Personal Data (Privacy) Law in Hong Kong- A Practical Guide on Compliance 9789629375294, 9789629372828

Citation preview

Personal Data (Privacy) Law in Hong Kong

00_Data Protection_prelims.indd 1

2016/6/27 1:57:53 PM

00_Data Protection_prelims.indd 2

2016/6/27 1:57:53 PM

Personal Data (Privacy) Law in Hong Kong A Practical Guide on Compliance Edited by Stephen Kai-yi WONG Guobin ZHU

00_Data Protection_prelims.indd 3

2016/6/27 1:57:53 PM

©2016 City University of Hong Kong

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, Internet or otherwise, without the prior written permission of the City University of Hong Kong Press.

ISBN: 978-962-937-282-8

Published by City University of Hong Kong Press Tat Chee Avenue Kowloon, Hong Kong Website: www.cityu.edu.hk/upress E-mail: [email protected]

Printed in Hong Kong

00_Data Protection_prelims.indd 4

2016/6/27 1:57:53 PM

Contents in Brief

Foreword (Mohan BHARWANEY J.)

xix

Preface (Stephen Kai-yi WONG)

xxi

Preface (Guobin ZHU)

xxv

Acknowledgments

xxix

Chapter 1

Introduction



1

Chapter 2

The Meaning of “Personal Data”



7

Chapter 3

The Meaning of “Collect”

23

Chapter 4

The Meaning of “Data User”

37

Chapter 5

Data Protection Principle 1

49

Chapter 6

Data Protection Principle 2

97

Chapter 7

Data Protection Principle 3

111

Chapter 8

Data Protection Principle 4

147

Chapter 9

Data Protection Principle 5

175

Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

183

Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

219

Chapter 12 Exemption Provisions in Part 8

233

00_Data Protection_prelims.indd 5

2016/6/27 1:57:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Appendix I

Data Protection Principles

275

Appendix II

Exemptions under Part 8 of the Ordinance

281

Appendix IIIA Case Notes on Significant Court Judgments

297

Appendix IIIB Case Notes on Significant Administrative Appeals Board Decisions

329

Appendix IV The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

371

Appendix V

Checklist for Data Useres in Ensuring Compliance with the Ordinance

499

Appendix VI Data Subject’s When His Personal Data Privacy Interest is Infringed

501

Appendix VII List of Publications of the Commissioner

505

Index

511

List of Court Cases and Administrative Appeals Board Decisions

519

vi

00_Data Protection_prelims.indd 6

2016/6/27 1:57:53 PM

Contents in Detail

Chapter 1 Introduction The Regulatory Approach



3

Disclaimer



5

Abbreviations Used in This Book



5

Meaning of the Term “Data”



8

Definition of “Personal Data”



9

Paragraph (a) — “Relating Directly or Indirectly to a Living Individual”



9

Paragraph (b) — “From Which It Is Practicable for the Identity of the Individual To Be Directly or Indirectly Ascertained”

13

Paragraph (c) — “in a Form in Which Access to or Processing of the Data is Practicable”

15

Consideration of Certain Types of Information IP Addresses Email Addresses Biometric Data Such As DNA and Fingerprint Data Examination Scripts Mobile Phone Numbers



Is Fabricated Information Personal Data?

22

Chapter 2 The Meaning of “Personal Data”

00_Data Protection_prelims.indd 7

17 17 18 19 20 21

2016/6/27 1:57:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Chapter 3 The Meaning of “Collect” The Eastweek Case

24

The Meaning of “Collect”

25

Consequence of Absence of “Collection”

28

Practical Example: Whether the Use of CCTV for Security or Monitoring Purposes Amounts To Collection of Personal Data

30

Information Privacy and Other Privacy Interests

31

Chapter 4 The Meaning of “Data User” Meaning of “Data User” with Reference to the Eastweek Case

38

Meaning of “Data User” with Reference to More Recent AAB Cases

39

Section 2(12)

41

Meaning of “Person” in the Context of Data User

42

Joint Data Users

44

What is the Relationship between a Data User and a Data Processor?

46

Section 4

47

Chapter 5 Data Protection Principle 1 DPP1(1) Collection of HKID Numbers and Copies of HKID Collection of HKID Numbers for Customer Loyalty Programmes Collection of HKID Numbers through Mobile Apps Collection of Personal Data for Direct Marketing Purposes Collection of Health Data of Employees Collection of Criminal Records of Prospective Employees



50 52 57 59 60 61 62

DPP1(2) Collection of Personal Data through Blind Recruitment Advertisements

63 64

viii

00_Data Protection_prelims.indd 8

2016/6/27 1:57:53 PM

Contents in Detail

Collection of Personal Data by Covert Means Collection of the Activities of Individuals That Take Place inside a Private Residence by Systematic Surveillance and Using a Long-Focus Lens Employees Providing Past Medical Records and Consequential Disciplinary Actions Giving Misleading Information to Obtain a Credit Report from a Credit Reference Agency Collection of Personal Data from the Public Domain Collection of Biometric Personal Data, such as Fingerprint Data and Consent

65

69 71 72 73 74

DPP1(3)

77

Applications of DPP1(3)

78

Obligation Not Absolute — “All Practicable Steps”

79

Notification Requirements The Purposes of Use The Classes of Persons to Whom the Data May Be Transferred The Right to Request Access to and Correction of the Data



81 82 84 86

Specific Requirements on Notification when Collecting Personal Data for Direct Marketing Purposes Application of the Direct Marketing Requirements Consent Notification Requirements Section 35D(1): Pre-existing Data Section 35D(2): Data Collected from a Third Person



87 88 89 90 92 93

Online Behavioural Tracking

94

Chapter 6 Data Protection Principle 2 DPP2(1)

98

DPP2(2) and Section 26

103

New Requirements under DPP2(3) and (4): Personal Data Transferred to “Data Processor” for Processing

108

ix

00_Data Protection_prelims.indd 9

2016/6/27 1:57:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Chapter 7 Data Protection Principle 3 Importance of DPP3

112

What Amounts to Use?

112

What Is a New Purpose?

112

The Original Purpose of Collection The Purposes of Collection Stated in the PICS The Lawful Functions and Activities of the Data User Restrictions of Use Imposed upon Data User by Data Provider or Data Subject Transferring Personal Data between Data Users Personal Data Collected from the Public Domain

113 113 115

Purposes Directly Related to the Original Purpose of Collection Data User to Avoid Disclosing Unnecessary and Excessive Personal Data

126

Is Sale of Personal Data a Directly Related Purpose of Use?

133

Prescribed Consent

135

Prescribed Consent Given by a Relevant Person

138

Part 6A of the Ordinance: Consent for Use or Provision of Personal Data in Direct Marketing Consent and Use Regarding Pre-Existing Data

140 143

Data Subject Withdrawing Consent (Opt-out Right ) under Part 6A

144

116 119 120

129

Chapter 8 Data Protection Principle 4 The General Requirements of DPP4

148

Data Breaches (a) Banking and Insurance Industries (b) Government and Public Bodies (c) Telecommunications Companies (d) Legal Practitioners (e) Hospitals and Clinics (f) Mobile Application Developers

158 159 160 162 164 166 168

x

00_Data Protection_prelims.indd 10

2016/6/27 1:57:53 PM

Contents in Detail

Application of DPP4: Storage and Transmission of Data

169

Outsourcing the Processing of Personal Data to Data Processors

170

Chapter 9 Data Protection Principle 5 The General Requirements of DPP5

176

What Goes into a PPS?

177

PPS to Be Made Generally Available

178

What Other Information Is Recommended to Be Made Available

180

The Exercise of the Commissioner’s Enforcement Powers under Section 50

182

Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5 The Basis of a Data Access Request

184

What Constitutes a Data Access Request?

185

Who May Make a Data Access Request?

187

How to Make a Data Access Request?

189

How and When to Comply with a Data Access Request? Statutory Period Broad and Generic Requests for Personal Data Steps to Be Taken for Failure to Comply with a Data Access Request within the Statutory Period Language and Format When Responding to a Data Access Request Data Access Request Made to the Hong Kong Police Force for Criminal Conviction Records

192 192 194

Requested Data Comprising Personal Data of Another Individual

201

Charge for Complying with a Data Access Request

204

When Must a Data User Refuse to Comply with a Data Access Request?

208

197 198 200

xi

00_Data Protection_prelims.indd 11

2016/6/27 1:57:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

When May a Data User Refuse to Comply with a Data Access Request?

210

Steps To Take in Refusing To Comply with a Data Access Request

214

Proper Exercise of the Right To Access Personal Data

216

Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5 The Relationship between a Data Correction Request and a Data Access Request

220

Who Can Make and How to Make a Data Correction Request?

221

Compliance with a Data Correction Request

223

Circumstances in Which a Data User Shall or May Refuse to Comply with a Data Correction Request

226

Steps To Take in Refusing to Comply with a Data Correction Request

229

Chapter 12 Exemption Provisions in Part 8 Exemptions in General

234

Section 51A — Performance of Judicial Functions

236

Section 52 — Domestic Purposes

238

Sections 53 and 54 — Staff Planning and Employment

239

Section 55 — Relevant Process

240

Section 56 — Personal References

242

Section 57 — Security, etc. in Respect of Hong Kong

243

Section 58 — Crime, etc.

