|This is the text of the Hong Kong Personal Data (Privacy) Ordinance, with hypertext (click and jump) links to all paragraph and section cross references, and to the definitions of all terms defined in the Ordinance. For information about the conventions adopted in setting this out, please refer to the separate page.|
HONG KONG ORDINANCE NO 81 OF 1995 An Ordinance to protect the privacy of individuals in relation to personal data, and to provide for matters incidental thereto or connected therewith. PART I PRELIMINARY 1. Short title and commencement (1) This Ordinance may be cited as the Personal data (Privacy) Ordinance. (2) This Ordinance shall come into operation on a day to be appointed by the Secretary for Home Affairs by notice in the Gazette. 2. Interpretation (1) In this Ordinance, unless the context otherwise requires— "act" includes a deliberate omission; "adverse action", in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" means the day appointed under section 1(2); "approved code of practice" means a code of practice approved under section 12; "code of practice" includes— (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" means the Privacy Commissioner for Personal data established under section 5(1); "Committee" means the Personal data (Privacy) Advisory Committee established under section 11(1); "complainant" means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" means a complaint under section 37; "correction", in relation to personal data, means rectification, erasure or completion; "daily penalty" means a penalty for each day on which the offence is continued after conviction therefor; "data" means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" means a request under section 18; "data correction request" means a request under section 22(1); "data protection principle" means any of the data protection principles set out in Schedule 1; "data subject", in relation to personal data, means the individual who is the subject of the data; "data user" in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" means a data user return referred to in section 14(4); "disclosing", in relation to personal data, includes disclosing information inferred from the data; "document" includes, in addition to a document in writing— (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" means employment under— (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" means a notice under section 50(1); "financial regulator" means any of— (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap. 66); (b) the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap. 24); (c) a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap. 250) or a recognized clearing house within the meaning of the Securities (Clearing Houses) Ordinance (Cap. 420); (d) the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap. 250); (e) the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap. 361); (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap. 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap. 426); (h) a person specified in a notice under subsection 2(7) to be a regulator for the purposes of this definition; "inaccurate", in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" means an inspection under section 36; "investigation" means an investigation under section 38; "log book", in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison— (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" means a request under section 31(1); "personal data" means any data— (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" means an identifier— (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" means reasonably practicable; "prescribed officer" means a person employed or engaged under section 9(1); "processing", in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user", in relation to— (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation— (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person", in relation to an individual (howsoever the individual is described), means— (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor", in relation to— (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified", in relation to a form, means specified under section 67; "third party" in relation to personal data, means any person other than— (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data— (i) under the direct control of the data user; or (ii) on behalf of the data user; "use", in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed— (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent— (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)— (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes— (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Governor may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person— (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Royal Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. 3. Application (1) This Ordinance binds the Government. (2) Where there is any conflict or inconsistency between the provisions of this Ordinance and the provisions of any other Ordinance, then the provisions of this Ordinance shall, to the extent of that conflict or inconsistency, as the case may be, prevail over the provisions of that Ordinance. 4. Data protection principles A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance.
[Prelim. & definitions] [Admin.] [Codes of practice] [Returns & register] [Data access & correction] [Matching & transfers] [Complaints, etc.] [Exemptions] [Offences] [Forms, fees, etc.]
[Sched 1: Data protection principles] [Sched 2: Finances] [Sched 3: Prescribed information] [Sched 4: Other ordinances] [Sched 5: Prescribed matters] [Sched 6: Warrants]
For help with business planning, information technology,
creativity, project management and the Web contact us.
And do visit WikIT, the wiki on mind maps that we host.