II. The six data protection principles

Any person or organization collecting, holding, processing or using personal data must comply with the six data protection principles laid down in section 4 and schedule 1 of the Personal Data (Privacy) Ordinance . (Note: The person from whom personal data are or will be collected is called the “data subject” , and the person or organization that is collecting the personal data is called the ” “data user” .)

The Privacy Commissioner’s Office (PCO) may issue an enforcement notice to the person or company who committed the breach, with intent to direct that wrongdoer to stop violating the data collection principles and take any necessary remedial action. Non-compliance with the PCO’s enforcement notice is an offence and is liable to a fine or imprisonment. The victim who suffers damage, including injury to feelings, as a result of such violation may also be entitled to compensation from the wrongdoer through civil proceedings.

Principle 1 – purpose and manner of collection of personal data

Personal data must be collected for a lawful purpose. The purpose of collection must be directly related to a function or activity of the data user. The data collected should be adequate but not excessive in relation to that purpose.

Personal data should also be collected by lawful and fair means. Unauthorized access to another person’s bank account records or credit card information is an example of unlawful means of collecting personal data. If a person/organization intentionally uses a misleading way to collect personal data, this amounts to an unfair means of data collection. A company collecting the personal data of job applicants by means of recruitment activities when in fact they are not really recruiting any one is an example of unfair means of collecting personal data.

When personal data are collected from an individual, that person (the data subject) must be provided with the following information, which includes:

  • the purpose for which the data are to be used;
  • the classes of persons to whom the data may be transferred;
  • whether it is obligatory or voluntary for the data subject to supply the data;
  • the consequences arising if the data subject fails to supply the data; and
  • the data subject has the right to request access to and correction of the data.

Principle 2 – accuracy and duration of retention of personal data

Data users must ensure that the data held are accurate and up-to-date. If there is doubt as to the accuracy of the data, data users should stop using the data immediately. They should not keep the data any longer than is necessary for the purpose for which the data were collected.

Principle 3 – use of personal data

Unless personal data are used with the prescribed consent of the data subject, the data must not be used for any purpose other than the one mentioned at the time the data were collected (or a directly related purpose). “Prescribed consent” means the express consent given voluntarily by the data subject.

Principle 4 – security of personal data

Data users must take appropriate security measures to protect personal data. They must ensure that personal data are adequately protected against unauthorized or accidental access, processing, erasure, or use by other people without authority.

Principle 5 – information to be generally available

Data users must publicly disclose the kind (not the content) of personal data held by them and their policies and practices on how they handle personal data.

The best practice is to formulate a “Privacy Policy Statement” that encompasses information such as the accuracy, retention period, security and use of the data as well as measures taken regarding data access and data correction requests.

Principle 6 – access to personal data

A data subject is entitled to ask a data user whether or not the data user holds any of his/her personal data, and to request a copy of such personal data held by that user. If it is found that the data contained therein is inaccurate, the data subject has the right to request the data user to correct the record.

The data user must accede to the access and correction requests within a statutory period of 40 days. If the data user could not process the request within the period specified, it must provide a reply and state its reasons within 40 days.

Individuals/data subjects who wish to make data access requests may download the Data Access Request Form (OPS003) from the Privacy Commissioner’s Office and send the completed form to the company which holds the personal data. It should be noted that the Ordinance permits data users, in complying with the data access requests, to charge a reasonable fee. However, the data users concerned should not charge more than the direct cost of complying with the requests.

For more details of the six principles, please go to the Personal Data Privacy Liberal Studies provided by The Office of the Privacy Commissioner of Personal Data (PCPD).

A. Exemptions

In some situations, data users may be exempt from the restrictions imposed by the Ordinance or the six Data Protection Principles (DPP). The Personal Data (Privacy) (Amendment) Ordinance 2012 (the Ordinance) introduces further new exemptions. Some examples are summarised below:

Household affairs or recreational purposes

According to section 52 of the Ordinance, personal data for household affairs or recreational purposes is exempt from “DPP 4 and 5, and Ordinance sections 36 and 38(b) . Keeping the phone numbers of your family members for daily communication or keeping the phone numbers of your friends to arrange leisure activities are examples in this category.

Employment-related purposes

Under certain circumstances, data users may be exempt from some (but not ALL) of the restrictions of the six DPPs. Sections 53 , 54 , 55 and 56 of the Ordinance state that personal data used for employment-related purposes is exempt from the provisions of data-access requests. DPP 6 and section 18(1)(b) of the Ordinance require data users to supply the personal data they hold to the data subject. Such data includes, for example:

  • personal data relating to staff planning proposals;
  • personal data which is the subject of certain evaluative processes prior to the decision being taken and where an appeal can be made against such a decision, including the processes of recruitment, promotion, awarding, removal or disciplinary action; or
  • a personal reference for an appointment up to the time when the position is filled.

