Personal data means any data “relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable” (e.g. a document or a video tape).  The legal definition of personal data can be found in section 2 of the Personal Data (Privacy) Ordinance ( Cap. 486 )(“the Ordinance”).

Obvious examples of personal data are an individual’s name and fingerprints, through which he or she can be identified. Alternatively, it may also be practicable to ascertain an individual through a combination of data such as telephone number, address, sex and age of an individual.

The Ordinance came into force on 20 December 1996. It applies to any person who collects, holds, processes and uses personal data within the private and public sectors as well as government departments. Generally speaking, the Ordinance governs the ways of collecting and using personal data, and prevents any abuse of data that is considered as intruding on an individual’s privacy.

Under current statutory and common law in the Hong Kong SAR, only personal data is protected under the Ordinance. Article 14 of the Hong Kong Bill of Rights stipulates that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” However, the Ordinance does not cover privacy matters other than personal data.

Any person or organization collecting, holding, processing or using personal data must comply with the six data protection principles laid down in section 4 and schedule 1 of the Personal Data (Privacy) Ordinance . (Note: The person from whom personal data are or will be collected is called the “data subject” , and the person or organization that is collecting the personal data is called the ” “data user” .)

The Privacy Commissioner’s Office (PCO) may issue an enforcement notice to the person or company who committed the breach, with intent to direct that wrongdoer to stop violating the data collection principles and take any necessary remedial action. Non-compliance with the PCO’s enforcement notice is an offence and is liable to a fine or imprisonment. The victim who suffers damage, including injury to feelings, as a result of such violation may also be entitled to compensation from the wrongdoer through civil proceedings.

Principle 1 – purpose and manner of collection of personal data

Personal data must be collected for a lawful purpose. The purpose of collection must be directly related to a function or activity of the data user. The data collected should be adequate but not excessive in relation to that purpose.

Personal data should also be collected by lawful and fair means. Unauthorized access to another person’s bank account records or credit card information is an example of unlawful means of collecting personal data. If a person/organization intentionally uses a misleading way to collect personal data, this amounts to an unfair means of data collection. A company collecting the personal data of job applicants by means of recruitment activities when in fact they are not really recruiting any one is an example of unfair means of collecting personal data.

When personal data are collected from an individual, that person (the data subject) must be provided with the following information, which includes:

• the purpose for which the data are to be used;
• the classes of persons to whom the data may be transferred;
• whether it is obligatory or voluntary for the data subject to supply the data;
• the consequences arising if the data subject fails to supply the data; and
• the data subject has the right to request access to and correction of the data.

Principle 2 – accuracy and duration of retention of personal data

Data users must ensure that the data held are accurate and up-to-date. If there is doubt as to the accuracy of the data, data users should stop using the data immediately. They should not keep the data any longer than is necessary for the purpose for which the data were collected.

Principle 3 – use of personal data

Unless personal data are used with the prescribed consent of the data subject, the data must not be used for any purpose other than the one mentioned at the time the data were collected (or a directly related purpose). “Prescribed consent” means the express consent given voluntarily by the data subject.

Principle 4 – security of personal data

Data users must take appropriate security measures to protect personal data. They must ensure that personal data are adequately protected against unauthorized or accidental access, processing, erasure, or use by other people without authority.

Principle 5 – information to be generally available

Data users must publicly disclose the kind (not the content) of personal data held by them and their policies and practices on how they handle personal data.

The best practice is to formulate a “Privacy Policy Statement” that encompasses information such as the accuracy, retention period, security and use of the data as well as measures taken regarding data access and data correction requests.

Principle 6 – access to personal data

A data subject is entitled to ask a data user whether or not the data user holds any of his/her personal data, and to request a copy of such personal data held by that user. If it is found that the data contained therein is inaccurate, the data subject has the right to request the data user to correct the record.

The data user must accede to the access and correction requests within a statutory period of 40 days. If the data user could not process the request within the period specified, it must provide a reply and state its reasons within 40 days.

Individuals/data subjects who wish to make data access requests may download the Data Access Request Form (OPS003) from the Privacy Commissioner’s Office and send the completed form to the company which holds the personal data. It should be noted that the Ordinance permits data users, in complying with the data access requests, to charge a reasonable fee. However, the data users concerned should not charge more than the direct cost of complying with the requests.

For more details of the six principles, please go to the Personal Data Privacy Liberal Studies provided by The Office of the Privacy Commissioner of Personal Data (PCPD).

A. Exemptions

In some situations, data users may be exempt from the restrictions imposed by the Ordinance or the six Data Protection Principles (DPP). The Personal Data (Privacy) (Amendment) Ordinance 2012 (the Ordinance) introduces further new exemptions. Some examples are summarised below:

Household affairs or recreational purposes

According to section 52 of the Ordinance, personal data for household affairs or recreational purposes is exempt from “DPP 4 and 5, and Ordinance sections 36 and 38(b) . Keeping the phone numbers of your family members for daily communication or keeping the phone numbers of your friends to arrange leisure activities are examples in this category.

