of policyholders’ personal data outside office premises is allowed.
Q&A