The document discusses proper procedures and practices for handling private and confidential data according to the Personal Data (Privacy) Ordinance. It outlines the data protection principles, including collection, accuracy, use, security, and access. It emphasizes taking all reasonably practicable steps to ensure data security against unauthorized access or use, considering the data kind and potential harm, physical storage location, security measures, integrity of those with access, and secure transmission.

1. Proper Procedures and Practices in Handling Private & Confidential Data 23 May 2008 Wilson LEE Legal Counsel Office of the Privacy Commissioner for Personal Data

2. Proper Procedures and Practices in Handling Private & Confidential Data The Law Personal Data (Privacy) Ordinance, Cap. 486 Data Protection Principles – Data user cannot contravene (s.4) Major aspects governed (1) Collection (2) Accuracy and Retention (3) Use (4) Security (5) Access

3. Contravention (1) Enforcement Notice (2) Criminal Prosecution – 2 years’ imprisonment and fine $25,001-50,000. (3) Civil Claim Proper Procedures and Practices in Handling Private & Confidential Data

4. DPP4 – Security of personal data Not guarantee All reasonably practicable steps to ensure the personal data are protected against unauthorized or accidental access, processing, erasure or other use having particular regard to :– (1) The kind of data and the harm that could result if any of those things should occur; Proper Procedures and Practices in Handling Private & Confidential Data

5. (2) The physical location where the data are stored; (3) Any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored; (4) Any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (5) Any measures taken for ensuring the secure transmission of the data. Proper Procedures and Practices in Handling Private & Confidential Data

6. What kinds of data are stored? Sensitive? Confidential? – HKID No., heath condition, fingerprints… Classifying the data. Degree of harm? Proper Procedures and Practices in Handling Private & Confidential Data

7. Where are the data stored? A server, a disk, a USB? – Control by data user. Terminal in common area? Locked room. Proper Procedures and Practices in Handling Private & Confidential Data

8. Security measures incorporated into the storing equipment? System security. Encryption Downloading/copying allowed? – Absolutely necessary? Remote access – Absolutely necessary? USB? Login record System testing Proper Procedures and Practices in Handling Private & Confidential Data

9. Integrity, prudence and competence of persons having access to the data Need to know basis – Who can have access? Who can amend? Only the authorized person can have access. Access code – confidential, regular change. Security policy installed. Make sure he read your policy – Supervision, guidance, training. Third party contractor – assessment, reputation, contract terms, checks and reminders. Proper Procedures and Practices in Handling Private & Confidential Data

10. Secure transmission Electronic means – Encryption, in parcels, acknowledgement… Physical transmission - Proper labeling, sealing, in parcels, acknowledgment... Proper Procedures and Practices in Handling Private & Confidential Data

11. PCPD web site (www.pcpd.org.hk)

12. ~ END ~