Personal Data Protection in Hong Kong

What is personal data?
Personal data is information which relates to a living person and can be used to identify that person. It exists in a form in which access or processing is practicable. Obvious examples of personal data protected by the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO") include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.
What are “Data Subject”, “Data User” and “Data Processor”?
There are two parties involved in the use of personal data: the data subject and the data user. The data subject is the individual who is the subject of the data, e.g. employees or customers, and the data user is the person who, either alone or jointly with others, controls the collection, holding, processing or use of the data, e.g. employers. The data user is liable as the principal for the wrongful acts of its data processor.
A data processor is a person who processes personal data on behalf of another party and does not process the data for its own purposes, e.g. an IT service provider.
According to Data Protection Principles 2 and 4, a data user must adopt contractual or other means to: (1) prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data; and (2) prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
Six Data Protection Principles
In Hong Kong, the PDPO was enacted to protect the privacy of individuals’ personal data. A person who collects, holds, processes or uses the data (a data user) must follow the six Data Protection Principles (“DPPs”). The DPPs represent the core of the Ordinance and cover the entire life cycle of personal data.
DPP1 – Data Collection Principle
Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user. All practicable steps shall be taken to notify the data subjects of the purpose of data collection, and the classes of persons to whom the data may be transferred. Data collected should be necessary but not excessive.
DPP2 – Accuracy & Retention Principle
Personal data must be accurate. Personal data must not be kept for a period longer than is necessary to fulfil the purpose for which it is used.
DPP3 – Data Use Principle
Personal data must be used only for the purpose for which it was collected or a directly related purpose, unless voluntary and explicit consent is obtained from the data subject.
DPP4 – Data Security Principle
A data user must take all practicable steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.
DPP5 – Openness Principle
A data user must make known to the public its personal data policies and practices, the types of personal data it holds and how the data are used.
DPP6 – Data Access & Correction Principle
A data subject must be given access to his or her personal data and be allowed to make corrections where the data is inaccurate.
Consequences of breaching the DPPs
Contravention of the DPPs does not in itself constitute a criminal offence. The Privacy Commissioner may serve an enforcement notice directing the data user to remedy the contravention. Non-compliance with an enforcement notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment for up to 2 years.
Major changes under Personal Data (Privacy) (Amendment) Ordinance 2012
There are six major changes in the Personal Data (Privacy) (Amendment) Ordinance 2012. Most provisions became effective on 1 October 2012, with those concerning the use of personal data for direct marketing and legal assistance for aggrieved individuals becoming effective on 1 April 2013.
The six major changes under the Personal Data (Privacy) (Amendment) Ordinance 2012 are:

  • use of personal data for direct marketing (effective on 1 April 2013);
  • provision of personal data to another for use in direct marketing;
  • power to issue enforcement notices;
  • regulation of data processors;
  • disclosure of personal data obtained without consent; and
  • legal assistance for aggrieved individuals (effective on 1 April 2013).
Code of Practice on Human Resource Management
The Office of the Privacy Commissioner for Personal Data (“PCPD”) issued “The Code of Practice on Human Resource Management” (“the Code”) to give practical guidance to employers and employees on how to properly handle personal data at each stage of the employment process. The Code draws on the data protection principles and applies them to the management of personal data in three important areas: recruitment, current employment and former employees.

November 2015
For any further inquiries, please contact us.