- Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

Some practical tips on protecting data privacy online

First, we give a checklist that website operators can follow to ensure that they comply with the Ordinance's 6 principles. Then, we give individual Internet users some general tips for protecting their own online privacy.
A privacy assessment checklist for website operators

This checklist of questions can be used by website operators to help them comply with the privacy protection requirements of the Ordinance:

1. How does my website use a visitor's personal information? Is it only for the reasons stated to the visitor?

2. Is the visitor notified about the purposes for collecting the information when it is collected?

3. Can a visitor opt in or opt out of a marketing database or emailing list?

4. Is the information collected and stored in our personal data database accurate and up-to-date? This is particularly important for credit information data and medical data.

5. Can visitors get access to, change or remove any personal data that is collected and stored online?

6. Have I formulated a privacy policy for the website and if so, is it posted conspicuously on the website for visitors’ access?

7. Have I considered engaging a third party to carry out an independent audit of the privacy protection on my website?

Be cautious when posting data on websites

Website operators are often tempted to post lots of information on their website because it does not cost them much and because they believe that an informative website may attract more visitors. However, Principle 3 of the Ordinance states that any information collected by a data user can only be used for the purposes defined at the time of collection and any other uses of collected data must have the ‘consent’ of the data subject who gave the information.

Imagine that a sports association is hosting a squash competition and asks all the competitors to register for the competition online. After the sports association has received all the competitors’ details, it wants to post the draw for the competition (i.e. tell all the competitors how many games will be played in different age groups or ability groups).

The data collected from each competitor is as follows:

1. Name
2. Age
3. Sex
4. Player level (including information about championships that players have won).
5. Name of the indoor sports club or district the player is representing.

To comply with the Ordinance, the squash association needs to tell all competitors why it is collecting this personal data and it must not use this information for any other reasons, unless it gets the consent of all competitors. So on its website, the sports association tells competitors that its purpose in collecting the information is to tell everyone about the competition's categories. If the association simply uses the information to publicize the different categories of the competition, it is complying with the Ordinance.

However, if the competition attracts some famous players and the sports association decides that it can promote the event by publishing biographies of these players, it may be in breach of the Ordinance if it does not get consent from these players to use their personal information to promote the event.

Encourage anonymous browsing of web sites

Surfing anonymously over the Internet is the safest way to protect your privacy and ensure no release of personal information or data. A person should be able to browse the Internet in the same way that someone can window shop in a shopping arcade without revealing his/her identity, even if he or she makes a purchase.

Therefore, a website should encourage anonymous browsing, or at least give visitors an informed choice about whether or not they need to disclose their identity.

E-mail scam hits bank customers

Scammers forged a bank's identity and sent emails on a massive scale (i.e. spamming). This is called a 'branded fake'. Quite often, the e-mail addresses were randomly generated and then by chance 'hit' the bank's customers. UK customers of MBNA had that experience in February 2004, which was widely reported in the news.

The faked emails came with a variety of subject lines such as "MBNA's OfficiaI Notice," "Attention all MBNA users" and "0fficial Notice for all users of MBNA." The message falsely claimed that the “bank” is putting in a new security system to "help you avoid frequently fraud transactions and to keep your investments in safety".

Customers logging in at the fake page will have their personal bank information or identity stolen and relayed directly to the crooks, who adopted spamming as a cheating tool.

Very often, the link in the email will lead the customer to a site bearing a 'look and feel' (colour, layout and even fonts) highly similar to the true site; in any event, the site will have a professional look in order not to arouse the customer's suspicion.

To avoid this kind of fraud, customers are advised to note the following:

1. Ensure that the emails truly come from the bank.

2. Don't click on any links provided in the emails without thinking.

3. Before deciding to take any action, including clicking on the link, visit the true site first.

4. If a customer has doubts or is not sure, telephone the bank's customer hotline and enquire. Make sure that the telephone number is the number of the true bank.

5. If you have accidentally clicked on the link, compare the domain name of the site with that of the true site.

6. Report to the bank if you suspect there is a fraud or attempted fraud or you have been cheated.

7. Informing the bank IMMEDIATELY on being cheated is VERY IMPORTANT. This will enable the bank to take immediate steps to stop the crook from dealing with your bank account.
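A mechanical way to carry out step 5, comparing the domain of a link with the true site, added here as an illustration and not part of the original advice. The bank domain and the sample e-mail are constructed placeholders; the check also flags the character swaps seen in the quoted subject lines ("0fficial", "OfficiaI") and the "bank@other-site" trick, which goes a little beyond the step as stated.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder for the bank's real domain. Take it from your
# statement or card, never from the e-mail you are checking.
TRUE_BANK_DOMAIN = "examplebank.example"

# Look-alike swaps seen in the quoted subject lines ("0fficial", "OfficiaI"):
# digit zero for o, digit one and the letter i (lower-cased capital I) for l.
_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "i": "l"})

def host_of(link: str) -> str:
    """Return the lower-cased host a link really leads to ('' if none)."""
    if "://" not in link:
        link = "http://" + link
    # urlsplit drops a 'user@' prefix: 'https://bank@evil.example' -> evil.example
    return (urlsplit(link).hostname or "").rstrip(".")

def _normalise(text: str) -> str:
    # Applied to both sides of every comparison, so genuine i's cancel out.
    return text.lower().translate(_LOOKALIKES)

def classify_link(link: str, true_domain: str = TRUE_BANK_DOMAIN) -> str:
    """'genuine', 'lookalike', 'unrelated' or 'no-host' for one link."""
    host = host_of(link)
    true_domain = true_domain.lower()
    if not host:
        return "no-host"
    # Genuine: exactly the bank's domain or one of its own subdomains.
    if host == true_domain or host.endswith("." + true_domain):
        return "genuine"
    # Look-alike: the same name once the character swaps are undone ...
    if _normalise(host) == _normalise(true_domain):
        return "lookalike"
    # ... or the bank's name placed elsewhere in the link, e.g.
    # 'examplebank.example.attacker.example', 'secure-examplebank.example'
    # or the 'https://examplebank.example@attacker.example' user-info trick.
    if _normalise(true_domain.split(".")[0]) in _normalise(link):
        return "lookalike"
    return "unrelated"

def scan_message(body: str, true_domain: str = TRUE_BANK_DOMAIN) -> list:
    """Find every http(s) link in an e-mail body and give a verdict for each."""
    links = re.findall(r"https?://[^\s<>\"']+", body)
    return [(link, classify_link(link, true_domain)) for link in links]

# Constructed sample e-mail in the style quoted above.
SAMPLE = ("0fficial Notice: log in at https://examp1ebank.example/login or "
          "https://examplebank.example@secure-login.example/ today. "
          "Real site: https://www.examplebank.example/")
VERDICTS = scan_message(SAMPLE)  # verdicts: lookalike, lookalike, genuine
```

A 'lookalike' verdict is a reason to stop and telephone the bank (step 4), not proof of fraud; a 'genuine' verdict only says the host matches the domain you supplied.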

In the past few years, many banks in the UK and US, as well as in Hong Kong, have been hit by phishing scams. In Hong Kong, fraudsters were found attempting to cheat banks' customers by setting up fake websites using domain names highly similar to those of the true banks. To give a few examples: HSBC, DBS and Bank of East Asia.

In December 2003, NatWest of UK temporarily suspended its internet banking facility after some of its customers were sent fraudulent e-mails asking them to divulge their account details.

In October 2003, Nationwide and NatWest in UK were targeted by a similar hoax as was the Halifax, while in September fraudsters tried to trick customers of Lloyds TSB and Barclays.

On 7 December 2001 in the UK, a five-strong Net fraud gang was sentenced to a total of just under eight and a half years for conspiring to defraud online banks.

The four men and one woman made bogus multiple credit card applications with Egg, Cahoot, Smile, Marbles, MBNA, and SonyCard.

The gang, hailing from Buckinghamshire and Northamptonshire, were arrested by officers from the National Crime Squad in August 2000 after a six-month operation.