Employment-related purposes

Under certain circumstances, data users may be exempt from some (but not ALL) of the restrictions of the six DPPs. Sections 53 , 54 , 55 and 56 of the Ordinance state that personal data used for employment-related purposes is exempt from the provisions of data-access requests. DPP 6 and section 18(1)(b) of the Ordinance require data users to supply the personal data they hold to the data subject. Such data includes, for example:

• personal data relating to staff planning proposals;
• personal data which is the subject of certain evaluative processes prior to the decision being taken and where an appeal can be made against such a decision, including the processes of recruitment, promotion, awarding, removal or disciplinary action; or
• a personal reference for an appointment up to the time when the position is filled.

Health grounds

Under section 59 of the Ordinance, personal data relating to the physical or mental health of a data subject is exempt from the provisions of data access requests (DPP 6 and section 18(1)(b) of the Ordinance) and restrictions on data use (DPP3) if the application of those provisions would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.

In addition, according to section 59(2) , enacted in 2012, if the application of restrictions on data use would be likely to cause serious harm to the physical or mental health of a data subject or any other individual, personal data relating to the identity or location of the data subject would also be exempt from DPP 3.

Care and guardianship

Personal data in relation to a minor which is transferred or disclosed to the minor’s parent or guardian by the Hong Kong Police Force or the Customs and Exercise Department is exempt from the restrictions on personal data use (DPP 3) if the transfer or disclosure is in the interest of the minor and would facilitate proper care and guardianship of the minor. ( section 59A , enacted in 2012)

News activities

Under section 61 , if personal data is held for the purpose of news activities, such data may be exempt from the provision in respect of data-access requests (DPP 6; sections 18(1)(b) , 38(i) , 36 and 38(b) ), unless and until the data is published or broadcast. If the data user is of the view that the disclosure of the personal data is in the public interest, then such disclosure may also be exempt from the restrictions on use (DPP 3).

In an appeal case reported by the Privacy Commissioner for Personal Data (PCPD) concerning the issue of public interest in news activities, the principal of an academic institute disclosed personal data of his staff to newspaper reporters in order to defend the reputation of the institute in response to accusations made by the complainant. It was held by the PCPD that such disclosure was in the public interest in facilitating fair and balanced reporting (please refer to Complaint Case Notes for full details).

Human embryos

Under section 63 , personal data which consists of information showing that an identifiable individual was or may have been born in consequence of a reproductive technology procedure is exempt from the provisions of DPP 6 and section 18(1)(b) , provided that its disclosure under those provisions is made in accordance with section 33 of the Human Reproductive Technology Ordinance ( Cap 561 ).

Emergency situations

Under section 63C , enacted in 2012, personal data is exempt from the restrictions on the collection of data (DPP 1(3)) and on the use of data (DPP 3) if the application of those provisions would be likely to prejudice the identification of an individual involved in a life-threatening situation, informing the individual’s immediate family members of his situation, the carrying out of emergency rescue operations, or the provision of emergency relief services.

B. Outsourced processing of personal data

It is an increasingly common practice for data users to outsource and entrust personal data processing to third parties. There have also been an increasing number of personal data leakage incidents which have occurred during the outsourced processing of personal data, which may have caused substantial and irreparable damage to the affected data subjects.

All the data protection principles apply to the processing of personal data by a third party. Under the Ordinance, where personal data is entrusted to a data processor, a data user is liable as the principal for any act done by its authorised data processor.

The Amendment Ordinance 2012 provides enhanced protection by amending DPP 2 and DPP 4. With effect from 1 October 2012, additional obligations are imposed on a data user which engages a data processor, whether within or outside Hong Kong, to carry out data processing on that user’s behalf. The data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data (DPP2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the data (DPP 4(2)).

Under the amended Ordinance, data processor means a person who:

1. processes personal data on behalf of another person; and
2. does not process the data for any of the person’s own purposes.

Please read the PCPD’s leaflet for more details on the new obligations.

With the rapid advancement in information and communication technologies (ICT) and the popularization of outsourcing the processing of personal data, the collection (other than from the data subject directly) and dissemination of personal data has become much easier. This also makes it easier for data subjects to suffer damage if a person, whether or not entrusted by the data user, intentionally discloses the personal data obtained from a data user. In view of the seriousness of any intrusions into personal data privacy and the gravity of the harm that may be caused to the data subjects, the Amendment Ordinance 2012 creates a new offence to combat the disclosure of personal data obtained without the consent of the data user under certain conditions.

Under section 64 , it is an offence for any person to disclose any personal data of a data subject obtained from a data user without the data user’s consent:

1. with the intent to obtain gain in money or other property, whether for the benefit of the person or another person;
2. with the intent to cause loss in money or other property to the data subject; or
3. irrespective of his intent, with the disclosure causing psychological harm to the data subject.

The maximum penalty is a fine of $1,000,000 and imprisonment for five years.

Please read the PCPD’s leaflet for more details on the new offence and its justification.

The Code of Practice on the Identity Card Number and other Personal Identifiers and its compliance guide for data users (issued by the Privacy Commissioner’s Office) came into force on 19 December 1998 . Any breach of the Code may be used as evidence in any legal proceedings relating to the Ordinance against the relevant data user.