245

Section 58A — Protected Product and Relevant Records under Interception of Communications and Surveillance Ordinance

254

Section 59 — Health

254

xii

00_Data Protection_prelims.indd 12

2016/6/27 1:57:54 PM

Contents in Detail

Section 59A — Care and Guardianship of Minors

256

Section 60 — Legal Professional Privilege

257

Section 60A — Self-Incrimination

260

Section 60B — Legal Proceedings, etc.

260

Section 61 — News

263

Section 62 — Statistics and Research

267

Section 63 — Exemption from Section 18(1)(a)

268

Section 63A — Human Embryos, etc.

269

Section 63B — Due Diligence Exercise

269

Section 63C — Emergency Situations

272

Section 63D — Transfer of Records to Government Records Service

272

Appendix I  Data Protection Principles Principle 1 — Purpose and Manner of Collection of Personal Data

275

Principle 2 — Accuracy and Duration of Retention of Personal Data

276

Principle 3 — Use of Personal Data

277

Principle 4 — Security of Personal Data

278

Principle 5 — Information To Be Generally Available

279

Principle 6 — Access to Personal Data

279

Appendix II  Exemptions under Part 8 of the Ordinance Section 51  Interpretation

281

Section 51A  Performance of Judicial Functions

281

Section 52  Domestic Purposes

282

Section 53  Employment— Staff Planning

282

Section 54  Employment— Transitional Provisions

282

xiii

00_Data Protection_prelims.indd 13

2016/6/27 1:57:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 55  Relevant Process

283

Section 56  Personal References

284

Section 57  Security, etc. in Respect of Hong Kong

284

Section 58  Crime, etc.

286

Section 58A  Protected Product and Relevant Records under Interception of Communications and Surveillance Ordinance

289

Section 59  Health

289

Section 59A  Care and Guardianship of Minors

290

Section 60

290

Legal Professional Privilege

Section 60A Self Incrimination

291

Section 60B Legal Proceedings etc.

291

Section 61  News

291

Section 62  Statistics and Research

292

Section 63  Exemption from Section 18(1)(a)

293

Section 63A Human Embryos, etc.

293

Section 63B Due Diligence Exercise

293

Section 63C Emergency Situations

295

Section 63D Transfer of Records to Government Records Service

295

Appendix IIIA  Case Notes on Significant Court Judgments Cathay Pacific Airways Limited v Administrative Appeals Board & Another (HCAL 50/2008); Reported in: [2008] 5 HKLRD 539

298

Chan Chuen Ping v The Commissioner of Police (HCMP 2741/2013); Reported in: [2014] 1 HKLRD 142

301

Chan Yim Wah Wallace v New World First Ferry Services Limited (HCPI 820/2013)

303

xiv

00_Data Protection_prelims.indd 14

2016/6/27 1:57:54 PM

Contents in Detail

Dr. Alice Li Miu-ling v The Hong Kong Polytechnic University (DCEO 1/2004)

307

Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data (CACV 331/1999); Reported in: [2000] 2 HKLRD 83

311

Lily Tse Lai Yin & Others v The Incorporated Owners of Albert House & Others (HCPI 828/1997) 314 M v M (FCMC 1425/1988)

316

Ng Shek Wai v The Medical Council of Hong Kong (HCAL 167/2013); 318 Reported in: [2015] 2 HKLRD 121 Oriental Press Group Limited v Inmediahk.net Limited (HCA 1253/2010); Reported in: [2012] 2 HKLRD 1004 321 Wu Kit Ping v Administrative Appeals Board (HCAL 60/2007); Reported in: [2007] 4 HKLRD 849

324

Tso Yuen Shui v Administrative Appeals Board (HCAL 1050/2000)

326

Appendix IIIB  Case Notes on Significant Administrative Appeals Board Decisions  AAB No. 24/1999

330

AAB No. 16/2000

332

AAB No. 22/2000

334

AAB No. 24/2001

336

AAB No. 35/2003

338

AAB No. 17/2004

340

AAB No. 5/2006

342

AAB No. 27/2006

344

AAB No. 46/2006

346

AAB No. 7/2007

349

xv

00_Data Protection_prelims.indd 15

2016/6/27 1:57:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

AAB No. 16/2007

351

AAB No. 12/2008

355

AAB No. 25/2009

357

AAB No. 37/2009

360

AAB Nos. 5 & 6/2012

364

AAB No. 54/2014

367

Appendix IV  The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance Code of Practice on Identity Card Number and Other Personal Identifiers

371

Code of Practice on Consumer Credit Data

392

Code of Practice on Human Resource Management

433

Appendix V  Checklist for Data Users in Ensuring Compliance 499 with the Ordinance

Appendix VI  Data Subject’s Rights When His Personal Data Privacy Interest is Infringed Conciliation with the Data User

501

Lodging of a Complaint with the Commissioner under Section 37

501

Appeal to the Administrative Appeals Board under Section 9 of the Administrative Appeals Board Ordinance, Chapter 442, Laws of Hong Kong

502

Civil Remedies

503

xvi

00_Data Protection_prelims.indd 16

2016/6/27 1:57:54 PM

Contents in Detail

Appendix VII  List of Publications of the Commissioner Codes of Practice/Guidelines

505

Guidance Notes

506

Information Leaflets

507

Books

508

Leaflets/Booklets

509

xvii

00_Data Protection_prelims.indd 17

2016/6/27 1:57:54 PM

00_Data Protection_prelims.indd 18

2016/6/27 1:57:54 PM

Foreword

The idea of a right to privacy, which arose in reaction to the rapid rise of newspapers, instant photography and the “paparazzi” of the 19th century, has evolved into a constitutional right in much of the developed world. It is enshrined in Hong Kong through Articles 28, 29, 30 and 39 of the Basic Law. Hong Kong stands proud as the first jurisdiction in Asia to enact legislation to safeguard personal data in the form of the Personal Data (Privacy) Ordinance, Cap 486 (“the Ordinance”) which came into force in 1996. At its centre are the six Data Protection Principles based on the 1980 OECD Guidelines.1 The office of the Privacy Commissioner for Personal Data was created under this legislation to provide oversight and ensure compliance. The Octopus scandal in mid-2010 eventually led to substantial changes being made to the Ordinance that were enacted in 2012 and 2013, the main amendments being the Direct Marketing provisions and the provision of legal assistance and representation to aggrieved persons. In this digital age, the Ordinance is proving to be the main safeguard of our privacy rights. The Data Protection Principles seek to create broad common principles based on fairness that apply to the public and private sectors. The passage of twenty years since the enactment of the Ordinance has given rise to a substantial body of case law and administrative decisions on these principles and the other provisions of the Ordinance. The new amendments have already been the subject of judicial scrutiny.2 This publication, which replaces its predecessor,3 has the dual aim of

1. Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data which contain a statement of Fair Information Practices. 2. Including my decision in Chan Yim Wah Wallace v. New World First Ferry Services Ltd. [2015] 3 HKC 382; HCPI 820/2013. 3. Data Protection Principles in the Personal Data (Privacy) Ordinance — from the Privacy Commissioner’s Perspective, 2nd Ed., 2010

00_Data Protection_prelims.indd 19

2016/6/27 1:57:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

becoming a practitioner’s guide on the important subject of personal data privacy, containing, as it does, a detailed exposition of the principles and provisions in the Ordinance and a comprehensive source of reference materials, and of enabling the Privacy Commissioner to discharge his major duty to promote awareness and understanding of the Ordinance. I am sure it will be well received by the legal as well as the wider community of Hong Kong for the practical guidance it provides on good data protection practices.

Mohan BHARWANEY Judge In Charge of the Personal Injury List of the High Court Panel Judge under the Interception of Communications and Surveillance Ordinance, Cap 589 July 2016

xx

00_Data Protection_prelims.indd 20

2016/6/27 1:57:54 PM

Preface

In 1996, Hong Kong enforced the Personal Data (Privacy) Ordinance, Cap 486, Laws of Hong Kong (“the Ordinance”) and became the first jurisdiction in Asia operating with a dedicated piece of legislation on personal data privacy protection. The Privacy Commissioner for Personal Data (“the PCPD”) was created in the same year, being the statutory body independent of the Government to oversee the compliance of the Ordinance. The publication of this book coincides with the twentieth anniversary of the founding of the regulatory framework of personal data privacy in Hong Kong, reflecting on the changes which its two decades of life and growth have seen. The origin of the law is attributable to the 1995 EU Directive1 which aimed to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data without restricting or prohibiting the free flow of personal data. PDP (Personal data privacy) was an acronym of which few had any understanding at that time. The first decade of the operation, amid the Information Age, was one of slow growth, until 2009 when there was a marked increase in the transfer and sale of customers’ personal data by enterprises for direct marketing purposes.

