Recent guidance published by the Hong Kong Commissioner covered the use of CCTV and Drones, and the collection of Biometric data.
CCTV and Drones
A specialist drone retailer estimates that there are now more than 5,000 drone users in Hong Kong. As well, Hong Kong is the hub for shipment of over 90% of the world's drones. Recently updated guidance issued by the Hong Kong Commissioner expanded guidance regarding use of CCTV to also be applicable for drones.
Hong Kong is seemingly the first Asia Pacific jurisdiction to address the use of drones from a Privacy perspective. There has been attention and legislation around drones, but it has been focused on Aviation and safe operation.
As with the collection of Biometric data, recommendations for the use of CCTV and drones include an assessment of the need for CCTV, and give examples of suitable uses such as "deterring and detecting specific or repeated criminal activities like the throwing of corrosive liquid from heights". Always the user is advised to search for the least intrusive option, to safeguard the data, destroy it as soon as it is not needed, and endure that subjects are aware of cameras.
Covert CCTV surveillance should not be used without strong/overriding justification, and only as the last resort. Other specifics address third party contractors who have access to images, requiring that contractual or other means ensure that personal data accessible by contractors is not kept longer than necessary.
The updated guidelines for drone operators suggest conducting privacy impact assessments of potential flight paths, determining in advance what to do with any irrelevant data captured, and alerting people in the immediate flight paths that they are being filmed.
Although Hong Kong law does not distinguish between Personal Data and Sensitive Personal Data, the commissioner has published Guidance pertaining to Biometric Data, indicating that it merits added protection.
The ten page booklet stresses that biometric data should be collected only if absolutely necessary and if other data collection means do not meet the required security objectives. A Privacy Impact Assessment should be conducted and the Guidance suggests questions to help inform the decision of whether other means might be adequate.
If Biometric data is to be collected, the subjects should be fully apprised and consent should be freely given. The minimum of necessary data should be collected and it should be used only for the original stated purpose. The data should be safeguarded and deleted once it is no longer required.