This is the text of the Hong Kong Personal Data (Privacy) Ordinance, with hypertext (click and jump) links to all paragraph and section cross references, and to the definitions of all terms defined in the Ordinance. For information about the conventions adopted in setting this out, please refer to the separate page.
HONG KONG
ORDINANCE NO 81 OF 1995
An Ordinance to protect the privacy of individuals in relation to
personal data, and to provide for matters incidental thereto or
connected therewith.
PART I
PRELIMINARY
1. Short title and commencement
(1) This Ordinance may be cited as the Personal Data (Privacy)
Ordinance.
(2) This Ordinance shall come into operation on a day to be
appointed by the Secretary for Home Affairs by notice in the
Gazette.
2. Interpretation
(1) In this Ordinance, unless the context otherwise requires—
"act" includes a deliberate omission;
"adverse action", in relation to an individual, means any
action that may adversely affect the individual's rights,
benefits, privileges, obligations or interests (including
legitimate expectations);
"appointed day" means the day appointed under section 1(2);
"approved code of practice" means a code of practice
approved under section 12;
"code of practice" includes—
(a) a standard;
(b) a specification; and
(c) any other documentary form of practical guidance;
"Commissioner" means the Privacy Commissioner for Personal
Data established under section 5(1);
"Committee" means the Personal Data (Privacy) Advisory
Committee established under section 11(1);
"complainant" means the individual, or the relevant person on
behalf of an individual, who has made a complaint;
"complaint" means a complaint under section 37;
"correction", in relation to personal data, means
rectification, erasure or completion;
"daily penalty" means a penalty for each day on which the
offence is continued after conviction therefor;
"data" means any representation of information (including an
expression of opinion) in any document, and includes a personal
identifier;
"data access request" means a request under section 18;
"data correction request" means a request under
section 22(1);
"data protection principle" means any of the data
protection principles set out in Schedule 1;
"data subject", in relation to personal data, means the
individual who is the subject of the data;
"data user", in relation to personal data, means a person
who, either alone or jointly or in common with other persons,
controls the collection, holding, processing or use of the data;
"data user return" means a data user return referred
to in section 14(4);
"disclosing", in relation to personal data, includes
disclosing information inferred from the data;
"document" includes, in addition to a document in writing—
(a) a disc, tape or other device in which data other than
visual images are embodied so as to be capable, with or
without the aid of some other equipment, of being
reproduced from the disc, tape or other device; and
(b) a film, tape or other device in which visual images are
embodied so as to be capable, with or without the aid of
some other equipment, of being reproduced from the film,
tape or other device;
"employment" means employment under—
(a) a contract of service or of apprenticeship; or
(b) a contract personally to execute any work or labour, and
related expressions shall be construed accordingly;
"enforcement notice" means a notice under section 50(1);
"financial regulator" means any of—
(a) the Monetary Authority appointed under section 5A of the
Exchange Fund Ordinance (Cap. 66);
(b) the Securities and Futures Commission established by
section 3 of the Securities and Futures Commission
Ordinance (Cap. 24);
(c) a clearing house within the meaning of section 2(1) of
the Commodities Trading Ordinance (Cap. 250) or a
recognized clearing house within the meaning of the
Securities (Clearing Houses) Ordinance (Cap. 420);
(d) the Exchange Company within the meaning of section 2(1)
of the Commodities Trading Ordinance (Cap. 250);
(e) the Exchange Company within the meaning of section 2(1)
of the Stock Exchanges Unification Ordinance (Cap. 361);
(f) the Insurance Authority appointed under section 4 of the
Insurance Companies Ordinance (Cap. 41);
(g) the Registrar of Occupational Retirement Schemes
appointed under section 5 of the Occupational Retirement
Schemes Ordinance (Cap. 426);
(h) a person specified in a notice under subsection 2(7) to be
a regulator for the purposes of this definition;
"inaccurate", in relation to personal data, means the data is
incorrect, misleading, incomplete or obsolete;
"inspection" means an inspection under section 36;
"investigation" means an investigation under section 38;
"log book", in relation to a data user, means the log book
kept and maintained by the data user under section 27(1);
"matching procedure" means any procedure whereby personal
data collected for 1 or more purposes in respect of 10 or more
data subjects are compared (except by manual means) with personal
data collected for any other purpose in respect of those data
subjects where the comparison—
(a) is (whether in whole or in part) for the purpose of
producing or verifying data that; or
(b) produces or verifies data in respect of which it is
reasonable to believe that it is practicable that the
data,
may be used (whether immediately or at any subsequent time) for
the purpose of taking adverse action against any of those data
subjects;
"matching procedure request" means a request under
section 31(1);
"personal data" means any data—
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the
individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is
practicable;
"personal data system" means any system, whether or not
automated, which is used, whether in whole or in part, by a data
user for the collection, holding, processing or use of personal
data, and includes any document and equipment forming part of the
system;
"personal identifier" means an identifier—
(a) that is assigned to an individual by a data user for the
purpose of the operations of the user; and
(b) that uniquely identifies that individual in relation to
the data user,
but does not include an individual's name used to identify that
individual;
"practicable" means reasonably practicable;
"prescribed officer" means a person employed or engaged
under section 9(1);
"processing", in relation to personal data, includes amending,
augmenting, deleting or rearranging the data, whether by automated
means or otherwise;
"register" means the register of data users kept and
maintained by the Commissioner under section 15(1);
"relevant data user", in relation to—
(a) an inspection, means the data user who uses the personal
data system which is the subject of the inspection;
(b) a complaint, means the data user specified in the
complaint;
(c) an investigation—
(i) in the case of an investigation initiated by a
complaint, means the data user specified in the
complaint;
(ii) in any other case, means the data user the subject
of the investigation;
(d) an enforcement notice, means the data user on whom the
notice is served;
"relevant person", in relation to an individual (howsoever
the individual is described), means—
(a) where the individual is a minor, a person who has
parental responsibility for the minor;
(b) where the individual is incapable of managing his own
affairs, a person who has been appointed by a court to
manage those affairs;
(c) in any other case, a person authorized in writing by the
individual to make a data access request, a data
correction request, or both such requests, on behalf of
the individual;
"requestor", in relation to—
(a) a data access request or data correction request, means
the individual, or the relevant person on behalf of an
individual, who has made the request;
(b) a matching procedure request, means the data user who has
made the request;
"specified", in relation to a form, means specified under
section 67;
"third party", in relation to personal data, means any person
other than—
(a) the data subject;
(b) a relevant person in the case of the data subject;
(c) the data user; or
(d) a person authorized in writing by the data user to
collect, hold, process or use the data—
(i) under the direct control of the data user; or
(ii) on behalf of the data user;
"use", in relation to personal data, includes disclose or
transfer the data;
"would be likely to prejudice" includes would prejudice.