1. Directive 95/46/EC of the European Parliament and of the Council of 25 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive requires European Community member states to implement national legislation that meets the minimum standards of data protection by 1998 and prohibits member states from transferring personal data to countries that do not have in place adequate protection of personal data. See http://ec.europa.eu/justice/policies/privacy/ docs/95-46-ce/dir1995-46_part1_en.pdf

00_Data Protection_prelims.indd 21

2016/6/27 1:57:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

In 2012, the Ordinance was substantially amended as a result of a comprehensive review of the regulatory regime on direct marketing and the impact of information and communications technology on privacy protection. As revealed in the findings of a survey2 undertaken in 2014, personal data privacy has become a popular issue on both social agendas and those of senior management. An in-depth understanding of the Ordinance is considered an asset by individuals, organisations and practitioners alike. It is not surprising that there are not many judicial decisions on the law as twenty years is not a lengthy period for the development of a new area of law. There are however hundreds of decisions made by the Administrative Appeals Board which is a quasi-judicial body established by statute to determine appeals lodged against the decisions made by the Commissioner in relation to complaints. Many of these quasi-judicial decisions are also published by the PCPD to ensure transparency of the reasoning and application of the law. The PCPD has the benefit of twenty years of experience as the regulator, receiving in the region of 20,000 enquiries and determining about 2,000 complaints on a yearly basis. With the start of the third decade of the operation of the PCPD amid this Age of Artificial Intelligence, this book is offered as a practical guide on compliance to all stakeholders, as well as those who are interested in the personal data privacy landscape in Hong Kong. My learned predecessors published the first and second editions of a handbook entitled Data Protection Principles in the Personal Data (Privacy) Ordinance — from the Privacy Commissioner’s perspective in 2006 and 2010 respectively. Expanding on the commendable initiative of my predecessors, I attempt to roll out an all-inone guide on personal data privacy law in Hong Kong, which also offers updates on the 2012 legislative amendments as well as other selected texts, cases and materials up to February 2016. Case notes of significant court judgments and Administrative Appeals Board decisions, as well as the three Codes of Practice issued by the PCPD are annexed. This book is organised and written with a view to explaining the conceptual, legal and practical frameworks of the personal data privacy protection in Hong

2. “Baseline Survey of Public Attitudes on Privacy and Data Protection 2014” conducted by the Social Sciences Research Centre of The University of Hong Kong.

xxii

00_Data Protection_prelims.indd 22

2016/6/27 1:57:54 PM

Preface

Kong, in the hope that readers, individuals or organisations; professionals or otherwise, will find it easy and user-friendly to delve into the most relevant statutory provisions for their need or interest in the topics. I cannot thank enough all of the contributors who helped to make the publication of this book a reality, but special thanks must go to the Honourable Mr. Justice BHARWANEY for his Lordship’s support in writing the most inspirational foreword to this book, Professor Guobin ZHU for being the co-editor with me, and the editorial team in my office. I would also like to record my appreciation to City University of Hong Kong Press for its dedicated efforts in providing valued assistance and publishing this book.

Stephen Kai-yi WONG Privacy Commissioner for Personal Data, Hong Kong July 2016

xxiii

00_Data Protection_prelims.indd 23

2016/6/27 1:57:54 PM

00_Data Protection_prelims.indd 24

2016/6/27 1:57:54 PM

Preface

Over 125 years ago, Samuel Warren and Louis Brandeis first published “The Right to Privacy” in the Harvard Law Review (4 Harvard L.R. 193, Dec. 15, 1890), in which they articulated that right primarily as a “right to be let alone”. This article, widely regarded as the first publication in the United States (and indeed the world) to advocate a right to privacy, opened a new page in the history of citizens’ rights protection, and its influence, together with the concept of privacy, quickly travelled far beyond the American borders. Although there is no uniform definition of the notion of privacy, it remains commonly understood as the “right to be let alone”. Privacy certainly has a wider coverage in comparison to personal data privacy, the theme of the present guide. The Law Reform Commission of Australia, cited by many as an authority, has identified four categories of privacy interests requiring legal protection, namely: (i) the interest in controlling entry to a personal place (territorial privacy); (ii) the interest in freedom from interference with one’s person and personal space (privacy of the person); (iii) the interest of the person in controlling the information held by others about him (information privacy); and (iv) the interest in freedom from surveillance and from interception of one’s communications (communications and surveillance privacy).1 According to this categorisation, personal data privacy falls under information privacy. The right to privacy has been gradually established as one of the fundamental rights of the citizen and is widely recognised as such by international and regional human rights bodies as well as in the domestic legislation of many nations.

1. See Law Reform Commission of Australia, Privacy (Report No 22, 1983), vol. 1, para 46. See also S I Benn, “The Protection and Limitation of Privacy” (1978) 52 ALJ 601 and 686. Also quoted in Report on Civil Liability for Invasion of Privacy, prepared by the Law Reform Commission of Hong Kong, December 2004, available at: http:// www.hkreform.gov.hk/en/publications/rprivacy.htm.

00_Data Protection_prelims.indd 25

2016/6/27 1:57:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Article 17 of the International Covenant on Civil and Political Rights2 which directly derives from Article 12 of the Universal Declaration of Human Rights (1948), provides: 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks. Article 8 (1) “Right to respect for private and family life” of the European Convention on Human Rights (1950) also guarantees that “Everyone has the right to respect for his private and family life, his home and his correspondence”. In Hong Kong, the right to privacy as stipulated in the ICCPR was incorporated into law before the handover by way of the Hong Kong Bill of Rights Ordinance (Cap 383, 1991). Actually, Article 14 in this document, stipulating the protection of privacy, family, home, correspondence, honour and reputation, is simply a replica of the above quoted Article 17 of the ICCPR. Since the handover of Hong Kong, the right to privacy has acquired a constitutional status by virtue of Article 39 of the Basic Law of the Hong Kong and this has been compounded by the subsequent case law as well. Suffice to say that a constitutional framework of privacy law is already in place in Hong Kong. Personal records have been with us for as long as the written word has, but computerisation of them has become widespread only since the second half of the twentieth century. This development has revolutionised personal record-keeping, because of the ease of storing, retrieving, combining and transferring data.3 On the one hand, technology has significantly enhanced the quality of human life, but on the other public concern has arisen about the privacy implications of the resulting large-scale dissemination of personal data. This situation has called for increased lawmaking on information privacy.

2. ICCPR, 1966 3. See Reform of the Law relating to Information Privacy, prepared by the Privacy sub-committee of the Law Reform Commission, 1993, available at: http://www.hkreform.gov.hk/en/publications/infoprivacy.htm.

xxvi

00_Data Protection_prelims.indd 26

2016/6/27 1:57:54 PM

Preface

Hong Kong has taken the lead in the field of data protection. In 1995, the Personal Data (Privacy) Ordinance (Cap 486) was adopted to implement information privacy protection. The introduction of this law has imposed security safeguards on the keeping of personal data by a “data user” and granted the individual (as “data subject”) the right to obtain copies of, and correct, personal data which relates to him. Most significantly for Hong Kong, the Office of the Privacy Commissioner for Personal Data, an independent statutory body, was set up to oversee the enforcement of the Ordinance in 1996. Since the enactment of the law and the establishment of the Office of the Privacy Commissioner for Personal Data, Hong Kong has made great achievements in the protection of the right to privacy in general, and of personal data (privacy) in particular. The Hong Kong experience deserves praise along with wider dissemination and recognition. From a law professor’s perspective, the primary purpose of printing this book, Personal Data (Privacy) Law in Hong Kong: A Practical Guide on Compliance, is three-fold: firstly, to provide an easy reference to legal professionals, governmental officials, and corporate staff, who are the major data users; secondly, to provide the general public with quick and direct access to the personal data (privacy) law of Hong Kong; and thirdly, to disseminate Hong Kong’s experience to a wider international audience through international publication distribution channels. City University of Hong Kong Press is proud to be part of this significant enterprise. Personally, I am honored to be invited to co-edit this important work. For this, I am particularly grateful to Mr. Stephen Kai-yi WONG, the Privacy Commissioner for Personal Data, for his kind and friendly invitation, and also to his dedicated colleagues whose professionalism and efficiency has greatly impressed me. Last but not least, I wish to record my sincere thanks to my colleagues from the Press and in particular, to Edmund CHAN and Joanna PIERCE. I cherish this experience of collaboration between the two institutions very much.

