Hong Kong – A Guide To The Personal Data (Privacy) Ordinance.

7 April, 2013

A. INTRODUCTION

The Personal Data (Privacy) Ordinance was enacted on 3rd August, 1995. A Commissioner was appointed with effect from 1st August, 1996 to oversee the implementation and administration of the Ordinance and most of the provisions of the Ordinance came into force on 20th December, 1996 (the current Commissioner, as of October 2012, is Mr. Allan Chiang). Upon handover of sovereignty of Hong Kong to China on 1st July, 1997, one of the sections in the Ordinance providing that its provisions prevail over other legislation was repealed.

The sources for the Hong Kong law were the Guidelines on the Protection of Privacy and Transborder Flows of Personal Information adopted by the Organization for Economic Cooperation and Development (OECD) in 1980 and the Convention for the Protection of Individuals with regard to the Automatic Processing of Data of the Council of Europe signed in 1981. Basing the law on these sources ensured that Hong Kong's legislation fell into line with internationally accepted data protection principles, thus also helping to ensure that Hong Kong could continue to participate in international exchanges of personal data.

The Hong Kong legislation controls personal information collected and held by both public and private bodies and applies to automated and non-automated data.

The legislation has been criticised in some, more liberal, quarters on the basis (i) that it does not go far enough to protect particularly sensitive private information about individuals (such as information about race, political opinions, religious beliefs, health, sexual preferences, past criminal convictions and other matters which it would be reasonable to expect to be kept private) and (ii) that the opportunity was not taken to clarify and, perhaps, to expand the law on breach of confidence.

Some significant amendments to the legislation were enacted in the latter half of 2012. These changes provided, among other things, for the regulation of the sale of personal data and the use of personal data for direct marketing following recent controversy about misuse of personal data by corporations connected to the Hong Kong Government. Some of the changes came into force on 1st October 2012 and the amendments in relation to direct marketing and assistance for aggrieved persons came into force on 1st April 2013.

B. THE PERSONAL DATA (PRIVACY) ORDINANCE (The "Ordinance")

1. Specially defined terms

The Ordinance uses a number of terms of art. Some of the more commonly used ones are set out below:

data means any representation of information (including an expression of opinion – as to which, see 5.8 below) in any document, and includes a personal identifier; (the use of the term "expression of opinion" possibly creates a loophole since it might be possible to avoid falling within the definition by recasting an opinion as an intention);

data subject means the individual who is the subject of personal data;

data user means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data;

document includes, in addition to a document in writing –

(a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and

(b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device;

personal data means any data –

(a) relating directly or indirectly to a living individual;

(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

(c) in a form in which access to or processing of the data is practicable;

(the Court of Appeal in "Eastweek Publisher Limited and Eastweek Limited v The Privacy Commissioner for Personal Data" (the "Eastweek Case") has confirmed that a photograph of a person can constitute personal data);

personal identifier means an identifier –

(a) that is assigned to an individual by a data user for the purpose of the operations of the user; and

(b) that uniquely identifies that individual in relation to the data user;

but does not include an individual's name used to identify that individual (this definition obviously would include a personal identification number (PIN) or telephone identification number (TIN) used to gain access to bank accounts);

use includes disclosure or transfer of data.

2. Application

2.1 Binds Hong Kong Government

It is expressly provided that the Ordinance binds the Hong Kong Government, putting this issue beyond any doubt. [Section 3(1)]

2.2 Overriding nature

The original sections in the Ordinance stating that in the event of inconsistencies or conflicts with other legislation in Hong Kong, the Ordinance would prevail were repealed on 1st July 1997 when China resumed sovereignty over Hong Kong.

3. Data Protection Principles

3.1 Foundation of the Ordinance

The 6 data protection principles are the foundation upon which the legislation is based. Unless required or permitted by the Ordinance, a data user shall not contravene any data protection principle. [Section 4] In view of the importance of these principles to the working of the Ordinance, they are set out below in full.

3.2 Principle 1 – purpose and manner of collection of personal data

(1) Personal data shall not be collected unless –

(a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;

(b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and

(c) the data are adequate but not excessive in relation to that purpose.

(2) Personal data shall be collected by means which are –

(a) lawful; and

(b) fair in the circumstances of the case.

(3) Where the person from whom personal data are or are to be collected is the data subject, all practicable steps shall be taken to ensure that –

(a) he is explicitly or implicitly informed, on or before collecting the data, of –

    (i) whether it is obligatory or voluntary for him to supply the data; and

    (ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and

(b) he is explicitly informed –

    (i) on or before collecting the data, of –

        (A) the purpose (in general or specific terms) for which the data are to be used; and

        (B) the classes of persons to whom the data may be transferred; and

    (ii) on or before first use of the data for the purpose for which they were collected, of –

        (A) his rights to request access to and to request the correction of the data; and

        (B) the name or job title, and address, of the individual who is to handle any such request made to the data user,

unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data were collected and that purpose is specified in the Ordinance as a purpose in relation to which personal data are exempt from the provisions of data protection principle 6 (see 14 below).

The Court of Appeal in the Eastweek case considered the question of collection of personal data in the context of a journalist taking a photograph of an anonymous member of the public on a busy street to illustrate an article on fashion. The Court of Appeal said this did not constitute collection of personal data for the purposes of data protection principle 1(2) because she was anonymous or was not sufficiently identified so far as the newspaper was concerned. The Court concluded, we think wrongly, that there had to be an act of compilation of information about an identified person or about a person whom the data user intended to identify for there to be "collection of personal data". The Court conceded that taking a photograph might constitute collection of personal data if, for example, the photo were to be included in a dossier about an identified subject.

3.3 Principle 2 – accuracy and duration of retention of personal data

(1) All practicable steps shall be taken to ensure that –

(a) personal data are accurate having regard to the purpose (including any directly related purpose) for which the personal data are or are to be used;

(b) where there are reasonable grounds for believing that personal data are inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used –

    (i) the data are not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or

    (ii) the data are erased;

(c) where it is practicable in all the circumstances of the case to know that:

    (i) personal data disclosed on or after the day the Ordinance comes into effect to a third party are materially inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used by the third party; and

    (ii) [those] data were inaccurate at the time of such disclosure,

the third party –

    (A) is informed that the data are inaccurate; and

    (B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.

(2) All practicable steps must be taken to ensure that personal data are not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data are or are to be used.

(3) Without limiting subsection (2), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user's behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

(4) In subsection (3) data processor means a person who:

(a) processes personal data on behalf of another person; and

(b) does not process the data for any of the person's own purposes.

The Ordinance defines "processing" to include amending, augmenting, deleting or rearranging personal data, whether by automated means or otherwise. [Section 2(1)]

3.4 Principle 3 – use of personal data

(1) Personal data shall not, without the prescribed consent (as to which, see 10.2(a) below) of the data subject, be used for a new purpose.

(It will be noted that the definition of "use" includes disclosure and transfer).

(2) A relevant person in relation to a data subject may, on his or her behalf, give the prescribed consent required for using his or her personal data for a new purpose if:

(a) the data subject is –

    (i) a minor;

    (ii) incapable of managing his or her own affairs; or

    (iii) mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap 136);

(b) the data subject is incapable of understanding the new purpose and deciding whether to give the prescribed consent; and

(c) the relevant person has reasonable grounds for believing that the use of the data for the new purpose is clearly in the interest of the data subject.

(3) A data user must not use the personal data of a data subject for a new purpose even if the prescribed consent for so using that data has been given under subsection (2) by a relevant person, unless the data user has reasonable grounds for believing that the use of that data for the new purpose is clearly in the interest of the data subject.

(4) In this section, new purpose, in relation to the use of personal data, means any purpose other than:

(a) the purpose for which the data were to be used at the time of the collection of the data; or

(b) a purpose directly related to the purpose referred to in paragraph (a).

3.5 Principle 4 – security of personal data

(1) All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use having particular regard to –

(a) the kind of data and the harm that could result if any of those things should occur;

(b) the physical location where the data are stored;

(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;

(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and

(e) any measures taken for ensuring the secure transmission of the data.

(2) Without limiting subsection (1), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user's behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

(3) In subsection (2), data processor has the same meaning given by subsection (4) of data protection principle 2.

3.6 Principle 5 – information to be generally available

All practicable steps shall be taken to ensure that a person can –

(a) ascertain a data user's policies and practices in relation to personal data;

(b) be informed of the kind of personal data held by a data user;

(c) be informed of the main purposes for which personal data held by a data user are or are to be used.

3.7 Principle 6 – access to personal data

A data subject shall be entitled to –

(a) ascertain whether a data user holds personal data of which he is the data subject;

(b) request access to personal data –

    (i) within a reasonable time;

    (ii) at a fee, if any, that is not excessive;

    (iii) in a reasonable manner; and

    (iv) in a form that is intelligible;

(c) be given reasons if a request referred to in paragraph (b) is refused;

(d) object to a refusal referred to in paragraph (c);

(e) request the correction of personal data;

(f) be given reasons if a request referred to in paragraph (e) is refused; and

(g) object to a refusal referred to in paragraph (f). [Schedule 1]

4. Access to Personal Data

4.1 Access rights

All individuals have the right to make an "access request" to a data user. There are 2 limbs to an access request – (a) to be informed whether a data user holds personal data about that individual (the "right to disclosure") and (b) if so, to be supplied with copies of such data (the "right to copies"). Unless there is contrary evidence, a request under the first limb will also be treated as a request under the second limb. An access request can also be made by a person authorised in writing by the relevant individual, or where the individual is under 18, his parent or guardian, or where the individual is incapacitated, a person appointed by the court to manage his affairs. If a data user does not hold the relevant data but controls their use, he will be deemed to be the holder for the purposes of an access request and the Ordinance. (For the related offence, see 19.2(f) below.) [Section 18]

4.2 Compliance with request

Unless certain specific circumstances prevail (see 4.8, 4.9 and 8 below), a data user must comply with an access request within 40 days after receiving the request. If the data user holds personal data which are the subject of the access request, he must inform the requestor in writing that he holds the data and supply copies. If the data user does not hold the data, he must inform the requestor in writing of this fact. [Section 19(1)]

4.3 Compliance by Hong Kong Police

If the Hong Kong Police Force receives an access request about whether it holds any record of a criminal conviction of an individual and does not hold any such record, it must comply with the access request within 40 days by orally informing the requestor that it does not hold such record. [Section 19(1A)]

4.4 Inability to comply with request

If a data user cannot comply with an access request within the 40 day period, he must notify the person making the request in writing that he cannot do so and give his reasons before the expiry of the period. He still has a duty to comply with the request to the extent he is able within the 40 day period and must fully comply with the request as soon as practicable. [Section 19(2)]

4.5 Copies of data to be supplied

The copies to be supplied by a data user in compliance with an access request must be made by reference to the data held at the time of the request, although the copies may include any processing of the data which would have been made whether or not the access request had been received up to the time the copies are supplied. [Section 19(3)(a)]

4.6 Intelligible

The data supplied must be intelligible unless they are contained in a document which is itself unintelligible. If the data contain any codes, these codes must be explained. The data must be supplied in the language required in the request or, if no language is specified, in the language of the request (English or Chinese). However, this rule will not apply if the language in which the data are held is not the language specified in the request or, if no language is specified, the language in which the request is made and the copy data to be supplied is a true copy of a document which contains the relevant data. [Section 19(3)(c)]

4.7 Form

The copy data to be supplied must be in the form specified in the access request or, if no form is specified, in such form as the data user thinks fit. However, if a data user is not able to supply copy data in the form requested and there is only one form in which it is practicable to supply the data, the data user must supply the data in that form provided he accompanies the data with a notice informing the relevant data subject (or his representative) that this is the only form in which it is practicable for him to supply the copy data. If a data user cannot supply copy data in the form requested but can do so in several other different forms, he must, as soon as practicable, notify the data subject (or his representative) in writing that it is not practicable for him to supply the data in the form requested, specify the forms in which it would be practicable to supply the data and give the data subject 14 days after receipt of the notice to specify in writing which of those forms he prefers. The data user must then supply the relevant data in the form chosen by the data subject or, if the data subject fails to respond within the 14 day time limit, in such of the forms (as specified in the notice to the data subject) as he thinks fit. [Section 19(4)]

