CODE OF PRACTICE FOR RELEASE OF INFORMATION

HONG KONG INTERNET SERVICE PROVIDERS ASSOCIATION

CODE OF PRACTICE FOR RELEASE OF INFORMATION

Draft Version 0.9
27 Aug 2015
www.hkispa.org.hk

Gratitude to Squire Patton Boggs for preparing this documentation

1. BACKGROUND AND OBJECTIVE OF THIS CODE

1.1 Hong Kong Internet Service Providers Association ("HKISPA"), Hong Kong Customs and Excise Department ("Customs") and Hong Kong Police Force ("Police") recognise a commonality of interest between industry and government in prevention, detection and investigation of criminal activity whilst balancing the rights and privacy of individuals.

1.2 Safety, security and reliability of the Internet are dependent upon early detection of criminal activity that might undermine achievement of these objectives. However, this requires a balancing of such fundamental rights as the right of individuals to privacy of communications and the right of individuals to be protected against criminal activities.

1.3 To address the legitimate rights and expectations of law abiding citizens to the protection of their personal information, HKISPA together with input from Customs and the Police has developed this Code. This Code endeavours to set clear procedures for cooperation between ISPs, Customs and the Police in an effort to balance the interest of the parties involved.

2. CONTRACTUAL OBLIGATION TO KEEP INFORMATION CONFIDENTIAL

2.1 ISPs would often have contractual obligations to keep information confidential and not to release such information to any third parties except in certain circumstances such as disclosures made pursuant to a court order or a request from governmental authorities.

2.2 ISPs should bear in mind that unless disclosures are permitted under the relevant contract, it is likely a breach of contract even if the request was made by governmental authorities such as Customs and the Police, especially if such requests are not legally binding on the ISPs. In such case, unauthorized disclosures may subject the ISP to liability towards its customers.

2.3 Moreover, some contracts would require the ISP to notify the intended disclosure to the relevant customer prior to the disclosure. These are important obligations that must be complied with unless restricted by legislation, such as legislation that prevents the act of tipping off.

2.4 In light of the above, prior to any disclosure, ISPs should ensure that such disclosures are permitted under the relevant contract.

3. PERSONAL DATA (PRIVACY) ORDINANCE

3.1 Even if ISPs are not contractually bound to keep information confidential, ISPs should take note that the Personal Data (Privacy) Ordinance ("Ordinance") may be applicable to the intended disclosure if the data concerned constitutes Personal Data.

3.2 Pursuant to Section 2 of the Ordinance, Personal Data means any data:

3.2.1 relating directly or indirectly to a living individual;

3.2.2 from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

3.2.3 in a form in which access to or processing of the data is practicable.

3.3 It is important to note that Personal Data only covers data relating to a living individual. Therefore, corporate information such as contact details of staff and clients which constitute personal data of the relevant individuals will be covered under the Ordinance.

3.4 Pursuant to the Data Protection Principle ("DPP") 3 of the Ordinance, ISPs shall not, without the prescribed consent of the data subject, disclose the personal data of the data subject for a purpose unrelated to the original purpose of collection. The Ordinance contains certain exemption provisions, including section 58(2). If the exemption provision is applicable, the data will be exempted from the relevant requirement of the Ordinance, and a data user who discloses the personal data to a third party under such circumstances should not constitute a contravention of DPP3.

3.5 There is no provision in the Ordinance compelling ISPs to disclose the personal data of a data subject to a third party. Whether ISPs may rely on the exemption under section 58(2) of the Ordinance to disclose the data is for the ISP to decide. If the ISP decides to disclose the data by relying on the exemption provisions of the Ordinance, it will have to bear the risk of contravening the Ordinance in the event that it is adjudged that the data are not exempted. Under the Ordinance, ISPs have no duty and cannot be compelled to rely on the exemption provisions to disclose others' personal data.

3.6 If ISPs wish to rely on section 58(2) of the Ordinance in disclosing the personal data of a data subject to Customs and/or the Police, it must fulfil two major conditions:

3.6.1 the data are to be used for a purpose specified in section 58(1) of the Ordinance, e.g. detection of crime, prevention of unlawful or seriously improper conduct or dishonesty, etc; and

3.6.2 the application of DPP3 to such use would be likely to prejudice any of those purposes.

3.7 Even if the data fulfil the first condition, the ISP still has to consider the second condition. According to the Administrative Appeals Board's decision in Administrative Appeal No. 5 of 2006, whether or not the relevant purposes would likely be prejudiced does not depend upon the subjective belief of the data user, but an objective inference. ISPs must be prudent and should not hastily conclude that section 58(2) of the Ordinance is applicable by merely relying on general allegations made by data requestors; otherwise the requirements of DPP3 may be contravened.

