By Cynthia TellezAt the Mission for Migrant Workers, one topic that we regularly discuss among staff is the Privacy Law. This is conducted to remind ourselves that inasmuch as we are getting information in relation to problems of migrant workers when they seek assistance from our office, we should be versed on the said ordinance to protect both the client and our office.
But the Data Privacy Law does not only apply to offices that get information from their clients to render services. This also pertains to individuals, including migrant workers.
So in this Know Your Rights article, we wish to at least assist migrants in knowing the rules relating to privacy especially now that almost everybody is using social media, and they are constantly asked to provide information to loan agencies including addresses of their employer or guarantor, etc.
This article hopes to provide a certain guide so we do not find ourselves in a difficult situation.
What are being protected in the Data Privacy Law?
All information that can identify a person or any form that gives access to information is what the said law is concerned about. These are personal data protected by the Ordinance including names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.
To be concrete, let us deal with some examples:
1) Migrants who give out the address and phone number of their employers to lending companies without their employer’s permission;
2) Using social media like Twitter, Facebook, and similar platforms, and posting pictures, address or HKID of another person without permission
3) Listing a person’s name as guarantor in a loan transaction without the express consent of that person, even if he or she is a friend or a relative.
These are but some examples of acts that violate the Data Privacy Law. These acts violate the rights of the concerned persons who can file a complaint to the Privacy Commissioner as a result. They may even demand damages against the person that violated their privacy.
The Ordinance gives what is called as the six data protection principles (DPP) to users of data or information taken. The Ordinance said that these constitute the core of the whole law.
DPP1 - Data Collection Principle:
1) Personal data must be collected in a lawful and fair way, for a purpose directly related to a function activity of the data user.
2) Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
3) Data collected should be necessary but not excessive.
DPP2- Accuracy & Retention Principle:
Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfill the purpose for which it is used.
DPP3 - Data Use Principle
Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
DPP4 - Data Security Principle
A data user needs to take practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.
DPP5 - Openness Principle
A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
DPP6 - Data Access & Correction Principle
A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
In other words, based on some of the examples that we mentioned above, the six core principles say that:
1) We should get the approval of our employer before giving the address, phone number, names of our employer or any other information, to any lending companies.
2) A consent should be given by the person who will act as guarantor in loan application. Without the consent, the person affected may file complaints to the Commissioner of the Privacy Ordinance.
3) The information/data that we took legally, meaning with permit from the people concerned, must be used only for a specific purpose and NOT to other purposes without the permission again of the concerned person(s).
4) The data user must protect all the information taken and not reveal it irresponsibly to the public or other people who are outside of the purpose for which the data was collected. So, avoid free-wheeling distribution of data that may have a bad effect on somebody.
5) Of course it is okay if it is a birthday party or outing at the beach or any group gathering and the pictures taken were uploaded in social media. But still, any person can ask the one who uploaded it to remove (if possible) or cover her/his face if they want to. This is part of respecting whatever their reason is.
So let us be conscious of our actions. Let us remember that ignorance of law is not an excuse. Let us be careful of our actions so as not to put us in a bad situation.
This is actually the main reason on why we at the Mission always inform clients that all information/data in the case file will remain only in the office.
As part of always being conscious of the said Ordinance, we also would like to take this opportunity to announce that the Mission will institute certain rules to protect our clients and also to protect the Mission while it is carrying out its mandate in serving the migrant workers.
Every client of the Mission will be asked to sign a sort of permission in getting information whenever they ask the Mission’s assistance in relation to their problems or cases. This is to protect both of us.
---
This is the monthly column from the Mission for Migrant Workers, an institution that has been serving the needs of migrant workers in Hong Kong for over 31 years. The Mission, headed by its general manager, Cynthia Tellez, assists migrant workers who are in distress, and focuses its efforts on crisis intervention and prevention through migrant empowerment. Mission has its offices at St John’s Cathedral on Garden Road, Central, and may be reached through tel. no. 2522 8264.
