HK’s IoT manufacturers should be more transparent about their privacy policies: PCPD

Nayela Deeba | Feb. 7, 2017
Only two out of five fitness band manufacturers provided consumers with information on how they handled personal data

Manufacturers of fitness bands and Internet of Things (IoT) devices in Hong Kong need to better communicate their privacy and security measures to consumers, according to a study conducted by the Office of the Privacy Commissioner for Personal Data (PCPD), Hong Kong.

The study examined five locally manufactured fitness bands and their apps from April to June 2016. It aimed to explore the "privacy challenges and implications brought about by [IoT manufacturers] so as to raise the privacy awareness of the device manufacturers," said Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong.

Out of the five devices examined, two came with a privacy policy explaining how the manufacturer handled personal data.

None of the device manufacturers specified where they would store personal data, and only one told consumers that it would safeguard the collected personal data.

The study also found that only two manufacturers provided information on how consumers can contact them for privacy-related matters.

"While the IoT devices can enhance the quality of people's daily lives, they also trigger privacy concerns in this Big Data era as they have the ability to collect, generate and analyse data about their users. The manufacturers therefore should adopt 'Privacy by Design' and 'Privacy by Default' when they proceed to develop the devices and the associated mobile applications with a view to protecting and respecting consumers' personal data. The trust and business reputation amongst consumers would then be built and enhanced, generating more business opportunities in return," Wong said.

To help manufacturers enhance the transparency of their privacy protection measures, PCPD recommended that they:

  • Use simple language when crafting the privacy policy to help consumers better understand important information;
  • State clearly the types of personal data to be collected, the purposes of collection, the potential transferees of the personal data, and the security measures adopted to safeguard the personal data;
  • Adopt "Privacy by Design" and minimise data collection;
  • Adopt "Privacy by Default" for all IoT devices and associated apps;
  • Incorporate sufficient security safeguards to protect the personal data in transmission and in storage;
  • Offer opt-out choices to users if the related apps need to access data that is not directly relevant to the core functions of the device (such as location data, and phone book);
  • Provide clear instructions to users for erasing personal data stored in IoT devices and storage elsewhere; and
  • Provide contact information so that users can contact an official on privacy-related matters, and provide timely responses.