4.8 Obliged to reject

A data user shall reject an access request if:

(a) he is not supplied with such information as he may reasonably require to satisfy himself as to the identity of the person making the request or, if the request is by an authorised representative, as to the identity of the principal and that the person making the request is properly authorised; or

(b) he cannot comply with the request without disclosing personal data about another individual unless that other individual has consented to the disclosure; but a data user cannot rely upon this exception to reject an access request if:

    (i) the personal data about the other person include a reference to information identifying the other individual as the source of the personal data to which the access request relates unless that information expressly identifies that other individual;

    (ii) he could avoid identifying the other individual by omitting relevant identifying particulars (e.g. name) from the data to be supplied to the person making the request; or

(c) compliance with the request is otherwise prohibited under the Ordinance or any other ordinance. [Sections 20(1), (2)]

4.9 Discretion to reject

A data user is entitled (but not necessarily obliged) to reject an access request if –

(a) the request is not in writing in Chinese or English;

(b) he is not supplied with such information as he may reasonably require to locate the requested personal data;

(c) the request follows two or more similar requests by the individual in question and/or his representatives and it is unreasonable in the circumstances for the data user to comply with the request (this exception obviously covers the possibility of an individual making repeated requests for the same information);

(d) another data user controls the use of the data in such a way that he is unable to comply (but a data user cannot rely upon this exception if the request is simply an exercise of the right to disclosure – and not also of the right to copies; in the case of exercise of the right to copies, the data user must still comply with the request to the fullest extent possible without breaching any prohibition);

(e) the request is not made in any form prescribed under the Ordinance (the Commissioner appointed to administer the Ordinance (see 16.1 below) has power under Section 67 of the Ordinance to prescribe forms);

(f) the data user is entitled under the Ordinance or any other ordinance not to comply with the request; or

(g) compliance with the request may be refused pursuant to specific exemptions (see 14 below) provided for in the Ordinance or otherwise. [Sections 20(3), (4)]

4.10 Discovery and inspection

If, in proceedings under the Ordinance, a "specified body" (which means a magistrate, a court, the Administrative Appeals Board or the chairman of the Administrative Appeals Board) has to decide whether a data user may refuse to comply with an access request or any related question, the specified body may require the relevant personal data to be made available for its inspection but must not require the personal data to be disclosed to any party to the proceedings unless it has decided that the data user must comply with the request. This applies notwithstanding any requirement of the High Court Ordinance (Cap. 4), the District Court Ordinance (Cap. 336) or the Administrative Appeals Board Ordinance (Cap. 442). [Section 20(5)]

4.11 Notification of refusal

If a data user refuses to comply with an access request, he must notify the person requesting the information as soon as practicable, but not more than 40 days after receiving the request, giving the reasons for the refusal and, if a reason is that another data user controls the use of the data, the name and address of that data user. However, if a data user is entitled to refuse the request because the data fall within either of the exemption categories relating to Hong Kong's security interests or the prevention of crime (see 7.2(b), 14.7 and 14.8 below), the data user need not give reasons for the refusal but may simply state that he has no personal data which he is required to disclose. [Section 21]

5. Correction of Personal Data

5.1 Data correction request

If an individual (or his authorised representative) considers that any personal data supplied to him in compliance with an access request are inaccurate, then he (or his representative – but not a representative who has only been authorised to make an access request on behalf of that individual) can make a request to the data user to correct the relevant personal data (a "correction request"). If a data user does not hold relevant personal data but controls their processing, the data subject can send the correction request to this data user. (For the related offence, see 19.2(g) below.) [Sections 22(1), (1A), (2)]

5.2 Third parties

If, in the time between receipt of a correction request and either complying or refusing to comply with the request, a data user has to disclose to a third party personal data which are subject to a correction request, he must take all practicable steps to advise that third party that the data are the subject of a correction request which is still being considered. [Section 22(3)]

5.3 Correction of data

Once a data user is satisfied that a correction request is justified, he must, not later than 40 days after receiving the request, make appropriate corrections to the data he holds and supply the person making the request with a copy of the corrected data. If a data user has disclosed the data in question to a third party within a 12 month period before receipt of the correction request and he has no reason to believe that this third party has stopped using these data, he must take all practicable steps to notify the third party, stating the reason for the correction and supplying copies of the corrected data. There is no duty to notify third parties if the relevant disclosure simply amounted to a search of a public register. There is a duty to comply, however, if the data user supplied the third party with certified true copies of the data. [Sections 23(1), (3)]

5.4 Inability to comply with request

If a data user cannot comply with a correction request within the 40 day period, he must notify the person making the request in writing that he cannot do so and give his reasons before the expiry of that period. He still has a duty to comply with the correction request to the extent he is able within the 40 day period and must fully comply with the request as soon as practicable. [Section 23(2)]

5.5 Obliged to reject

A data user shall reject a correction request if he is not supplied with such information as he may reasonably require to satisfy himself as to the identity of the person making the request or, if the request is by a representative, as to the identity of the principal and that the person making the request has been properly authorised. However, if a correction request follows upon an access request and the person who made the access request also makes the correction request, a data user cannot require this information. [Sections 24(1), (2)]

5.6 Discretion to reject

A data user is entitled (but not obliged) to reject a correction request if:

(a) the request is not in writing in Chinese or English;

(b) he is not satisfied that the personal data in question are inaccurate;

(c) he is not supplied with such information as he may reasonably require to determine how the personal data are inaccurate;

(d) he is not satisfied that the requested correction is accurate; or

(e) another data user controls the processing of the personal data in such a way that he is unable to comply (but this exception cannot be relied upon to the extent that the data user can comply without breaching any prohibition by the other data user). [Sections 24(3), (4)]

5.7 Notification of refusal

If a data user refuses to comply with a correction request, he must notify the person making the request as soon as practicable but no more than 40 days after receiving the request, giving the reasons for the refusal and, if a reason is that another data user controls the processing of the data, the name and address of that data user. [Section 25(1)]

5.8 Opinions

If a correction request relates to data which are an expression of opinion and a data user is not satisfied that the opinion is inaccurate (notwithstanding the correction request), he must make a note of why the person making the request considers the opinion to be inaccurate and ensure that the data in question cannot be used without the note being notified to any person making use of the data. A data user must also attach a copy of this note to his refusal notice. (An expression of opinion is defined as an assertion of fact which cannot be verified or which in all the circumstances it is not practicable to verify). [Sections 25(2), (3)]

6. Erasure of Personal Data

A data user must take all practicable steps to erase personal data if they are no longer required for the purpose for which they were used, unless erasure is prohibited by law or it is not in the public interest (including historical interest). A data user must take all practicable steps to erase relevant personal data even if another data user controls the processing of the relevant data. If a data user does erase data, he will not be liable in respect of such erasure in any action for damages by the other data user in control of processing. [Section 26]

7. Log Books

7.1 Maintenance of log book

A data user must keep and maintain a log book in English or Chinese for the purposes of the Ordinance. No particulars entered in the log book may be erased before the expiry of 4 years after the date on which they were entered. The Government (through the Home Affairs Secretary) may increase or decrease this 4 year period pursuant to his powers to make regulations under Section 70 of the Ordinance. [Section 27(1)]

7.2 Particulars recorded

Data users must enter in the log book –

(a) reasons for refusal to comply with an access request (see 4.8, 4.9 above);

(b) if the reason for refusal to comply with an access request was because the relevant data fell within either of the exemption categories relating to Hong Kong's security interests or the prevention of crime (see 4.9 above, 14.7, 14.8 below), particulars of the prejudice that would be caused to the interests being protected by the relevant exemption;

(c) reasons for refusal to comply with a correction request (see 5.5, 5.6, 5.7 above); and

(d) any other particulars which may be required pursuant to regulations made under Section 70 of the Ordinance by the Home Affairs Secretary. [Section 27(2)]

7.3 Time for entry

The particulars must be entered in the log book at or before the time the relevant notice of refusal is served upon the person making an access request or a correction request. Where particulars have to be entered pursuant to regulations made under Section 70, the information must be entered into the log book within the period specified in those regulations. [Section 27(3)]

7.4 Commissioner's inspections

Data users must permit the Commissioner to carry out inspections and make copies of log books at any reasonable time and, in this regard, must provide the Commissioner facilities and assistance reasonably required in order to make inspections and to make copies. [Section 27(4)]

8. Fees Imposed by Data User

Fees for complying or refusing to comply with access requests or correction requests are permitted but they cannot be excessive. If it would be possible for a data user to comply with an access request in more than one form, the fee must be the lowest fee which he would charge for complying with an access request in any of those forms. Data users may refuse to comply with access requests until their fee has been paid. If further requests for copies of personal data are made, the data user can impose a fee for supplying further copies not exceeding his administrative and other costs for doing so. [Section 28]

9. Language of Notices

A notice from a data user responding to an access request or a correction request will be invalid unless it is in the language in which the request is made, if in English or Chinese or, in any other case, in English or Chinese at the discretion of the data user. [Section 29]

10. Matching Procedures

 

10.1 Definition

 

A matching procedure is defined as any procedure whereby personal data collected for one or more purposes in respect of 10 or more data subjects are compared (not manually) with personal data collected for any other purpose in respect of those data subjects where the comparison –

(a) is (whether in whole or in part) for the purpose of producing or verifying data that; or

(b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data,

may be used (whether immediately or at any subsequent time) for the purpose of taking any action (an "adverse action") that may adversely affect any of the relevant data subjects' rights, benefits, privileges, obligations or interests (including legitimate expectations). [Section 2(1)]

 

10.2 Prohibition

 

Data users are prohibited from carrying out matching procedures (whether in whole or in part) unless –

(a) the relevant data subjects have given their prescribed consent [see Section 2(3)] (i.e. voluntarily given in writing or orally, and revocable at any time in writing); or

(b) the Commissioner has consented to the matching procedure (see 10.6 and 10.7 below); or

(c) the matching procedure belongs to a specified class and is carried out in accordance with any specified conditions (see 10.3 below); or

(d) the matching procedure is required or permitted under any ordinance specified in Schedule 4 of the Ordinance (currently no ordinances are so specified). [Section 30(1)]

 

10.3 Specified classes

 

The Commissioner has power to specify classes of matching procedure which do not require consent from either the data subject or the Commissioner and he may specify conditions for carrying out such procedures. Before specifying any such conditions, the Commissioner must consult with any bodies which represent groups of data users to whom the conditions will apply and such other interested persons as he thinks fit. Any specification notice published in the Gazette pursuant to this power is to be treated as subsidiary legislation. [Sections 30(2), (3), (4)]

 

10.4 Adverse action

 

A data user cannot take adverse action against any individual as a result of carrying out a matching procedure unless he has first served a written notice on the individual specifying the proposed adverse action and his reasons for taking it and giving the individual 7 days after receipt of the notice to explain why the adverse action should not be taken. No adverse action may be taken until after the expiry of the 7 day period. If, however, compliance with this notification requirement would prejudice any criminal investigation, the requirement to give the notice will not prevent the data user from taking adverse action. In this case, it is not clear whether the notice still needs to be given though. [Section 30(5), (6)]

 

10.5 Matching procedure requests

 

A procedure is established for data users who propose to carry out matching procedures to request the Commissioner's general consent to a specific matching procedure. (For the related offence, see 19.2(h) below.) [Section 31] 

 

10.6 Determining requests

 

The Commissioner shall determine a matching procedure request within 45 days of receiving the request. In making his determination, he must take into account the following prescribed matters:

(a) whether the matching procedure is in the public interest;

(b) the type of personal data to be the subject of the matching procedure;

(c) the likely consequences to a data subject if the procedure resulted in adverse action being taken against him;

(d) any practices and procedures to be followed to enable a data subject to make a correction request in respect of personal data produced or verified by the procedure and before any adverse action is taken against him;

(e) any practices and procedures to be followed to ensure the accuracy of personal data produced or verified by the procedure;

(f) whether data subjects are to be informed of the procedure before it is carried out;

(g) whether there is any practicable alternative to the procedure;

(h) any benefits to be derived from the procedure. [Section 32(1), Schedule 5]

 

10.7 Consent to requests

 

If satisfied as to these prescribed matters, the Commissioner must serve a consent notice upon the person making the request, specifying any conditions. If not satisfied, he must serve a refusal notice specifying which of the prescribed matters were not satisfied and giving reasons. If consent is given, any data user can then carry out the approved matching procedure even though he did not make the original request or it was not made on his behalf. (For the related offence, see 19.1(b) below.) [Sections 32(1) (b), (3)]

 

10.8 Appeals

 

There is a right of appeal to the Administrative Appeals Board to a person making a matching procedure request (or to a data user on whose behalf a request is made) against any conditional consent or any refusal of consent. [Section 32(3)]

 

10.9 Points of note

 

Interesting points to note about matching procedures are:

(a) it doesn't matter whether the data produced or verified are actually used to take adverse action – the test is whether it is reasonable to believe that it would be practicable for such data to be so used;

(b) although matching procedures done manually are not covered by these provisions, they are still covered by the Ordinance – data protection principle 3, in conjunction with Section 4, prohibits personal data from being used for a purpose other than the purpose for which they were collected, without consent;

(c) matching procedures might include (1) a credit card company comparing data about applicants for credit because information produced or verified might be used to refuse credit – arguably a legitimate expectation of the relevant data users, or (2) the Housing Authority cross-checking financial status data about public housing tenants to see whether they are still entitled to subsidised rent.

