Jurisdiction - Hong Kong
Hong Kong – New Guidance For Data Users Of Personal Data Obtained From The Public Domain.

30 September, 2013


Under Hong Kong law the collection and use of personal data are subject to the Personal Data (Privacy) Ordinance (“the Ordinance“). The Ordinance sets out six data protection principles and aims at protecting personal data and preventing the misuse of personal data by data users.
The Ordinance restricts personal data from being used for any purpose other than the one for which it was originally collected (or a directly related purpose), unless the data subject has given its express and voluntary consent. The Office of the Privacy Commissioner for Personal Data has recently issued Guidance on Use of Personal Data Obtained from the Public Domain (“the Guidance”) which, for the first time, confirms that the restriction applies equally to personal data which is sourced from the public domain, and provides guidance for data users on how to determine the permitted purpose for use of personal data which has been collected from the public domain and sets out some recommended practices for users of such data.

What is the Permitted Purpose?

The Guidance advises that when assessing the permitted purpose a data user should consider the original purpose for which the personal data was placed in the public domain and whether any restrictions have been imposed on further uses of the data.
Where the original purpose is not clear, the permitted purpose should be determined in accordance with the reasonable expectation of personal data privacy of the data subject. 
The test is whether a reasonable person in the data subject’s situation would find the re-use of the data unexpected, inappropriate or otherwise objectionable, taking into account all factors in the circumstances, such as, the level of sensitivity of the personal data, the risk of harm (e.g. identity theft, financial loss, harassment or injury to feelings) and the commercial use of the personal data (e.g. where the data is used in the interests of the data subject or where there is a public interest).
The circumstances in which the personal data is disclosed may also be relevant: there is likely to be a higher risk of harm to the data subject where personal data is disclosed online on a website that can be accessed by any person.
Particular care should be taken where combining and re-arranging personal data from a number of different sources (e.g. for the purpose of profiling an individual). Whilst this is not prohibited under the Ordinance, the purpose for which the combined or re-arranged data is used must not fall outside of the permitted purpose.

Other Obligations

Data users collecting and using personal data from the public domain must also comply with other obligations under the Ordinance. These include the obligation to ensure that personal data held by the data user is accurate and not retained for longer than necessary; to implement a transparent privacy policy and appropriate security measures to protect personal data from unauthorised access or use; and, to ensure that data subjects are able to access and correct their personal data.
Failure to comply with the provisions of the Ordinance can expose a data user to both civil and criminal liability.


Certain uses of personal data are exempt under the Ordinance. The exempt uses include the use of data for the prevention or detection of crime; legal proceedings; news and broadcasting (in the public interest); and, statistics and research. The burden of proof is on the data user to prove that one of the exemptions applies.

What Can Data Users Do to Protect Themselves?

The Guidance recommends certain ‘best practices’ for data users who intend to collect and use personal data from the public domain. These are summarised below:
• Where using personal data for a purpose that is different to that for which the data was originally obtained, the data user should obtain the express consent of the data subject, particularly where the personal data is of a sensitive nature.
• Data users should not combine, re-arrange or match personal data which was originally collected for different purposes as this can lead to increased risk of misinterpretation of the personal data and inaccurate inferences being made against data subjects.
• Data users should implement administrative and technological measures to ensure that use of the data by third parties is consistent with or directly relates to the original purpose of disclosure of data in the public domain or, if not, that it falls under one of the relevant exemptions.
• Data users should ensure that the data subject is given the right to verify the accuracy of any personal data and, as far as practicable, to comply with any request of the subject data’s to remove or delete the personal data from a combined or linked-up database which is created for a new purpose.
• Data users should take steps to ensure the accuracy and reliability of any information collected from the public domain about a data subject. They should also provide a means by which data subjects can object to or correct any inaccurate data.
• Data users should not use sensitive personal data in a way that is inconsistent with the data subject’s legal rights of privacy under Hong Kong law.
Data users that are operators of public registers or directories must take greater measures to ensure that they are not in breach of the Ordinance. The Guidance sets out additional recommended practices for these data users.
For further information, please contact:
Paul Westover, Partner, Stephenson Harwood
[email protected]
Victor Lee, Stephenson Harwood
Fiona Cheng, Stephenson Harwood

Comments are closed.