The Code gives practical guidance to data users on the application of the Ordinance in relation to the collection, accuracy, retention, use and security of: (a) identity card (“ID card”) numbers and copies of ID cards; and (b) other personal identifiers that uniquely identify individuals, e.g. passport numbers, employee/staff numbers, examination candidate numbers and patient numbers.

Where a data user has collected an ID card number or copy of an ID card for a purpose allowed under the Code, the data should generally be used ONLY for that purpose. The records of ID card numbers or ID card copies should not be kept for longer than is necessary to fulfill the purpose for which they were collected.

Data users should also implement adequate security safeguards for data that they hold or transmit. Specifically, the Code requires that a copy of an ID card in paper form should be marked “copy” across the image of the ID card. Records of ID card numbers and ID card copies should also be treated as confidential documents which should be kept in locked cabinets or secure areas when they are not in use.

Due to advances in easy-to-use technology and lower costs, fingerprint data for personal identification has been put to use for purposes other than the investigation of crime. To regulate the use of this sensitive personal data, the Commissioner revised the note entitled Guidance on Collection of Fingerprint Data in May 2012.

NOTE:

The above questions and answers only highlight the general points of the Code. For further information, please refer to the whole content of the Code on the PCPD webpage . It is recommended that you contact the PCPD or consult a lawyer if you have any queries about the Code.

1. Generally speaking, under what circumstances can a person ask me to provide my ID card number or ID card copy?

ID card number

Unless authorized by law, no data user may compel an individual to provide his or her ID card number. A data user may request an individual to provide his or her ID card number under the circumstances where the collection of the ID card number is permitted by the Code. The following list contains some daily examples (this is not an exhaustive list):

• Where there is an Ordinance which requires data users to collect ID card numbers, e.g. section 17K of the Immigration Ordinance ( Cap. 115 ) requires employers to keep a record of the number of the document, which is usually an ID card, by virtue of which each employee is lawfully employable.
• Where the use of the ID card number is necessary for any of the purposes mentioned in section 58(1) of the Ordinance, which includes the prevention or detection of crime, and the assessment or collection of any tax or duty.
• To enable the data user to identify the individual concerned or to attribute data to him or her where any of the following is necessary:
  • to advance the interests of the individual, e.g. to ensure that the correct medical record is referred to when treating a patient;
  • to prevent any third party other than the data user from suffering a detriment, e.g. to ensure that someone else is not given the wrong medication because the wrong medical record is referred to;
  • to enable the data user to safeguard against damage or loss that is more than trivial, e.g. drivers involved in a traffic accident may exchange ID card number in order to identify each other when pursuing a claim arising from the accident.
• For inclusion in a document that establishes or is evidence of any legal or equitable right or interest or legal liability that is not trivial, e.g. in documents that establish an individual’s right of ownership of a flat.
• As the means of future identification of an individual who is permitted to enter premises where monitoring of the activities of the individual inside the premises is not reasonably practicable, e.g. entry to a commercial building outside office hours.
• As a condition for allowing an individual to have custody or control of property which is of a value that is more than trivial, e.g. rent a flat or car.

ID card copy

Again, no data user may compel an individual to provide a copy of his or her ID card unless authorized by law. A data user may request an individual to provide a copy of his or her ID card under the circumstances where the collection of the copy is permitted by the Code. The following list contains some daily examples (this is not an exhaustive list):

• To carry out any of the purposes mentioned in section 58(1) of the Ordinance, which includes the prevention or detection of crime, and the assessment or collection of any tax or duty.
• To provide proof of compliance with any statutory requirement, e.g. an employer may collect a copy of an ID card to prove compliance with the requirement of section 17J of the Immigration Ordinance ( Cap.115 ) to inspect the ID card of an individual when the employer intends to confirm the employment of that person.
• To comply with a requirement to collect an ID card copy which is included in any code, rules, regulations or guidelines applicable to the data user and which requirement has been endorsed in writing by the Privacy Commissioner, e.g. banks may collect copies of the ID cards of their customers according to the Money Laundering Guidelines issued by the Hong Kong Monetary Authority.
• To collect or check the ID card number of the individual, but only if the individual has been given the choice of presenting his or her ID card in person instead (e.g. Transport Department is permitted to collect copies of ID cards for this purpose in relation to applications for driving licences made by post, as individuals are given the choice of presenting their ID cards in person).
• For the issuing of an officially recognised travel document, e.g. the BN(O) passport.

Collection of copies of ID cards is specifically NOT permitted in the Code under the following circumstances:

1. merely to safeguard against a clerical error in recording the name or ID card number of the individual (i.e. the copy should not be collected in order only to enable the person to check the accuracy of the record that has been made of the individuals name or ID card number); or
2. merely in anticipation of a prospective relationship with the individual (e.g. it would not be permissible for an employer to collect a copy of the ID card of an individual only because the employer may wish to offer him or her employment at a later stage).

2. Can the security staff of a building ask me to enter my ID card number in a visitors’ log book at the entrance of a building?

This depends on whether the monitoring of your activities inside the building is feasible or not (e.g. is it feasible to arrange a security guard to accompany you inside the building). If this is feasible, the security staff should not collect your ID card number. If such monitoring is not feasible, they are allowed to collect your ID card number.