 

11. Transfer of Personal Data

 

(These provisions are still not in force more than 17 years after the Ordinance was originally enacted. In any event, the Commissioner and other Hong Kong Government agencies generally recommend that data users comply with these provisions, and we understand that the Privacy Commissioner is looking into ways to implement them in the near future.)


If the collection, holding, processing or use of personal data takes place in Hong Kong or is controlled by a data user incorporated in Hong Kong or otherwise whose principal place of business is in Hong Kong, then these personal data shall not be transferred to any place outside of Hong Kong unless:

(a) the Commissioner issues a notice in the Gazette under this provision with respect to a country (he may do this if he has reasonable grounds for believing that this country has in force a law substantially similar to or serving the same purpose as the Ordinance; if he has reasonable grounds to believe that the relevant law is no longer in force, he may retract this notice);

(b) the data user has reasonable grounds for believing that the relevant place has a law substantially similar to or serving the same purpose as the Ordinance;

(c) the data subject has consented in writing to the transfer;

(d) the data user has reasonable grounds for believing that the transfer will avoid or mitigate adverse action against the data subject and it is not practicable to obtain the written consent of the data subject but, if it was practicable to get his consent, the data subject would give it;

(e) the data are exempt from data protection principle 3 by virtue of a special exemption (see 14 below); or

(f) the data user has taken all reasonable precautions and exercised all due diligence to make sure that the data will not be collected, held, processed or used in the relevant place in a way which would constitute a breach of the Ordinance. [Section 33]

 

12. Direct Marketing

 

12.1 Definitions and Guidance

 

Direct marketing is defined as the offering, or advertising the availability, of goods, facilities or services or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes through direct marketing means.

 

Direct marketing means is defined as sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication or making telephone calls to specific persons.

 

Marketing subject is defined as (a) any goods, facility or service offered, or the availability of which is advertised, or (b) any purpose for which donations or contributions are solicited, in respect of any direct marketing. [Section 35A]

 

The Privacy Commissioner also issued a Guidance Note ("Guidance Note") on the provisions in the Ordinance relating to direct marketing in January 2013 which can be accessed on his website here: http://www.pcpd.org.hk/english/publications/files/GN_DM_e.pdf

 

A: The following provisions are intended to deal with cases where personal data are used by the data user himself in direct marketing

 

12.2 Where Direct Marketing provisions do not apply

The Direct Marketing provisions of the Ordinance do not apply to the offering or advertising of (i) social welfare services run, subvented or subsidised by the Social Welfare Department, (ii) health care services provided by the Hospital Authority or Department of Health and (iii) broadly speaking, any other social or health services which are essential to the physical or mental health of the public. [Section 35B]

 

12.3 Specified Action if personal data to be used in Direct Marketing

If a data user intends to use a data subject's personal data for direct marketing, he must:

(a) inform the data subject (i) that he intends to use the personal data for direct marketing and (ii) that he is not allowed to use the data for direct marketing unless he has received the data subject's consent;

(b) provide the data subject with (i) the kinds of personal data to be used and (ii) the classes of marketing subjects in relation to which the data are to be used; and

(c) provide the data subject with a channel through which he may, without charge by the data user, communicate his consent to the intended use.

 

This provision applies even if the personal data intended to be used for direct marketing were not collected by the data user. The information provided under (a) and (b) above must be presented by the data user in a manner that is easily understandable and, if in written form, easily readable. (For the related offence, see 19.4(a) below.) [Sections 35C(1), (2), (3), (4).]

 

12.4 Where no need to take Specified Action

The requirements of the Ordinance summarised in 12.3 above do not apply if:

(a) before 1st April 2013 (when the provisions relating to Direct Marketing came into effect) (i) the relevant data subject had been explicitly informed by a data user in an easily understandable and, if relevant, easily readable manner of the intended or actual use of the data subject's personal data for direct marketing of a class of marketing subjects, (ii) the data user had used the data for such direct marketing, (iii) the data subject had not required the data user to cease to so use his data; and (iv) the data user had not, in relation to and at the time of the direct marketing, contravened any provision of the Ordinance;

(b) (i) a data subject's personal data are provided to a data user by a person other than the data subject and (ii) that other person has notified the data user in writing (01) that sections 35J and 35K of the Ordinance (see 12.9 and 12.10 below) have been complied with in relation to the provision of data and (02) of the class of marketing subjects in relation to which the data may be used in direct marketing by the data user, as consented to by the data subject. The "relaxation" here only applies to direct marketing of the class of marketing subjects specified in the notice to the data user, though. [Sections 35D(1), (2).]

 

12.5 Consent of data subject

 

A data user who has complied with section 35C (see 12.3 above) must not use the data subject's personal data in direct marketing unless:

 

(a) he has received the data subject's consent to the use of the personal data in the way he described in his notice to the data subject (see 12.3(b) above), either generally or selectively;

(b) if the consent is given orally, he has, within 14 days of receipt of the consent, sent a written confirmation to the data subject, confirming (i) the date of receipt of the consent, (ii) the kind of personal data that are permitted for use in direct marketing and (iii) the class of marketing subjects which can be marketed; and

(c) the use is consistent with the data subject's consent – this will be the case if he uses the kind of personal data and for the marketing subjects specified in his notice to the data subject (see 12.3(b) above).

 

A data subject may communicate his consent to a use of personal data either through a channel provided by the data user (see 12.3(c) above and 12.9(c) below) or any other means. (For the related offence, see 19.4(b) below.) [Sections 35E(1), (2), (3)]

 

It is not entirely clear whether data subjects must be given the opportunity to choose between different kinds of personal data and different classes of marketing subjects notified to them by data users so that their consents may only apply to the use of certain of the specific kinds of personal data and specific classes of marketing subjects for direct marketing notified to them by the data user pursuant to Section 35C (see 12.3(a) and (b) above), but not others. The Privacy Commissioner seemed initially to have taken the view that data subjects should be given this choice based, we think, on the use of "generally or selectively" in relation to the data subject's consent in Section 35E(1)(a) (see 12.5(a) above). However, the Guidance Note, at sections 2.16 and 2.17, says that consent may be given generally or selectively (see 12.5(a) above and 12.10(a) below).

 

12.6 Notification to data subject on first use for Direct Marketing

 

A data user must, when using personal data in direct marketing for the first time, inform the relevant data subject that the data user must, without charge to the data subject, cease to use the data for this purpose if the data subject so requires. This provision applies even if the personal data were not collected from the data subject by that data user. (For the related offence, see 19.4(c) below.) [Sections 35F(1), (2)]

 

12.7 Requirement to cease using personal data for Direct Marketing

 

A data subject may, at any time, require a data user to cease to use his personal data for direct marketing. A data subject has this right even if he has received the information required to be provided by the data user prior to use of personal data for direct marketing (see 12.3 above) or if he has earlier given consent to the data user or a third person to the use. A data user who is required to cease using personal data for direct marketing by a data subject must, without charge to the data subject, comply with the requirement. (For the related offence, see 19.4(d) below.) This provision does not affect Section 26 of the Ordinance (see 6 above). [Sections 35G(1), (2), (3), (6)]

 

12.8 Prescribed consent for use of personal data in Direct Marketing under data protection principle 3

 

If a data user would otherwise need, under data protection principle 3, to get the prescribed consent of a data subject to use any of his personal data for direct marketing, the data user is to be taken to have obtained the prescribed consent provided he has not contravened Sections 35C, 35E or 35G (see 12.3, 12.5 and 12.7 above). (A data user would need to get a data subject's prescribed consent to use his personal data for direct marketing if direct marketing was a "new purpose" (see 3.4(4) above).)

 

B: The following provisions are intended to deal with cases where personal data are sold to others for use in direct marketing

 

12.9 Specified action if personal data provided to a third party for Direct Marketing

 

If a data user intends to provide a data subject's personal data to another person for that person's direct marketing, he must:

 

(a) inform the data subject in writing (if personal data are only to be used for the data user's own direct marketing, the notification doesn't need to be in writing – although it is advisable that all such notices be in writing) (i) that he intends to provide the personal data to another person for that person's direct marketing, and (ii) that he is not allowed to provide the data to the third party unless he has received the data subject's written consent;

(b) advise the data subject in writing (i) if the data are to be provided for gain, of this fact, (ii) of the kinds of personal data to be provided, (iii) of the classes of persons to whom the data are to be provided, and (iv) of the classes of marketing subjects in relation to which the data are to be used; and

(c) provide the data subject with a channel through which he may, without charge by the data user, communicate his written consent to the provision of the data to the third party.

This provision applies even if the personal data intended to be provided to the third party were not collected by the data user providing them. The information provided under (a) and (b) above must be presented by the data user in a manner that is easily understandable and easily readable. (For the related offences, see 19.4(e) and 19.5(c) below.) [Sections 35J(1), (2), (3), (4).]

 

12.10 Consent of data subject to sale of personal data

 

A data user who has complied with section 35J (see 12.9 above) must not provide the data subject's personal data to another person for use in direct marketing unless:

 

(a) he has received the data subject's written consent to the provision of the personal data in the way he described in his notice to the data subject (see 12.9(b) above), either generally or selectively;

(b) if the data are provided for gain, the intention to so provide was specified in the notice under section 35J (see 12.9(b)(i) above); and

(c) the provision of the personal data is consistent with the data subject's consent – this will be the case if he (i) uses the kind of personal data and (ii) provides the data to the persons and for the marketing subjects, specified in his notice to the data subject (see 12.9(b)(ii)-(iv) above).

 

A data subject may communicate his consent to provision of his personal data either through a channel provided by the data user (see 12.3(c) and 12.9(c) above) or any other written means. (For the related offences, see 19.4(f) and 19.5(d) below.) [Sections 35K(1), (2), (3)]

 

Please also refer to our comments in the final paragraph of 12.5 above about the Privacy Commissioner's interpretation of the requirements for a data subject's consent – in this regard, the data subject's choice under Section 35K should also apply in relation to the different classes of persons to whom personal data may be provided for direct marketing.

 

12.11 Requirement to cease providing personal data for use in Direct Marketing

 

A data subject who has been notified by a data user that his personal data may be provided to third parties for direct marketing (see 12.9 above) may, at any time, require the data user:

 

(a) to cease to provide his personal data for this purpose; and

(b) to notify any person to whom the data have been so provided to cease to use those data for direct marketing.