Guobin ZHU, PhD Professor of Law Director of City University of Hong Kong Press July 2016

xxvii

00_Data Protection_prelims.indd 27

2016/6/27 1:57:54 PM

00_Data Protection_prelims.indd 28

2016/6/27 1:57:54 PM

Acknowledgments

VOLUME EDITORS

Mr. Stephen Kai-yi WONG LLM (LSE), FHKIArb, QDR Barrister (HK & Australia) Adjunct Professor, School of Law, City University of Hong Kong Privacy Commissioner for Personal Data, Hong Kong



Professor Guobin ZHU BA, MA, LLM (Renmin U, China), LLM (HKU) PhD and Habilitation (Aix-Marseille U, France) Professor, School of Law, City University of Hong Kong Director, City University of Hong Kong Press

00_Data Protection_prelims.indd 29

2016/6/27 1:57:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

KEY MEMBERS OF THE EDITORIAL TEAM

Ms Brenda KWOK LLB (University of London) Solicitor Chief Legal Counsel, Office of the Privacy Commissioner for Personal Data, Hong Kong



Ms Sandra LIU LLB (HKU), LLM (CityU, HK) Solicitor Senior Legal Counsel, Office of the Privacy Commissioner for Personal Data, Hong Kong Ms Catherine CHING LLB (HKU) Solicitor Legal Counsel, Office of the Privacy Commissioner for Personal Data, Hong Kong

ACKNOWLEDGMENTS LIST

Mr. Roderick B. WOO, JP Solicitor Former Privacy Commissioner for Personal Data, Hong Kong (2005–10)



Mr. Allan CHIANG, S.B.S. Former Privacy Commissioner for Personal Data, Hong Kong (2010–15)

All past and present staff members of the Office of the Privacy Commissioner for Personal Data, Hong Kong

xxx

00_Data Protection_prelims.indd 30

2016/6/27 1:57:54 PM

Chapter 1 Introduction

1.1

The Personal Data (Privacy) Ordinance (Cap 486) (“the Ordinance”) is different from other ordinances in Hong Kong in that it is principlebased and generally more instructive than prohibitive. Its core provisions are encapsulated in the six data protection principles which are found in Schedule 1 of the Ordinance. These principles are the cornerstones of the Ordinance which aims to protect the privacy of individuals in relation to their personal data.

1.2

The Ordinance was holistically amended upon the passing of the Personal Data (Privacy) (Amendment) Ordinance in June 20121 and changes were introduced to some of the data protection principles which took effect on 1 October 2012.

1.3

The intention behind the six data protection principles was the creation of a new culture in effecting the handling of personal data during its whole life cycle from collection to destruction. The principles do not regulate the conduct of the data users in detail. In most cases, contraventions of the principles do not constitute criminal offences. It is when a data user fails to comply with the terms of an enforcement notice issued by the Privacy Commissioner for Personal Data (“the Commissioner”) after a finding of a contravention that he becomes liable to be punished under the Ordinance. A data user will also commit an offence if he, having complied with an enforcement notice, intentionally performs the same act or makes the same omission in contravention of the requirement under the Ordinance as specified in the enforcement notice. An enforcement notice issued by the Commissioner to the offending data user after an investigation will direct the

1. The Amendment Ordinance was gazetted on 6 July 2012.

01_Data Protection.indd 1

2016/6/27 1:58:33 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

data user to take steps to remedy and, if appropriate, prevent recurrence of the contravention. Contravention of a data protection principle can also form the basis of a civil suit against the data user by the aggrieved individual for compensation of damage suffered2 whether or not an enforcement notice has been issued. 1.4

Since the collection and use of personal data has become part of daily life in the age of data and as contravention of any of the data protection principles may lead to legal sanctions, it is in every data user’s interest to understand them. However, understanding their literal meaning may not be sufficient in every case. This is because the principles are not expressed in definitive terms. A data user will benefit from expert explanations and advice in certain situations.

1.5

Up to now there has not been a large body of judicial decisions providing authoritative interpretations on all the principles. Be that as it may, the Commissioner has, over the last twenty years, dealt with many enquiries and complaints in respect of alleged contraventions of the data protection principles. The Commissioner’s decisions, based on his interpretation of the principles in the Ordinance, have occasionally been tested in the Court and in the course of appeals to the Administrative Appeals Board (“AAB”),3 whose determinations carry quasi-judicial authority.

1.6

Against this background, it is certainly in the public interest for the Commissioner to state openly the criteria and principles upon which he, as the statutory regulator, has interpreted the six data protection principles as well as some related provisions of the Ordinance.



In so doing he may: • help data users to comply with the requirements under the Ordinance in a way that will minimise the risk of sanction by the Commissioner regarding their handling of personal data;

2. Section 66 of the Ordinance. 3. To which, pursuant to the Ordinance and the Administrative Appeals Board Ordinance (Cap 442, Laws of Hong Kong), appeals from certain decisions of the Commissioner may be brought.

2

01_Data Protection.indd 2

2016/6/27 1:58:33 PM

Chapter 1. Introduction

• help the legal advisors of both data users and data subjects in giving practical advice to their clients; • help individuals to understand the Commissioner’s likely position on a particular issue before they consider lodging a complaint; • provide reference material for consideration by the Court or the AAB in cases before them involving the six data protection principles; and • provide academics and other interested persons with material for further study and research.

The Regulatory Approach 1.7

The Commissioner’s regulatory approach is consistent with the general common law rules on statutory interpretation and in particular the principles of interpretation4 laid down by the Interpretation and General Clauses Ordinance (Cap 1, Laws of Hong Kong), in particular, section 2A(1) which provides as follows: All laws previously in force shall be construed with such modifications, adaptations, limitations and exceptions as may be necessary so as not to contravene the Basic Law and to bring them into conformity with the status of Hong Kong as a Special Administrative Region of the People’s Republic of China.



and section 19 which provides that: An Ordinance shall be deemed to be remedial and shall receive such fair, large and liberal construction and interpretation as will best ensure the attainment of

4. These include the “literal rule” which accords primacy to the literal meaning of the language used in the legislation; the “golden rule” with the presumption that an absurd result is not intended; and the “mischief rule” that legislation has targeted a particular mischief and provided a remedy for it.

3

01_Data Protection.indd 3

2016/6/27 1:58:33 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the object of the Ordinance according to its true intent, meaning and spirit.5

1.8

The Commissioner is constantly mindful of the generally recognized principle of “presumption against absurdity” in statutory interpretation,6 which is explained in Bennion on Statutory Interpretation7 as follows: Section 312. Presumption that “absurd” result not intended (1) The court seeks to avoid a construction that produces an absurd result, since this is unlikely to have been intended by Parliament. Here the courts give a very wide meaning to the concept of “absurdity”, using it to include virtually any result which is unworkable or impracticable, inconvenient, anomalous or illogical, futile or pointless, artificial, or productive of a disproportionate counter-mischief.8 (2) In rare cases there are overriding reasons for applying a construction that produces an absurd result, for example where it appears that Parliament really intended it or the literal meaning is too strong.

1.9

Hence, in dealing with a case involving a particular data protection principle that, according to its language, seems to be open to more than one interpretation, the Commissioner will adopt the interpretation that does not produce an absurd or impractical result, bearing in mind that the primary purpose of the Ordinance is to protect individuals’ right to privacy in relation

5. In how to apply the rule of “fair, large and liberal” construction and interpretation, reference can be made to the Court of Final Appeal in the case of The Medical Council of Hong Kong v David Chow Siu Shek [2000] 2 HKLRD 674. In determining the proper interpretation of sections 21(1) and 25(3) of the Medical Registration Ordinance, Cap 161 as to whether there is automatic restoration of the name of the medical practitioner who was removed for a specified period, the Court had taken the following five interpretative factors into account, namely, (i) striking a balance; (ii) interpretation in the context of other statutes dealing with comparable matters; (iii) avoiding circularity; (iv) according meaning and substance to each provision; and (v) reluctance to find a radical change through a side-wind. 6. Otherwise also known as the “golden rule” of interpretation, that whatever the literal meaning of the language which the legislature used, there was a presumption that it did not truly intend to bring about an absurd result. 7. Sixth Edition, Butterworths. 8. The rule was followed in the case of HKSAR v Hung Chan Wa [2005] 3 HKLRD 291 concerning the proper interpretation of section 47 of the Dangerous Drugs Ordinance, Cap 134 in which the Court stated clearly that “... any exercise in statutory interpretation should seek an interpretation, that does not result in absurdity, provided it is reasonably possible so to do”. (paragraph 58 of the judgment).

4

01_Data Protection.indd 4

2016/6/27 1:58:33 PM

Chapter 1. Introduction

to their personal data. When in doubt, he is inclined to take the line which results in providing such protection. 1.10 The Commissioner will attempt to apply a consistent interpretation in dealing with complaints and enquiries. However, the Commissioner may find it necessary to reconsider a stance he has previously adopted in light of his regulatory experience and changes in circumstances. Such circumstances may include amendments to the Ordinance; the possibility that an interpretation previously adopted may later be shown to be erroneous or incomplete by the Court or the AAB; views of judicial authorities; and developments in the handling and processing of personal data and social values.

Disclaimer 1.11 Statements made or views expressed in this Book are intended for reference only. They shall not give rise to any liability on the part of the Commissioner nor to any defence or estoppel of any kind in proceedings involving the Commissioner. They shall not bind the Commissioner in the exercise of his statutory functions in any way. Readers are urged to exercise independent judgment on the interpretation of the data protection principles in any given situation and, where appropriate, to seek professional advice.

