Letters | Why Cathay Pacific data breach warranted an investigation from the outset, not a compliance check
- While compliance checks are useful for relatively minor breaches, they need not precede an investigation in serious cases, former privacy commissioner says
- Hong Kong’s privacy watchdog should make public the outcome of more compliance checks
Organisations’ failure to cooperate with the commissioner during the investigation, including the giving of false or misleading information, is a criminal offence. Organisations found to have contravened the ordinance are subject to an enforcement notice, issued by the commissioner to remedy the contravention, non-compliance with which is also an offence. The ordinance was reinforced in 2012 to enhance the effectiveness of these enforcement measures.
By contrast, compliance checks are administrative arrangements lacking the above sanctioning powers. Organisations are not criminally liable for misleading statements. The commissioner would not determine whether there was a contravention of the ordinance and the case would normally be closed if the organisation involved promised to follow the commissioner’s advice for improvement.
Secondly, where serious breaches are brought to light by third-party sources, it is fair to ascertain facts from the organisations concerned through compliance checks before deciding whether to initiate an investigation.
To impose a compliance check as a prerequisite was a business-friendly approach, but it may not meet the aspirations of the individuals whose privacy right the commissioner is statutorily required to protect. There were notable examples from 2010 to 2015 in which self-initiated investigations were not preceded by compliance checks.
Allan Chiang, former Privacy Commissioner for Personal Data (2010-2015)