HK Commissioner covers privacy in a democracy and management advice in his end of term statement

Allan Chiang, Hong Kong’s Privacy Commissioner for Personal Data, announced the end of his five year term of office today with a statement reviewing some highlights. He referred to tensions between privacy and freedom of the press. He has recently appealed to the government for adopting a more proactive approach in introducing legislative and administrative measures to safeguard against misuse of personal data in public registers. He wrote that “we are not promoting privacy as an absolute right” but warned against function creep as a risk in the use of public registers beyond their original purpose.

As the Privacy Commissioner has both advocacy and enforcement roles, “Hong Kong is fortunate that the Personal Data (Privacy) Ordinance provides for the Privacy Commissioner to operate independently as a statutory authority.”

In a rather unusual statement for a privacy commissioner about the balance between privacy, freedom of expression, and democratic values, Chiang states that “Privacy provides both the boundaries of and protection for the space in which we can be ourselves. Privacy nurtures self-expression, creativity, speaking your mind, associating with whomever you wish, and pursuing your interests…. In the worst case scenario of insufficient protection of privacy, we may exercise restraint when we participate in society at large and adapt our behaviour both online and offline. This will jeopardise the very foundation for an open and healthy democracy.”

Message to top management

He addresses a message that privacy and data protection demands the attention of top management and cannot be regarded as merely a legal and compliance issue. Companies should be “proactive and preventative, rather than reactive and remedial.” He sees privacy protection as part of corporate governance, a business imperative throughout organisations. He states that there is a need to make a strategic shift from compliance to accountability. ”This entails the adoption of holistic and encompassing privacy management programmes that ensure robust privacy policies and procedures are in place and implemented for all business practices, operational processes, as well as product and service design.”

Media coverage of his decisions and naming organisations suffering data breaches have had a major impact on corporate and public awareness. He has maintained the flow of policy guidance which in the last two weeks alone has included advice on:

  • Guidance on collection and use of biometric data
  • Excessive and unfair collection of employees’ fingerprint data
  • The use of recruitment advertisements as a method for collecting personal data which breaches the principle of fair collection
  • Privacy concerns about use of cloud services, and
  • Privacy concerns about smart phones.