The Privacy Commissioner's Office has been conducting a series of workshops (the latest sessions for April – June 2013 are included in this email communication) on the newly amended ordinance in order to provide helpful guidance for direct marketing practitioners. Recently I attended the only English language version of this workshop in order to hear first-hand what was being covered and how things were being explained. What I found was a bit disturbing, and thus I feel obligated to share this with all of you.
Since we played a major and instrumental role in negotiating the changes to the ordinance, and worked very closely with the HK government through the CMAB, liaising with the privacy commissioner as well, we are in a good position to understand what the new ordinance actually requires in terms of compliance. As all of you know, two major victories for our side were the maintenance of the "opt-out" regime, and the grandfathering of all previously collected data (as long as that data was collected in compliance with the ordinance then in force). If/when you attend the privacy commissioner's workshops, neither of these positions is made very clear at all. In addition, there is confusion about what is meant by the term "written consent".
Thus I think it is worthwhile to once again summarize these points in a manner that is, one hopes, easier to understand and apply:
1. Grandfathering applies to all the data you have previously collected in accordance and compliance with the ordinance in force at the time of collection, subject to the following conditions. First, the data continues to be used only for the purposes originally intended; second, the data is used purely for internal marketing of your company's products or services; third, the customer profile data remains the same. If your company meets these conditions then it's business as usual and no further or new steps need to be taken.
If, however, your company decides to add more personal information to existing data, e.g. exact date of birth, then you MUST follow the new guidelines regarding disclosure, including a new opt-out opportunity.
If your company decides to use "grandfathered" data to promote a brand new category of product or service then you MUST follow the new guidelines as above.
If your company decides to share data with a third party for direct marketing purposes, e.g. sharing your data with an insurance company to offer insurance to your customers, then both YOUR COMPANY and the third party must comply with the new ordinance.
In other words, those members who have data that they use for their own internal promotional purposes should have no worries at all, as for them it will be a continuation without interruption or change.
2. Opting out, data collection, and "written" consent. It's important to understand that the new ordinance is primarily focused on the FIRST INSTANCE of data collection by the data user from the data subject. When a customer (data subject) first enters your database, through a product or service purchase or any other means, your company will generally ask the customer to fill out a form, either a real paper form or an electronic form. It is on this form that the disclosure statement needs to be made, e.g. the intended use of the data, the general categories of services/products to be offered, whether or not there will be a "gain" from sharing the data (if it is being shared), etc. In addition, in an easily readable format you must give the customer the option to tick a box saying "NO, please don't share or use my data for direct marketing purposes" as a general opt-out, or you may give them category-specific opt-out choices, e.g. tick boxes for each product/service category.
The customer (data subject) does NOT need to actually sign that form, either paper or electronic, but the form must be returned to or collected by the company as written proof that during the first instance of data collection all the required disclosures were made along with the proper opt-out choice. Thus "written" consent merely means the existence of a written record at the time of collecting personal data, not a written signature. Including a "signature" would save unnecessary debate in the future if customers do not remember having filled in such a form, but it is not mandatory by law.
Unfortunately, the privacy commissioner and his office are trying very hard to push an "opt-in" approach, and therefore in the guidance notes that they think will be "helpful", almost all the examples they use are "opt-in" rather than what was just described above, the classic opt-out method. Naturally, when pressed, they answer that both scenarios are acceptable. Please do not be fooled or sidetracked: the law ONLY requires opt-out as described above, and the "written" consent is NOT a signature, merely a written record that compliance was achieved. This cannot be repeated enough times. After the first instance of data collection, you would use the normal opt-out regime that most companies have been using for years, with no further disclosure statements necessary unless there is a change in use.
In the event that this note does not help make things clearer for you, please feel free to either e-mail me directly or give me a call. I would be happy to assist you or your compliance teams to fully understand the requirements.
Meanwhile, details of the Professional Workshops are also available at http://www.pcpd.org.hk/english/activities/workshop.html
GPO Box 7416 Hong Kong