However, the security staff should take appropriate security measures to ensure that such entries in a visitors’ log book are concealed from subsequent visitors who enter their details. If you are unwilling to provide your ID card number, you can suggest other alternatives. Examples of such alternatives include identification by another identification document (e.g. a staff card), or identification by someone known to the security staff (e.g. by a resident in the case of a residential building).

It is recommended by the Privacy Commissioner’s Office that in normal circumstances, entries in the visitor log book can be retained for a period of not more than one month. If there are any valid grounds justifying a longer retention period (e.g. where the records are required for evidentiary purposes or to assist a police investigation of detected or reported unlawful activities), the security staff can retain the data for more than one month. For more guidelines on this matter, please refer to the PCO’s publication ” Personal Data Privacy: Guidance on Property Management Practices “.

3. Can a police officer ask me to show him/her my ID card?

A request to show your ID card, without the requester making a record of any information on the card, is not covered by the Code. Generally, however, if police officers or other public officers (e.g. an immigration officer) ask to record your ID card number in your dealings with them, you should let them do so, as these officers have statutory powers to require individuals to furnish their ID card numbers in dealings with the Government.

For further information about the power the police have to check ID cards, please go to another topic Police and Crime under the CLIC website.

4. Can a prospective employer record my ID card number or collect a copy of my ID card when I attend a job interview?

In order to check whether you have applied for or held a position in the company before, the prospective employer can collect your ID card number. However, a copy of your ID card should not be collected unless and until you become an employee of that company.

5. If I have accepted an employment offer, can my employer collect a copy of my ID card?

Yes, as a copy of your ID card is evidence of your employer’s compliance with the requirements of the Immigration Ordinance to inspect your ID card before employing you. However, companies are required by the Code to mark the word “copy” across the image of copies of ID cards to reduce the chance for misuse and abuse.

6. Can a club ask me to provide my ID card number and a copy of my ID card if I apply to be a member?

Generally speaking, collection of ID card numbers of its members by a membership club may be permitted under the Code to enable the club management to check membership. However, there appears to be no justification to collect copies of members’ ID cards.

7. Can companies providing mobile phone services record my ID card number or collect a copy of my ID card if I apply for their services?

These companies operate on the basis of deferred payment (i.e. customers are usually required to make monthly payment after using their services). Hence, they require a means of proving the identity of their customers in order to obtain payment. Moreover, they face the problem that the services concerned are not provided to a fixed location. On the other hand, there have been a number of reported cases of individuals fraudulently obtaining such services using another person’s name and address, and of the salespersons opening accounts for fictitious persons to defraud their company. For these reasons, the collection of the ID card numbers and copies of the ID cards is generally justified under the Code. However, these companies should mark the word “copy” across the image of the copies.

8. Can banks/insurance companies collect a copy of my ID card when I apply to be their customer?

Yes, because they are required to do this under the guidelines issued by the relevant regulatory bodies. These requirements have been endorsed by the Privacy Commissioner. However, the word “copy” should be marked across the image of the copies of their customers’ ID cards.

9. What should I be aware of before I provide my ID card number or ID card copy to other persons?

The Code requires organizations or persons (the data users), before recording an ID card number, to consider alternatives that are less privacy intrusive. If you are not happy about a request to provide your ID card number, suggest to the requestor/data user alternatives that are reasonable and acceptable to you. For example, try to arrange for identification of yourself by someone else who is already known to the organization. An organization may be contravening the Code if it refuses to accept an alternative without a good explanation.

Compared to ID card numbers, stricter limits are imposed on the collection of ID card copies because of the greater dangers they carry in relation to possible fraud or other misuse. Generally speaking, this gives you greater justification in querying a request to provide a copy of your ID card.

The Code generally requires the data users to mark photocopies of ID cards they keep with the word “copy”. This marking should be made across the entire image of the ID card. The only exception to this marking requirement you are likely to encounter is where the photocopy is going to be converted into some other form, e.g. microfilm.

If you provide a photocopy of your ID card in person to a data user, you can insist that it must be marked “copy” in your presence.

Unless otherwise required or permitted by law, data users should ensure that an ID card number and the name of the holder are not displayed together publicly.

One common situation in which a breach of the above requirement may occur is the publication of notices including individuals’ names and ID card numbers in a newspaper (e.g. notices carrying the result of a lucky draw or a competition). Another is the display of notices containing individuals’ names and ID card numbers on a notice board in places such as a school, an office, or the lobby of a residential building. A further one is the inadvertent disclosure of the names and ID card numbers of visitors to subsequent visitors to a building in a visitors’ log-book.

Where you encounter a situation such as those described above, ask the organization/data user to stop displaying or disclosing those data (or else to justify the display/disclosure). An organization is likely to have contravened the Code if it cannot provide good justification.

10. Under what circumstances can a person ask me to provide other personal identifiers (e.g. staff number, passport number or patient number)?

In general, the requirements of the Code in relation to ID card numbers also apply to other personal identifiers. In other words, other personal identifiers may be collected only under the circumstances and by the means permitted for ID card numbers and are subject to similar requirements as regards retention and use.

