@eLaw.com.hk 葉謝鄧律師行

As organizations adopt productivity enhancement policies and require employees to account for work in terms of billable hours, management is increasingly employing technology that can monitor and trace employees workplace activities. An example of this technology would be e-mail monitoring software that may record details of outbound and inbound messages sent from, or to, an E-mail account provided by the employer for work-related purposes. While most people would concede that it is an employer's right to be able to monitor, supervise and oversee employee's workplace behaviour, the use of information surveillance technology may potentially be in conflict with the data protection.

The following reading discusses the issue of workplace privacy. The sections entitled ‘Computer Monitoring’, ‘Electronic Mail and Voice’ and ‘Workplace Privacy Protections’ are most relevant to our discussion.

‘Employee Monitoring: Is There Privacy in the Workplace?’ http://www.privacyrights.org/fs/fs7-work.htm

A cookie is a small computer file that is sent from a web server to a user's computer for future identification when the computer again visits the same web site. In keeping with Principle 1 of the Ordinance, organizations using cookies should inform visitors of this practice in their Privacy Policy Statements and inform visitors that non-acceptance of cookies may affect the functionality of the organizations’ websites.

Principle 4 of the Ordinance requires websites to adopt security measures to protect the data that they collect and transmit. Organizations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures.

As a general rule, organizations collecting detailed or sensitive personal details (such as resumes from job applicants or credit card/bank account information for service payments) are required to observe a stringent level of security (such as the use of firewalls or encryption). If transfers of sensitive personal data are not encrypted, web sites should alert users to the risks of transmission and offer alternative secure means to the users for supplying the data. Therefore, when processing sensitive information such as the financial data, medical data or person identifiers of an individual, privacy enhancing technologies must be adopted. In addition to following principle 4 of the Ordinance, there are other reasons why organizations should take measures to ensure the security of online data. A leak of a client's personal data caused by the organization's lax security may easily give rise to civil claims for compensation and criminal prosecution.

Principle 4 of the Ordinance also relates to security measure fro storing personal data Allowing uncontrolled access by Internet surfers to personal data held by an organisation could be in contravention of Principle 4. Again, a "harm test" can be applied. In addition, individuals providing personal data concerned should be fully informed at the outset about the sort of access that others may have to information that they provide.

Data Protection Principle 1 of the Ordinance provides, among other requirements, that personal data shall be collected by means which are fair in the circumstances of the case. Children and young persons are vulnerable and collecting information including personal data directly from them without appropriate parental control and supervision could be regarded as unfair collection of personal data. However, unlike America, Hong Kong does yet not have a specific legislation controlling the collection and use of personal data supplied by under age young people and children.

However, the PCO is of the view that when collecting information from children, an organization must take Principle 1 of the Ordinance into account and ensure that information is collected in ways that are ‘lawful and fair’. Sites aimed at minors are therefore strongly urged to carefully consider their policies for collecting information from young persons, and to involve parents/guardians in the data collection process.

The following links take you to privacy statements for sites aimed at young children:

· www.ctw.org/aboutus/privacy_policy.php#privacy2

· www.yahooligans.com/docs/safety/privacy.html

Notice how these statements provide guidance notes to parents on how to supervise their children when they surf the Internet.

It is quite common for websites to have long-winded privacy policy statements. There are good reasons why this is the case. In order to demonstrate their awareness of and compliance with the six key principles of the Ordinance, most organizations collecting personal data online, usually prepare and make available an easy-to-find privacy policy statement that describes the organizations data privacy protection measures.

A privacy statement usually informs visitors of the organization's privacy policies and its practices in relation to personal data (for example the kinds of personal data collected and held and the main purposes for which the data are used.) Although organizations are not required to post privacy statements on every page of their website, websites are encouraged The Office of Privacy Commissioner to have them posted in a conspicuous place. The privacy policy statement should be set up as a linked page accessible from the home page and other pages from which personal data are collected. Most privacy policies are usually accessed by a link at the bottom part of each page.

The PCO has prepared a booklet called “Preparing Online Personal Information Collection (PIC) Statements and Privacy Policy Statements (PPS)” to help websites comply with the Privacy Ordinance. This is available at www.pco.org.hk

Websites usually collect personal data from online users by asking them to complete forms.

