Slide 1: Proper Procedures and Practices in Handling Private & Confidential Data
23 May 2008
Wilson LEE, Legal Counsel, Office of the Privacy Commissioner for Personal Data

Slide 2: Proper Procedures and Practices in Handling Private & Confidential Data
  • The Law
  • Personal Data (Privacy) Ordinance, Cap. 486
  • Data Protection Principles – a data user cannot contravene them (s.4)
  • Major aspects governed:
    (1) Collection
    (2) Accuracy and Retention
    (3) Use
    (4) Security
    (5) Access

Slide 3: Contravention
  • (1) Enforcement Notice
  • (2) Criminal Prosecution – 2 years' imprisonment and fine $25,001-50,000
  • (3) Civil Claim

Slide 4: DPP4 – Security of personal data
  • Not a guarantee
  • All reasonably practicable steps to ensure the personal data are protected against unauthorized or accidental access, processing, erasure or other use, having particular regard to:
    (1) The kind of data and the harm that could result if any of those things should occur;

Slide 5: DPP4 – Security of personal data (continued)
    (2) The physical location where the data are stored;
    (3) Any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;
    (4) Any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
    (5) Any measures taken for ensuring the secure transmission of the data.

Slide 6: What kinds of data are stored?
  • Sensitive? Confidential?
    – HKID No., health condition, fingerprints…
  • Classifying the data.
  • Degree of harm?

Slide 7: Where are the data stored?
  • A server, a disk, a USB? – Controlled by the data user.
  • Terminal in a common area?
  • Locked room.

Slide 8: Security measures incorporated into the storing equipment?
  • System security.
  • Encryption.
  • Downloading/copying allowed? – Absolutely necessary?
  • Remote access – Absolutely necessary?
  • USB?
  • Login record.
  • System testing.

Slide 9: Integrity, prudence and competence of persons having access to the data
  • Need-to-know basis – Who can have access? Who can amend?
  • Only the authorized person can have access.
  • Access code – confidential, changed regularly.
  • Security policy in place.
  • Make sure each person has read your policy – Supervision, guidance, training.
  • Third party contractor – assessment, reputation, contract terms, checks and reminders.

Slide 10: Secure transmission
  • Electronic means – Encryption, in parcels, acknowledgement…
  • Physical transmission – Proper labelling, sealing, in parcels, acknowledgement…

Slide 11: PCPD web site (www.pcpd.org.hk)

Slide 12: ~ END ~