However, the above does not apply to the collection or use of such other personal identifiers for a purpose that is directly related to the functions and activities of the person that assigned the identifier to the individuals concerned. For example, a staff number may be collected and used for purposes directly related to the functions or activities of the employer that assigned the number, such as managing employee records and the payment of employee salaries.

Data users that assign personal identifiers to individuals should take all reasonably practicable steps to ensure the security of the system under which this is done. Such steps should include security measures to safeguard against the unauthorized assignment of the identifier or production of any document (e.g. the unauthorized production of a staff card with a false staff number printed on it).

11. Complaint Case Notes from the PCPD – A property management company collected identity card numbers of residents who were applying for electronic entrance cards gaining access to the building. Is this viewed as an excessive collection of personal data?

Please read the answer provided by the PCPD website .

Some people may have the view that privacy on the Internet is more of an IT issue than a legal issue. In practice, it is a combination of the two. The following questions and answers are given with reference to the PCPD’s publication: “Internet Surfing with Privacy in Mind – A Guide for Individual Net Users” .

More leaflets are available on the PCPD’s website which correspond to the rapid advancing Internet applications and services:

• Guidance for Data User on the Collection and Use of Personal Data through the Internet (December 2011)
• Protecting Privacy – Using Computers and the Internet Wisely (March 2012)
• Online Behavioural Tracking (July 2012)
• Cloud Computing (November 2012)
• Protect Privacy by Smart Use of Smartphones (November 2012)
• Personal data privacy protection: what mobile apps developers and their clients should know (November 2012)
• Protecting Online Privacy – Be Smart on Social Networks (April 2013)

1. Are you asked to provide your personal data on-line?

If yes, you should do the following before you press the “submit” button to provide your personal data via an on-line form, or send an e-mail containing your personal data.

Look for identity details of the web site. It is possible that a site appears to be at an electronic address that does not belong to it. Visit the “About the Organization” page and check the organization’s identity details such as its name, physical location, and contact telephone/fax number. An organization may be considered as using unfair means to collect personal data if it does not disclose its identity (in which case it might have contravened Data Protection Principle 1 ).

Look for the site’s privacy policy notice. It is safer to know what the site’s personal data handling policy is before you provide them with your own. The Ordinance requires that organizations in Hong Kong should be open about their policy and practices with respect to the handling of personal data ( Data Protection Principle 5 ).

Search for an on-line notification of a Personal Information Collection (PIC) statement. The PIC statement is a means by which the site should inform you:

1. how your data are to be used;
2. to what other parties they may transfer your data;
3. your right to request a copy of your personal data and correct any errors; and
4. who should be contacted for such requests.

Under the Ordinance, organizations in Hong Kong must provide this information at or before the time they collect personal data from you.

2. Have you set your Internet browser to ask you before accepting a “cookie”?

Cookies are small files that can be stored in your computer when you visit a web page. When you visit a web site, the server of that site may request a unique ID from your Internet browser. If your browser does not have an ID, that server will deliver one to your computer and this is the process of “passing a cookie”. Sometimes when you visit a web site, you may be asked to fill in a form providing information such as your name and interests, and such information may also be stored in cookies. The host of that web site may then use cookies to track your behaviour and interests.

To enhance the degree of security of your browser, you may consider setting an option in your browser to ask your permission to accept a cookie each time one is presented. You may also use “anonymous cookies” software. You can search the Internet using the word “cookies” to find software that can keep your computer clear of cookies or make your cookies files ineffective for access. This would help to reduce your loss of privacy.

3. Are you annoyed about direct marketing e-mails addressed to you?

Under section 34 of the Ordinance, a company in Hong Kong that makes a direct marketing approach to you has an obligation to offer you an “opt-out” opportunity not to receive further marketing information from it. This gives you the right to request the sender to stop sending marketing e-mails to you.

You should also take precautions to avoid receiving unsolicited advertising e-mails. To reduce the chances of making yourself a marketing target, you should avoid registering with free e-mail services or e-mail directory services. If you use a “signature file” (note) in your e-mail correspondence , you should be careful not to provide unnecessary details about yourself in the signature file which may expose you as a marketing target.

(Note: A signature file is small text file that can be automatically attached to the end of e-mail messages. It may include the sender’s name, job title, company name, phone/fax number, etc.)

The Amendment Ordinance 2012 introduced a new regime governing the use of personal information in direct marketing, which took effect on 1 April 2013. The new regime provides stronger protection for individuals. When data users intend to use or provide an individual’s personal data in direct marketing, they are required to inform the individuals of the prescribed information and obtain their consent.

Under section 35A of the Ordinance, “direct marketing” (in the context of personal data privacy) means:

1. offering or advertising the availability of goods, facilities or services; or
2. soliciting donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,

by means of:

1. information or goods sent to specific persons by mail, facsimile transmission, electronic mail, or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or
2. telephone calls made to specific persons.

Corresponding to the amendment of the Ordinance, the Commissioner published guidance notes entitled New Guidance on Direct Marketing in January 2013.

