If you are responsible for administering personal data, that are subject to this Ordinance, you will certainly want to read the full original text of the Data Protection Principles below. We provide a summary, with some of the cross references expanded, but this is intended as a preliminary introduction only.
The Principles are a statement of ideals which anyone operating under the Ordinance must follow, unless the Ordinance specifies some other action. For example, Principle 6 says that individuals have the right to know if you hold data about them. It mentions no conditions under which you may hold data and avoid telling them. But Part VIII of the Ordinance does describe a few special cases where you would be exempt from the need to disclose that you hold the data (Sections 55 - 61 give some examples). If one or more of these conditions are fulfilled, you must follow the Ordinance, not Principle 6.
What personal data you may collect
When deciding what categories of personal information to collect and keep about individuals, you are limited to information that is really required. The data you keep must have a purpose related to your (the data user's) function or activity. Not surprisingly, you can only use them for lawful purposes.
How you may collect personal data
You must collect data by fair and legal means.
If you collect them from the data subject directly, you have to tell the individual whether they must give the information, and the consequences if they don't give it. You should tell them the purposes for which data will be used (though this is not necessary if the purpose is implicit) and, in general terms, who you might transfer the data to. Before you use them, you must inform them of their rights of access and correction, and who they have to contact for this purpose. Mostly, you would want to tell them this at the time of collection, not wait until you were about to use the data.
If someone sends you e-mail, their e-mail address would be an example of a 'personal identifier'. When associated with the person's name, these two together would constitute personal data and be protected. If someone fills in a web-page form which generates an e-mail to you, this should be treated like any other form of personal data collection and you need to follow Principle 1.
Exceptions
If the purpose of holding the personal data is one covered by the exemptions described in Part VIII and following the 'What' and 'How' above would compromise that purpose, you need not follow the guidelines. Except in the case of certain personnel data (see 53 — 56), this will not apply to most commercial firms, as the categories relate to Hong Kong's security, criminal and legal information, health records and news-gatherer's source data.
2 — accuracy and duration of retention of personal data
The core of principle 2 is that you have to try as hard as you can to make sure that any personal data you hold are right, and when you have finished using them for their original purpose or some related purpose, you must destroy them. If you think the data might be wrong, you should either investigate to find a source of more accurate information, or get rid of them. 'Wrong' can include 'incomplete'.
3 — use of personal data
The clear restrictions set out in Principle 1 imply most of what Principle 3 says, other than from a precise legal wording viewpoint. This Principle does introduce a new possibility: that you may legitimately use data for a purpose other than that for which they were collected, if you first obtain the data subject's specific permission.
4 — security of personal data
You must consider the protection of
As you would expect, you have to protect against unauthorized and accidental access. But Principle 4 goes further: you also have to protect against erasure, processing or other use — where these could cause harm to the individual.
This Principle takes account of the fact that 100% security is not achievable. It spells out the factors to consider when deciding how much protection is 'practicable' (that is: reasonably practicable, see Part I) for any given set of data. But you must make your own judgement when trying to decide what a court will consider 'reasonable', if things unfortunately go wrong.
Additional points:
The Principle gives some guidelines which we interpret as follows:
5 — information to be generally available
Tell them what personal data you hold, why you hold them and how you handle them. In practice, this means that you may wait for people to ask, then answer by phone, or at most send them a flier. This should give your fees for data access requests. The Commissioner is unlikely to expect you to go to extreme lengths, such as advertising in the newspaper.
6 — access to personal data
They can ask if you have personal data about them, expect to see it for a fair fee and understand what they see, and request corrections. You can refuse, under specified circumstances, to allow them to see the data or to make changes but must give a reason. They can object to a refusal.
(1) In this Ordinance, unless the context otherwise requires—
"act" includes a deliberate omission;
"adverse action", in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations);
"appointed day" means the day appointed under section 1(2);
The appointed day is the day on which this Ordinance comes into effect.
"approved code of practice" means a code of practice approved under section 12;
"code of practice" includes—
(a) a standard;
(b) a specification; and
(c) any other documentary form of practical guidance;
See also Part III 12 (7) which further defines a code of practice as including part of a code of practice.
"Commissioner" means the Privacy Commissioner for Personal Data established under section 5(1);
"Committee" means the Personal Data (Privacy) Advisory Committee established under section 11(1);
"complainant" means the individual, or the relevant person on behalf of an individual, who has made a complaint;
"complaint" means a complaint under section 37;
"correction", in relation to personal data, means rectification, erasure or completion;
This special meaning of 'correction', whilst logical in the context of bad data held about an individual, is not the everyday one which would usually imply that bad data have been replaced by good. 'Correcting' personal data by erasing it may often be the only alternative, given the sources of data in commercial files and the unwillingness of data subjects to provide new data.
