
L02 - Privacy and Data Privacy

This document discusses privacy and data privacy. It begins by defining privacy as the right to be let alone or freedom from interference, and information privacy as the right to have control over how personal information is collected and used. It then covers the basics of privacy, including the three dimensions of privacy: physical, territorial, and informational or data privacy. The document notes that personal data has significant value for companies in enabling personalization, analysis, fraud detection, and engagement. Privacy concerns arise in balancing individual rights with society's needs in the digital world.

Uploaded by

Chester Chan

COMP4006 – IT Professional Practices

Privacy and Data Privacy

COMP4006 – Information Technology Professional Practices


Department of Computer Science
Hong Kong Baptist University

COMP4006 – Information Technology Professional Practices Module


Dr. Wilson Yu (Courtesy of Dr. Joe Yau for the original contribution) Cyberlaw & Cybercrime 1
Overview
• Basics of Privacy
• The Value of Personal Data
• Threats to Privacy
• Privacy Controls
• Privacy Concerns in a Digital World
• Legal Protection – an International perspective
• Legal Protection in Hong Kong

Basics of Privacy (1/2)
What is Privacy?
• Privacy is the right to be let alone, or freedom
from interference or intrusion. Information
privacy (data privacy) is the right to have some
control over how your personal information is
collected and used.

Basics of Privacy (2/2)
3 Dimensions of Privacy (one way of categorizing privacy)
• Physical Privacy
Protecting a person against undue interference (such
as physical searches) that violates his/her moral sense
• Territorial Privacy
Protecting a physical area surrounding a person that
may not be violated without the acquiescence (tacit consent)
of the person
• Informational Privacy (a.k.a. Data Privacy) – today’s topic
Deals with the gathering, compilation and selective
dissemination of information

Physical Privacy
• How about physical searches at the airport? Most airport
security controls were tightened after the 9/11 attack.

Can you spot the interesting thing on the screen? Privacy-friendly!
https://www.dailymail.co.uk/travel/article-2033918/Airport-body-scanners-Heathrow-trials-new-privacy-friendly-security-technology.html

Territorial Privacy (your own space)
• Countless complaints about Pokemon Go offending
others in their homes.

Data Privacy
• Everywhere – how others take care of your personal
information, and how the internet takes care of your
digital footprint!

Privacy and Society’s needs
• Society’s needs sometimes trump individual
privacy (e.g., national security, military, crime
investigation)
• Privacy rights are not absolute
• Balance needed
– Individual rights
– Society’s need

Part 2
• Basics of Privacy
• The Value of Personal Data
• Threats to Privacy and Privacy Controls
• Privacy Concerns in a Digital World
• Legal Protection – an International perspective
• Legal Protection in Hong Kong

Data is the new oil

THIS IS GOOGLE

Among Google’s 270 products, TWO
products account for 70% of revenue

Success factors of Google Search and
YouTube

• Big Data Technology
• Relevant information (deliver search results people really wanted)
• Super fast algorithm
• User experience
• Brand - simple, yet friendly layout
• Personalization
• Personal Data

Same for Facebook (Meta)
The Social Network (a movie) is a
2010 American biographical drama
film.
Original Plan: A messaging tool
within universities, and for dating
Now: online social media and social
networking service for the whole
world

In Facebook, advertising accounts for 97% of total revenue.

Personal data collected

Targeted Ads in Google
The ads are mainly related to “your search keywords”.

A more personalized experience makes customers more loyal and stay longer,
and offers better and more relevant services.

The value of ‘Personal Data’ is huge

Source: McKinsey Global Institute

1. Personalization
2. Risk / Loan analysis
3. Fraud detection
4. Engagement / Interaction

Source: McKinsey Global Institute

Summary - ‘Personal Data’ is important
• Personal data plays a crucial role → create new
business value
• Enables customer insights, targeted marketing,
product innovation, enhanced customer
experiences, data-driven decision making, and
potential monetization and partnerships. (Relate
to your own e-shopping experience)
• By leveraging personal data effectively and ethically,
organizations can unlock significant value and
gain a competitive edge in their respective
industries.

Part 3
• Basics of Privacy
• The Value of Personal Data
• Threats to Privacy and Privacy Controls
• Privacy Concerns in a Digital World
• Legal Protection – an International perspective
• Legal Protection in Hong Kong

Threats to Privacy (1/7)
• Information technologies can be misused to
invade users’ privacy and commit computer
crimes
• Minimize or prevent risks by:
• installing OS updates regularly
• using antivirus and antispyware software
• using e-mail security features

Threats to Privacy (2/7)
• According to Cybersecurity Ventures in 2020,
cybercrime will cost the world economy $10.5 trillion
annually by 2025.
• Costs include:
• Loss of revenue
• Stolen identities and intellectual property
• Damage to companies’ and individuals’ reputations
• Expense of enhancing and upgrading a company’s
cyber security
• Loss of business information

Threats to Privacy (3/7)
• Spyware – Software that gathers information about
users while they are connected to the Internet.
• Some can change computer settings
• Prevent by installing antivirus or antispyware
software
• Adware – Form of spyware that collects
information about the user to determine
advertisements to display
• Prevent by installing an ad-blocking feature in the
Web browser

Threats to Privacy (4/7)
• Phishing – Sending fraudulent e-mails that seem
to come from legitimate sources (e.g., bank or
university) – perhaps the largest threat
• Pharming – Like phishing but the official Web site
of an organization is hijacked by altering the Web site's
IP address via a domain name system server
• Baiting – similar to phishing attacks but the baiter
gives the recipient a promise (e.g., free software or
gift card)

Threats to Privacy (5/7)
• SMiShing (SMS phishing) - technique that
tricks the user into downloading malware onto a
mobile device
• Vishing (voice or VoIP phishing) - using voice
technology that tricks the user into revealing
important financial or personal information to
unauthorized entities
• More to come…

Threats to Privacy (6/7)
• Keystroke Loggers - Software or hardware
devices that monitor and record keystrokes
• Used legally by companies to track employees’
use of e-mail and the Internet
• Used maliciously to collect credit card
numbers while user shops online
• Preventable by some antivirus and
antispyware programs

Threats to Privacy (7/7)
• Sniffing – capture and record network traffic
• Used by hackers to intercept information
• Spoofing – attempt to gain access to a
network by posing as an authorized user
• Used to find sensitive information
• Also happens when an illegitimate program
poses as a legitimate one

Examples – Phishing Emails

Example - Pixel Spyware

https://www.youtube.com/watch?v=TlztKf7PlJ8

Internet Tracking – Is it a threat?
• Record of individual’s Internet activity
– Web sites and newsgroups visited
– Incoming and outgoing e-mail addresses

• Tracking
– Secretly collecting clickstream data
– ISP in perfect position to track you (all transactions go
through ISP)
– Using cookies and pixels (to be further investigated in
case study discussion)
– Using Web bugs

iOS 14 – “Ask App Not to Track” Affecting
Pixel Tracking

Did they steal your own data for
making money?

Strike a Balance
• Perfect data privacy can be achieved by not
sharing the data or making it accessible
• Perfect data utility can be achieved by sharing
the data and making use of it

Privacy Controls (1/3)
• Technical Privacy Controls
– Protecting user identities
– Protecting usee identities
– Protecting confidentiality & integrity of personal
data
• Legal Privacy Controls

Privacy Controls (2/3)
Protecting User Identities (Three different levels)
• Anonymity – a user may use a resource or service
without disclosing her identity. True identity is
completely unknown.

• Unobservability (or unlinkability) – a user may use a
resource or service without others being able to
observe that the resource or service is being used.
Example: encryption, private browser (incognito)

• Pseudonymity – a user acting under a pseudonym,
meaning that he uses an alternative identity

Three types of Privacy Control

Unobservability

Pseudonymity

Anonymity EMPTY

Privacy Controls (3/3)
Protecting Usee Identities - Data privatisation is the
removal of personally identifiable information (PII) from
data, in the following ways:
• Data Summarisation – sets of individual data records
are compressed into summary statistics (for
example, date of birth into age group)

• Data Tokenisation – the personal data within a
dataset that allows an individual to be identified is
replaced by a token (possibly generated from the
personal data such as by hashing)

Tokenization Example (at system backend)
Tokenization is a method of substituting the original sensitive data with
non-sensitive placeholders referred to as tokens. In the credit card industry,
sensitive data such as your credit card number is kept in something called a token
vault, which basically sits outside the system in a secure location. Although the
token is associated with your secure data, it is completely useless elsewhere.
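
Added example (not part of the original slides): a Python sketch of the two data privatisation methods from Privacy Controls (3/3) and of the token vault described in the Tokenization Example. The record fields, sample HKID and card numbers, key handling and all function names are constructed for illustration; the in-memory vault stands in for a separately secured service.

```python
import hashlib
import hmac
import secrets
from datetime import date


def age_group(dob: date, today: date, width: int = 10) -> str:
    """Data summarisation: replace an exact date of birth with an age band."""
    # Subtract one year if this year's birthday has not happened yet.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def keyed_token(value: str, key: bytes) -> str:
    """Tokenisation by hashing: a deterministic token derived from the value.

    A keyed hash (HMAC-SHA256) is used rather than a bare hash because
    identifiers such as ID or card numbers come from a small, guessable
    space; the key must be stored away from the tokenised dataset.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Vault tokenisation: tokens are random, so they carry no information
    about the original value; only the vault can map a token back."""

    def __init__(self) -> None:
        self.by_token: dict[str, str] = {}
        self.by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self.by_value:          # same value -> same token
            return self.by_value[value]
        token = "tok_" + secrets.token_hex(8)
        self.by_token[token] = value
        self.by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # In a real deployment this call is restricted to authorised systems.
        return self.by_token[token]


def privatise(record: dict, vault: TokenVault, key: bytes, today: date) -> dict:
    """Build the non-PII view of one record: direct identifiers are
    tokenised, date of birth is summarised, the name is dropped."""
    return {
        "customer": keyed_token(record["hkid"], key),
        "card": vault.tokenize(record["card_number"]),
        "age_group": age_group(record["dob"], today),
        "amount": record["amount"],
    }


# Constructed sample data (not real people, IDs or cards).
SAMPLE_RECORDS = [
    {"name": "Chan Tai Man", "hkid": "A123456(7)", "dob": date(1984, 6, 15),
     "card_number": "4111111111111111", "amount": 250.0},
    {"name": "Chan Tai Man", "hkid": "A123456(7)", "dob": date(1984, 6, 15),
     "card_number": "4111111111111111", "amount": 80.5},
    {"name": "Lee Siu Ming", "hkid": "B654321(0)", "dob": date(2001, 1, 2),
     "card_number": "5500000000000004", "amount": 19.9},
]

if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)   # assumption: kept in a separate key store
    for rec in SAMPLE_RECORDS:
        print(privatise(rec, vault, key, today=date(2024, 6, 14)))
```

Because both token types are stable per input, purchases by the same customer can still be grouped and analysed without the dataset holding the name, HKID or card number.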

Data Lake Governance

As a system architect, one major task is to ensure that PII data is stored in a secured
and encrypted environment in the Raw Zone. Business users may only view
non-PII data in the end-user interface.

Part 4
• Basics of Privacy
• The Value of Personal Data
• Threats to Privacy and Privacy Controls
• Privacy Concerns in a Digital World
• Legal Protection – an International perspective
• Legal Protection in Hong Kong

Data Privacy
• A.k.a. information privacy
• Concerns about how personal information is
collected and used
• Personal data, PII (Personal Identifiable Information):
• Name
• Telephone number
• Address
• Sex
• Age
• Occupation
• Salary
• Nationality
• Photo
• HKID card number
• Medical records

GDPR – General Data Protection Regulation
• Purpose limitation
• Fairness and transparency
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

We focus on the regulation in HK, called PDPO

Different levels of Privacy Legislation
by Region

• https://unctad.org/page/data-protection-and-privacy-legislation-worldwide#:~:text=137%20out%20of%20194%20countries,countries%20having%20adopted%20such%20legislations.

Part 5
• Basics of Privacy
• The Value of Personal Data
• Threats to Privacy and Privacy Controls
• Privacy Concerns in a Digital World
• Legal Protection – an International perspective
• Legal Protection in Hong Kong
• Privacy Violation Cases

Protecting Personal Data in HK (1/7)
• In Hong Kong, personal data is protected under
the Personal Data (Privacy) Ordinance (PDPO), a piece
of legislation

• An independent statutory body – the Office of the
Privacy Commissioner for Personal Data (PCPD) –
is set up to oversee its enforcement
(ref: https://www.pcpd.org.hk)

Protecting Personal Data in HK (2/7)
Key Concepts in PDPO
• Personal Data
• Data User
• Six Data Protection Principles
• Offences and Compensation

Protecting Personal Data in HK (3/7)
PDPO – Personal Data
• The information which relates to a living
person and can be used to identify that
person.
• It exists in a form in which access or
processing is practicable.

• Examples: Names, Phone numbers, ID numbers, photos.

Protecting Personal Data in HK (4/7)
PDPO – Data User
• A person who, either alone or jointly or in
common with other persons, controls the
collection, holding, processing or use of the
data.

• Liable as the principal for the wrongful act of
its authorized data processor.

Protecting Personal Data in HK (5/7)
PDPO – Six Data Protection Principles
• Everyone who is responsible for handling data
(Data User) should follow the Six Data
Protection Principles ("DPPs")

Protecting Personal Data in HK (6/7)
PDPO – Offences and Compensation
• Non-compliance with Data Protection Principles does
not constitute a criminal offence directly. The
Commissioner (Privacy Commissioner) may serve an Enforcement
Notice to direct the data user to take steps to remedy
the contravention and prevent re-occurrence.

• Contravention of an enforcement notice is an offence
which could result in a maximum fine of HK$50,000
and imprisonment for 2 years.

Protecting Personal Data in HK (7/7)
PDPO – Offences and Compensation (cont)
• An individual who suffers damage, including injured
feelings, by reason of a contravention of the Ordinance
in relation to his or her personal data may seek
compensation from the data user concerned. (Civil
infringement)
• The Ordinance also criminalizes misuse or
inappropriate use of personal data in direct marketing
activities (Part VI); non-compliance with Data Access
Request (section 19); unauthorized disclosure of
personal data obtained without data user's consent
(section 64) etc. (Criminal offense)

PCPD Six Data Privacy Principles (1/5)
• DPP1 – Data Collection Principle
• DPP2 – Accuracy & Retention Principle
• DPP3 – Data Use Principle
• DPP4 – Data Security Principle
• DPP5 – Openness Principle
• DPP6 – Data Access & Correction Principle

PCPD Six Data Privacy Principles (2/5)
DPP1 – Data Collection Principle
• Personal data must be collected in a lawful and
fair way, for a purpose directly related to a
function/activity of the data user.
• Data subjects must be notified of the purpose
and the classes of persons to whom the data may
be transferred.
• Data collected should be necessary but not
excessive.

PCPD Six Data Privacy Principles (3/5)
DPP2 – Accuracy & Retention Principle
• Personal data must be accurate and should not be
kept for a period longer than is necessary to fulfil
the purpose for which it is used.

DPP3 – Data Use Principle
• Personal data must be used for the purpose for
which the data is collected or for a directly
related purpose, unless voluntary and explicit
consent with a new purpose is obtained from the
data subject.

PCPD Six Data Privacy Principles (4/5)
DPP4 – Data Security Principle
• A data user needs to take practical steps to
safeguard personal data from unauthorised or
accidental access, processing, erasure, loss or
use.

DPP5 – Openness Principle
• A data user must make personal data policies and
practices known to the public regarding the types
of personal data it holds and how the data is
used.

PCPD Six Data Privacy Principles (5/5)
DPP6 – Data Access & Correction Principle
• A data subject must be given access to his/her
personal data and allowed to make
corrections if it is inaccurate.

Example of Personal Information
Collection Statement
The Alpha Corporation
Personal Information Collection Statement pertaining to Recruitment

Purpose Statement:
The personal data collected in this application form will be used by the Alpha Corporation to assess your suitability to assume the job duties of the position for which you have applied and to determine preliminary remuneration, bonus payment, and benefits package to be discussed with you subject to selection for the position.

Obligatory or optional to provide data:
Personal data marked with (*) on the application form are regarded as mandatory for selection purposes. Failure to provide these data may influence the processing and outcome of your application.

Classes of transferees:
It is our policy to retain the personal data of unsuccessful applicants for future recruitment purposes for a period of two years. When there are vacancies in our subsidiary or associate companies during that period, we may transfer your application to them for consideration of employment.

Access & correction right:
Under the Personal Data (Privacy) Ordinance, you have a right to request access to, and to request correction of, your personal data in relation to your application. If you wish to exercise these rights, please complete our "Personal Data Access Form" and forward it to our Data Protection Officer in the Human Resources.

Question: Can you identify where DPP1, DPP2, DPP3, DPP4, DPP5 and DPP6 have been applied?

Use of Personal Data in Direct
Marketing
• Direct Marketing means sending promotional
information of goods or services, addressed to specific
persons by name by mail, fax, email or phone

• Data user must notify a data subject of his opt-out
right when using his personal data in direct marketing
for the first time

• Upon receiving an opt-out request, the data user must
cease using the data

Use of Personal Data in Direct
Marketing

Direct Marketing
• Email Advertising
• Direct Selling
• Telemarketing
• Couponing
• Direct Mail

Regulation of Direct Marketing
Data User – intends to use personal data or provide personal data to another person for use in direct marketing
Data Subject
Notification → Consent → Provision of Personal Data

Notification
▪ Provide data subjects with “prescribed information” and response channel through which the data subject may elect to give consent
▪ Notification should be easily understandable

Consent
▪ Should be given explicitly and voluntarily
▪ “consent” includes an indication of “no objection”

“Consent” includes a clear indication
of no objection

Return the signed form but did not check the box indicating objection
= consent

Use of Personal Data for own direct marketing:
• Must inform the data subjects of their intention to use the data subjects’ personal data for direct marketing
• Must provide the data subjects with information on the intended use of the data (what personal data to use and for what marketing purpose)
• Must provide the data subjects with a response channel regarding consent
• The information provided by data users is easily understandable
• Must notify the data subjects of their opt-out right for the first time
• Data users must comply with the data subjects’ request at any time to stop using the data subjects’ personal data

Use of Personal Data for third party marketing:
• Same procedure as for own direct marketing.
• Must indicate whether the data is to be provided for gain; and the classes of persons of third party marketing

DPP1, DPP2, DPP3, DPP4 and DPP5/6 also apply in both uses.

~~ End of Module 02 ~~

References
1. Ch. 5 of Ethics and Technology: Controversies, Questions, and Strategies
for Ethical Computing (4th Ed.) by Herman T. Tavani (2012)
2. Ch. 4 of Ethics for the Information Age (6th Ed.) by Michael J. Quinn (2014)
3. Ch. 5 of Understanding Cyber Ethics in a Cyber World by Pierre Boulos
(2008)
4. The nature of losses from cyber-related events: risk categories and
business sectors
https://academic.oup.com/cybersecurity/article/9/1/tyac016/7000422
5. https://en.data-privacy-office.com
6. Website of Office of the Privacy Commissioner for Personal Data, Hong
Kong
https://www.pcpd.org.hk
7. https://dzone.com/articles/data-lake-governance-best-practices

Example of Personal Information
Collection Statement
DPP1, 3

The Alpha Corporation
Personal Information Collection Statement pertaining to Recruitment

Purpose Statement:
The personal data collected in this application form will be used by the Alpha Corporation to assess your suitability to assume the job duties of the position for which you have applied and to determine preliminary remuneration, bonus payment, and benefits package to be discussed with you subject to selection for the position.

DPP1, 3

Obligatory or optional to provide data:
Personal data marked with (*) on the application form are regarded as mandatory for selection purposes. Failure to provide these data may influence the processing and outcome of your application.

Classes of transferees:
It is our policy to retain the personal data of unsuccessful applicants for future recruitment purposes for a period of two years. When there are vacancies in our subsidiary or associate companies during that period, we may transfer your application to them for consideration of employment.

DPP1

Access & correction right:
Under the Personal Data (Privacy) Ordinance, you have a right to request access to, and to request correction of, your personal data in relation to your application. If you wish to exercise these rights, please complete our "Personal Data Access Form" and forward it to our Data Protection Officer in the Human Resources.

DPP6

Question: Can you identify where DPP1, DPP2, DPP3, DPP4, DPP5 and DPP6 have been applied?