


Electronic monitoring and workplace surveillance

As organizations adopt productivity enhancement policies and require employees to account for work in terms of billable hours, management is increasingly employing technology that can monitor and trace employees' workplace activities. An example of this technology would be e-mail monitoring software that may record details of outbound and inbound messages sent from, or to, an e-mail account provided by the employer for work-related purposes. While most people would concede that it is an employer's right to be able to monitor, supervise and oversee employees' workplace behaviour, the use of information surveillance technology may potentially be in conflict with data protection.

The following reading discusses the issue of workplace privacy. The sections entitled ‘Computer Monitoring’, ‘Electronic Mail and Voice’ and ‘Workplace Privacy Protections’ are most relevant to our discussion.

‘Employee Monitoring: Is There Privacy in the Workplace?’ http://www.privacyrights.org/fs/fs7-work.htm

Be open about the use of cookies

A cookie is a small computer file that is sent from a web server to a user's computer for future identification when the computer again visits the same web site. In keeping with Principle 1 of the Ordinance, organizations using cookies should inform visitors of this practice in their Privacy Policy Statements and inform visitors that non-acceptance of cookies may affect the functionality of the organizations’ websites.

Ensure security of data

Principle 4 of the Ordinance requires websites to adopt security measures to protect the data that they collect and transmit. Organizations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures.

As a general rule, organizations collecting detailed or sensitive personal details (such as resumes from job applicants or credit card/bank account information for service payments) are required to observe a stringent level of security (such as the use of firewalls or encryption). If transfers of sensitive personal data are not encrypted, web sites should alert users to the risks of transmission and offer alternative secure means to the users for supplying the data. Therefore, when processing sensitive information such as the financial data, medical data or personal identifiers of an individual, privacy enhancing technologies must be adopted. In addition to following Principle 4 of the Ordinance, there are other reasons why organizations should take measures to ensure the security of online data. A leak of a client's personal data caused by the organization's lax security may easily give rise to civil claims for compensation and criminal prosecution.

Principle 4 of the Ordinance also relates to security measures for storing personal data. Allowing uncontrolled access by Internet surfers to personal data held by an organisation could be in contravention of Principle 4. Again, a "harm test" can be applied. In addition, individuals providing personal data should be fully informed at the outset about the sort of access that others may have to information that they provide.

Giving special regard to youth and children

Data Protection Principle 1 of the Ordinance provides, among other requirements, that personal data shall be collected by means which are fair in the circumstances of the case. Children and young persons are vulnerable, and collecting information including personal data directly from them without appropriate parental control and supervision could be regarded as unfair collection of personal data. However, unlike America, Hong Kong does not yet have specific legislation controlling the collection and use of personal data supplied by under-age young people and children.

However, the PCO is of the view that when collecting information from children, an organization must take Principle 1 of the Ordinance into account and ensure that information is collected in ways that are ‘lawful and fair’. Sites aimed at minors are therefore strongly urged to carefully consider their policies for collecting information from young persons, and to involve parents/guardians in the data collection process.

The following links take you to privacy statements for sites aimed at young children:

· www.ctw.org/aboutus/privacy_policy.php#privacy2

· www.yahooligans.com/docs/safety/privacy.html

Notice how these statements provide guidance notes to parents on how to supervise their children when they surf the Internet.

Post clear privacy policy statements

It is quite common for websites to have long-winded privacy policy statements. There are good reasons why this is the case. In order to demonstrate their awareness of and compliance with the six key principles of the Ordinance, most organizations collecting personal data online usually prepare and make available an easy-to-find privacy policy statement that describes the organization's data privacy protection measures.

A privacy statement usually informs visitors of the organization's privacy policies and its practices in relation to personal data (for example, the kinds of personal data collected and held and the main purposes for which the data are used). Although organizations are not required to post privacy statements on every page of their website, websites are encouraged by the Office of Privacy Commissioner to have them posted in a conspicuous place. The privacy policy statement should be set up as a linked page accessible from the home page and other pages from which personal data are collected. Most privacy policies are usually accessed by a link at the bottom part of each page.

The PCO has prepared a booklet called “Preparing Online Personal Information Collection (PIC) Statements and Privacy Policy Statements (PPS)” to help websites comply with the Privacy Ordinance. This is available at www.pco.org.hk

Prepare personal information collection (“PIC”) statements

Websites usually collect personal data from online users by asking them to complete forms.

Data Protection Principle 1 of the Ordinance requires organizations to clearly state their reasons for collecting personal data and Principle 3 states that this data can only be used for the reasons stated. Using information for any purposes that have not been stated may be in breach of the Ordinance. Therefore, websites should prepare and make available on-line a Personal Information Collection (“PIC”) Statement setting out the purposes for which the data collected are to be used. The Office of Privacy Commissioner suggests that the PIC Statement be laid out on the same web page as any personal data collection forms. However, the PIC could also be on another page, as long as it carries a clearly visible, well-described link to the page from which information is collected.

Direct marketing – the right to opt out

The tremendous growth in the number of people using email has resulted in the Internet being increasingly used as a marketing tool by corporations. One of the most popular forms of e-commerce is using e-mail as a direct marketing tool.

In the past, merchants relied on direct mailing, faxes and telemarketing to conduct targeted marketing campaigns. While these marketing methods are still widely used, email is increasingly being adopted as a marketing medium because it is cheap, fast and potentially has a very wide reach. Unlike direct mailing, which requires the costly production of printed materials and postage charges, a massive email marketing campaign can literally be distributed all over the world without any significant cost. Furthermore, the transmission of marketing materials by email only requires bandwidth, which is not charged according to usage volumes. The Internet therefore provides a new, easy and economical platform for direct marketing. If advertisers can also obtain spending and demographic profiles of consumers via cookie-generated profiles and/or via bought customer email lists, the potential for cheap targeted marketing is enormous.

However, Hong Kong's direct e-marketers need to be aware of data protection obligations when they are collecting, recording and using personal data via email. Hong Kong organizations must observe certain legal restrictions on data collection when compiling advertising profiles and mailing lists, and must observe the data protection principles and provisions of the Hong Kong Data Protection Ordinance when they engage in online direct marketing. Consumers also have the right to opt out of marketing that is directed towards them.

Spamming

It's very likely that every time you check your email account, you will find some unsolicited ‘junk mail’, or promotional or advertising material that has been sent by a business or organization. Unsolicited electronic mail, also called "spam," is both a nuisance to Internet users and a threat to network security. Spam imposes substantial costs on Internet users and providers (especially in terms of time), and users and Internet providers have undertaken a variety of measures to reduce or stop spamming. Later in this unit (when we look at how website owners should comply with data protection laws), we will see that most attempts by users to control spamming have been counterproductive.
To find out more about spam, you can visit the following site:
www.ofta.gov.hk/junk-email/page1.htm

Collecting Personal Data From Children

Let's now focus on an issue that is noted in the Yahoo privacy statement, namely the issue relating to children's use of the Internet. In particular, the question of how information is collected from children is worth examining.

Increasingly children are becoming a target for direct marketing over the Internet or television. Please elaborate on/give examples of some specific privacy issues related to kids.

The US is the largest market for electronic commerce and the White House report "A framework for Global Electronic Commerce" (dated 1 July 1997) cites as a particular concern "the use of information gathered from children, who may lack the cognitive ability to recognise and appreciate privacy concerns. Parents should be able to choose whether or not personally identifiable information is collected from or about their children". As a result of a large scale survey of websites, the US Federal Trade Commission in its "Report to Congress on Privacy Online" (dated 4 June 1998) recommended legislation that would place parents in control of the online collection and use of personal data from their children. This legislation requires that when websites collect information from kids they also need to provide notice to the children's parents and obtain parental consent. The aim of the legislation is to ensure that parents know about, and control, the online collection of information from their children.

Clicktrails

Clicktrails are information derived from an individual's behaviour, pathway, or choices expressed while visiting a web site. They contain the links that a user has followed and are logged on the web server (the ISP's computer, for those who do not run their own web server).

Clicktrails are normally used for troubleshooting and system maintenance purposes. However, clicktrails can also be misused to record profiles of the habits, tastes and online activities of an individual user. Information thereby traced (depending on the type of information) can adversely impinge on a person's privacy by targeting an individual for marketing a product or by fraudulently soliciting business from an individual. Please give some examples of how clicktrails can be used.

For more information about clicktrails, please refer to www.pco.org.hk/english/publications/guide_data_user_10.html
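The following is an added example, not part of the original text, showing how a clicktrail falls out of an ordinary web server access log and how the same log can be reduced to what troubleshooting needs. The log lines, addresses, paths and the key are constructed for illustration, and the Combined Log Format layout is an assumption about the server.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines in Combined Log Format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2004:10:15:01 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [02/Mar/2004:10:15:09 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Mar/2004:10:15:40 +0800] "GET /health/clinic-finder.html HTTP/1.1" 200 2048 "/index.html" "Mozilla/4.0"
- malformed line -
203.0.113.7 - - [02/Mar/2004:10:16:12 +0800] "GET /search?q=clinic+opening+hours HTTP/1.1" 200 900 "/health/clinic-finder.html" "Mozilla/4.0"
198.51.100.23 - - [02/Mar/2004:10:16:30 +0800] "GET /contact.html HTTP/1.1" 200 700 "/index.html" "Mozilla/4.0"
203.0.113.7 - - [03/Mar/2004:09:02:11 +0800] "GET /loans/apply.html HTTP/1.1" 200 3100 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(log_text):
    """Yield (client_ip, timestamp, request_target) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["target"]


def clicktrails(records):
    """What the raw log reveals: every page each address requested, in order."""
    trails = defaultdict(list)
    for ip, ts, target in sorted(records, key=lambda r: r[1]):
        trails[ip].append(target)
    return dict(trails)


def minimised_trails(records, secret):
    """Troubleshooting view: per-day pseudonyms, query strings dropped.

    The pseudonym is an HMAC over the date and the address, so one visitor's
    trails on different days carry different tags and cannot be joined into
    a long-term profile without the key.
    """
    trails = defaultdict(list)
    for ip, ts, target in sorted(records, key=lambda r: r[1]):
        day = ts.date().isoformat()
        tag = hmac.new(secret, f"{day}|{ip}".encode(), hashlib.sha256).hexdigest()[:12]
        trails[tag].append(urlsplit(target).path)  # path only, no search terms
    return dict(trails)


if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    for who, trail in clicktrails(records).items():
        print("raw      ", who, trail)
    # Constructed key; a real deployment would keep it secret and rotate it.
    for who, trail in minimised_trails(records, b"constructed-demo-key").items():
        print("minimised", who, trail)
```

The raw view ties a health page, a search phrase and a loan application to one address across two days; the minimised view still shows the navigation sequence needed to debug a broken link.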

Website privacy statements

Trust is an important element of e-commerce.

Businesses and consumers that trade over the Internet do not have the benefit of seeing each other face to face. Nor do they have a history of personal interaction to base their trust on. The Internet is an open network that is easily subject to misuse such as an outsider getting personal information such as credit card data and medical records without authority. To build trust, e-commerce providers must be able to ensure customer privacy and maintain security of websites and email communications. Enterprises taking inadequate privacy and security measures face the risk of litigation, negative publicity, and loss of customer loyalty. Consequently, most reputable e-traders employ security measures and publish an online privacy statement that guarantees commitment to a range of privacy issues.

The best way to get a broad understanding of online privacy issues that relate to corporations and businesses is to actually go online and to look at some commercial privacy policies. The following activity asks you to look at the privacy statements of three websites that receive a lot of traffic in Hong Kong. As you browse their privacy statements, try to assess the key issues that each statement addresses.

Taking steps to protect your own personal data

As we can see, disclosure of personal information online may unwittingly expose individuals to a host of on- and offline dangers. However, we also cannot escape the fact that we need to give information to access online services and that information is stored about us on a daily basis across a range of electronic databases. Most of the services that require us to give personal information should have security measures in place to protect this information (and in a moment we will look at examples of corporate privacy and security statements). We should also be aware of our rights to data privacy and later in the unit we will explore how we can access and enact these rights.

The most fundamental guideline for protecting your own personal data is to only disclose personal information whenever it is absolutely required and where organizations or corporations offer clear guidelines to protect data privacy.

You should be extremely careful not to disclose personal information online in situations where there are no privacy protection guidelines (for example, posting personal information in a chat room or newsgroup). Avoid disclosing your own or others’ personal information such as email addresses, home addresses, job and company details in a public forum. Disclosing this kind of information in a public forum such as a chat room can lead to many of the above abuses of privacy as well as other problems such as solicitation for fraudulent investments, electronic harassment or stalking, and attempts to establish undesired relationships or contacts. Also, take care not to pass on others’ email addresses or details without their permission. Simply forwarding an email with others’ email addresses on it can compromise the data privacy of others and result in privacy intrusions such as unwanted messages or spam.

Regrettably, many Internet users are not sufficiently aware of the dangers associated with disclosing sensitive personal information in the online environment. To help surfers protect their own privacy, Hong Kong's Privacy Commission Office has published a booklet entitled "Internet Surfing with Privacy in Mind - A Guide for Individual Net Users". This booklet is available from the PCO's website at www.pco.org.hk/english/publications/guide_privacy_mind_1.html

Health and medical records

Online medical data can also be abused. At the very least, the tampering with or unauthorized publication of someone's medical history can cause embarrassment and/or inconvenience to an individual. However, if a person's medical records are changed or used without authorization, a person's health can be compromised if inaccurate medical records result in wrong diagnosis or treatment. The loss or compromise of medical information can be fatal if doctors are denied information about treatment history or are given incorrect or inappropriate data.

Employment records

Nowadays, most organizations and corporations store their human resources records on electronic databases. Although many organizations and institutions (including the Open University of Hong Kong) now adopt measures to safeguard and protect the personal records of employees, the potential still exists for employment record privacy to be violated intentionally and unintentionally. Incorrect information relating to an employee can have a strong negative impact on someone's career; for example, it could result in a wrong performance appraisal or prevent someone from achieving a promotion.

Personal identifiers and ‘identity theft’

One online user may misuse another person's personal identifiers to forge his/her identity. An Internet user's personal information (such as name, address and identity card number) can be used by a cyber criminal to falsely represent someone online or gain fraudulent access to credit cards or e-commerce sites. Please give an example of how this might occur.

The following link tells you more about how identity theft can occur on the Internet
http://computer.howstuffworks.com/identity-theft5.htm

Financial and credit information

Many people use online banking services. Financial data such as transactional records on deposits and savings are stored online. Unauthorised access and alteration can result in money being taken from accounts. Incorrect credit information can result in bad credit information, harming a person's credit rating and his/her future ability to borrow from financial institutions.

Personal data protection

Internet users are frequently required to provide personal data online. If you start up a yahoo or hotmail account, register for an online banking service or buy your groceries online, you will be asked to provide personal information about yourself. Whenever you buy goods or services online, you also have to provide highly sensitive information such as credit card numbers or personal identifiers such as your Hong Kong ID card number. Similarly, as corporations and institutions such as hospitals and universities increasingly adopt electronic databases, private information about your health, education, employment and travel histories is increasingly prone to misuse. Although there are measures in the Data Protection (Privacy) Ordinance to protect how these kinds of data are collected, used and shared, a certain amount of responsibility for the protection of data privacy also falls upon individual Internet users.

To what extent is privacy ‘protected’ by law?

The principle of privacy is recognized in several international covenants. The United Nations Declaration on Human Rights, for example, says that ‘no-one shall be subject to arbitrary or unlawful interference with his privacy, family, home and correspondence'. The European Convention on Human Rights, and the International Covenant on Civil and Political Rights make similar statements.

Similarly, the Organization for Economic Cooperation and Development (OECD) issued a set of Guidelines concerning the protection of privacy of personal records in 1980. These broad and voluntary Guidelines were meant to establish standards for privacy rules followed by governments and businesses. You can view these guidelines at the following link: http://www.cdt.org/privacy/guide/basic/oecdguidelines.html (Although many companies claim to have adopted the guidelines, very few have ever implemented practices that directly matched the OECD standards.)

Despite the presence of covenants and guidelines recognizing and supporting the principle and importance of privacy, it must be emphasized that the laws of most places (including Hong Kong's Basic Law) give no general right to privacy. Moreover, courts in Hong Kong have rejected opportunities to create such general rights. For example, in the English case Malone v MPC (No.2) [1979], the contention that the tapping of the plaintiff's telephone in the course of a criminal investigation violated his right to privacy was rejected. The ruling in this case said: ‘It is no function of the court to legislate in a new field. The extension of existing laws and principles is one thing; the creation of an altogether new right is another’.

Therefore, in Hong Kong, in the absence of a clearly defined legal right, privacy must be looked at in the context of the Data Protection (Privacy) Ordinance, which offers data privacy protection, as opposed to personal privacy protection. Hence, personal privacy per se is not covered by legislative provisions in the Personal Data (Privacy) Ordinance. Hong Kong's Data Protection (Privacy) Ordinance is based on a similar 1984 UK act, which in turn was based on a European data protection convention. We will examine the Data Protection Ordinance in more detail later in this unit, but for the moment let's briefly look at how and why the Personal Data (Privacy) Ordinance evolved.

Privacy as Defined Today

Justice Brandeis' definition of being "let alone" no longer adequately defines the concept of privacy in the 21st Century Cyber Age. The modern definition of privacy therefore needs to also include ‘the right to control our personal information, even after we disclose it to others.’ (http://www.cdt.org/privacy/guide/start/). Therefore, a contemporary definition of privacy also needs to include the concept of personal data protection in which an individual has the right to control the flow and access of information and data related to his/her personal details. Professor Raymond Wacks sums up this modern concept of privacy by arguing that ".... at the heart of our concern to protect 'privacy' lies a desire, perhaps even a need, to prevent information about us being known to others without our consent." (Wacks 1996)

Modern technology clearly poses new and increasing threats to this broader definition of privacy. As a US Privacy Protection Study Commission argued, "The real danger (posed to privacy by the Information Age) is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable." (US Privacy Protection Study Commission 1977). In recent years, privacy advocates have increasingly lobbied for measures to safeguard the protection of personal data. One example of an organization committed to defending data protection privacy issues is the US-based Electronic Frontier Foundation www.eff.org

Threats on Privacy in Modern Days

Suppose you receive an anonymous letter one day. The letter describes in detail what you have done in the past 3 days. It tells at what time you left your home, which bus you took, where you shopped and whom you met. It even refers to how you changed your clothes before you went to bed. Your immediate reaction will be anger, and then you may become scared because you wonder how the writer has come to know so much about you. After you have calmed down, you will probably think that you have been psychologically hurt because you did not foresee that someone had been watching you in so much detail. Because you have heard about ‘privacy’ before and know that it is regarded as a person's right, you will probably think about legal remedies in order to prevent that from happening again.

Now ask yourself the following questions:

1. In the above example, you have been hurt psychologically. Do you think that there will surely be a legal remedy for you just because of that?

2. Are you sure that you can find out who your privacy intruder is so that you can have him successfully prosecuted?

3. What remedies are you looking for: civil, so that you can get compensation, or criminal, so that the privacy intruder can be arrested and punished?

What is ‘privacy’?

Privacy has long been regarded as a right that all individuals are entitled to enjoy. In 1928, American Supreme Court Justice Louis Brandeis defined privacy as "the right to be let alone". (http://www.cdt.org/privacy/guide/start/). He also argued that privacy was a right that was cherished by most people. However, when he defined privacy, Justice Brandeis was living in a simpler world. His definition was made long before the emergence of the Information Age where someone's personal information can be rapidly captured, copied, compiled, published and transported around the world in a matter of seconds.

In the above example, you may just feel angry or scared at being watched. Nothing has suggested that your daily activities have been recorded, processed or even ‘sold’ to a third party. Things have however changed because of technological improvements. This includes the use of high-speed computers which can store and process huge amounts of data at very low cost. Besides, data can easily be digitized and compressed for easy transmission and sharing. Personal data has a marketing value because it can help marketers to promote their services or products and drive sales, thereby leading to huge profits. As a result, in today's digital environment, personal information has become a highly sought-after commodity that is collected and compiled, bought and sold. Information that we once regarded as ‘personal’ (such as our medical records, credit histories, spending habits) has now become ‘public’ data which is stored, shared, and even sold on the Internet. As businesses, government offices and web masters gain access to personal data, the protection of this information is becoming increasingly compromised. In addition, every time we click on to the Internet, we increase the possibility of being contacted by advertisers sending ‘spam’ or other unwanted or intrusive information.

In the above example, you will certainly become even more angry if you subsequently find out on an Internet homepage that your meeting with your girlfriend inside a coffee shop has been recorded on video and displayed there. If you have some digital know-how and knowledge of the Internet, you may then know how this comes about. However, you may not have any such knowledge and will be wondering how this can be so easily done.

E-mail scam hits bank customers

Scammers forged a bank's identity and sent emails on a massive scale (i.e. spamming). This is called 'branded fake'. Quite often, the e-mail addresses were randomly generated and then by chance ‘hit’ the bank's customers. UK customers of MBNA had that experience in February 2004, which was widely reported in the news.

The faked emails came with a variety of subject lines such as "MBNA's OfficiaI Notice," "Attention all MBNA users" and "0fficial Notice for all users of MBNA." The message falsely claimed that the “bank” is putting in a new security system to "help you avoid frequently fraud transactions and to keep your investments in safety".

Customers logging in to the fake page will have their personal bank information or identity stolen and relayed directly to the crooks who adopted spamming as a cheating tool.

Very often, the link in the email will lead the customer to a site bearing a ‘look and feel’ (colour, layout and even fonts) highly similar to the true site, but in any event, the site will have a professional look in order not to arouse the customer's suspicion.

To avoid this kind of fraud, customers are advised to note the following:

1. Ensure that the emails truly come from the bank.

2. Don’t click on any links provided in the emails without thinking.

3. Before deciding to take any action, including clicking on the link, visit the true site first.

4. If you have doubts or are not sure, telephone the bank's customer hotline and enquire. Make sure that the telephone number is the number of the true bank.

5. If you have accidentally clicked on the link, compare the domain name of the site with that of the true site.

6. Report to the bank if you suspect there is a fraud or attempted fraud or you have been cheated.

7. Informing the bank IMMEDIATELY on being cheated is VERY IMPORTANT. This will enable the bank to take immediate steps to stop the crook from dealing with your bank account.
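As an added example that is not part of the original text, the sketch below automates the domain comparison in step 5 and also catches the character swaps visible in the fake subject lines quoted above ("OfficiaI" ending in a capital I, "0fficial" starting with a zero). The bank hostnames are hypothetical placeholders, and the look-alike character table and the distance threshold are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hypothetical genuine hostnames, taken from a bank card or
# statement rather than from the e-mail itself.
TRUSTED_HOSTS = ("www.harbourbank.example", "online.harbourbank.example")

# Characters that are easily mistaken for one another in common fonts.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(text):
    """Lower-case the text and fold look-alike characters together."""
    return text.lower().translate(FOLD)


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Classify a link as 'genuine', 'lookalike' or 'unverified'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in trusted:
        return "genuine"
    for good in trusted:
        # Same skeleton: differs only by look-alike characters.
        # Small edit distance: a typo-style variant of the real name.
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= max_distance:
            return "lookalike"
    return "unverified"  # not the bank's site; do not enter credentials


def disguised_words(subject, expected=("official", "notice", "attention")):
    """Return words that only look like an expected word."""
    hits = []
    for word in re.findall(r"[A-Za-z0-9]+", subject):
        for good in expected:
            if word.lower() != good and skeleton(word) == skeleton(good):
                hits.append(word)
    return hits


if __name__ == "__main__":
    # Constructed links; the subject lines are the ones quoted in the text.
    for url in ("https://online.harbourbank.example/login",
                "http://0n1ine.harb0urbank.example/login",
                "http://www.harbourbnak.example/",
                "http://www.unrelated-shop.example/"):
        print(check_link(url), url)
    for subject in ("MBNA's OfficiaI Notice",
                    "Attention all MBNA users",
                    "0fficial Notice for all users of MBNA."):
        print(disguised_words(subject), subject)
```

An "unverified" result is not a pass: anything other than "genuine" means the link should be ignored in favour of the address typed from a trusted source, as step 3 advises.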

In the past few years, many banks in the UK and US as well as in Hong Kong have been hit by phishing scams. In Hong Kong, fraudsters were found to have attempted to cheat banks’ customers by releasing fake websites using domain names highly similar to those of the true banks. To give a few examples, they are: HSBC, DBS and Bank of East Asia.

In December 2003, NatWest of the UK temporarily suspended its internet banking facility after some of its customers were sent fraudulent e-mails asking them to divulge their account details.

In October 2003, Nationwide and NatWest in the UK were targeted by a similar hoax, as was the Halifax, while in September fraudsters tried to trick customers of Lloyds TSB and Barclays.

On 7 December 2001 in the UK, a five-strong Net fraud gang was sentenced to a total of just under eight and a half years for conspiring to defraud online banks.

The four men and one woman made bogus multiple credit card applications with Egg, Cahoot, Smile, Marbles, MBNA, and SonyCard.

The gang, hailing from Buckinghamshire and Northamptonshire, were arrested by officers from the National Crime Squad in August 2000 after a six-month operation.