"daily penalty" means a penalty for each day on which the offence is continued after conviction therefor;
"data" means any representation of information (including an expression of opinion) in any document, and includes a personal identifier;
"data access request" means a request under section 18;
"data correction request" means a request under section 22(1);
"data protection principle" means any of the data protection principles set out in Schedule 1;
"data subject", in relation to personal data, means the individual who is the subject of the data;
"data user" in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data;
But see the exclusion in 2(12) (below, in this Part).
"data user return" means a data user return referred to in section 14(4);
"disclosing", in relation to personal data, includes disclosing information inferred from the data;
"document" includes, in addition to a document in writing—
(a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and
(b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device;
"employment" means employment under—
(a) a contract of service or of apprenticeship; or
(b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly;
"enforcement notice" means a notice under section 50(1);
"financial regulator" means any of—
(a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap. 66);
(b) the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap. 24);
(c) a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap. 250) or a recognized clearing house within the meaning of the Securities (Clearing Houses) Ordinance (Cap. 420);
(d) the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap. 250);
(e) the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap. 361);
(f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap. 41);
(g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap. 426);
(h) a person specified in a notice under subsection 2(7) to be a regulator for the purposes of this definition;
"inaccurate", in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete;
As with the definition of 'correction' above, this extends the meaning beyond that in everyday use, which might not normally be taken to include 'incomplete' or 'misleading' information.
"inspection" means an inspection under section 36;
"investigation" means an investigation under section 38;
"log book", in relation to a data user, means the log book kept and maintained by the data user under section 27(1);
"matching procedure" means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison—
(a) is (whether in whole or in part) for the purpose of producing or verifying data that; or
(b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data,
may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects;
So just performing a computer matching process on personal data, and even using the results of that match, does not come under the constraints of a 'matching procedure' unless you may be able to use that data in a way that adversely affects a data subject's rights, benefits, privileges, obligations or interests (including legitimate expectations). In any event, the use of the results of a manual matching process is not controlled by this Ordinance.
"matching procedure request" means a request under section 31(1);
"personal data" means any data—
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable;
Correspondence will generally not be regarded as personal data unless it is about the individual. Even then, unless it is stored in an easily-accessible form, it will not usually be so classified. Two examples of systems that could result in correspondence being classified as 'personal data' are an indexed, document-imaging system on a computer, where the indexing allows all correspondence about an individual to be located easily, and a filing cabinet with all files stored by individual filed alphabetically or according to a personal identifier (i.e. a file per data subject). Access to the data must be 'reasonably practicable' before it is regarded as personal data. Even then, only if its misuse might adversely affect the individual is the Commissioner likely to take an active interest in any infringement.
Many companies use trade or society directories that name individuals and give addresses or other personal details. These alone are not likely to be regarded as personal data that you need to declare if you receive an enquiry from one of the individuals named in the directory. If you make the details easier to access or process by having them entered into a computer, then you will have to respond positively (unless any exemptions mentioned in Part VIII apply).
"personal data system" means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system;
"personal identifier" means an identifier—
(a) that is assigned to an individual by a data user for the purpose of the operations of the user; and
(b) that uniquely identifies that individual in relation to the data user,
but does not include an individual's name used to identify that individual;
"practicable" means reasonably practicable;
But 'reasonably' is not defined, so you have to make your own judgement as to what a court would consider reasonable, when the Ordinance says 'as soon as practicable', for example.
"prescribed officer" means a person employed or engaged under section 9(1);
This relates to the Commissioner's staff or contractors, not yours.
"processing", in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise;
"register" means the register of data users kept and maintained by the Commissioner under section 15(1);
"relevant data user", in relation to—
(a) an inspection, means the data user who uses the personal data system which is the subject of the inspection;
(b) a complaint, means the data user specified in the complaint;
(c) an investigation—
(i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint;
(ii) in any other case, means the data user the subject of the investigation;
(d) an enforcement notice, means the data user on whom the notice is served;
"relevant person", in relation to an individual (howsoever the individual is described), means—
(a) where the individual is a minor, a person who has parental responsibility for the minor;
(b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs;
(c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual;
"requestor", in relation to—
(a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request;
(b) a matching procedure request, means the data user who has made the request;
"specified", in relation to a form, means specified under section 67;
"third party" in relation to personal data, means any person other than—
(a) the data subject;
(b) a relevant person in the case of the data subject;
(c) the data user; or
(d) a person authorized in writing by the data user to collect, hold, process or use the data—
(i) under the direct control of the data user; or
(ii) on behalf of the data user;
"use", in relation to personal data, includes disclose or transfer the data;
This is an important definition — its breadth of scope prevents a data user from circumventing the Ordinance by transferring data out of Hong Kong for processing or revealing information for a third party to act on.
"would be likely to prejudice" includes would prejudice.
(12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes.
So your computer-room staff, telecomms carrier or computer service bureau for example, would not normally be defined as 'data users'.