Greetings, fellow privacy professionals.
I hope you are safe and well. It’s pretty much impossible to talk about anything else other than COVID-19 right now, as the unfortunate situation has brought security and privacy into the spotlight, from the collection of data for contact tracing, employer rights regarding collecting and disclosing employee data, to work-from-home security and privacy concerns.
To start with, in March, IAPP’s Hong Kong chapter held the first-ever virtual KnowledgeNet meeting, and it was well received. We were honored to have Privacy Commissioner for Personal Data Commissioner Stephen Wong as our distinguished guest, and while we covered a number of topics, COVID-19 and its impact on privacy and security concerns was the main topic on everyone’s minds. Given the current situation, patient privacy and public health concerns are becoming a key topic of discussion in many regions specifically in Asia-Pacific where the first wave of COVID-19 has been active since January 2020, raising concerns from the observation of how China was tackling this crisis yet still operating within the law.
I covered contact tracing briefly last month, but we have seen more reports about this in recent weeks when efforts in the Asia-Pacific region are helping shape the way for other regions to follow. Especially in Singapore, with the launch of the “TraceTogether” mobile application used for close-range Bluetooth detection to see if people around you are infected. This has gained a lot of coverage here and abroad, with the U.K.’s Information Commissioner’s Office announcement that mobile tracking is indeed legal during a pandemic, and Germany has plans to launch their own version of this, as well. However, I think it is important that we also take into account the privacy risks, and some are questioning if these tracking apps are actually targeting the wrong people, given the demographic of the people who actively use these apps. We also need to make sure that if such measures are going to take place, then sufficient controls, such as data retention and deletion, need to be factored into the discussion.
Regarding guidelines for employers and employees, the PCPD released a media statement on the best practices for companies during the COVID-19 pandemic stating that while there may be legitimate business requirements for collecting health data, companies in Hong Kong still need to make sure they collect data that is necessary, appropriate and proportionate as per the ordinance. One key point in the statement is that “a fresh Personal Information Collection Statement must be provided when or before the data collection to inform employees of the data collected and the purposes (e.g., protection of public health), and the classes of persons (e.g., public health authorities) to whom their data may be transferred.” So, I would encourage all IAPP members to assess your current PICS to see if it takes into account situations that cater to the current public health emergency.
Finally, in other news, updates have been made to the Certified Information Technologist certification, and you can find details on the certification exam here. It’s a great certification to complement your existing IAPP certifications and a great way to understand more of the technical privacy controls that are needed to implement privacy by design and default.
Stay at home, and take care of yourselves and your family!
Keep safe; keep secure.