Abbreviations Used in This Book 1.12 “AAB” means the Administrative Appeals Board established under section 5 of the Administrative Appeals Board Ordinance (Cap 442, Laws of Hong Kong).

“Amendment Ordinance” means the Personal Data (Privacy) (Amendment) Ordinance 2012.



“Book” means this book.



“Commissioner” means the office of the Privacy Commissioner for Personal Data established under section 5(1) of the Personal Data (Privacy)

5

01_Data Protection.indd 5

2016/6/27 1:58:33 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Ordinance (Cap 486, Laws of Hong Kong) in general and where the context otherwise permits, also means and includes the person appointed by the Chief Executive under section 5(3).

“DPP” means data protection principle(s).



“Eastweek case” means the case of Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83.



“HKID” means Hong Kong Identity Card.



“LRC” means the Law Reform Commission of Hong Kong.



“Ordinance” means the Personal Data (Privacy) Ordinance (Cap 486, Laws of Hong Kong).



“PICS” means the notification given under DPP1(3) and commonly known as Personal Information Collection Statement.



“PPS” means the Privacy Policy Statement incorporating the privacy policy and practices adopted by the data user to be made generally available under DPP5.



“Website” means the Commissioner’s website unless otherwise expressly provided in this Book.

1.13 Unless the context requires otherwise, all words in the masculine gender appearing in this Book include the feminine gender and the neuter gender, and all words in the singular include the plural, and vice versa.

6

01_Data Protection.indd 6

2016/6/27 1:58:33 PM

Chapter 2 The Meaning of “Personal Data”

The main questions: • What constitutes “data”? • What constitutes “personal data”? • In particular, how does each of the conditions laid down in paragraphs (a), (b) and (c) of the definition of personal data apply? • Are IP addresses, email addresses, fingerprints, examination scripts and mobile phone numbers personal data? • Is fabricated information about an individual his personal data?

The questions discussed in this Chapter concerning the meaning of “personal data” have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1—Introduction, which contain important general information on using this Book.

02_Data Protection.indd 7

2016/6/27 1:58:39 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Meaning of the Term “Data” 2.1

The definition of the term “data” is given in section 2(1) of the Ordinance as follows: “ data” means any representation of information (including an expression of opinion) in any document, and includes a personal identifier. [emphasis added]

2.2

The term “document” is in turn defined in section 2(1) as follows: “ document” includes, in addition to a document in writing – (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device.

2.3

It follows from the above that, in order for any information to constitute data, such information must have been recorded in a document as defined. This point may seem obvious enough, but it is worth making this clear at the outset to avoid misunderstandings.

2.4

Information not represented in any document (hence not constituting personal data) may be found in situations where, for example, there is real-time CCTV monitoring of activities without the recording function being switched on, and information committed to a person’s memory or information spoken (but not recorded). The question whether verbal utterance amounts to disclosure of personal data was considered in AAB No. 21/1999 where a civil servant came to know certain sensitive personal information about the complainant through handling the complainant’s complaint. Since there was no evidence to prove that the sensitive personal information ever existed in a recorded form, the AAB ruled that no personal data was involved and thus the case fell outside the jurisdiction of the Commissioner. In AAB No. 6/2004, the verbal replies (not recorded) given by certain employees to the employer in relation to the number of private

8

02_Data Protection.indd 8

2016/6/27 1:58:39 PM

Chapter 2. The Meaning of “Personal Data”

telephone calls made by a particular staff member and the contents thereof did not constitute personal data of that staff member.

Definition of “Personal Data” 2.5

The definition of the term “personal data” is provided under section 2(1) of the Ordinance as follows: “ personal data” means any data – (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.”

2.6

As explained above, the meaning of the term “data” is reasonably clear. Whether any data constitutes personal data, therefore, depends on whether such data satisfies all of the three conditions laid down in paragraphs (a), (b) and (c) in the definition of personal data. However, given the generic nature of the terms used in those paragraphs, it is not surprising that uncertainty may sometimes arise in their application as discussed below.

Paragraph (a) — “Relating Directly or Indirectly to a Living Individual” 2.7

The condition laid down in paragraph (a) in the definition of personal data requires the data in question to be “relating directly or indirectly to” a living individual. However, given that the concept of “relatedness” is very much a matter of degree, this may give rise to difficulty in the application of paragraph (a).

2.8

The question of “relatedness” was considered by the UK court in detail. In Durant v Financial Services Authority [2003] EWCA Civ 1746, it was held that what constituted information that related to an individual being personal data was:

9

02_Data Protection.indd 9

2016/6/27 1:58:39 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

• whether the information was biographical in a significant sense; and • that the information should have the individual as its focus rather than some other person with whom he may have been involved.

This judicial ruling became useful authority followed by the UK privacy authority in interpreting the meaning of personal data under the Data Protection Act 1998. However, application of the arguments or principles in this English authority to Hong Kong cases must be considered with great care. As pointed out by the learned judge in Wu Kit Ping v. Administrative Appeals Board [2007] HKLRD 849: I have come to the conclusion that the substantial differences between the English legislation and the Hong Kong legislation means that great care must be taken in attempting to apply either arguments or principles used in the English cases when considering issues arising under the Ordinance. Consequently, rather than attempt to approach the issues on same point of view as the English courts, I have found it more appropriate to examine the language of the legislation and to attempt to discern its true interpretation.9

2.9

In the case of data that bears only an indirect relationship to an individual, it is questionable whether there in fact exists a certain point (and, if so, how to determine such a point) beyond which the relationship may be considered to be so remote that it fails to satisfy the condition laid down in paragraph (a). For example, while it should be reasonably obvious that in the case of an unincorporated business owned by an individual, data about debts owed by the business relates directly to the sole proprietor, whether or not a relationship exists may become progressively less clear in other cases where, say, the business is owned by a partnership in which the individual is one of the partners, or where the business is owned by a company and the individual is merely one of many shareholders, and so forth.

2.10 In the case of Wu Kit Ping, the complainant made a data access request to a data user asking them to supply her with written statements concerning

9. The cases of Durant and Wu Kit Ping have been referred to by the Hon. Bharwaney J in his judgment in Chan Yim Wah Wallace v. New World First Ferry Services Limited [HCPI 820/2013]. See paragraphs 12.78 to 12.81 in Chapter 12 for detailed discussion.

10

02_Data Protection.indd 10

2016/6/27 1:58:40 PM

Chapter 2. The Meaning of “Personal Data”

her health condition which had been given by medical officers to the data user. The data user supplied the relevant documents to the complainant but made certain redactions which can be divided into three categories: (i) in several letters and a statement concerning the diagnosis, treatment and use of medications of the complainant, the names of the writers and recipients, not being the complainant; (ii) in a letter from a writer to a recipient, who was not the complainant, the writer’s statement concerning his conduct of the treatment of the complainant in his professional capacity; and (iii) the writer’s general statements made in a letter. 2.11 The Court considered that the names of the writers and recipients in category (i) were personal data of the writers and recipients, not the complainant, nor did they fall within the scope of personal data “relating directly or indirectly” to the complainant. The redactions were therefore lawful. In respect of category (ii), the Court considered that the redacted part was an opinion related directly to the complainant, hence her personal data, and should have been disclosed to the complainant. Since the general statements in category (iii) had broad general application and did not directly or indirectly relate to the complainant, the Court concluded that they were not her personal data. 2.12 Indeed, even for data that relates directly to an individual, questions may arise as to whether the relationship is so trivial that it would appear absurd for the data to give rise to obligations or liability under the Ordinance. Take the example of a simple note informing a colleague that, in his absence, a friend has called and asked him to return the call. Such a note would apparently satisfy the condition under paragraph (a) (and those under paragraphs (b) and (c)) of the definition of personal data, thus constituting the personal data of the colleague concerned. The same may be said, for example, about a seating plan for students in a classroom. 2.13 In AAB No. 49/2001, a sentence contained in the minutes of a meeting stating that “. . . as Mr. X did not have the contact telephone number of Mr. Y . . .” was ruled not to be personal data collected about Mr. Y but merely

11

02_Data Protection.indd 11

2016/6/27 1:58:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

recording the reason why Mr. Y could not be reached for an appraisal interview and thus it was proper to have edited out the sentence when complying with the data access request made by Mr. Y. 2.14 The question as to whether the views and opinions expressed by an owner in an Owners’ Committee meeting were his personal data was examined in AAB No. 28/2010. The AAB held that the views and opinions expressed by the owner on how the Owners’ Committee should be conducted and how the observer should behave during the meetings did not amount to personal data of the owner as these views and opinions were not related directly or indirectly to the owner. It can therefore be seen that while the definition of data includes the expression of opinion under the Ordinance, such opinions must relate directly or indirectly to a living individual for it to form an essential ingredient of personal data protected under the Ordinance. 2.15 From a plain reading of the section, it is perhaps difficult to infer a strict requirement in paragraph (a) that the relationship in question must be important and not trivial. However, when dealing with a complaint, the Commissioner may be inclined to avoid an absurd result if the data in the complaint that relates to a complainant is none but trivial, and may exercise his discretion to refuse to investigate such a complaint on the grounds of triviality provided under section 39(2)(b) of the Ordinance. 2.16 In AAB No. 14/2007, the AAB considered that an invoice, which was a document relevant to legal proceedings to which the concerned individual was a party, was not personal data of the individual. According to the AAB, the invoice, though addressed to a named individual, related to the trading price in a business transaction rather than to the individual personally. 2.17 The Ordinance protects the personal data of a living individual and does not extend to that of a deceased person. This is illustrated in the decision of AAB No. 27/2005 where a complainant, who was the son-in-law and lawful guardian of an elderly woman, complained about a social worker because she had disclosed to the coroner the fact that the elderly woman had died. The AAB held that for the Ordinance to apply, the personal data must relate to a living individual and did not include that of a deceased person.