 

A data subject has this right even if he has earlier given consent to the provision of his personal data to a third person for direct marketing. A data user who is required to cease providing personal data to third parties for direct marketing must, without charge to the data subject, comply with the requirement. If the data user is also required to notify the third party to cease using the data subject's personal data for direct marketing (see 12.11(b) above), he must so notify that third party in writing. Further, the third party must stop using the relevant personal data for direct marketing in accordance with the notification from the data user. (For the related offences, see 19.4(g), 19.4(h) and 19.5(e) below.) This provision does not affect Section 26 of the Ordinance (see 6 above). [Sections 35L(1), (2), (3), (4), (5), (9)]

 

12.12 Prescribed consent for providing personal data for Direct Marketing under data protection principle 3

 

If a data user would otherwise need, under data protection principle 3, to get the prescribed consent of a data subject to provide any of his personal data to another person for direct marketing, the data user is to be taken to have obtained the prescribed consent provided he has not contravened Sections 35J, 35K or 35L (see 12.9, 12.10 and 12.11 above). (A data user would need to get a data subject's prescribed consent to provide his personal data to a third party for direct marketing if doing this was a "new purpose" (see 3.4(4) above).) [Section 35M]

 

When requirements in 12.9 – 12.12 do not apply

The provisions summarised in 12.9 to 12.12 (inclusive) above do not apply if:

(a) a data user provides, otherwise than for gain, personal data of a data subject to another person for use in offering or advertising (i) social welfare services run, subvented or subsidised by the Social Welfare Department, (ii) health care services provided by the Hospital Authority or Department of Health and (iii) broadly speaking, any other social or health services which are essential to the physical or mental health of the public [Section 35I(1)];

(b) a data user provides personal data of a data subject to his agent for use by the agent in carrying out direct marketing on behalf of the data user [Section 35I(2)].

 

13. Repeated Collections of Personal Data

 

If, when first collecting personal data from a data subject, a data user complies with data protection principle 1(3) (see 3.2(3) above), he will not need to comply with the relevant requirement when he subsequently collects personal data, provided that the circumstances of the subsequent collection are not materially different from the first collection and not more than 12 months have elapsed between the first collection and the subsequent collection. In other words, data users must comply with data protection principle 1(3) in respect of the collection of any personal data on an annual basis – it appears to be an ongoing requirement. [Section 35]

 

14. Exemptions

 

14.1 Exemptions limited

 

There are several exemptions from the requirements of the Ordinance. However, most of the relevant provisions are not "blanket" exemptions, but only from certain specified data protection principles and other provisions. Therefore, even if an exemption does apply, relevant provisions of the Ordinance may still apply to the extent they are not covered by specific exemption categories. If personal data are exempt from any provision of the Ordinance, then that provision will not confer any right nor impose an obligation on any person. [Section 51]

 

14.2 Performance of judicial functions

 

Personal data held by a court, a magistrate or a judicial officer ("judicial officers" basically include all judges, magistrates, coroners, officers on the Lands Tribunal, adjudicators on the Small Claims Tribunal and registrars of the courts) in the course of performing judicial functions are exempt from the provisions of all the data protection principles (see 3 above), provisions relating to data user returns (see 18 below), provisions relating to access and correction requests (see 4 and 5 above) and provisions relating to inspections and investigations (even if the Commissioner has reasonable grounds to believe that there may have been a breach of the Ordinance) (see 15.1 and 15.3 below). [Section 51A]

 

14.3 Domestic Purposes

 

Personal data held by an individual which are concerned only with the management of his personal, family or household affairs or which are held only for recreational purposes are exempt from all the data protection principles, the provisions of the Ordinance relating to data user returns and the register of data users, the provisions of the Ordinance relating to access to and correction of personal data, the provisions of the Ordinance relating to the Commissioner's power to carry out inspections of personal data systems and the provisions of the Ordinance relating to the Commissioner's powers to instigate his own investigations into possible breaches of the Ordinance. This kind of personal data may, therefore, still be subject to an investigation by the Commissioner (see 15.3 below) if a complaint has been made about an act or practice which may be in breach of the Ordinance. [Section 52]

 

14.4 Employment – Staff Planning

 

Personal data comprising information relevant to any staff planning proposal to fill either currently or potentially unfilled employment positions or to terminate any group of individuals' employment are exempt from data protection principle 6 and the right to copies. Thus, in this case, the first 5 data protection principles still apply. [Section 53]

 

14.5 Relevant Process

 

14.5.1 Exempt until determination made

 

Personal data involved in a "relevant process" are exempt from data protection principle 6 and the right to copies until the making of a determination in respect of the relevant process.

 

14.5.2 Definition

 

Relevant process is defined as any process under which personal data are considered for the purpose of determining:

(a) the suitability, eligibility or qualifications of a data subject for employment/appointment to office, promotion or continuance in employment/office, removal from employment/office or the award of contracts, awards (including academic and professional qualifications), scholarships, honours or other benefits; or

(b) whether to continue, modify or cancel any contract, award, scholarship, honour or benefit to a data subject; or

(c) whether disciplinary action should be taken against a data subject for breach of employment terms or terms of appointment to office,

– but does not include any process when no appeal is available. [Section 55]

 

14.6 Personal References 

 

Personal data comprising a personal reference not given by another individual in the ordinary course of his occupation and relevant to an individual's suitability to fill any currently or potentially unfilled employment or office are exempt from data protection principle 6 and the right to copies until the earlier of (i) the individual providing the personal data consenting in writing to the reference being seen by the relevant data subject or (ii) the relevant data subject being informed in writing of acceptance or rejection of his application to fill the employment/office in question. [Section 56] This may make individuals reluctant to give references if they do not want the relevant data subject to see what they have said about them.

 

14.7 Hong Kong's Security Interests

 

14.7.1  Safeguarding security etc. 

 

Personal data held by or on behalf of the Government for the purposes of safeguarding security (security includes prevention or prohibition of persons entering and remaining in Hong Kong if they do not have the right to enter and remain in Hong Kong), defence or international relations in respect of Hong Kong (all these things collectively "Hong Kong's security interests") are exempt from data protection principle 6 and the right to copies if the application of data protection principle 6 and the right to copies would be likely to prejudice Hong Kong's security interests. The Chief Executive or Chief Secretary has power to decide whether such an exemption is (or was) required and a certificate signed by either of them to this effect shall be evidence of this requirement. [Sections 57(1), (3)]

 

14.7.2  Use for other purposes 

 

If personal data are used for the purposes of safeguarding Hong Kong's security interests (whether or not the data are held for any of these purposes) and the application of data protection principle 3 would be likely to prejudice Hong Kong's security interests, they shall be exempt from data protection principle 3. In this case, it will be a defence to any person being sued for breach of data protection principle 3 to show he had reasonable grounds to believe that failure to use data only for the purposes for which they were collected would have been likely to prejudice the safeguarding of Hong Kong's security interests. A certificate signed by the Chief Executive or the Chief Secretary certifying that personal data are or have been used for the purposes of safeguarding Hong Kong's security interests shall be evidence of this. [Sections 57(2), (4)]

 

14.7.3  Government directions 

 

The Chief Executive or the Chief Secretary may direct the Commissioner not to exercise any of his powers of inspection or investigation (see 15.1 and 15.3 below) in relation to personal data covered by a certificate referred to in 14.7.1 or 14.7.2 above, giving reasons.

 

14.8 Crime

 

14.8.1  Protected purposes

 

Personal data held for the purposes of:

(a) preventing or detecting crime;

(b) apprehending, prosecuting or detaining offenders;

(c) assessing or collecting taxes;

(d) preventing, remedying or punishing unlawful conduct or dishonesty;

(e) preventing financial loss arising from imprudent business practices or unlawful conduct or dishonesty;

(f) where a data user is exercising statutory functions, ascertaining whether a data subject's character or activities are likely to have a significant adverse impact on anything to which those statutory functions relate,

are exempt from data protection principle 6 and the right to copies if the application of data protection principle 6 and the right to copies would be likely to prejudice any of the above matters or directly or indirectly identify the source of the relevant data. "Crime" is defined as (i) an offence under the laws of Hong Kong or (ii) if personal data are held or used in connection with law enforcement co-operation between Hong Kong and another country, an offence under the laws of that other country. [Sections 58(1), (6)]

 

14.8.2  Financial regulation 

 

Personal data held by a financial regulator for the purpose of:

(a) ascertaining whether a data subject's character or activities are likely to have a significantly adverse impact on the discharge of his functions; or

(b) discharging his functions,

are exempt from data protection principle 6 and the right to copies if the application of data protection principle 6 and the right to copies would be likely to prejudice any of the above matters or directly or indirectly identify the source of the relevant data. Financial regulators include the Monetary Authority, the Securities and Futures Commission, any recognised clearing house or exchange company under Schedule 1, Part I, Section 1 of the Securities and Futures Ordinance, the Insurance Authority, the Registrar of Occupational Retirement Schemes, the Mandatory Provident Fund Schemes Authority and any other regulator specified by the Chief Executive by a notice in the Gazette. The functions covered by (a) and (b) above include protecting the public against financial loss arising from, inter alia, seriously improper conduct in the fields of banking, insurance, investment or other financial services, pension schemes, company management and other companies regulation or generally promoting the general stability or efficiency of these fields. [Sections 2(1), (7), 58(1)(f)(ii), (g), (3), (4)]

 

14.8.3 Data not used for purpose for which collected 

 

Personal data used for any of the purposes specified in 14.8.1 and 14.8.2 (whether or not such data are held for those purposes) are exempt from data protection principle 3 if the application of data protection principle 3 would be likely to prejudice any of such matters. It will be a defence to any person being sued for breach of data protection principle 3 to show he had reasonable grounds to believe that failure to so use the relevant data would have been likely to prejudice such matters. [Section 58(2)].

 

14.9 Health 

 

14.9.1 State of health

 

Personal data relating to a data subject's physical or mental health are exempt from (i) data protection principle 6 and the right to copies and/or (ii) data protection principle 3 if the application of those data protection principles and the right to copies would be likely to cause serious harm to the physical or mental health of the data subject in question or any other individual. [Section 59(1)].

 

14.9.2 Identity or location

 

Personal data relating to the identity or location of a data subject are exempt from data protection principle 3 if the application of that data protection principle to the data would be likely to cause serious harm to the physical or mental health of (i) the data subject or (ii) any other individual. [Section 59(2)]

14.9.3 Care and guardianship of minors

 

Personal data in relation to a minor transferred or disclosed by the Hong Kong Police Force or Customs and Excise Department to a parent, guardian or other representative of the minor are exempt from the provisions of data protection principle 3 if (i) the transfer/disclosure of personal data is to facilitate the exercise of proper care and guardianship of the minor by the recipient, (ii) the transfer/disclosure is in the interest of the minor; and (iii) the application of those provisions in relation to such transfer/disclosure would be likely to prejudice the exercise of proper care and guardianship of the minor by the parent, guardian or other representative or the interests of the minor. [Section 59A]

 

14.10    Legal Professional Privilege 

 

Personal data are exempt from data protection principle 6 and the right to copies if they consist of information which is subject to a lawful claim for legal professional privilege. [Section 60]

 

14.11    Self incrimination 

 

If, as a result of complying with a request under data protection principle 6 or the right to copies, a data user might be incriminated in any proceedings for any offence other than an offence under the Ordinance, the data are exempt from data protection principle 6 or the right to copies. Further, information disclosed by a data user in compliance with a request under data protection principle 6 or the right to copies is not admissible against the data user in any proceedings for an offence under the Ordinance. [Section 60A]

 

14.12    Legal proceedings 

 

Personal data are exempt from data protection principle 3 if the use of the data is (i) required or authorised by or under any enactment, by any rule of law or by an order of a court in Hong Kong, (ii) required in connection with any legal proceedings in Hong Kong, or (iii) required for establishing, exercising or defending legal rights in Hong Kong. [Section 60B]

 

14.14 News

 

14.14.1 Definition

 

News activity means any journalistic activity and includes-

(a) the-

    (i) gathering of news;

    (ii) preparation or compiling of articles or programmes concerning news; or

    (iii) observations on news or current affairs, for the purpose of dissemination to the public; or

(b) the dissemination to the public of-

    (i) any article or programme of or concerning news; or

    (ii) observations on news or current affairs. [Section 61(3)]

 

14.14.2 Data held for News Activity 

 

Personal data held by a data user whose business includes a news activity solely for the purposes of that activity (or any activity related directly to that news activity) are exempt from data protection principle 6, the right to copies and the Commissioner's power to carry out an investigation into that data user following a complaint (see 15.2 below) unless and until the relevant data are published or broadcast. Accordingly, the data user may, subject to the provisions of the Ordinance, have to supply copies of the relevant data unless by doing so he would disclose the identity of his source (see 4.8(b) above and 15.9.2 below). Such personal data are also exempt from the Commissioner's power to inspect any personal data systems and the Commissioner's power to instigate his own investigations (see 15.3 below). [Section 61(1)]

 

14.14.3 Disclosure of data in public interest 

 

Personal data are exempt from data protection principle 3 if the use of the data consists of disclosing them to a data user whose business includes news activity and this disclosure is made by a person who has reasonable grounds to believe (and does reasonably believe) that the publishing or broadcasting of the data (whether or not they are actually published or broadcast) is in the public interest. [Section 61(2)] This exemption would seem to protect a person who receives personal information from the relevant data subject in confidence if there is a public interest in such information; in that case the confidence will not be protected.

