1. What is “personal data”?
Personal data means any data “relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable” (e.g. a document or a DVD). Obvious examples of personal data are an individual’s name and fingerprints, , through which he or she can be identified. Alternatively, it may also be practicable to ascertain an individual through a combination of data such as telephone number, address, sex and age of an individual.
For legal definition of personal data and how the law protects personal data privacy, please visit Daily Lives Legal Issues > Data subject of personal data > The meaning of “personal data” .
2. Are there any exemptions for data users from the Personal Data (Privacy) Ordinance or the Data Protection Principles?
In some situations, data users may be exempt from some of the restrictions imposed by the Ordinance or the six Data Protection Principles (DPPs). Some of the common situations for exemptions include, among other things, the followings:
- keeping the phone numbers of one’s family members for daily communication or keeping the phone numbers of one’s friends for arranging leisure activities;
- personal data held by courts, magistrates or judicial officers in the course of performing judicial functions;
- personal data held for the purpose of prevention or detection of a crime; or
- personal data held for the purpose of news activities.
If you want to know what other exemption situations are, please refer to Daily Lives Legal Issues > Data subject of personal data > The six Data Protection Principles .
3. Under what circumstances can someone ask me to provide my ID card number or ID card copy?
ID card number
Unless authorized by law, no data user may compel an individual to provide his or her ID card number. A data user may request an individual to provide his or her ID card number under the circumstances where the collection of the ID card number is permitted by the Code of Practice on the Identity Card Number and other personal Identifiers (“the Code”) issued by the Office of the privacy Commissioner of Personal Data. The following list contains some daily examples (this is not an exhaustive list):
- Where there is an Ordinance which requires data users to collect ID card numbers, e.g. employers to keep a record of the number of the document, which is usually an ID card, by virtue of which each employee is lawfully employable;
- to advance the interests of the individual, e.g. to ensure that the correct medical record is referred to when treating a patient; or
- as the means of future identification of an individual who is permitted to enter premises where monitoring of the activities of the individual inside the premises is not reasonably practicable, e.g. entry to a commercial building outside office hours.
ID card copy
Again, no data user may compel an individual to provide a copy of his or her ID card unless authorized by law. A data user may request an individual to provide a copy of his or her ID card under the circumstances where the collection of the copy is permitted by the Code. The following list contains some daily examples (this is not an exhaustive list):
- to collect or check the ID card number of the individual, but only if the individual has been given the choice of presenting his or her ID card in person instead, e.g. Transport Department is permitted to collect copies of ID cards for this purpose in relation to applications for driving licences made by post, as individuals are given the choice of presenting their ID cards in person;
- for the issuing of an officially recognised travel document, e.g. the HKSAR passport.
For more details, please refer to Daily Lives Legal Issues > Data subject of personal data > Use of ID card numbers and ID card copies .
4. Can someone use my personal data for direct marketing?
When data users intend to use or provide an individual’s personal data in direct marketing, they are required to inform the individuals of the prescribed information and obtain their consent. On the other hand, individuals may exercise their right to opt-out of direct marketing activities.
Under the law, “direct marketing” (in the context of personal data privacy) means:
- offering or advertising the availability of goods, facilities or services; or
- soliciting donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,
by means of:
- information or goods sent to specific persons by mail, facsimile transmission, electronic mail, or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or
- telephone calls made to specific persons.
Contravention of any of the requirements by law is an offence.
For more details, please go to Daily Lives Legal Issues > Data subject of personal data > Privacy regarding direct marketing .
5. What should I do if I believe that my data privacy is being violated?
You may lodge a complaint to the Office of the Privacy Commissioner for Personal Data (PCPD). After receiving a complaint, the staff of the PCPD would first conduct preliminary enquires to see if you hold substantial grounds. The PCPD may inform you of its preliminary views and ask the opposite party to take remedial action to resolve the issues surrounding the complaint.
If the dispute cannot be resolved by mediation, the PCPD may conduct a formal investigation. If it is found that there are contraventions on the part of the data user, an enforcement notice would be served on that data user by the PCPD directing him/her to take any necessary remedial action. Data users who do not comply with the PCPD’s enforcement notice commit an offence and are liable to a fine or imprisonment.
If you suffer damage (including injury to feelings) as a result of the wrongdoings of the data user, you can sue the data user for compensation through civil proceedings. The Commissioner can grant legal assistance to eligible complainant.
If you want to know more about this, please go to Daily Lives Legal Issues > Data subject of personal data > Complaints, penalties and legal assistance .