Privacy Law and Policy Reporter
Hong Kong’s Privacy Commissioner for Personal Data has issued guidance on automated matching of personal data under the Personal Data (Privacy) Ordinance. A pamphlet entitled ‘Matching procedure: some common questions’ (accessible on the Commissioner’s web site at http://www.pco.org.hk/info/) aims to assist data users to understand when and how it is necessary to obtain consent from the Privacy Commissioner under s 30 to carry out such procedures. Although s 30 is one of two sections not yet in force (see 3 PLPR 179) organisations carrying out matching procedures have been able since 1 March 1997 to apply for advance consent from the Privacy Commissioner using an application form he provides. Stephen Lau, Privacy Commissioner for Personal Data, said s 30 was planned to be brought into force by the middle of this year.
Organisations obtaining advance consent will be permitted to continue carrying out the matching procedure concerned after s 30 comes into force.
Under the Ordinance, matching procedures are defined as procedures whereby personal data in respect of ten or more individuals are compared by automated means with other personal data in respect of those individuals collected for different purposes, and where, as a result of the comparison, adverse action may be taken against one or more of the individuals concerned. Before organisations may carry out such procedures, they must either obtain consent either from all the individuals concerned or from the Privacy Commissioner.
There is no equivalent provision in the Australian or NZ Privacy Acts which requires advance consent for all data matching operations.
Bruce Slane has been reappointed for another three year term as NZ Privacy Commissioner. He was originally appointed in 1992 under the interim Privacy Commissioner Act 1991.
The Commissioner’s Auckland Office Manager, Robert Stevens, has gone into private legal practice, but will continue to act as a consultant to the Commissioner. He was a mainstay of the Commissioner’s office since 1992 when the Privacy Act 1993 was still a Bill.
As well as managing the Auckland investigation staff, he managed inquiries and the monitoring of information matching (see (1995) 2 PLPR 145). Deborah Marshall has become Manager, Investigations, Auckland, and Judith Oliver has departed the post of Manager, Investigations, Wellington.
Information Age, the monthly IT industry publication, includes two of PLPR’s Editorial Panel, Peter Leonard and Roger Clarke, in its annual ‘50 most influential figures on the information technology and telecommunications scene’ in Australia. Other ‘privacy friendly’ figures in the list include Alan Stockdale, Philip Argy, Patrick Fair, Bill Caelli and Ashley Goldsworthy.
In April 1997 the Privacy Commissioner for Personal Data issued for public consultation a draft Code of Practice for protecting personal data privacy in relation to consumer credit reference services. The consultation period ended in mid-May. It is the first Code of Practice drawn up by the Commissioner to provide practical guidance on the application of the requirements under the Ordinance.
In announcing the draft Code, the Commissioner’s office explained (see http://www.pco.org.hk/info/):
The draft Code aims to ensure that the handling of personal data by credit reference agencies is fair and in line with the six data protection principles in the Personal Data (Privacy) Ordinance.
It defines the scope of personal data that credit reference agencies may hold and the use of such data. In addition, what these agencies should do to ensure the accuracy and security of data held and the maximum retention period for various types of data are also specified.
The draft Code also aims to increase the transparency of the operation of such services by requiring credit providers to inform individuals if their personal data are subject to disclosure to a credit reference agency, the identity of the agency, whether any refusal to provide credit is based on a credit report from such an agency, and how to obtain a copy of the credit report.
The draft Code also requires that credit reference agencies respond promptly to requests for copies of credit reports which have resulted wholly or partly in refusal of credit. Such requests should be complied with within three days by fax or 10 days by post so that individuals can check the accuracy of such reports in a timely manner.