3.8 A third party who requests personal data of a data subject from a data user should provide sufficient information to the data user, including the purpose of requesting the data (e.g. which kind of unlawful conduct he is trying to prevent?) and how the application of DPP3 to the disclosure of the data would likely prejudice the purposes, etc., so that the data user can consider whether section 58(2) of the Ordinance is applicable. On the other hand, if the ISP considers the information inadequate, it should ask for explanation and provision of more information from the requestor. ISPs shall not hastily disclose the personal data of the data subject by just relying on the words of or general allegation made by the requestor.

3.9 Even if the data are intended to be used for prevention of crime or seriously improper conduct, disclosure of the data on a ground that is not substantiated by evidence may cause serious harm to the data subject's data privacy. Therefore, ISPs may disclose the data to the third party only upon sufficient information to satisfy itself that the data are exempted.

4. REQUEST FORM FOR RELEASE OF INFORMATION

4.1 To standardize the manner in which Customs and/or the Police may request ISPs to provide information, HKISPA has prepared a standard form, annexed as Schedule 1, that Customs and the Police have agreed to use when requesting information from ISPs.

4.2 An ISP is not legally required to comply with any request merely because Customs and/or the Police have completed the standard request form, especially if the request is not made pursuant to a court order or warrant.

4.3 ISPs are requested to exercise their own care and diligence in considering whether to comply with a request to ensure that they do not become liable in any manner by complying with a request. If in doubt, ISPs should seek legal advice immediately upon receiving a request. In most circumstances, Customs and the Police would wait for your lawyer to arrive at the scene even if there is a court order or warrant.

5. MINIMAL DISRUPTION TO ISPS

5.1 If ISPs decide to comply with a request, Customs and the Police have kindly agreed that, where possible, they can make a mirror copy of the data instead of physically removing the hardware and servers from the data centre of the ISPs so as to cause minimal disruption to the daily operations of the ISPs.

5.2 In such cases, it is likely that the officer from Customs and/or the Police would have to be in charge and at least oversee the copying process so as to maintain the chain of evidence so that the evidence can be used in court. As this copying process may take significant time, ISPs may have to provide manpower to support Customs and/or the Police in such operations.

Schedule 1

Date of Request:
Full Name of ISP: ("ISP")

Requesting Party's Details

Full Name of Government Authority: ("Authority")
Full Name of Requesting Officer:
Rank of Requesting Officer: (Rank must be Senior Officer or above)
Telephone Number:
Fax Number:
Reference No.:

Information Requested

Please state clearly the details of the information requested:
(If necessary, please attach additional pages)

Is the request made pursuant to a Court Order or Warrant: Yes / No*
(If yes, please enclose a copy of the Court Order or Warrant)

If the request is not made pursuant to a Court Order or Warrant, please answer Questions 1-6.

1. Please confirm if the requested data will be used for one of the purposes stated in section 58(1) of the Personal Data (Privacy) Ordinance, and that not disclosing the data will likely prejudice the purposes.
* Yes
* No

2. If your answer to question 1 is Yes, please specify:
(a) the particular purpose under section 58(1) for which the data are to be used.
(b) the nature of the conduct involved.
(c) how the said purpose would likely be prejudiced by the application of DPP3 (i.e. obtaining the prescribed consent of the data subject for release of the data).

3. Please state clearly any other legal basis for the request citing the relevant sections of the legislation and which kind of unlawful conduct is the Authority trying to prevent:
(If necessary, please attach additional pages)

4. Please confirm if the data owner should be made aware of the act of this request.
* Yes. Please state the time when the data owner should be made aware of this request:
* No. Please state reason why the data owner should not be made aware of this request:

5. Please confirm that the present request is made because the Authority has no feasible alternative and this is the only way to obtain the data required for the purposes specified in section 58(1) of the Personal Data (Privacy) Ordinance.
* Yes
* No

6. Please confirm if the Authority will indemnify the ISP for complying with this request.
* Yes. The Authority confirms that it shall fully indemnify the ISP, to the extent permissible by law, for any loss and damage suffered by the ISP from any claim or law suit in connection with or arising from complying with this request.
* No. The Authority confirms that the ISP may refuse to provide the data requested. If the ISP complies with the Authority's request and releases the requested data, it shall bear on its own all the associated legal risk and cost consequences.

Note to ISPs: Regardless of Yes or No to Question 6 above, you have the right to refuse providing the data unless the request is pursuant to a Court Order or Warrant. However, if the answer to Question 6 is No or the answer is left blank, you are advised to carefully consider the legal risk associated with releasing the data.

By making this request, the Authority hereby confirms that this request is a lawful request and in the Authority's opinion, the ISP will not be held liable in any manner for complying with this request.

Signature of Requesting Officer
Date

* Please delete as appropriate