Health grounds

Under section 59 of the Ordinance, personal data relating to the physical or mental health of a data subject is exempt from the provisions of data access requests (DPP 6 and section 18(1)(b) of the Ordinance) and restrictions on data use (DPP3) if the application of those provisions would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.

In addition, according to section 59(2) , enacted in 2012, if the application of restrictions on data use would be likely to cause serious harm to the physical or mental health of a data subject or any other individual, personal data relating to the identity or location of the data subject would also be exempt from DPP 3.

Care and guardianship

Personal data in relation to a minor which is transferred or disclosed to the minor’s parent or guardian by the Hong Kong Police Force or the Customs and Exercise Department is exempt from the restrictions on personal data use (DPP 3) if the transfer or disclosure is in the interest of the minor and would facilitate proper care and guardianship of the minor. ( section 59A , enacted in 2012)

News activities

Under section 61 , if personal data is held for the purpose of news activities, such data may be exempt from the provision in respect of data-access requests (DPP 6; sections 18(1)(b) , 38(i) , 36 and 38(b) ), unless and until the data is published or broadcast. If the data user is of the view that the disclosure of the personal data is in the public interest, then such disclosure may also be exempt from the restrictions on use (DPP 3).

In an appeal case reported by the Privacy Commissioner for Personal Data (PCPD) concerning the issue of public interest in news activities, the principal of an academic institute disclosed personal data of his staff to newspaper reporters in order to defend the reputation of the institute in response to accusations made by the complainant. It was held by the PCPD that such disclosure was in the public interest in facilitating fair and balanced reporting (please refer to Complaint Case Notes for full details).

Human embryos

Under section 63 , personal data which consists of information showing that an identifiable individual was or may have been born in consequence of a reproductive technology procedure is exempt from the provisions of DPP 6 and section 18(1)(b) , provided that its disclosure under those provisions is made in accordance with section 33 of the Human Reproductive Technology Ordinance ( Cap 561 ).

Emergency situations

Under section 63C , enacted in 2012, personal data is exempt from the restrictions on the collection of data (DPP 1(3)) and on the use of data (DPP 3) if the application of those provisions would be likely to prejudice the identification of an individual involved in a life-threatening situation, informing the individual’s immediate family members of his situation, the carrying out of emergency rescue operations, or the provision of emergency relief services.

B. Outsourced processing of personal data

It is an increasingly common practice for data users to outsource and entrust personal data processing to third parties. There have also been an increasing number of personal data leakage incidents which have occurred during the outsourced processing of personal data, which may have caused substantial and irreparable damage to the affected data subjects.

All the data protection principles apply to the processing of personal data by a third party. Under the Ordinance, where personal data is entrusted to a data processor, a data user is liable as the principal for any act done by its authorised data processor.

The Amendment Ordinance 2012 provides enhanced protection by amending DPP 2 and DPP 4. With effect from 1 October 2012, additional obligations are imposed on a data user which engages a data processor, whether within or outside Hong Kong, to carry out data processing on that user’s behalf. The data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data (DPP2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the data (DPP 4(2)).

Under the amended Ordinance, data processor means a person who:

  1. processes personal data on behalf of another person; and
  2. does not process the data for any of the person’s own purposes.

Please read the PCPD’s leaflet for more details on the new obligations.

With the rapid advancement in information and communication technologies (ICT) and the popularization of outsourcing the processing of personal data, the collection (other than from the data subject directly) and dissemination of personal data has become much easier. This also makes it easier for data subjects to suffer damage if a person, whether or not entrusted by the data user, intentionally discloses the personal data obtained from a data user. In view of the seriousness of any intrusions into personal data privacy and the gravity of the harm that may be caused to the data subjects, the Amendment Ordinance 2012 creates a new offence to combat the disclosure of personal data obtained without the consent of the data user under certain conditions.

Under section 64 , it is an offence for any person to disclose any personal data of a data subject obtained from a data user without the data user’s consent:

  1. with the intent to obtain gain in money or other property, whether for the benefit of the person or another person;
  2. with the intent to cause loss in money or other property to the data subject; or
  3. irrespective of his intent, with the disclosure causing psychological harm to the data subject.

The maximum penalty is a fine of $1,000,000 and imprisonment for five years.

Please read the PCPD’s leaflet for more details on the new offence and its justification.