Could Mandatory Privacy Impact Assessment Be a Solution to Enhance Personal Privacy and Data Protection?
Mr. Chester Soong
Following the many cases of data leakage in recent years at various Hong Kong Government agencies such as the Hong Kong Hospital Authority and the Hong Kong Police Force, and even the misuse of customers' personal data by Octopus, the local electronic debit card payment service provider, the general public has raised concerns over personal data and privacy. Although other jurisdictions such as the US and EU may not share similar cases, their public awareness of personal privacy has been more mature in comparison, along with the relevant legislation and case law.
Privacy Impact Assessment (PIA) has been a common tool in certain western jurisdictions as a precautionary measure for compliance with privacy laws. But very few of them have made it a mandatory requirement before an organization launches a public project or implements an application system. Some governments, such as the UK and Hong Kong, have used funding for the development of new IT systems as an incentive for public organizations to conduct PIA. But this is still an uncommon practice among public organizations, and it is rare for a private enterprise to self-initiate such a project.
Why is this so? Does it mean that PIA is not an effective tool in preventing breaches of the law? The presentation will touch on how some of the major jurisdictions, including Hong Kong, approach the use of PIA. It will then compare the situation and legal requirements on performing PIA in some of the major jurisdictions. The presenter will give a more detailed analysis of the difficulties or barriers that these countries could face when promoting the use of PIA as a mandatory practice.
Finally, the presenter will propose a framework that would try to strike a balance between the cost and benefits of making PIA an obligatory requirement.