 

14.15 Statistics and Research 

 

Personal data are exempt from data protection principle 3 if the data are to be used only to prepare statistics or carry out research and the resulting statistics or results of research are not made available in a form which identifies any of the data subjects in question. [Section 62]

 

14.16 Exemption from right to disclosure 

 

If personal data would be exempt from the right to copies by virtue of the exemption provision relating to Hong Kong's security interests and crime etc., then the relevant personal data are also exempt from the right to disclosure if the interests protected by these exemptions would be likely to be prejudiced by enforcement of the right to disclosure. [Section 63]

 

14.17 Human embryos 

 

Personal data which consist of information showing that an identifiable individual was, or may have been, born in consequence of a reproductive technology procedure under the Human Reproductive Technology Ordinance (Cap. 561) are exempt from data protection principle 6 and the right to copies unless disclosure of the data is made in accordance with section 33 of that Ordinance. Where an access request relates to personal data which are or, if the data actually existed, would be exempt from the right to copies because of the latter provision, then the data are also exempt from the right to disclosure if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or non-existence of the data. [Section 63A]

 

14.18 Due diligence exercises

 

14.18.1 Due diligence related to proposed business transaction exempt

 

Personal data transferred or disclosed by a data user for the purpose of a "due diligence exercise" in connection with a proposed business transaction that involves (i) a transfer of the business or property of, or any shares in, the data user, (ii) a change in the shareholdings of the data user; or (iii) an amalgamation of the data user with another body, are exempt from data protection principle 3 if:

(a) the personal data transferred or disclosed are not more than necessary for the purpose of the due diligence exercise;

(b) goods, facilities or services which are the same as or similar to those provided by the data user to relevant data subjects are to be provided to the data subjects, on completion of the proposed business transaction, by a party to the transaction or a new body formed as a result of the transaction;

(c) it is not practicable to obtain the prescribed consent of the data subject for the transfer or disclosure.

For the purposes of this exemption, "due diligence exercise" means the examination of the subject matter of a transaction to enable a party to decide whether to proceed with the transaction. [Sections 63B(1), (2), (6)]

 

14.18.2 Extent of due diligence exemption

 

The exemption mentioned in 14.18.1 above does not apply if the primary purpose of the proposed business transaction is the transfer, disclosure or "provision for gain" of the personal data. [Section 63B(3)] Further, if a data user transfers or discloses personal data to a person for the purpose of a due diligence exercise related to a proposed business transaction described in 14.18.1 above, that person (i) must only use the data for that purpose and (ii) must, as soon as practicable after completing the due diligence (01) return the personal data to the data user and (02) destroy any record of the personal data that is kept by the person (for the related offence, see 19.3(e) below). [Section 63B(4)]

 

For the purposes of this exemption, "provision for gain" means provision of the data in return for money or other property, irrespective of whether (i) the return is contingent on any condition or (ii) the person who provides the data retains any control over the use of the data. [Section 63B(6)]

 

14.19 Emergency situations

 

Personal data are exempt from data protection principle 1(3) (see 3.2(3) above) and data protection principle 3 (see 3.4 above) if their application would be likely to prejudice any of the following matters – (i) identifying an individual who is reasonably suspected to be, or is, involved in a life-threatening situation, (ii) informing an individual's immediate family members (meaning other persons who are related to the individual by blood, marriage, adoption or affinity) or his representatives of his involvement in the life-threatening situation, (iii) the carrying out of emergency rescue operations or provision of emergency relief services. [Section 63C]  

 

14.20 Transfer of records to Government Records Service

 

Personal data contained in records that are transferred to the Government Records Service are exempt from data protection principle 3 when the records are used by the Government Records Service solely for the purpose of (i) appraising the records to decide whether they are to be preserved or (ii) organizing and preserving the records. [Section 63D]  

 

14.21 Exemption from Data Protection Principle 1(3) 

 

It should also be remembered that where any of these exemptions is from data protection principle 6 (i.e. basically all of them), the duty under data protection principle 1(3) (see 3.2(3) above) to inform a data subject of (i) the purposes for which his data are being collected, (ii) likely transferees and (iii) other rights under the Ordinance also does not apply if to comply with the duty would be likely to prejudice the purpose for which the data are being collected.

 

 

15. Investigation and Enforcement

 

15.1  Inspections 


The Commissioner has power to carry out inspections of any personal data system to assist him in making recommendations to data users for the promotion of compliance with the Ordinance (in particular, data protection principles) by one particular data user or a class of data users. A personal data system is defined as any system, whether automated or not, used by a data user for the collection, holding, processing or use of personal data including any document and equipment forming part of the system. [Section 36]

 

15.2  Complaints 


An individual (or an authorised representative of an individual) may make a complaint to the Commissioner about an act (an act includes any deliberate omission to do something) or practice of a data user relating to personal data about that individual (or, if an exemption is being relied upon, which may be about that individual) which may be a breach of the Ordinance. If a complaint is made by more than one individual about the same act or practice, then any one of these individuals can make the complaint on behalf of all the complainants. A complaint must be in writing in Chinese or English or in another form accepted by the Commissioner and must specify the act or practice complained of and the data user involved. The Commissioner and relevant employees of the Commissioner have a duty to assist anyone who wishes to make a complaint but requires assistance to do so (see also 15.11.2(iv) (and also 21.2 and 21.3)). [Section 37]

 

15.3  Investigations 


If the Commissioner receives a complaint or if he has reasonable grounds to believe that a data user has engaged in or is engaging in an act or practice relating to personal data which may be a breach of the Ordinance, then, in the case of a complaint, the Commissioner must investigate the relevant data user to ascertain whether there has been a breach (unless entitled to refuse for any of the reasons listed in 15.4.1 or 15.4.2 below) (a "complaint initiated investigation") and, in any other case, has a discretion to investigate. [Section 38].

 

15.4 Restrictions on complaint initiated investigations

 

15.4.1 Refusal to investigate


The Commissioner is entitled to refuse to carry out or decide to terminate a complaint initiated investigation if:

(a) the complainant (or his representative) has had actual knowledge of the relevant act or practice for more than 2 years prior to the Commissioner receiving the complaint (unless there are other circumstances such that the Commissioner is satisfied that it is proper to carry out or not to terminate the investigation);

(b) the complaint is made anonymously;

(c) the complainant cannot be identified or found;

(d) none of the following conditions is fulfilled in respect of the act or practice complained of:

    (i) either the complainant (or his principal) was resident in Hong Kong or the data user in question was able to control in or from Hong Kong the collection, holding or processing or use of the relevant personal data at any time the act or practice was being engaged in;

    (ii) the complainant (or his principal) was in Hong Kong at any time the relevant act or practice was being engaged in;

    (iii) the Commissioner considers that the relevant act or practice may prejudice any right of the complainant (or his principal) in Hong Kong; or

(e) the Commissioner is satisfied that the data user in question has not been a data user for not less than 2 years immediately before his receipt of the complaint. [Section 39(1)]

 

15.4.2  Other reasons for refusal 


The Commissioner is also entitled to refuse to carry out or decide to terminate a complaint initiated investigation if he considers:

(a) the complaint or a similar complaint has previously resulted in an investigation being initiated after which the Commissioner concluded that there had been no breach of the Ordinance;

(b) the relevant act or practice is trivial or the complaint is frivolous, vexatious or not made in good faith;

(c) the main subject matter of the act or practice specified in the complaint is not related to privacy of the personal data of individuals; or

(d) any investigation or further investigation is for any reason unnecessary.

 

15.4.3 Notice of refusal/termination 

 

If the Commissioner (i) refuses to carry out or (ii) decides to terminate a complaint initiated investigation, he must, as soon as practicable, and, in the case of a refusal to carry out an investigation, not later than 45 days after receipt of the complaint, notify the complainant in writing of his refusal or decision to terminate (as the case may be) and the reasons and also the complainant's (or his principal's) right to appeal to the Administrative Appeals Board against the refusal or decision to terminate. [Sections 39(3), (3A), (4)]

 

15.5 Continuation of investigation 

 

The Commissioner can carry out or continue a complaint initiated investigation in spite of the withdrawal of the complaint if he considers it to be in the public interest. In this case, the complainant shall have the same rights as if the complaint had not been withdrawn. [Section 40]

 

15.6 Notice to data user of investigation 

 

The Commissioner must give written notice to a data user of his intention to carry out an inspection or investigation, unless, in the case of an investigation, he has reasonable grounds to believe that to do this may prejudice the investigation. [Section 41]

 

15.7 Power of entry for purposes of inspection or investigation

 

15.7.1 Power of entry for inspection 

 

When carrying out an inspection of a personal data system, the Commissioner has power to enter and carry out the inspection on the premises where the system is kept. In the case of non-domestic premises, he can do so at any reasonable time and, in the case of domestic premises, he can only do so with the consent of any person (other than a minor) resident there. However, he must give at least 14 days written notice to the relevant data user of the premises where he proposes to carry out the inspection and state that the inspection will not be carried out until the 14 days have expired. In addition, the Commissioner must not exercise his inspection power in a way which unduly disrupts any operations being carried out in the relevant premises either by the relevant data user or any other person. [Sections 42(1), (3), (8)]

 

15.7.2 Power of entry for investigation 

 

When carrying out an investigation, the Commissioner has power to enter any premises occupied by the relevant data user or where the personal data system used by the relevant data user is located and carry out the investigation on those premises. However, he must give at least 14 days written notice to the relevant data user of the premises where he proposes to carry out the investigation and state that the investigation will not be carried out until the 14 days have expired. The Commissioner cannot exercise his power to investigate domestic premises unless a person (not a minor) resident in those premises consents before the expiry of the 14 day period after service of the notice. In addition, the Commissioner must not exercise his investigation power in a way which unduly disrupts any operations being carried out in the relevant premises either by the relevant data user or any other person. [Sections 42(2), (3), (4), (8)]

 

15.7.3 Warrant to enter for investigation 

 

The Commissioner does not have to give notice if he obtains a warrant from a magistrate to carry out the investigation of certain premises provided he can first satisfy the magistrate that he has reasonable grounds to believe that any investigation may be substantially prejudiced if he were required to give the notice. The Commissioner can also obtain a warrant from a magistrate to carry out an investigation of domestic premises if he has reasonable grounds to believe that an investigation may be substantially prejudiced by the refusal of a person resident on the premises to give his consent to entry after an appropriate notice has been served. [Sections 42(6), (7)]

 

