Manufacturers of fitness bands and Internet of Things (IoT) devices in Hong Kong need to better communicate their privacy and security measures to consumers, according to a study conducted by the Office of the Privacy Commissioner for Personal Data (PCPD), Hong Kong.
The study examined five locally manufactured fitness bands and their apps from April to June 2016. It aims to explore the "privacy challenges and implications brought about by [IoT manufacturers] so as to raise the privacy awareness of the device manufacturers," said Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong.
None of the device manufacturers specified where they would store personal data, and only one told consumers that it would safeguard the collected personal data.
The study also found that only two manufacturers provided information on how consumers can contact them for privacy-related matters.
"While the IoT devices can enhance the quality of people's daily lives, they also trigger privacy concerns in this Big Data era as they have the ability to collect, generate and analyse data about their users. The manufacturers therefore should adopt "Privacy by Design" and "Privacy by Default" when they proceed to develop the devices and the associated mobile applications with a view to protecting and respecting consumers' personal data. The trust and business reputation amongst consumers would then be built and enhanced, generating more business opportunities in return," Wong said.
To help manufacturers enhance the transparency of their privacy protection measures, PCPD recommended that they:
- State clearly the types of personal data to be collected, the purposes of collection, the potential transferees of the personal data, and the security measures adopted to safeguard the personal data;
- Adopt "Privacy by Design" and minimise data collection;
- Adopt "Privacy by Default" for all IoT devices and associated apps;
- Incorporate sufficient security safeguards to protect the personal data in transmission and in storage;
- Offer opt-out choices to users if the related apps need to access data that is not directly relevant to the core functions of the device (such as location data, and phone book);
- Provide clear instructions to users for erasing personal data stored in IoT devices and storage elsewhere; and
- Provide contact information so that users can contact an official on privacy-related matters, and provide timely responses.