By David Ellis (partner) and Stephen Bureaux (solicitor)
Originally published in June 2002.
On 17 June 2002, the Office of the Telecommunications Authority, acting in collaboration with the Consumer Council, the Independent Commission Against Corruption and the Office of the Privacy Commissioner for Personal Data, issued the Code to help ensure that data held by fixed and mobile telecommunications service operators is properly protected from misuse.
The Code is voluntary and seeks to set out best practice standards for operators regarding the various obligations in relation to personal data contained in the Personal Data (Privacy) Ordinance ("PDO"), the Prevention of Bribery Ordinance ("PBO"), and the operators' telecommunications licence conditions.
The authorities involved recognise that in the course of their business and provision of services, fixed and mobile telecommunications service operators collect a large volume of customer personal data including a customer's telephone number, residential address and details of customer call history, which data may be sensitive in certain circumstances.
The Code sets out good practice for preventing unauthorised disclosure of customer information by the operator's staff, and serves as general guidance for the operators to set their standards and measures in respect of the protection of customer information. The Code, although it is drafted with the various legal obligations contained in the PDO, PBO and the licences in mind, is not exhaustive with respect to those obligations. Operators must also ensure their compliance with any additional legal obligations not covered by the Code.
The structure of the Code is first to identify five overall "good practices" which should be adopted in order to prevent unauthorised disclosure of Customer Personal Data. These are:
- The establishment and following of a Policy of Protection of Customer Personal Data.
- The implementation of Technical Measures for the Protection of Customer Personal Data.
- Ensuring adequate Location Security.
- Ensuring adequate Staff Security.
- Satisfactory procedures for the transfer of Customer Personal Data.
The Code then recommends more detailed good practice policies in respect of each area, including technical methods of data protection such as encryption and password protected access control, and non-technical methods such as physical security, staff training and staff supervision.
The Code is voluntary in nature, but the authorities involved hope that consumers will exercise their right to choose operators who adopt the Code, thus encouraging compliance. In addition, according to section 13 of the PDO, in any legal proceedings where a contravention of the PDO is alleged and the Code is relevant, failure to comply with the Code will be admissible as evidence proving such contravention.
The original email legal update is copyright Johnson Stokes & Master at the date written first above. All rights reserved. This publication provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is intended to provide a general guide to the subject matter and is not intended to provide legal advice or a substitute for specific advice concerning individual situations. Readers should seek legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.