15.7.4 Data user's assistance 

 

If the Commissioner exercises his inspection or investigation power, the data user in question must, without charge, give the Commissioner such facilities and assistance as the Commissioner may reasonably require for the purposes of the inspection or investigation. [Section 42(9)]

 

15.8 Proceedings of Commissioner 

 

The Commissioner has very wide further powers in respect of investigations. He can require information, documents or things from such persons, and make such enquiries, as he thinks fit and he can regulate his own procedures as he thinks fit. A hearing for the purposes of an investigation must be carried out in public unless the Commissioner considers that in all the circumstances it should be carried out in private or, if it is a complaint initiated investigation, if the complainant so requests in writing. Lawyers do not have the right of audience before him at any hearing for the purposes of an investigation but may do so if he thinks fit. The Commissioner is not obliged to hold any hearing for the purposes of an investigation nor does any person have the right to be heard by him. However, if during the course of an investigation, the Commissioner determines that he may have grounds to make a report or recommendation criticizing or adversely affecting any person, he shall give that person an opportunity to be heard. [Section 43]

 

15.9 Evidence

 

15.9.1 Examinations 

 

The Commissioner has power for the purposes of an investigation to examine any person who he considers can give any relevant information and, if it is a complaint initiated investigation, the complainant (or his principal) and may also require such person to provide him with information, documents or things in that person's possession or control which the Commissioner thinks may be relevant to the investigation. [Section 44(1)]

 

15.9.2  Examinations of journalists 

 

However, if, in a complaint initiated investigation of a data user whose business includes news activity, the person being examined by the Commissioner refuses to provide information or documents on the grounds that (i) this would directly or indirectly disclose the source (being an individual) of relevant personal data or (ii) he is protected by common law privilege, then the Commissioner cannot serve an enforcement notice (see 15.15 below) on the person being examined and must make an application to the High Court, not later than 28 days after the person being examined refuses to comply, for an order directing that person to comply with his requirements. The High Court may only make such an order if:

(a) having regard to all the circumstances, including the circumstances of the complainant, it is satisfied that if the relevant act or practice proved to be a breach of the Ordinance, the breach would be of sufficient gravity to warrant the person being examined complying with the Commissioner's requirements;

(b) the investigation would be substantially prejudiced if the requirements were not complied with;

(c) it is in the public interest that the requirements be complied with; and

(d) if common law privilege is asserted, it finds that this privilege does not apply.

At the hearing before the High Court, each of the Commissioner, the person being examined and the complainant has a right to be heard. [Section 44(2)]

 

15.9.3  No disclosure of examinee's identity  

 

If a person being examined complies with a requirement to give information or furnish documents or things to the Commissioner under Section 44(2)(d) (see 15.9.2 above) and the Commissioner concludes that that person has not breached a requirement of the Ordinance which is a subject of a complaint, then that person's identity may not be disclosed to the complainant. (For the related offence, see 19.2(i) below.) [Section 44(3)]

 

15.9.4 Non-application of secrecy laws  

 

No obligation to maintain secrecy or other restrictions imposed by law upon the disclosure of any information, document or other thing that is or has been in the possession of a person being examined by the Commissioner may be relied upon to prevent disclosure for the purposes of an investigation. If the Commissioner requires disclosure or production of any information, document or thing for the purposes of an investigation, that requirement will be sufficient authority for its disclosure or production. [Section 44(8)] (This provision appears to be inconsistent with 15.9.2 above and the Chief Executive's power mentioned in 15.10 below).

 

15.9.5 Payment of expenses 

 

The Commissioner has power to pay the reasonable expenses of complainants and witnesses incurred during the course of an investigation. [Section 44(9)]

 

15.10  Witnesses  

 

Persons required to give information, answer questions or produce documents and things for the purposes of an investigation have the same privileges as they would have in normal civil proceedings. However, any enactment or rule of law which authorises or requires the withholding of a document or thing or the refusal to answer any question on the grounds that this would be injurious to the public interest shall not apply. Somewhat inconsistently, the Commissioner is not permitted to require disclosure of the deliberations of the Executive Council for the purposes of the giving of any information or the answering of any question or the production of any document or thing in relation to an investigation, without the consent of the Chief Executive. Further, statements or answers given by persons during the course of an investigation are not admissible in evidence at other proceedings against any person and no evidence in respect of an investigation shall be given against any person, except in the case of perjury or an offence under the Ordinance. [Section 45]

 

15.11  Secrecy 

 

15.11.1 Commissioner's duty to maintain secrecy

 

The Commissioner and his officers are required to maintain secrecy with regard to all matters that come to their knowledge during the performance of their functions and exercise of their powers. (For the related offence, see 19.2(j) below). [Section 46(1)]

 

15.11.2 Exceptions to secrecy duty

 

However, the Commissioner can (i) disclose any matter if the disclosure is necessary for the proper performance of his functions or the proper exercise of his powers under the Ordinance, (ii) disclose such matters during legal proceedings if the matters are relevant to those proceedings, (iii) report evidence of crime to appropriate authorities and (iv) disclose evidence of something which may justify a complaint by a person to that person. He may also disclose relevant matters in any report made by him under the Ordinance which he considers will justify any of his findings or recommendations, unless disclosure would be of personal data exempt from data protection principle 6. If a report is made by the Commissioner on an inspection or investigation, and the report contains personal data, he is not permitted to publish the report unless a copy has first been sent to the relevant data user and that data user is given 28 days written notice of his right to object, in writing, to disclosure of any personal data in the report which he believes are exempt from data protection principle 6. The Commissioner may publish if the data user either does not respond within that time period or, if he does so, the Commissioner deletes the relevant personal data from the report or does not delete them and either no appeal is made or any appeal is unsuccessful. If a data user objects but the Commissioner still decides to include the relevant matter in the report, he must give the data user written notice of his decision and inform him of his right of appeal. Appeals must be made within 14 days after service of such a notice to the Administrative Appeals Board. [Sections 46(2), (3), (4), (5), (6)]

 

15.11.3 Further exceptions relating to foreign authorities
 

The Commissioner may:

(a) to enable or assist a foreign authority to investigate a suspected breach of, or enforce, legal or regulatory requirements in its jurisdiction concerning the protection of privacy of personal data (such investigation or enforcement a relevant function), disclose matters to that authority; or

(b) for the proper performance or exercise of his functions and powers under this Ordinance, disclose matters to a foreign authority which performs a relevant function,

if before disclosure is made:

(i) in both cases (a) and (b), the foreign authority has undertaken to be bound by the secrecy requirements imposed by the Commissioner; and

(ii) in case (a) only, in the opinion of the Commissioner, there is in force in the foreign authority's jurisdiction a law which is substantially similar to, or serves the same purposes as, the Ordinance, or in case (b) only, any one of the following conditions is satisfied:

    (01) in the opinion of the Commissioner, there is in force in the foreign authority's jurisdiction a law which is substantially similar to, or serves the same purposes as, the Ordinance;

    (02) the data subject to whom the matter relates has consented in writing to the disclosure;

    (03) the Commissioner has reasonable grounds for believing that, in all the circumstances (i) the disclosure is to avoid or mitigate adverse action against the data subject; (ii) it is not practicable to obtain the consent in writing of the relevant data subject; and (iii) if it was practicable to obtain such consent, the data subject would give it;

    (04) the personal data to which the matters relate are exempt from the provisions of data protection principle 3 (see 3.4 above); or

    (05) the Commissioner has taken all reasonable precautions and exercised all due diligence to ensure that the relevant personal data will not, in the foreign authority's jurisdiction, be collected, held, processed or used in any manner which, if done in Hong Kong, would be a breach of the Ordinance.

[Sections 46(7), (8), (9), (10)]

 

15.12  Results of inspections or investigation  

 

After completing an inspection, the Commissioner must inform the relevant data user of the result of the inspection, any recommendations he wishes to make to promote compliance by that data user with the Ordinance, any report he proposes to publish and any other comments. The Commissioner has the same obligations to inform any data user after an investigation and he must also inform the data user whether or not he has decided to serve an enforcement notice on him. If the Commissioner decides to serve an enforcement notice on a data user after an investigation, he may serve the notice at the same time as he gives the data user the information relating to the investigation mentioned in the previous sentence. If an investigation is initiated by a complaint, the Commissioner must inform the complainant of the result of the investigation, any recommendation he makes to the data user, any report he proposes to publish, any comments made by the data user on such recommendation or report, whether or not he has served or has decided to serve an enforcement notice (and the complainant's right to object if the Commissioner has not served and has decided not to serve an enforcement notice) and any other comments. These obligations to inform a complainant do not apply if the complainant has withdrawn his complaint. A complainant has a right of appeal against the non-service of, and a decision not to serve, an enforcement notice on a data user to the Administrative Appeals Board. [Section 47]

 

15.13 Reports  

 

The Commissioner has power to publish reports after completing an inspection or an investigation. Reports upon inspections may set out any recommendation relating to the promotion of compliance with the Ordinance by the relevant class of data users. Reports upon investigations may be published if the Commissioner considers it is in the public interest to do so and they should set out the result of the investigation, any recommendation to promote compliance with the Ordinance by the relevant class of data users and any other comments. Reports should not disclose the identity of any individual, except the Commissioner or his officers and the relevant data user. [Section 48]

 

15.14 No duty to inform or publish reports  

 

The Commissioner may not publish a report upon an investigation or inform the relevant data user and the complainant (see 15.12 and 15.13 above) if the result of the relevant investigation is that the act or practice in question is exempt from the provisions of the Ordinance (see 14 above) and the interests protected by the exemption would be likely to be prejudiced if the Commissioner did publish the report and inform the relevant persons. However, the Commissioner must inform the data user of the result of the investigation and, if the investigation was initiated by a complaint, inform the complainant that he is satisfied that there has not been a breach of the Ordinance. [Section 49]

 

15.15  Enforcement notices

 

15.15.1 Service of enforcement notices and form

 

If, after completing an investigation, the Commissioner considers that a data user is breaching the Ordinance or has done so, then he may serve a written notice upon that data user directing the data user to remedy the breach and, if appropriate, prevent any recurrence. The Commissioner's aforesaid written notice (an "enforcement notice") must (i) state that the Commissioner considers that the data user is in breach of the Ordinance giving his reasons, (ii) specify the requirement which is being or has been breached and the act or omission that constitutes the breach, (iii) specify the steps that the data user must take (including ceasing any act or practice) to remedy and, if appropriate, prevent any recurrence of the breach, (iv) specify the date on or before which the steps must be taken and (v) be accompanied by a copy of Section 50(1B). The relevant date by which relevant steps must be taken must be a date which is not earlier than the expiry of the period within which an appeal against the notice may be made (see 15.15.2 below). In deciding whether to serve an enforcement notice, the Commissioner must consider whether the relevant breach has caused or is likely to cause damage or distress to a data subject. The steps specified in an enforcement notice to remedy and, if appropriate, prevent any recurrence of any breach may be framed (01) by reference to any approved code of practice and (02) to give the relevant data user a choice of remedy and, if appropriate, prevention measures. (For offences, see 19.3(a)-(d) below.) [Sections 50(1), (1A), (1B), (2), (3)]

 

15.15.2 Appeal procedure

 

A data user has a right of appeal against an enforcement notice to the Administrative Appeals Board not later than 14 days after service of the notice. An enforcement notice cannot require remedial steps to be taken until after the appeal period has expired, unless there are special circumstances. If an appeal is made, no remedial action need be taken until the appeal is determined. If there are special circumstances such that the Commissioner considers that remedial steps should be taken as a matter of urgency, he should include a statement to this effect in his enforcement notice and he can require the data user to take the appropriate remedial steps by not later than 7 days after the service of the notice (and the data user cannot wait until after any appeal is determined in this case). The Commissioner also has power to serve an enforcement notice even before he has completed an investigation if he thinks this necessary because of special circumstances. If, however, he uses this power, he must also explain in the enforcement notice why he thinks the notice must be served as a matter of urgency. [Sections 50(4), (5), (7), (8)]