Data Protection Principle 1 of the Ordinance requires organizations to clearly state their reasons for collecting personal data and Principle 3 states that this data can only be used for the reasons stated. Using information for any purposes that have not been stated may be in breach of the Ordinance. Therefore, websites should prepare and make available on-line a Personal Information Collection (“PIC”) Statement setting out the purposes for which the data collected are to be used. The Office of Privacy Commissioner suggests that the PIC Statement be laid out on the same web page as any personal data collection forms. However, the PIC could also be on another page, as long as it carries a clearly visible, well-described link to the page from which information is collected.

The tremendous growth in the number of people using email, has resulted in the Internet being increasingly used as a marketing tool by corporations. One of the most popular forms of e-commerce is using e-mail as a direct marketing tool.

In the past, merchants relied on direct mailing, faxes and telemarketing to conduct targeted marketing campaigns. While these marketing methods are still widely used, email is increasingly being adopted as a marketing medium because it is cheap, fast and potentially has a very wide reach. Unlike direct mailing which requires costly the production of printed materials and postage charges, a massive email marketing campaign can literally be distributed all over the world without any significant cost. Furthermore, the transmission of marketing materials by email only requires bandwidth, which is not charged according to usage volumes. The Internet therefore provides a new, easy and economical platform for direct marketing. If advertisers can also obtain spending and demographic profiles of consumers via cookie-generated profiles and/or via bought customer email lists, the potential for cheap targeted marketing is enormous.

However, Hong Kong's direct e-marketers need to be aware of data protection obligations when they are collecting, recording and using personal data via email. Hong Kong organizations must observe certain legal restrictions on data collection when compiling advertising profiles and mailing lists, and must observe the data protection principles and provisions of the Hong Kong Data Protection Ordinance when they engage in online direct marketing. Consumers also have the right to opt out of marketing that is directed towards them.

It's very likely that every time you check your email account, you will find some unsolicited ‘junk mail’, or promotional or advertising material that has been sent by a business or organization. Unsolicited electronic mail, also called "spam," is both a nuisance to Internet users and a threat to network security. Spam imposes substantial costs on Internet users and providers (especially in terms of time), and users and Internet providers have undertaken a variety of measures to reduce or stop spamming. Later in this unit (when we look at how website owners should comply with data protection laws), we will see that most attempts by users to control spamming have been counterproductive.
To find out more about spam, you can visit the following site:
www.ofta.gov.hk/junk-email/page1.htm

Let's now focus on an issue that is noted in the Yahoo privacy statement, namely the issue relating to children's use of the Internet. In particular, the question of how information is collected from children is worth examining.

Increasingly children are becoming a target for direct marketing over the Internet or television. Please elaborate on/give examples of some specific privacy issues related to kids.

The US is the largest market for electronic commerce and the White House report "A framework for Global Electronic Commerce" (dated 1 July 1997) cites as a particular concern "the use of information gathered from children, who may lack the cognitive ability to recognise and appreciate privacy concerns. Parents should be able to choose whether or not personally identifiable information is collected from or about their children". As a result of a large scale survey of websites, the US Federal Trade Commission in its "Report to Congress on Privacy Online" (dated 4 June 1998) recommended legislation that would place parents in control of the online collection and use of personal data from their children. This legislation requires that when websites collect information from kids they also need to provide notice to the children's parents and obtain parental consent. The aim of the legislation is to ensure that parents know about, and control, the online collection of information from their children.

Clicktrails are information derived from an individual's behaviour, pathway, or choices expressed while visiting a web site. They contain the links that a user has followed and are logged on the web server (the ISP's computer, for those who do not run their web server).

Clicktrails are normally used for troubleshooting and system maintenance purposes. However, clicktrails can also be misused to record profiles of the habits, tastes and online activities of an individual user. Information thereby traced (depending on the type of information) can adversely impinge on a person's privacy by targeting an individual for marketing a product or by fraudulently soliciting business from an individual. Please give some examples of how clicktrails can be used.

For more information about clicktrails, please refer to www.pco.org.hk/english/publications/guide_data_user_10.html