12

02_Data Protection.indd 12

2016/6/27 1:58:40 PM

Chapter 2. The Meaning of “Personal Data”

Paragraph (b) — “From Which It Is Practicable for the Identity of the Individual To Be Directly or Indirectly Ascertained” 2.18 In applying the condition laid down in paragraph (b) to personal data, the first thing that should be taken note of is that the word “practicable” wherever it appears in the Ordinance, is defined under section 2(1) to mean “reasonably practicable”. 2.19 In the case of AAB No. 16/2000, the appellant made a complaint to the Commissioner about a public transport company, due to the fact that whenever he entered or exited through the toll gates using his senior citizen concessionary payment card, indicator lights flashed and an alarm went off. This would reveal to all persons nearby that he was over 65 which, according to him, amounted to disclosure of his personal data. In its decision, however, the AAB confirmed the Commissioner’s view that the payment card in question (not being a personalised card) did not contain personal data belonging to the appellant and the card could be purchased or possessed by anyone. Thus, the fact that the light and sound were emitted when the appellant used the concessionary payment card to pass through the toll gate did not make it reasonably practicable for the identity of the appellant to be directly or indirectly ascertained. The light and sound signals only identified the type of card used, not the person using it. 2.20 Secondly, in deciding whether certain data held by a party satisfies the condition laid down in paragraph (b) and, in particular, in considering the meaning of the words “from which” in that paragraph, the Commissioner takes the view that reference to the individual should be able to be construed from the context of all the relevant information controlled by the data user, of which the personal data of that individual forms part. For example, an employer holding a personnel file on one of his employees would not necessarily have the name of or other identifying information about the employee explicitly stated on every page. If the employer should be asked whether the information contained on one such page constitutes the personal data of the employee, it would be unreasonable and contrary to the Commissioner’s regulatory view for the employer to say “no” simply because that particular page alone does not reveal the identity of the

13

02_Data Protection.indd 13

2016/6/27 1:58:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

employee. Conversely, when it is not practicable on the face of the data or from other information that it holds for the identity of the data subject to be directly or indirectly ascertained, the condition laid down in paragraph (b) is not satisfied. 2.21 In applying the condition laid down in paragraph (b), the Commissioner will take into account all relevant data controlled by the party in question. If it is practicable for that party to ascertain from the totality of such data the identity of the individual, each and every part of the data (including, in the example given above, any individual page within the personnel file) also satisfies the condition laid down in paragraph (b). This totality approach is equally applicable to the situation where the data is contained in several documents, which, when read or construed together, constitutes the personal data of an individual. For example, when a separate note of address is found attached to a personnel file created for a particular employee, although no name is specifically stated on the note, it is likely to be construed as personal data belonging to the employee when read with other documents in the file and taking into account the nature of the matter as a whole. 2.22 This can be illustrated in the case of collection of fingerprint data by an employer for recording attendance. While it may not be practicable for the identity of an employee to be ascertained solely from the fingerprint data, it can be linked with other data held by the employer, for example, the staff number assigned to each employee, which in turn will point to the identity of a particular staff member. It will then become practicable for the employer to ascertain the identity of the employee who swiped his thumb image on the fingerprint scanner installed for recording attendance in order to gain access to the office premises. 2.23 By way of contrast, it may not be practicable to determine the item of data that belongs to a particular individual where a number of individuals’ personal data is collected concurrently for the same purpose. In an investigation conducted into a theme park for collecting fingerprint data of visitors, the complainant had purchased four “stay and play” tickets for use by him and his family members who visited the theme park together. As the tickets were not separately personalised, it would not be practicable for the theme park to ascertain to whom specific fingerprint data belonged from

14

02_Data Protection.indd 14

2016/6/27 1:58:40 PM

Chapter 2. The Meaning of “Personal Data”

the holders of the four tickets.10 In that situation, the Commissioner took the view that the condition laid down in paragraph (b) was not met. 2.24 On the other hand, where part of the personal data is anonymous so that it is not reasonably practicable for the identity of the data subject to be ascertained from it, the Commissioner will generally regard the condition laid down in paragraph (b) not to be met, hence failing to satisfy the definition of personal data. 2.25 The question whether it is practicable to ascertain an individual’s identity from the data was determined in a complaint where an individual complained about his name being uploaded onto the web page of a discussion forum set up by the residents of an estate. The individual alleged that the three Chinese characters of his name were used in a poetic expression posted in the forum. The Commissioner opined that it was not practicable to identify the individual from the data as such and decided not to investigate the complaint. On appeal, in AAB No. 67/2005, the AAB took into account the individual’s own interpretation of some other characters and numbers displayed in the forum as his nickname and address, and concluded that the data, taken together, was personal data as the forum browsers, who are mostly residents of the estate, could easily ascertain the flat owner from the poetic expression.11

Paragraph (c) — “in a Form in Which Access to or Processing of the Data is Practicable” 2.26 Regarding paragraph (c) of the definition of personal data, the question as to the meaning of the word “form” arose in a complaint to the Commissioner relating to a data access request. In his decision, as one of the alternative grounds to support the finding of no contravention, the Commissioner

10. See media statement released by the Commissioner on 30 July 2010 on the findings of the investigation, available on the Website. 11. In AAB No. 4/2015, a narrow approach was adopted by the AAB in deciding that the visa status of the appellant was not personal data, as it was not reasonably practicable for the appellant’s identity to be ascertained from the relevant statement concerning the visa status by itself (instead of the whole document).

15

02_Data Protection.indd 15

2016/6/27 1:58:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

observed that, insofar as the requested minutes of the meeting could not be located by the hospital to whom the request was made, such minutes (even if they existed somewhere in the hospital’s records) might not have satisfied the requirement in paragraph (c) of the definition of personal data to constitute the complainant’s personal data at all. On appeal by the complainant to the AAB in AAB No. 24/1999, the AAB expressed its view that the information contained in the minutes was not personal data of the complainant and even if it were, there was no evidence to suggest that the hospital had lied about its existence in refusing to comply with his data access request. 2.27 The complainant then applied for judicial review of the decision of the AAB (Tso Yuen Shui v. Administrative Appeals Board, HCAL 1050/2000) which was heard by Yeung J. 2.28 While upholding the AAB’s decision, Yeung J. commented on the alternative grounds relied on by the Commissioner referred to above. In particular, he accepted the complainant’s submission that the word “form” (appearing in the Chinese text as “存在形式”) refers to the physical shape, structure, type, etc. of the data in question. The inability of the hospital to locate the minutes in question had nothing to do with the form in which the minutes might have existed. 2.29 In illustrating the point, Yeung J. cited an example in which the form of the data is indeed relevant, that is, where the data user, although in physical possession of certain computerised data, has no access to the decoder necessary for decoding encoded data. Yeung J. also pointed out that other cases may be less clear, for example, where certain minutes of a meeting exist in the form of a paper document, but are contained in a time capsule buried 100 feet beneath a building. 2.30 On appeal by the complainant (CACV 960/2000), the decision of Yeung J. was confirmed by the Court of Appeal. Accordingly, it is now clear that the mere impracticability of locating certain data (which impracticability, however, has nothing to do with the form of the data in the sense of their physical shape, structure, type, etc.) does not prevent such data from being personal data according to its definition. The word “form” is given a wider meaning, embracing not just the physical form of the data but also its state of existence, which paradoxically seems closer to the meaning of the Chinese text.

16

02_Data Protection.indd 16

2016/6/27 1:58:40 PM

Chapter 2. The Meaning of “Personal Data”

2.31 In AAB No. 52/2011, an ex-employee made a data access request to his then employer. Some of the requested data was stored in a laptop computer which crashed, making it difficult for the employer to retrieve the requested data without technical assistance. The AAB took the view that although the employer had to engage IT experts to recover the data contained in the back-up files of the computer and time and expense had to be incurred, it could not be said that the personal data requested by the ex-employee did not exist in a form in which access to or processing of the data was not practicable. The employer should therefore comply with the data access request made under the Ordinance.

