The Privacy Commissioner's Office has been conducting a series of workshops (latest sessions for April – June 2013 included in this email communication) on the newly amended ordinance in order to provide helpful guidance for direct marketing practitioners. Recently I attended the only English language version of this workshop in order to hear first-hand what was being covered and how things were being explained. What I found was a bit disturbing and thus I feel obligated to share this with all of you.
Since we played a major and instrumental role in negotiating the changes to the ordinance, and worked very closely with the HK government through the CMAB, liaising with the privacy commissioner as well, we are in a good position to understand what the new ordinance actually requires in terms of compliance. As all of you know, two major victories for our side were the maintenance of the "opt-out" regime, and grandfathering of all previously collected data (as long as that data was collected in compliance with the then in force ordinance). If/when you attend the privacy commissioner's workshops, both of these positions would not be made very clear at all. In addition, there is confusion about what is meant by the term "written consent".
Thus I think it is worthwhile to once again summarize these points in what one hopes is an easier to understand and apply manner:
1. Grandfathering applies to all the data you have previously collected in accordance and compliance with the existing ordinance at the time of collection with the following conditions. First, the data continues to be used only for the purposes originally intended; second, the data is used purely for internal marketing of your company's products or services; third, the customer profile data remains the same. If your company meets these conditions then it's business as usual and no further or new steps are necessary to be taken.
If, however, your company decides to add more personal information to existing data, i.e. exact date of birth, then you MUST follow the new guidelines regarding disclosure, including a new opt-out opportunity.
If your company decides to use "grandfathered" data to promote a brand new category of product or service then you MUST follow the new guidelines as above.
If your company decides to share data with a third party for direct marketing purposes, i.e. sharing your data with an insurance company to offer insurance to your customers, then both YOUR COMPANY and the third party must comply with the new ordinance.
In other words, those members who have data that they use for their own internal purposes of promotion should have no worries at all, as for them it will be continuation without interruption or change.
2. Opting-out, data collection, and "written" consent. It's important to understand that the new ordinance is primarily focused on the FIRST INSTANCE of data collection by the data user from the data subject. When a customer (data subject) first enters your database, through a product or service purchase or any other means, your company will generally ask the customer to fill out a form, either a real paper form or an electronic form. It is on this form that the disclosure statement needs to be made, i.e. intention of use of data, general categories of services/products to be offered, whether or not there will be a "gain" from sharing data (if being shared), etc. In addition, in an easily readable format you must give the customer the option to tick a box saying "NO, please don't share or use my data for direct marketing purposes" as a general opt-out, or you may give them category specific opt-out choices, i.e. tick boxes for each product/service category.
The customer (data subject) does NOT need to actually sign that form, either paper or electronic, but the form must be returned or collected by the company as written proof that during the first instance of data collection all the required disclosures were made along with the proper opt-out choice. Thus "written" consent merely means the existence of a written record at the time of collecting personal data, not a written signature. Including a 'signature' would save unnecessary debate in the future if customers do not remember they have filled in such a form, but it is not mandatory by law.
Unfortunately, the privacy commissioner and his office are trying very hard to push an "opt-in" approach, and therefore in the guidance notes that they think will be "helpful", almost all the examples they use are "opt-in" rather than what was just described above, the classic opt-out method. Naturally, when pressed, they answer that both scenarios are acceptable. Please do not be fooled or sidetracked; the law ONLY requires opt-out as described above, and the "written" consent is NOT a signature, merely a written record that compliance was achieved. This cannot be repeated enough times. After the first instance of data collection, you would then use the normal opt-out regime that most companies have been using for years, with no further disclosure statements necessary unless there is a change in use.
In the event that this note does not help make things more clear for you, please feel free to either e-mail me directly or give me a call. I would be happy to assist you or your compliance teams to fully understand the requirements.
Meanwhile, details of the Professional Workshops are also available at http://www.pcpd.org.hk/english/activities/workshop.html
Sincerely,
Eugene Raitt
Chairman
HKDMA
GPO Box 7416 Hong Kong
Email: gene.raitt@hkdma.com
Tel: 852-21159348
Fax: 852-25811056