 

15.16 Data Users for the purposes of complaints / investigations

 

Complaints may still be made against persons who were data users in relation to relevant data within a period of 2 years immediately before the time the Commissioner received the complaint. The Commissioner has power to make investigations into such persons, and the other provisions of the Ordinance applicable to data users also apply generally to such persons. [Section 2(5)]

 

16. Administration

 

16.1   Commissioner   

 

As will have been noted, a special office was established on 1st August 1996 under the name of the Privacy Commissioner for Personal Data. The Commissioner is appointed by the Chief Executive and his term of office is 5 years which can be renewed for one further term of 5 years. [Section 5]

 

16.2 Funding and accounts  

 

The Commissioner is funded by the Government and any other donation or income received. He must comply with specific directions from the Treasury Secretary with respect to expenditure during any financial year. He has the power to borrow money by way of overdraft with the prior approval of the Home Affairs Secretary or in any other way after first consulting with the Home Affairs Secretary. Surplus funds may be invested in ways permitted by the Home Affairs Secretary. The Commissioner must keep proper accounts of all financial transactions and prepare annual accounts of his activities which must be set before the Chief Secretary not later than 9 months after the end of each financial year. These annual accounts shall be subject to scrutiny by the Legislative Council. The Commissioner's office is expressly exempt from taxation. [Section 5, Schedule 2]

 

16.3 Not regarded as public servant  

 

Although the Commissioner is, for the purposes of the Prevention of Bribery Ordinance (Cap. 201), deemed to be a public servant, he is not to be regarded as a public servant or as enjoying the status, immunity or privilege of a public servant. Unless otherwise permitted by the Chief Executive, the Commissioner cannot have any other office or occupation other than as Commissioner. [Section 6]

 

16.4 Functions 
 

The specific functions and powers of the Commissioner are:

(a) monitoring and supervising compliance with the Ordinance;

(b) promoting and assisting representative bodies of data users (such as, for example, the Hong Kong Association of Banks) to prepare codes of practice to assist these groups of data users in complying with the Ordinance;

(c) promoting awareness and understanding of and compliance with the Ordinance;

(d) examining any proposed new legislation which he considers may affect the privacy of personal data;

(e) inspecting systems used by Government Departments or quasi-government authorities for the collection, holding, processing or use of personal data;

(f) undertaking research into the processing of data and information technology to check on likely adverse effects any developments might have on the privacy of personal data;

(g) liaising and cooperating with his equivalents in other countries. [Section 8(1)]

 

16.5 Powers  

 

He may also do all such things as are necessary for, or incidental or conducive to, the better performance of his functions, including holding property; entering into and performing (etc.) contracts; undertaking and executing lawful trusts which have as an object the furtherance of any of the functions of the Commissioner; accepting gifts; with the approval of the Chief Executive, becoming a member of any international body concerned with personal privacy; and carrying out promotional or educational activities or services (for which he may impose reasonable charges). The Commissioner may also issue guidelines from time to time indicating the manner in which he proposes to perform his functions or exercise his powers under the Ordinance. [Section 8]

 

16.6 Staff and advice  

 

The Commissioner has the power to employ staff and obtain professional and technical advice to assist him to perform his functions. He also has the power to delegate certain of his functions. [Sections 9, 10]

 

16.7 Advisory Committee  

 

There is provision for the establishment of a Personal Data (Privacy) Advisory Committee to advise the Commissioner upon matters relevant to individual privacy. This Committee will consist of the Commissioner himself (and he will be the chairman) and between 4 and 8 other persons appointed by the Home Affairs Secretary. At least one of the Committee members appointed by the Home Affairs Secretary is to have at least 5 years' experience in data processing, and not more than 1 of the appointees can be a government officer. [Section 11]

 

16.8 Immunity   

 

No civil liability is incurred by the Commissioner or any officer appointed by the Commissioner in respect of anything done or omitted to be done by him or his officers in good faith in the performance or purported performance or exercise of any function or power imposed or conferred on the Commissioner or his officers under the Ordinance. However, the aforesaid protection does not affect the civil liability of the Commissioner as a corporation sole. [Section 11A]

 

17. Codes of Practice

 

17.1 Approved codes 

 

The Commissioner has power to approve special codes of practice for the purpose of providing practical guidance upon requirements of the Ordinance. Approved codes of practice will normally be specified as such by the Commissioner by notice in the Gazette. The Commissioner also has power to revise provisions contained in any code and withdraw approval. Before approving a code of practice (or any revision), the Commissioner is obliged to consult with such bodies representing groups of data users to which the relevant code is to apply as he shall think fit. [Section 12] A number of codes of practice have been issued so far, including in relation to ID Cards and personal identifiers, consumer credit data, human resource management and protection of customer information for fixed and mobile (telephone) service operations.

 

17.2 Legal standing of codes 

 

The effect of any data user failing to comply with a provision of an approved code of practice will not render the data user liable to legal proceedings. However, if a data user is the subject of any proceedings for breach of the Ordinance before a "specified body" (see 4.10 above) and there is at the relevant time an approved code of practice which covers the breach, proof of a breach of the code may be taken by the relevant specified body as proof that the relevant requirement of the Ordinance has been breached too (in the absence of other evidence). [Section 13]

 

18. Data User Returns and Register of Data Users

 

18.1 Specified data user classes 


The Commissioner has power to "specify" certain classes of data users. Once a class of data users has been specified by the Commissioner, members of that data user class must submit a return to the Commissioner containing the following prescribed information:

(a) name and address of data user;

(b) type of personal data used by data user;

(c) purpose or purposes for which the personal data are collected, held, processed or used by the data user;

(d) classes of persons to whom data user discloses relevant personal data;

(e) places outside Hong Kong to which personal data may be transferred;

(f) name and address of person employed by the data user to whom access requests may be made. [Sections 14(1), (4), Schedule 3]

 

18.2 Updating information 

 

Members of specified data user classes must update information on the register on an annual basis. There is also an obligation, if there is a change to any prescribed information and it has been expressly provided that such changes must be notified, to specify such a change to the Commissioner within 30 days in a "change notice". (For the related offence, see 19.2(a) below.) [Sections 14(4), (8)]

 

18.3 Verification of data user returns

 

18.3.1 Commissioner's power to verify data user returns 

 

The Commissioner has power to verify the accuracy of information in a data user return or change notice. He may, acting reasonably, exercise this power by sending a written notice to the relevant data user or any other person whom he believes may be able to assist in verifying relevant information, requiring any document, record, information or thing specified in the notice to be provided and a written response to any question in the notice (for related offence, see 19.2(b) below). [Section 14A(1), (2)]

 

18.3.2 Right to refuse to provide information 

 

A person receiving a notice may refuse to provide any document, record, information or thing, or respond to any question, required in the notice, if entitled or obliged under any other Ordinance to do so. [Section 14A(3)]

 

18.3.3 Notice from Commissioner if information in return is inaccurate

 

If, based on any response (i.e. any document, record, information or thing provided or any reply to a question) to a notice served under Section 14A(1) and acting reasonably, the Commissioner believes that any information in a data user return or change notice is inaccurate, he may, by written notice, require the data user to correct the information in the data user return or change notice (for related offence, see 19.2(c) below). [Section 14A(4)]

 

18.3.4 Duty to comply with Commissioner's notice  
 

Subject to any right to refuse to do so under any Ordinance, a person receiving a notice must comply with a requirement in a notice under Section 14A(1) or 14A(4) within such reasonable period as is specified in the notice (for related offence, see 19.1(a) below). [Section 14A(5)]

 

18.4 Register of data users

 

18.4.1 Keep and maintain register of data users 

 

The Commissioner must keep and maintain a register of data users who have submitted data user returns, using information in those returns and in any change notices. The register must be in the form of a database containing such particulars of each data user based on the information supplied in his data user return and any change notice as the Commissioner thinks fit. [Sections 15(1), (2)]

 

18.4.2 Power to require information to maintain the register 

 

The Commissioner has power, by written notice to a data user, to require the data user to provide such information as the Commissioner may reasonably require to maintain the register in relation to that data user. A data user must provide the relevant information within not less than 30 days after receipt of the Commissioner's notice in such manner as the Commissioner requires. If any information so provided by a data user changes, then the data user shall send a written notice to the Commissioner specifying such change within 30 days after the change – but only if the information in question was specified in the Commissioner's original notice under Section 15(3) as information to which Section 15(4) applied (for the related offences, see 19.2(d) below). [Sections 15(3), (4)]

 

18.4.3 Persons ceasing to be data user 

 

If the Commissioner is satisfied that a person has ceased to be a data user, he may delete from the register any particulars relating to that person as a data user. A person who has ceased to be a data user may, by notice, request the Commissioner to delete his particulars as a data user from the register. The Commissioner must, not later than 3 months after receipt of the notice, comply with the data user's request (unless withdrawn) (for the related offence, see 19.2(e) below). [Sections 15(5), (6)]

 

18.5 Facilities for searching data user register 

 

The Commissioner must provide facilities for permitting all members of the public to make searches of the register. [Section 16]

 

19. Offences

 

19.1 HK$10,000 fine 


The following are criminal offences punishable by a fine of HK$10,000:

(a) A person required to respond to a notice from the Commissioner for the purposes of verifying or correcting information in a data user return failing to do so within the specified time period in breach of Section 14A(5) (see 18.3.4 above). [Section 14A(6)]

(b) A person who requested the Commissioner's consent to carry out a matching procedure under Section 31 contravening any conditions specified in a consent notice under Section 32(1)(b)(i) (see 10.7 above). [Section 32(5)]

(c) A data user breaching, without reasonable excuse, any requirement of the Ordinance other than a data protection principle and any other provision of the Ordinance for which no specific penalty is specified. [Section 64A]

 

19.2 HK$10,000 fine/6 months imprisonment 
 

The following are criminal offences punishable by a fine of HK$10,000 and imprisonment for up to 6 months:

(a) A data user knowingly or recklessly supplying in a data user return or change notice any information which is false or misleading in a material particular, in purported compliance with Sections 14(4) or (8) (see 18.2 above). [Section 14(11)]

(b) A person knowingly or recklessly providing any document, record, information or thing, or any response to any question, which is false or misleading in a material particular, in purported compliance with a notice under Section 14A(1) (see 18.3.1 above). [Section 14A(7)]

(c) A data user knowingly or recklessly supplying in a data user return or change notice any information which is false or misleading in a material particular, in purported compliance with a notice under Section 14A(4) (see 18.3.3 above). [Section 14A(8)]

(d) A data user knowingly or recklessly supplying any information which is false or misleading in a material particular in a notice to the Commissioner, in purported compliance with Sections 15(3) or (4) (see 18.4.2 above). [Section 15(4A)]

(e) A person supplying any information which is false or misleading in a material particular for the purpose of having his particulars deleted from the data users register (see 18.4.3 above). This appears to be a strict liability offence. [Section 15(7)]

(f) A person supplying materially false or misleading information in an access request for the purposes of getting a data user to (i) inform that person whether he holds any personal data the subject of the access request and (ii) if applicable, supply copies of the data (see 4.1 above). Strict liability. [Section 18(5), (6)]

(g) A person supplying materially false or misleading information in a correction request for the purposes of having personal data corrected in accordance with the request (see 5.1 above). Strict liability. [Section 22(4)]

(h) A person supplying materially false or misleading information in a matching procedure request for the purposes of obtaining the Commissioner's consent to the carrying out of the relevant matching procedure (see 10.5 above). Strict liability. [Section 31(4)]

(i) A person (i.e. the Commissioner or an officer employed by him) disclosing to the complainant, in breach of Section 44(3), the identity of a person who provided evidence as required and was found, following a complaint-initiated investigation, not to be in breach of the Ordinance (see 15.9.3 above). Strict liability. [Section 44(10)]

(j) A person (i.e. the Commissioner or an officer employed by him) not maintaining secrecy of matters arising from the performance of his functions or exercise of his powers under the Ordinance in breach of Section 46(1) (see 15.11.1 above). Strict liability. [Section 46(11)]

(k) Any person, without lawful excuse, (i) obstructing the Commissioner (or any of his officers) when performing functions or exercising powers in respect of investigations, inspections or examinations (see 15 above generally); (ii) failing to comply with a lawful requirement of the Commissioner during the course of an inspection, investigation or examination; or (iii) making a statement to the Commissioner or his officer which he knows to be false or does not believe to be true, or otherwise knowingly misleading the Commissioner (or any of his officers) in the performance of his functions or exercise of his powers in respect of inspections, investigations and examinations. [Section 50B]

 

19.3 HK$50,000 or HK$100,000 fine/2 years imprisonment  

 

The following are criminal offences punishable by fines of, respectively, HK$50,000 and HK$100,000 and imprisonment for up to 2 years:

(a) A data user breaching an enforcement notice – HK$50,000. If the offence is continuing, there is an additional daily penalty of HK$1,000. [Section 50A(1)(a)]

(b) A data user breaching an enforcement notice for a second or subsequent time – HK$100,000. If the offence is continuing, there is an additional daily penalty of HK$2,000. [Section 50A(1)(b)]

(c) It will be a defence to show that the data user charged in (a) or (b) above exercised all due diligence to comply with the enforcement notice. [Section 50A(2)]

(d) A data user, having originally complied with an enforcement notice, intentionally doing the same act or making the same omission in breach of the requirement specified in the enforcement notice under section 50(1A)(b) – HK$50,000. If the offence is continuing, there is an additional daily penalty of HK$1,000. [Section 50A(3)]

(See 15.15.1 above generally.)