A. Use of personal data for the data user’s own direct marketing purposes

With reference to section 35C of the amended Ordinance, before using personal data in direct marketing, data users must follow the specific steps listed below:

1.  Data users must inform the data subjects of their intention to use the data subjects’ personal data for direct marketing, and they may not so use the data unless they have the data subjects’ consent.

2.  Data users must provide the data subjects with information on the intended use of the data, including the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used.

3. Data users must provide the data subjects with a free-of-charge channel through which the data subjects may communicate their consent to the intended use.

4. In order to help data subjects make an informed choice, the information provided by data users must be presented in a manner that is easily understandable and, if in written form, easily readable.

In addition, according to section 35F , if data users are using the data in direct marketing for the first time , they must notify the data subjects of their op-out right, and the data users must, without charge to the data subjects, stop using the data in direct marketing if the data subjects opt out.

Data users can use the personal data in direct marketing only after they have received the data subjects’ consent to the intended use of the personal data. Consent, in this context, includes an indication of no objection to the use or provision of the personal data ( section 35A(1) ). If the data subjects give their consent orally, the data users must confirm in writing to the data subjects within 14 days from receiving their consent the permitted kind of personal data and the permitted class of marketing subjects ( section 35E ).

Data users must comply with the data subjects’ request at any time to stop using the data subjects’ personal data in direct marketing without charge to the data subject ( section 35G ).

Data users who contravene any of the requirements in the sections mentioned above commit an offence. For each offence, the data user is liable on conviction to a maximum fine of $500,000 and to a maximum imprisonment of three years.

In contrast to this new regime which is an “opt-in” regime, the old regime offered data subjects only a limited “opt-out” option: i.e., when data users used data subjects’ personal data in direct marketing for the first time, the users had to inform the subjects that they could request the data user to cease using their personal data for direct marketing purposes. If data subjects made such a request, the data users had to stop using the data; if the data subjects made no such request, their personal data could be used without any further notice. It should be noted that the old regime still applies to personal data that was used in direct marketing before the new amendment took effect, pursuant to section 35D of the amended Ordinance (also called a “Grandfather arrangement”: i.e. an old rule continues to apply to certain existing cases, while a new rule applies to all future cases). In other words, if before 1 April 2013 a data user used the personal data in direct marketing in compliance with the existing requirements of the Ordinance, that data user could continue to do so on or after 1 April 2013, in relation to the same class of marketing subjects, without being subject to the obligations imposed under the new regime.

B. Provision of personal data to third parties for use in direct marketing

In addition to the regulation on the use of personal data by data users for their own direct marketing purposes, the amended Ordinance introduces more stringent regulations on providing personal data to third parties for use in direct marketing, including the sale of personal data.

When data users intend to provide personal data to third parties for use in direct marketing, the data users must follow a procedure similar to that outlined above in part A. Additionally, they must inform the data subjects of two other kinds of information in relation to the intended use ( section 35J ):

1. whether the data is to be provided for gain; and
2. the classes of persons to whom the data is to be provided.

The form of notification and response of the data subject must be in writing . Furthermore, the data users must not provide personal data to a third party unless the data users have received written consent from the data subject. ( section 35K )

Data subjects may at any time and irrespective of whether they have previously given consent to the provision of their personal data to a third party require the data user—

1. to stop providing the data subjects’ personal data to a third party for use by that party in direct marketing; and
2. to notify any third party to whom the data has been so provided to stop using the data in direct marketing.

Accordingly, data users who receive these instructions must, without charge to the data subjects, comply with them. The notification made by the data users to the third party must be in writing . Any third party who receives such a notification from the data user must stop using the personal data in direct marketing in accordance with the notification. ( section 35L )

Contraventions of the requirements in relation to the provision of personal data to third parties for use in direct marketing are offences. For contraventions involving the provision of personal data for gain (including the sale of personal data), the maximum penalty is a fine of $1,000,000 and imprisonment for five years. For other contraventions, the maximum penalty is a fine of $500,000 and imprisonment for three years.

Unlike the use of personal data for the data users’ own direct marketing purposes, the provision of personal data to third parties for use in direct marketing is not subject to a “Grandfather arrangement” (i.e. when an old rule continues to apply to certain existing cases, while a new rule applies to all future cases). In other words, any provision of personal data to third parties, whether it happened before or after 1 April 2013, must comply with the requirements of the amended Ordinance.

With regard to cold-calling (note), staff members of the data user are recommended to give an opt-out message along the following lines: We are not allowed to use your personal data in direct marketing without your consent. If you do not wish to receive marketing calls from us, please tell me anytime and we will not call again.” If the data user fails to inform a data subject of his opt-out right or other information required by sections 35C – 35F as mentioned above, a data subject may lodge a complaint with the Office of the Privacy Commissioner for Personal Data. (Note: Cold-calling is the practice of making a marketing approach by telephone to a potential customer with whom the caller has had no previous dealings.)

The PPCD published a leaflet that introduces the ways for individuals to exercise their right of consent to opt-out of direct marketing activities under the amended Ordinance.

After receiving a complaint in relation to possible contraventions of the Personal Data (Privacy) Ordinance , the staff of the Office of the Privacy Commissioner for Personal Data (PCPD) would first conduct preliminary enquires to see if the complainant holds substantial grounds. After preliminary enquiries into the complaint, the PCPD may inform the complainant of its preliminary views and ask the opposite party to take remedial action to resolve the issues surrounding the complaint.

