bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

authorLocations

authors

paywallTypes

corrections

sponsorType

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

SCMP Reporter

The Privacy Commissioner has urged the government to give serious consideration to making unauthorised sales of personal data a criminal offence.
Roderick Woo Bun, who is investigating the HK$44 million sale of the details of 1.9 million Octopus Card holders, said it should do this as part of a review of the privacy law, which is now under way.
Under the law as it stands, the sale of personal data by data users for profit without the consent of the subject is not a criminal offence and there is no penalty for misuse of personal data in direct marketing.
An offence is committed only if a person does not comply with an enforcement notice issued by the privacy watchdog after investigation. 
But in Britain, unlawful obtaining, disclosure or sale of personal data is an offence under the Data Protection Act.  
'The government should consider introducing a law to regulate transfer of personal data for sale,' Woo said at a media lunch yesterday. 'The Octopus incident has [shown] that personal data has become a valuable commodity in the market, about which the public has great concern,' he said.
Woo, who will finish his five-year term on Saturday, said he hoped his successor would encourage and assist the government in reviewing the privacy law. 
His views were backed by lawmaker Wong Kwok-hing who said there was a pressing need for such a law. 'It is very clear that there are too many grey areas and loopholes in the existing privacy law, and the penalties that exist are not stiff enough to deal with contravention of data protection principles,' he said.
Wong will move a motion in the Legislative Council in October calling for stiff laws and regulation on the transfer of personal data on Octopus Cards or other stored-value travel and shopping cards. He said the government should not delay in submitting new legislation to plug the loopholes. 
A three-month public consultation on the review of the Personal Data (Privacy) Ordinance  was completed eight months ago but there have still been no reports or recommendations. 
The Constitutional and Mainland Affairs Bureau  said it was analysing and consolidating views received in about 170 written submissions. 
'When we have general directions on the way forward, we will arrange for further public discussions on possible legislative proposals,' a spokeswoman said.
The consultation invited views on whether contraventions of data protection principles should be an offence, whether the privacy commissioner should have the power to fine offenders, and whether there should be a penalty for misuse of personal data in direct marketing. 
The privacy commissioner has also proposed that he should be able to provide legal assistance to help people seek compensation for such breaches. 
Human Rights Monitor director Law Yuk-kai  said it was very important that the watchdog should provide legal assistance. 'This can help in the pursuit of justice through bringing test cases to court,' Law said 
While the present law allows people to seek compensation in civil cases, there have been no court awards for privacy breaches since the law was enacted in 1996.
Meanwhile, Wong said he was helping  several complainants to apply for aid from the Consumer Council's legal action fund, to seek compensation from the Octopus card issuer for the sale of personal data to its merchant partners such as insurance companies. 
But the council said yesterday that it had so far received no such application.
Octopus has come under heavy criticism since Octopus Holdings chief executive Prudence Chan Bik-wah  disclosed on Monday that the card issuer had not only been passing personal details of holders to its partners in a rewards scheme but had made HK$44 million in the past 41/2 years from selling the data.
Who do you turn to? 
What to do if your personal data has been misused 
At the Privacy Commissioner's office 
- file a complaint 
- seek resolution through  mediation 
- if that fails, a formal  investigation is begun  
- enforcement notice may be  issued; failure to comply may  lead to HK$50,000 fine and  two years in jail 
Seek redress through civil proceedings 
- sue for compensation if  you suffer any damage,  including emotional distress   
- results of the privacy  commissioner's  investigation cannot be  used as evidence
- privacy commissioner is  not empowered to provide  legal assistance 
Commissioner's proposed changes to privacy law in 2009 
- criminalise unauthorised  collection of, disclosure and  sale of personal data 
- increase penalty for misuse  of personal data 
- offer legal assistance to help  victim seek compensation 
- impose heavy fines for  serious data violations 
SOURCE: OFFICE OF THE PRIVACY COMMISSIONER 



Make illegal sale of data an offence, privacy chief says