Consideration of Certain Types of Information IP Addresses 2.32 An IP address is a specific machine address assigned by the Internet Service Provider to a computer and is therefore unique to a specific computer. In AAB No. 16/2007, the Commissioner received a complaint relating to the disclosure of an internet subscriber’s information, including the IP address of the computer that disseminated the information. The Commissioner expressed the view that an IP address was information about an inanimate computer (not an individual) and it did not contain information related to an individual. Further, it was noted that an IP address alone could not reveal the identity of the computer user, and thus lacked the characteristic of identifying an individual directly or indirectly. However, in certain circumstances an IP address can constitute personal data when it is read together with other information, provided that the identity of an individual can be ascertained. The AAB agreed that the information collected by the Internet Service Provider in this case (namely, the business address and email account provided by the subscriber which did not on their own reveal the identity of the internet subscriber) together with the IP address disclosed did not amount to personal data of the complainant. It further opined that when an IP address was coupled with verified personal information such as name, identity card number and address, it would, indeed, constitute personal data. 2.33 In reaching its decision, the AAB had considered the following excerpt from the judgment in Cinepoly Records Co. Ltd. and others v Hong Kong

17

02_Data Protection.indd 17

2016/6/27 1:58:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Broadband Network Ltd. and others [2006] 1 HKLRD 255: 12. . . . An IP Address itself does not directly reveal the identity of the subscriber. But the ISP can track the IP address at a specific time or period to the records of their subscribers, which include names, Hong Kong ID card numbers and addresses. 13. In short, by cross checking the IP address marked at a specific time or period with the ISP’s records, the identity and address of the subscriber, whose computer has been used to upload the music files on the Internet by P2P program, including the WinMX software, can be revealed. 14. Accordingly, with the assistance of the ISPs, the cloak of anonymity can be pierced and the true identity of the infringers may be revealed.

2.34 The AAB concluded that: Short of CCTV evidence, it would not be reasonably practicable from such information to ascertain that it was actually the Appellant who used the computer identified by the IP address to send out the relevant email at the material time. It could have been anyone, as long as he had access to that computer (or had the necessary password if one was required at all).

Email Addresses 2.35 An email address identifies the destination (i.e. email box) to which email messages are delivered. An email address (comprising alphanumeric characters) can be created easily and quickly. Very often, an individual is free to create an email address which does not reveal his full name or contain any clue as to his identity. It is therefore difficult for the identity of an email address holder to be properly identified solely from an email address. 2.36 Whether an email address may constitute personal data of the email account holder was considered in AAB No. 16/2007. In the appeal, the AAB stated that they did not consider the email address of “huoyan_1989” to be the complainant’s name, nor was it the complainant’s personal data. 2.37 In AAB No. 25/2008, the AAB decided that an email address in some circumstances could be information from which the identity of an

18

02_Data Protection.indd 18

2016/6/27 1:58:40 PM

Chapter 2. The Meaning of “Personal Data”

individual may be directly or indirectly ascertained. However, the AAB did not accept that an email address comprising the initials of the complainant was, without any further information, sufficient to lead to the conclusion that the complainant’s identity would become reasonably ascertainable from such an address. The AAB decided that the email address in question was not the complainant’s personal data. 2.38 In AAB No.25/2012, the complainant sent an email enquiry to a government bureau through the address and signed as “Lau TL”. Subsequently, the bureau copied the reply email (attaching the complainant's enquiry email) to the Judiciary for information without her consent. The AAB considered that it was not practicable from the abbreviated name and email address (even when read together) for the identity of the complainant to be directly or indirectly ascertained. In any event, the fact that the complainant might have been known to the Judiciary because of some unrelated previous events did not turn the abbreviated name and the email address into personal data within the meaning of the Ordinance.

Biometric Data Such As DNA and Fingerprint Data 2.39 Biometric data possesses the characteristics of being both unique to the individual and measurable.12 It includes physiological data which individuals are born with (examples include DNA samples,13 fingerprints,14 palm veins, hand geometry and iris, retina and facial images) and behavioural data which are characteristics developed by an individual after birth (examples

12. Description in the “Working Document on biometrics” adopted by Article 29 Data Protection Party of EU on 1 August 2003. The description was updated in the “Opinion 4/2007 on the concept of personal data” adopted by Article 29 Data Protection Party of EU on 20 June 2007 which was followed in the “Opinion 3/2012 on development in biometric technologies” adopted by Article 29 Data Protection Party of EU on 27 April 2012. According to these Opinions, “biometric data” may be defined as “biological properties, behavioural aspects, physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability”. 13. See Case Note No. 2004C01 (available on the Website), in which the Commissioner accepted DNA as personal data. 14. See Case Note No. 2005C12 (available on the Website), in which the Commissioner accepted fingerprints as personal data.

19

02_Data Protection.indd 19

2016/6/27 1:58:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

include handwriting pattern, typing rhythm, gait and voice pattern).15 They are sensitive in nature, considering that they are not artificial information which can be rendered obsolete when the individual finds necessary. For instance, an individual whose wallet is stolen may apply for cancellation or renewal of a credit card immediately, but in no circumstances can an individual be disconnected from his unique biometric data. 2.40 While it may not be reasonably practicable for a lay person to ascertain the identity of an individual by merely looking at the individual’s fingerprint images or their numeric representations, when the biometric data is linked with personal data in another database, a particular individual can be identified. In one complaint, a company installed a fingerprint recognition system to record attendance of its staff. Instead of collecting the fingerprints of the staff, the system collected certain features of the fingerprints and converted the features into numeric representations for record purposes. The Commissioner’s view was that although the system adopted by the company did not collect the whole image of the fingerprint, the system could ascertain the identity of the staff by linking the features of the fingerprints with other identifying particulars held by it and so the data collected was personal data as defined by the Ordinance.16

Examination Scripts 2.41 Students’ answers to examination questions generally do not relate to the students and hence are not the students’ personal data. If an examination script was marked with the examiner’s comments or an evaluation of the student’s answers, those comments and evaluation would be the student’s personal data. In AAB No.7/2007, the AAB held the view that in general an answer given by a candidate in an examination did not amount to personal data of the candidate, but “if an examination script of the appellant was marked with the examiner’s comments or evaluation of the appellant’s answers, that examination script would be a document containing personal data of the appellant”.

15. See the Guidance on Collection and Use of Biometric Data, available on the Website. 16. See Investigation Report No. R09-7884, available on the Website.

20

02_Data Protection.indd 20

2016/6/27 1:58:40 PM

Chapter 2. The Meaning of “Personal Data”

2.42 The rationale of the above AAB decision was followed by the Commissioner in handling a complaint lodged by a student who made a data access request to a University for copies of his examination answer books and coursework. The University refused to comply with the data access request on the grounds that the requested documents were not the student’s personal data as the identity of the student was never an item of information that affected their comments and marking. The Commissioner took the view that evaluation of the performance of a student in an examination constituted the personal data of the student. Since the scores and the examiner’s written remarks on the marking sheets were the evaluation given by the examiner about the performance of the student, they constituted that student’s personal data. Hence, the University should comply with the data access request and provide the student with copies of his examination answer books and coursework together with the examiners’ markings and comments thereon.17

Mobile Phone Numbers 2.43 Generally speaking, a mobile phone number alone may not constitute the personal data of an individual as the phone number may be registered by a corporation, or the actual user of the phone number may be different from the registered individual user. However, when other identifying data, such as a name and address are also collected, the data user may be able to link the mobile phone number with a specific individual. The Commissioner will look at the totality of the relevant information and evidence put before him when deciding whether a mobile phone number constitutes personal data of the data subject in each case. 2.44 In a complaint case involving the making of direct marketing calls by an agent on behalf of a telecommunications company, the complainant objected to receiving persistent direct marketing calls notwithstanding his opt-out requests. The agent in this case had managed to gather a list of mobile phone numbers for the purpose of making direct marketing calls. According to the arrangement entered into with the telecommunications company, the agent would send the list to the telecommunications company

17. See Investigation Report No. R08-10578, available on the Website.

21

02_Data Protection.indd 21

2016/6/27 1:58:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

to check it against the opt-out list maintained by the latter before making any direct marketing calls. However, the agent failed to take this step. Both the telecommunications company and the agent claimed that the complainant’s mobile phone number was generated by random selection, which did not involve any personal data. However, it was discovered during investigation that the telecommunications company held other identifying particulars of the complainant. Despite the fact that the mobile phone number was generated by random selection by the agent, the telecommunications company was able to ascertain the identity of the complainant as its customer from the number. The Commissioner found that personal data of the complainant was involved and the telecommunications company had to be held liable for the failure to comply with the complainant’s opt-out request.18

Is Fabricated Information Personal Data? 2.45 Naturally, a person will disagree with any information written or recorded about him which he regards as untrue or fabricated. Information that is untrue or fabricated is not personal data under the Ordinance as it cannot be regarded as data relating directly or indirectly to an individual. The AAB has expounded this view in AAB No. 29/2001 which involved a complainant who, after being interviewed by a magazine, disputed the contents of the article published by it which he alleged to contain fabricated information. The AAB considered that “the Ordinance protects the personal data of an individual and not fabrication” and “a lie or a fabrication always remains a lie or a fabrication and can never be converted into personal data”. The definition of personal data clearly excludes any fabrication or lies told about a person.19 The AAB also commented that if the complainant was so badly misquoted or misreported, it might justify an action in defamation.20

18. See Investigation Report No. R10-4422, available on the Website. 19. The rationale was followed in AAB No. 49/2005. 20. In AAB No. 4/2015, the AAB took the view that an inaccurate personal data may be, at the same time, a lie or fabrication.