(2) For the avoidance of doubt, it is hereby declared that
paragraph (c) of the definition of "relevant person" shall not be
construed—
(a) to entitle a person who has only been authorized to make
a data access request on behalf of an individual to make
a data correction request on behalf of the individual;
(b) to entitle a person who has only been authorized to make
a data correction request on behalf of an individual to
make a data access request on behalf of the individual.
(3) Where under this Ordinance an act may be done with the
prescribed consent of a person (and howsoever the person is
described), such consent—
(a) means the express consent of the person given
voluntarily;
(b) does not include any consent which has been withdrawn by
notice in writing served on the person to whom the consent
has been given (but without prejudice to so much of that act
that has been done pursuant to the consent at any time
before the notice is so served).
(4) Subject to section 64(10), it is hereby declared that any
reference in this Ordinance to the effect that a data user (howsoever
described)—
(a) has contravened a requirement under this Ordinance; or
(b) is contravening a requirement under this Ordinance,
includes—
(i) where paragraph (a) is applicable, any case where
the data user has done an act, or engaged in a
practice, in contravention of a data protection
principle;
(ii) where paragraph (b) is applicable, any case where
the data user is doing an act, or engaging in a
practice, in contravention of a data protection
principle.
(5) Notwithstanding any other provisions of this Ordinance, a
complaint may be made (and an investigation, if any, initiated by the
complaint may be carried out) in relation to a person who has ceased
to be a data user except any such person who has not at any time been
a data user during the period of 2 years immediately preceding the
date on which the Commissioner receives the complaint and,
accordingly, a person in relation to whom such a complaint is made
shall for the purposes of such complaint (and an investigation, if
any, initiated by such complaint) be deemed to be a data user, and
the other provisions of this Ordinance shall be construed
accordingly.
(6) Any reference in this Ordinance to a data protection
principle followed by a number is a reference to the principle
bearing that number set out in Schedule 1.
(7) The Governor may, by notice in the Gazette, specify a person
to be a regulator for the purposes of the definition of "financial
regulator".
(8) It is hereby declared that a notice under subsection (7) is
subsidiary legislation.
(9) Where a person—
(a) holds any office, engages in any profession or carries on
any occupation; and
(b) is required by any law, or by any rules made under or by
virtue of any law, to be a fit and proper person (or
words to the like effect) to hold that office, engage in
that profession or carry on that occupation,
then, for the purposes of this Ordinance, any conduct by that person
by virtue of which he ceases, or would cease, to be such a fit and
proper person shall be deemed to be seriously improper conduct.
(10) Subsection (9) shall not operate to prevent seriously
improper conduct including, for the purposes of this Ordinance,
conduct by virtue of which a person ceases, or would cease, to be a
fit and proper person notwithstanding that the conduct is not conduct
to which that subsection applies.
(11) Words and expressions importing the neuter gender in relation
to any data user shall include the masculine and feminine genders.
(12) A person is not a data user in relation to any personal data
which the person holds, processes or uses solely on behalf of another
person if, but only if, that first-mentioned person does not hold,
process or use, as the case may be, those data for any of his own
purposes.
(13) For the avoidance of doubt, it is hereby declared that, for
the purposes of this Ordinance, any conduct by a person by virtue of
which he has or could become a disqualified person or a suspended
person under the Rules of Racing and Instructions by the Stewards of
the Royal Hong Kong Jockey Club, as in force from time to time, is
seriously improper conduct.
3. Application
(1) This Ordinance binds the Government.
(2) Where there is any conflict or inconsistency between the
provisions of this Ordinance and the provisions of any other
Ordinance, then the provisions of this Ordinance shall, to
the extent of that conflict or inconsistency, as the case may be,
prevail over the provisions of that Ordinance.
4. Data protection principles
A data user shall not do an act, or engage in a practice, that
contravenes a data protection principle unless the act or practice,
as the case may be, is required or permitted under this Ordinance.