Tech-Privacy Expert: Embed Privacy Before Systems Are Built
"Privacy-by-design" is the guiding principle for tech pros, says Henry Chang, information technology advisor, Office of the Privacy Commissioner for Personal Data (PCPD).
CWHK: Can you share with us your professional background? When did you start to become aware of data privacy?
Henry Chang: I became interested in tech-related compliance and regulations about six or seven years ago. While I was working at OFTA (Office of the Telecommunications Authority), I took up an advisory role when Hong Kong was establishing its Unsolicited Electronic Messages Ordinance.
I don't come from a legal background, but tech-related compliance is important when it comes to making sure the use of technologies can benefit the public.
CWHK: How long have you been in IT?
HC: More than 20 years. Prior to PCPD and OFTA, I worked for different organizations including the Hong Kong Monetary Authority and the British Museum.
CWHK: Are you the first IT advisor at the Office of the PCPD?
HC: Yes--I joined the office in 2010 when LegCo approved the budget for this post. But the Office of the PCPD had a solid understanding of the implications of technologies for data privacy before this particular post was created. Hong Kong's first Privacy Commissioner, Stephen Lau, is a tech veteran.
CWHK: What's the role of IT advisor at the Office of the PCPD? What are the challenges facing you?
HC: My responsibilities are broad--ranging from operations and investigation to communications with the local IT industry. When it comes to data privacy, the use of technology is a prime concern, as almost all data are in digital form today. The task of embedding data privacy and protection into technology practices is challenging because traditional practice is to implement privacy-related technologies after a system is built.
That's the major reason why people see a trade-off between system functionality and data privacy/security. If we embed privacy and security in dataflow and the data lifecycle before a feasibility study is done, we don't have to sacrifice functionality--we call this principle privacy-by-design.
CWHK: In general are local IT pros concerned about data privacy? What are their major concerns?
HC: The Octopus incident was a clarion call to action in addressing data privacy issues in Hong Kong. While many local tech workers are aware of these issues, they don't have a roadmap to overcome them.
Last December, we started to provide training to IT managers, aiming to develop professionals that bring data privacy culture to their organizations.
CWHK: The Office of the PCPD helped the Hong Kong Computer Society come up with a practical guide for IT pros published in January. What was your role in this guide?
HC: I was there as a coordinator between the Office and the HKCS to make sure the guide is factually correct in its sections on data privacy laws.
We also organized a data privacy training session on the day of the practical guide launch, which more than 30 people attended.
CWHK: Will there be any further data privacy training for IT pros in the future?
HC: We provide training on an ongoing basis for members of the public and professionals in different areas like IT, law, and banking and finance, in addition to workshops for members of the public. While sessions for the public are free, we charge professional participants HK$450 for each industry-specific workshop. The charge isn't about making money--organizations are data collectors who have the responsibility to make sure they understand and comply with relevant laws. But individual members of the public are data subjects--it's our responsibility to provide them with free training.
CWHK: Do you think organizations will create roles like "data privacy manager" in the future?
HC: Many firms know they must do something, but I don't see them creating a new post to ensure data privacy. Everyone in an organization must be data privacy-aware.
CWHK: In the past few years, the Hong Kong Police, Hospital Authority and OFTA leaked confidential data by leaving USB drives in public spaces or via Foxy. How did the Office of the PCPD work with them to alleviate the situation? Any improvements so far?
HC: We have issued a guidance note on the use of portable storage devices (PSDs) such as USB thumb drives for all types of organizations. The number of complaints against the government related to security of personal data dropped to 22 in 2011 from 32 in 2008, but the overall number of complaints against both the public and private sectors grew from 793 in 2008 to 1,486 in 2011.
CWHK: Will the office propose a ban on the use of PSDs?
HC: This isn't practical. We mention in our guidance note that storing confidential data on PSDs isn't best practice and organizations should avoid storing too much data on them. But the Office of the PCPD can't propose a ban because we're here to facilitate technology use while minimizing the impact of data privacy breaches.
CWHK: Organizations increasingly embrace BYOD (Bring Your Own Device) in a work setting. How might this impact data privacy at personal and corporate levels?
HC: Organizations must have enough security control to protect internal data before they allow BYOD. For instance, if firms allow workers to access company data via smartphones, they need to know if the phones have been "jailbroken."
CWHK: What has the office done regarding the changes in Google's user data privacy policy?
HC: We have been in talks with Google because the company hasn't provided information on user options. At this stage, there isn't any choice to opt out of this scheme of letting Google share more of your data across its services--you either continue to use the Google services as usual or you delete your account.
As far as I know, many organizations around the globe have taken actions. For instance, the Electronic Privacy Information Center in the US filed a lawsuit to compel the US-based Federal Trade Commission to enforce the Google [user] consent order and block Google's proposed user data consolidation before March 1.
CWHK: What technologies and tech issues are you interested in? If you were not an IT advisor at the Office of the PCPD, what would you be doing?
HC: I am interested in computer forensics. This skill is needed by organizations like banks, consultancies, and the police force.