If the dispute cannot be resolved by mediation, the PCPD may conduct a formal investigation. If the complaint involves suspected contravention of a serious nature, the PCPD would immediately conduct a formal investigation instead of making preliminary enquiries. If after investigation it is found that there are contraventions on the part of the data user, an enforcement notice would be served on that data user by the PCPD directing him/her to take any necessary remedial action. Data users who do not comply with the PCPD’s enforcement notice commit an offence and are liable to a fine or imprisonment. The Commissioner can also instigate prosecution action. Under the amended Ordinance. The time for preparing information for prosecution was extended from six months to two years from the date of the commission of the offence.

If a data subject suffers damage (including injury to feelings) as a result of a contravention of the Ordinance by a data user, the data subject can sue the data user for compensation through civil proceedings. Under the amended Ordinance, the Commissioner can grant legal assistance to that person.

A. Complaint-handling policy and complaint procedures

Data subjects should first lodge a complaint with the data user who does not handle his or her personal data in accordance with the Ordinance.

If the alleged offender fails to give a satisfactory reply and the data subject decides to lodge a complaint with the PCPD, the complainant is advised to first learn about the complaint-handling policy of the PCPD. For details, please visit the PCPD webpage on this policy or call its hotline at 2827 2827.

The complaint procedure, accompanied by a flowchart , can be found on the PCPD website. Complainants should note that the time limit for lodging a complaint is two years from the date of their actual knowledge of the privacy-intrusive act or practice, but it is recommended that they lodge the complaint as soon as possible.

B. Enforcement notice and penalties

Under section 50 of the amended Ordinance, the Commissioner has wider power to serve enforcement notices. If he finds a contravention of a requirement under the Ordinance, the Commissioner can serve an enforcement notice on the data user concerned to direct it to take the necessary steps to remedy the contravention, irrespective of whether the contravention will continue or be repeated.

Any data user who fails to comply with the PCPD’s enforcement notice commits an offence and is liable to a fine at level 5 (currently $50,000) and to imprisonment for two years. The amended Ordinance provides for a heavier penalty for a second and subsequent conviction for contravening an enforcement notice. The penalty is a fine at level 6 (currently $100,000) and imprisonment of two years and, in the case of a continuing offence, a daily fine of $2,000. ( Section 50A(1) )
If data users comply with an enforcement notice issued against them within a specified period, and subsequently intentionally commit the same offence, they are liable to a fine of $50,000 and to imprisonment for two years and, in the case of a continuing offence, a daily fine of $1,000. ( Section 50A(3) )

For more details of other offences under the Ordinance, please refer to section 64 of the Ordinance.

C. Legal assistance

If data subjects suffer any damage caused by a data user in contravention of the requirements under the Ordinance, they can make a civil claim for compensation from the data user for the damage: i.e. sue the data user in a court ( section 66 ). However, the data subject may have difficulty in pursuing the lawsuit because some cases may be more complex and may incur considerable legal costs and expenses. In view of this, section 66B of the amended Ordinance authorises the Commissioner to grant legal assistance to aggrieved individuals seeking such compensation.
This legal assistance takes the form which the Commissioner considers most appropriate, including but not limited to the following:

• giving advice;
• mediation;
• arranging for advice or assistance from a solicitor or counsel; or
• arranging for representation by any person, including such assistance as is usually given by a solicitor or counsel, in the steps preliminary or incidental to any proceedings, or in arriving at or giving effect to a compromise to avoid or bring to an end any proceedings.

The assistance may be rendered through the Commissioner’s legal staff or external lawyers engaged by the Commissioner on behalf of the person seeking legal assistance. The Commissioner’s legal staff will advise the individual independently without any influence from anyone else.

The Commissioner will normally bear the cost of legal assistance. If the assisted person is successful in the claim for compensation, and in recovering the costs and expenses related to the claim, whether through legal proceedings or any other settlement, the Commissioner has the first charge on such costs and expenses payable to the assisted person (i.e. the payment will be used to settle the Commissioner’s legal costs or expenses first).

Data subjects seeking legal assistance should normally lodge a complaint against the relevant data user with the Commissioner before applying for legal assistance. They should meet the abovementioned requirements during the complaint-handling process, providing all information to the PCPD.They may lodge an application for legal assistance after the Commissioner concludes the complaint. All applications must be made on the PCPD’s Application Form .

The Commissioner may grant assistance if he thinks fit to do so . In exercising his discretion, the Commissioner will consider a series of factors, including in particular:

• whether the case raises a question of principle; or
• whether it is unreasonable, having regard to the complexity of the case or the applicant’s position in relation to the respondent or another person involved or any other matter, to expect the applicant to handle the case unaided.

The Commissioner lists the factors that he may take into account in the Leaflet entitled “Legal assistance for civil claims under the Personal Data (Privacy) Ordinance” .

Normally, an applicant for legal assistance will be informed of the result within three months after submitting all the relevant information for the application. If the Commissioner decides to grant assistance, the applicant will be asked to sign an agreement which sets out the terms and conditions under which the assistance will be given. If the Commissioner refuses the application, the applicant will be notified in writing with reasons.

