GF 323
CONFIDENTIAL
recommended by the Sub-committee, but also voluntary compliance without legislation and other options open for consideration, i.e. the do-nothing approach, the self-regulatory approach and the compulsory compliance approach.
12. The do-nothing approach
This approach aims at maintaining the status quo of non-intervention in the use of personal data stored in computer systems. The success of this approach would depend greatly on the conscientiousness of computer operators and related personnel in ensuring that personal data intended for a particular lawful purpose was not divulged freely to the disadvantage or inconvenience of the data subject. This approach does not seem appropriate in the present local situation where computer applications have become widespread and there has been increasing public awareness concerning data protection. Consequently, it is thought, the adoption of this approach would lead to public concern. Moreover, having regard to the fact that measures have been implemented in the United States and some European countries for data protection and privacy, this approach, if adopted, might adversely affect Hong Kong's image as a major international commercial and financial centre.
13. The self-regulatory approach
This approach is the one adopted for certain federal government agencies in America under the United States Privacy Act of 1974. The Act applies to both computerized data banks and to manual records. The major characteristic of this Act, as distinct from other national legislation on privacy, is its concept of self-regulation without a government or government-appointed supervisory or regulatory authority. The US Act requires each of the federal agencies to publish full details of their record systems, showing how they comply with the very detailed rules embodied in the Act. Individuals' rights of access and challenge are provided for and there are criminal and civil sanctions. However, the enforcement of the US Act is left to the individual, who has a right of civil action against the agency concerned if the Act's provisions are breached. The inherent weakness of the US Act is that it covers only federal Government systems and it is insufficient on its
Various state governments in the United States have introduced legislation to further protect the privacy of personal information stored in computer systems. Personal data protection is reinforced in the United States by the Counterfeit Access Device and Computer Fraud and Abuse Act 1984 which makes it a criminal offence to access and use