(e) A data user using personal data otherwise than for the purpose of a due diligence exercise related to a proposed business transaction or failing to destroy or return the same after the due diligence exercise, in breach of Section 63B(4) (see 14.18.2 above). [Section 63B(5)]

 

19.4 HK$500,000 fine/3 years imprisonment 

 

The following are criminal offences punishable by a fine of up to HK$500,000 and imprisonment for up to 3 years:

(a) A data user breaching Section 35C(2) by using a data subject's personal data in direct marketing without first giving the required information to the data subject about use of personal data for direct marketing (see 12.3 above). [Section 35C(5)] If the data user charged seeks to rely on Section 35D as a defence, he will bear the burden of proof (see 12.4 above). [Section 35C(7)]

(b) A data user breaching Section 35E(1) by using personal data for direct marketing without consent, or not in accordance with a consent, or not confirming in writing an oral consent (see 12.5 above). [Section 35E(4)]

(c) A data user breaching Section 35F(1) by not informing a data subject, the first time personal data are used for direct marketing, that he must cease to use the personal data for this if the data subject so requires (see 12.6 above). [Section 35F(3)]

(d) A data user breaching Section 35G(3) by not ceasing to use a data subject's personal data in direct marketing when required and without charge (see 12.7 above). [Section 35G(4)]

(e) A data user breaching Section 35J(2) by providing personal data of a data subject to another person for use by that other person for direct marketing without first giving the required information to the data subject about provision of personal data to third parties for direct marketing, otherwise than for gain (see 12.9 above). [Section 35J(5)(b)]

(f) A data user breaching Section 35K(1) by providing personal data of a data subject to a third party for direct marketing without consent and/or inconsistent with the notification, otherwise than for gain (see 12.10 above). [Section 35K(4)(b)]

(g) A data user breaching Section 35L(3) by failing to comply with a requirement by a data subject to cease providing his data to third parties for direct marketing and to notify the third parties to cease so using the data, where he has provided the personal data otherwise than for gain (see 12.11 above). [Section 35L(6)(b)]

(h) A person who receives a written notification from the data user who provided the relevant personal data to him that he must cease to use those personal data breaching Section 35L(5) by failing to comply with the notification (see 12.11 above). [Section 35L(7)]

(i) In the case of the offences listed in (a) to (h) (inclusive) above, it will be a defence for the data user or person charged to prove that he took all reasonable precautions and exercised all due diligence to avoid the commission of the offence. [Sections 35C(6), 35E(5), 35F(4), 35G(5), 35J(6), 35K(5), 35L(8)]

 

19.5 HK$1,000,000 fine/5 years imprisonment

 

The following are criminal offences punishable by a fine of up to HK$1,000,000 and imprisonment for up to 5 years:

(a) A person disclosing any personal data of a data subject which were obtained from a data user without the data user's consent, with intent (i) to obtain gain in money or other property, whether for the benefit of the person or another person, or (ii) to cause loss in money or other property to the data subject. [Section 64(1)]

(b) A person disclosing any personal data of a data subject which were obtained from a data user without the data user's consent where the disclosure causes psychological harm to the data subject. [Section 64(2)]

In both of (a) and (b) above, it will be a defence for the person charged to show that (i) he reasonably believed that the disclosure was necessary for crime prevention or detection purposes, (ii) the disclosure was required or authorised by any enactment, by any rule of law or by court order, (iii) he reasonably believed that the data user had consented to the disclosure or (iv) he (01) disclosed the personal data for the purpose of a news activity (see 14.14.1 above) or a directly related activity and (02) had reasonable grounds to believe that the publishing or broadcasting of the personal data was in the public interest. [Section 64(4)]

(c) A data user breaching Section 35J(2) by providing personal data of a data subject to another person for use by that other person for direct marketing without first giving the required information to the data subject about provision of personal data to third parties for direct marketing, for gain (e.g. sale) (see 12.9 above). [Section 35J(5)(a)]

(d) A data user breaching Section 35K(1) by providing personal data of a data subject to a third party for direct marketing without consent and/or inconsistent with the notification, for gain (see 12.10 above). [Section 35K(4)(a)]

(e) A data user who fails to comply with a requirement by a data subject to cease providing his data to third parties for direct marketing and to notify the third parties to cease so using the data, where he has provided the personal data for gain (see 12.11 above). [Section 35L(6)(a)]

(f) In the case of the offences listed in (c), (d) and (e) above, it will be a defence for the data user charged to prove that he took all reasonable precautions and exercised all due diligence to avoid the commission of the offence. [Sections 35J(6), 35K(5), 35L(8)]

 

19.6 Time for laying of information

 

Notwithstanding Section 26 of the Magistrates Ordinance (Cap. 227), the time limit for bringing proceedings for an offence under the Ordinance is 2 years from the date of commission of the offence (other than an offence committed before 1st October 2012). [Section 64B]

 

19.7 Breach of data protection principles

 

It will be noted that a simple breach of a data protection principle is not a criminal offence (but note 21 below).

 

20. Employers' and Principals' Liabilities

 

Anything done by an employee in the course of his employment shall be treated as done by both the employer and the employee even if it was not done with the employer's knowledge or approval. Anything done by someone as an agent for another person with the authority of the other person shall be deemed to have been done by both the principal and the agent. An employer has a defence if he can show that he took practicable steps to stop the employee from engaging in the relevant act or practice in the course of his employment. None of these provisions applies for the purposes of any criminal proceedings. [Section 65]

 

21. Compensation and assistance for aggrieved persons

 

21.1 Civil Compensation


Any individual who suffers loss (including injury to feelings) as a result of a breach of the Ordinance by a data user in respect of personal data about that individual is entitled to compensation from that data user. It will be a defence to a data user to show that he took such care as was in all the circumstances reasonably required to avoid the breach or, if the breach related to inaccurate personal data, to show that the relevant data accurately reflected data received from the data subject or a third party. Proceedings brought by an individual must be brought in the District Court but the same remedies as would be obtainable in the Court of First Instance may be awarded by the District Court. [Section 66]

 

21.2 Help in obtaining information


To help an aggrieved person to decide whether to institute proceedings under section 66 (see 21.1 above) and to help him make a case in the most effective manner, the Commissioner may prescribe (i) forms by which the aggrieved person may question the relevant data user about his reasons for doing any relevant act, or on any other relevant matter, and (ii) forms by which the respondent may reply to any questions. Any such questions and replies (whether or not in accordance with the Commissioner's prescribed forms) are, subject to the points in 21.2(a)-(c) below, admissible as evidence in the proceedings and, if the District Court considers that the relevant data user, deliberately and without reasonable excuse, omitted to reply within a reasonable period or that its reply is evasive or equivocal, it may draw any inference from that fact it considers just and equitable.

(a) The Commissioner may prescribe (i) the period within which questions must be served by an aggrieved person to be admissible and (ii) the manner in which a question and any reply by the relevant data user may be served.

(b) Rules under the District Court Ordinance (Cap. 336) may empower the District Court entertaining a claim under section 66 (see 21.1 above) to determine, before the date fixed for the hearing of the claim, whether a question or reply is admissible or not.

(c) The Commissioner's assistance under this provision is without prejudice to any other enactment or rule of law regulating interlocutory and preliminary matters in proceedings before the District Court, and has effect subject to any enactment or rule of law regulating the admissibility of evidence in such proceedings. [Section 66A]

 

21.3 Commissioner's assistance in proceedings


An aggrieved person seeking compensation under section 66 (see 21.1 above) may apply to the Commissioner for assistance. The Commissioner must consider such an application and may approve it if he thinks fit. He should in particular consider approving an application if (i) the case raises a question of principle or (ii) the case's complexity, the applicant's position in relation to the relevant data user or any other person, or any other matter, would make it unreasonable to expect the aggrieved person to deal with the case unaided. Assistance by the Commissioner may include (i) giving advice, (ii) arranging for the giving of advice/assistance by a qualified lawyer, (iii) arranging for representation by any person, including assistance usually given by a solicitor or counsel preliminary or incidental to any proceedings, or in arriving at or giving effect to a compromise to avoid or bring to an end any proceedings, and (iv) any other form of assistance which the Commissioner may consider appropriate. If expenses are incurred by the Commissioner in providing assistance, the recovery of those expenses (as taxed or assessed as appropriate) will constitute a first charge for the Commissioner (01) on any costs payable to the relevant aggrieved person (whether under a judgment/order of the District Court or an agreement or otherwise) in respect of the matter in connection with which the assistance is given and (02) on the applicant's rights as regards costs under any compromise/settlement of that matter to avoid or bring to an end any proceedings. The aforesaid charge in favour of the Commissioner is subject to the Legal Aid Ordinance (Cap. 91) and to any provision in that Ordinance for payment of any sum into the Supplementary Legal Aid Fund. [Section 66B]

 

C. CONCLUSION

 

This guide contains a comprehensive summary of the Ordinance. It will be seen that the legislation has a profound effect upon all persons handling data about individuals, whether simply as employers or exercising their functions or in their businesses. All data users must have systems which enable them to comply with the requirements of the Ordinance including:

(i) an officer to handle enquiries by data subjects (data protection principle 1(3)(b)(ii)(B));

(ii) modes of collection of data which comply with data protection principle 1;

(iii) checks on accuracy of personal data and erasure where no longer required (data protection principle 2);

(iv) ensuring security of personal data (data protection principle 4);

(v) a log book to record data subjects' enquiries;

(vi) systems and procedures to deal with use of personal data for direct marketing and "sale" of personal data.

 

Government departments such as the Inland Revenue, institutions such as retail banks, credit card companies, social media websites, railways, property developers and insurance companies, bodies such as schools, hospitals and doctors' practices, solicitors and accountants, newspapers – all have found that the Ordinance goes to the very roots of their functions or businesses. Even persons supplying job references are affected. We at Deacons have considerable experience advising clients upon all aspects of the Ordinance and can provide any legal and practical assistance which may be required ranging from advice on (i) preparation of personal information collection statements, privacy policies and compliance handbooks for all types of business and for websites, through (ii) the personal data implications of acquisitions of businesses, (iii) the personal data implications of tele- and other marketing campaigns including, in particular, direct marketing, (iv) handling investigations and inspections of data users by the Commissioner to (v) general interpretation of the Ordinance and the various codes of practice. 

 

For further information, please contact:

 

Simon Deane, Partner, Deacons

simon.deane@deacons.com.hk
 

 

 