At any stage of the provision of legal assistance, the Commissioner may use his discretion to review his decision to grant assistance and discontinue such assistance. The leaflet provides the circumstances under which legal assistance may be discontinued, including, in particular, a situation in which the applicant knowingly gives false or misleading information to the Commissioner.

The Ordinance provides no right of appeal against the Commissioner’s decision to refuse to grant legal assistance or to discontinue such assistance. However, if there is any material change of circumstances, the Commissioner may review, at his discretion, his decision upon receiving a written request from the applicant. His review decision is final.

1. What is “personal data”?

Personal data means any data “relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable” (e.g. a document or a DVD).  Obvious examples of personal data are an individual’s name and fingerprints, , through which he or she can be identified. Alternatively, it may also be practicable to ascertain an individual through a combination of data such as telephone number, address, sex and age of an individual.

For legal definition of personal data and how the law protects personal data privacy, please visit Daily Lives Legal Issues > Data subject of personal data > The meaning of “personal data” .

2. Are there any exemptions for data users from the Personal Data (Privacy) Ordinance or the Data Protection Principles?

In some situations, data users may be exempt from some of the restrictions imposed by the Ordinance or the six Data Protection Principles (DPPs). Some of the common situations for exemptions include, among other things, the followings:

• keeping the phone numbers of one’s family members for daily communication or keeping the phone numbers of one’s friends for arranging leisure activities;
• personal data held by courts, magistrates or judicial officers in the course of performing judicial functions;
• personal data held for the purpose of prevention or detection of a crime; or
• personal data held for the purpose of news activities.

If you want to know what other exemption situations are, please refer to Daily Lives Legal Issues > Data subject of personal data > The six Data Protection Principles .

3. Under what circumstances can someone ask me to provide my ID card number or ID card copy?

ID card number

Unless authorized by law, no data user may compel an individual to provide his or her ID card number. A data user may request an individual to provide his or her ID card number under the circumstances where the collection of the ID card number is permitted by the Code of Practice on the Identity Card Number and other personal Identifiers (“the Code”) issued by the Office of the privacy Commissioner of Personal Data. The following list contains some daily examples (this is not an exhaustive list):

• Where there is an Ordinance which requires data users to collect ID card numbers, e.g. employers to keep a record of the number of the document, which is usually an ID card, by virtue of which each employee is lawfully employable;
• to advance the interests of the individual, e.g. to ensure that the correct medical record is referred to when treating a patient; or
• as the means of future identification of an individual who is permitted to enter premises where monitoring of the activities of the individual inside the premises is not reasonably practicable, e.g. entry to a commercial building outside office hours.

ID card copy

Again, no data user may compel an individual to provide a copy of his or her ID card unless authorized by law. A data user may request an individual to provide a copy of his or her ID card under the circumstances where the collection of the copy is permitted by the Code. The following list contains some daily examples (this is not an exhaustive list):

• to collect or check the ID card number of the individual, but only if the individual has been given the choice of presenting his or her ID card in person instead, e.g. Transport Department is permitted to collect copies of ID cards for this purpose in relation to applications for driving licences made by post, as individuals are given the choice of presenting their ID cards in person;
• for the issuing of an officially recognised travel document, e.g. the HKSAR passport.

For more details, please refer to Daily Lives Legal Issues > Data subject of personal data > Use of ID card numbers and ID card copies .

4. Can someone use my personal data for direct marketing?

When data users intend to use or provide an individual’s personal data in direct marketing, they are required to inform the individuals of the prescribed information and obtain their consent. On the other hand, individuals may exercise their right to opt-out of direct marketing activities.

Under the law, “direct marketing” (in the context of personal data privacy) means:

• offering or advertising the availability of goods, facilities or services; or
• soliciting donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,

by means of:

• information or goods sent to specific persons by mail, facsimile transmission, electronic mail, or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or
• telephone calls made to specific persons.

Contravention of any of the requirements by law is an offence.

For more details, please go to Daily Lives Legal Issues > Data subject of personal data > Privacy regarding direct marketing .

5. What should I do if I believe that my data privacy is being violated?

You may lodge a complaint to the Office of the Privacy Commissioner for Personal Data (PCPD). After receiving a complaint, the staff of the PCPD would first conduct preliminary enquires to see if you hold substantial grounds. The PCPD may inform you of its preliminary views and ask the opposite party to take remedial action to resolve the issues surrounding the complaint.

If the dispute cannot be resolved by mediation, the PCPD may conduct a formal investigation. If it is found that there are contraventions on the part of the data user, an enforcement notice would be served on that data user by the PCPD directing him/her to take any necessary remedial action. Data users who do not comply with the PCPD’s enforcement notice commit an offence and are liable to a fine or imprisonment.

If you suffer damage (including injury to feelings) as a result of the wrongdoings of the data user, you can sue the data user for compensation through civil proceedings. The Commissioner can grant legal assistance to eligible complainant.

If you want to know more about this, please go to Daily Lives Legal Issues > Data subject of personal data > Complaints, penalties and legal assistance .