22

02_Data Protection.indd 22

2016/6/27 1:58:41 PM

Chapter 3 The Meaning of “Collect”

The main questions: • What is the meaning of the word “collect” as applied to personal data, in the light of the ruling made in the Eastweek case? • How does the ruling affect the scope and interpretation of the Ordinance? • What are the different kinds of privacy interests and which of them is protected under the Ordinance?

These questions are discussed in this Chapter concerning the Eastweek case and the meaning of “collect”. They have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

03_Data Protection.indd 23

2016/6/27 1:58:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The Eastweek Case 3.1

The Eastweek case is of cardinal importance in the following two aspects: • it defines the meaning of the word “collect” as it applies to personal data; and • in addition, it contains other important judicial dicta which help to provide clarification on the scope of the Ordinance.

3.2

The case arose from a complaint lodged with the Commissioner. The complainant, while walking on the street one day, was photographed by a magazine photographer without her knowledge or consent. The photograph was subsequently published in the magazine accompanied by unflattering and critical comments on her style of dress. The matter caused embarrassment and inconvenience to the complainant amongst her clients and colleagues.

3.3

After conducting an investigation of the case, the Commissioner decided that the magazine in question contravened DPP1(2)(b) of the Ordinance on the grounds that the personal data of the complainant in the photograph was collected by the magazine by unfair means. The magazine publisher took the decision to the Court for judicial review and applied for an order of certiorari to quash the Commissioner’s decision.

3.4

In the judicial review held in the Court of First Instance, Keith JA dismissed the application and the magazine publisher appealed to the Court of Appeal.

3.5

The Court of Appeal, by a 2-1 majority, reversed the decision of the Court of First Instance, and quashed the Commissioner’s finding of contravention. In its judgment delivered by Ribeiro JA, the Court of Appeal held that in deciding whether there was contravention of DPP1(2)(b), two elements must be proved, i.e. (i) an act of personal data collection; and (ii) doing this by means which are unfair in the circumstances of the case. Although a photograph of a person constitutes his personal data within the definition of the Ordinance, the Court ruled that in all the circumstances of the present case, there had been no “collection” of personal data by the magazine publisher and hence DPP1 was not engaged at all. The tests applied by the

24

03_Data Protection.indd 24

2016/6/27 1:58:47 PM

Chapter 3. The Meaning of “Collect”

Court in deciding whether “collection” took place or not set out the judicial interpretation of “collect” as provided in the Ordinance.

The Meaning of “Collect” 3.6

The following statement from the judgment of Ribeiro JA (at 90I), which was repeated almost word for word in the judgment given by Godfrey VP (at 102D), is of particular importance for the purposes of understanding an act of collection of personal data: It is . . . of the essence of the required act of personal data collection that the data user must thereby be compiling information about an identified person or about a person whom the data user intends or seeks to identify.

3.7

The above statement lays down two conditions for an act of collection of personal data: • the collecting party must be thereby compiling information about an individual (“Condition A”); and • the individual must be one whom the collector of information has identified or intends or seeks to identify (“Condition B”).

3.8

Furthermore, the following statement from Ribeiro JA’s judgment (at 93C) clarifies the requirements of Condition B: In my view, many of the other provisions of the Ordinance and in the data protection principles can only operate sensibly on the premise that the data collected relates to a subject whose identity is known or sought to be known by the data user as an important item of information. [emphasis added]

3.9

Elsewhere in Ribeiro JA’s judgment, reference was made to the facts of the case as well as other hypothetical scenarios. Referring to the facts of the case, the judge stressed the irrelevance of the identity of the person photographed to the appellant that published the photograph in its magazine, and the appellant’s indifference to such identity (91E to H). In an example quoted, he referred to the lack of concern on the part of market surveyors about the identity of respondents (91J to 92B). In yet another example, he mentioned

25

03_Data Protection.indd 25

2016/6/27 1:58:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the lack of interest on the part of the photographers and publishers of newspapers in the identity of individuals whose photographs were published in newspapers (93B), etc. All these were considered factors leading to the conclusion that there was no collection of personal data. 3.10 From the above, it appears that Condition B may be refined by the addition of the following condition: • the identity of the individual must be an important item of information21 to the collecting party (“Condition C”). 3.11 Indeed, before the Court of Appeal’s decision in the Eastweek case, the Commissioner himself, and probably many others, had tended to interpret the term “collect” in a purely mechanical sense, as meaning the act of physical acquisition and then applied that meaning to the term “collection of personal data”. 3.12 In contrast, the three conditions arising from the Eastweek case seem to imply a subjective element in the notion of collection of personal data. For Condition B to apply, the collecting party must have already identified the individual in question or, at least, must seek or intend to seek to identify the individual. Furthermore, under Condition C, the identity of the individual must be an important item of information to the collecting party. 3.13 As for the application of Condition A, additional reference may be found in the following dictum in Ribeiro JA’s judgment (94I): This entitlement (to make a data access request under DPP6) can only make sense if the data user has compiled the data collected in relation to each identified data subject. [emphasis added]

3.14 In most situations, Conditions B and C will follow simply as a corollary to Condition A. This is because when one is compiling information about a

21. What is viewed as an important item of information is illustrated by Ribeiro JA in his judgment that the information shall be such as would enable a search against the requesting individual’s name or other personal identifiers to yield an answer to a data access request made under section 18 of the Ordinance, or to identify the data subject under section 30 (matching procedure) to obtain his consent, or to give the opt out choice under section 34 (now repealed and replaced by Part 6A) when direct marketing activities are engaged in (93C to 94I of his judgment).

26

03_Data Protection.indd 26

2016/6/27 1:58:47 PM

Chapter 3. The Meaning of “Collect”

certain person, it is usually important to the compiler that the information regarding that person is not confused with that regarding any other person. Hence, the “identification” of the person is more often than not “an important item of information” to the compiler. 3.15 It is important to note that, while the Eastweek case, involving an anonymous individual, was clearly a case where Conditions B and C were not satisfied, there can be other cases where the identity of the individual is known, but Condition A is not satisfied. In all these cases, by applying the rationale and tests laid down in the Eastweek case, the result is the same in that there is no collection of personal data. 3.16 The importance of Condition A may be illustrated by the following examples. First, in the case of the minutes of a business meeting on a particular subject matter being recorded, information is compiled about that subject matter only, and usually there is no compilation of information about any member or employee (whose identity is, of course, known to the organisation) who spoke at that meeting, unless the subject matter happens to be about the individual speakers. In AAB No. 24/1999, the complainant made a data access request for a copy of minutes kept by the data user as records of a meeting. The complainant attended the meeting and the subject matter covered in the minutes was about a report of an accident with a boiler. On appeal against the Commissioner’s finding of no contravention, the Chairman of the AAB ruled that the contents of the minutes did not amount to the personal data of the complainant but was primarily concerned with the piece of equipment in question, although it had recorded some of the remarks made by the complainant. The complainant applied for judicial review of the AAB’s decision. In the judicial review (HCAL 1050/2000) the Court of First Instance applied the Eastweek case and ruled that the minutes concerned issues arising from the maintenance and repair of the boiler only, and the identity of the complainant was not an important piece of information to the data user. In the circumstances, the Court held that the contents of the minutes did not contain the complainant’s personal data. The decision of the Court of First Instance was confirmed by the Court of Appeal (CACV 960/ 2000). If there is no compilation of information about the member or employee, then Condition A is not satisfied; hence, according to the judgment of the Eastweek case, there is no collection of

27

03_Data Protection.indd 27

2016/6/27 1:58:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

personal data of any members or employees present at the meeting whose discussion may happen to be recorded in the minutes. 3.17 In an investigation22 carried out by the Commissioner into a management company operating a car park, a staff member of the management company was found to have conducted searches with the Transport Department using licence plate numbers he had collected with a view to finding out the names and contact addresses of the registered car owners. Direct marketing leaflets were then sent to these owners. The management company in this case had clearly shown an intention to compile and did compile information about individuals whom it intended or sought to identify. The act (of physical receipt of the information) coupled with the requisite intention (of the data user to compile or seek to compile information about a specific individual) constitute collection of personal data under the Ordinance. 3.18 Furthermore, the clandestine taking of photos by a reporter of a targeted individual without his knowledge or consent could amount to collection of his personal data when the above conditions are met. This was the case in two investigation reports23 in which three artistes, engaged in personal activities in their private residences were photographed from a distance outside using cameras with tele-focus lenses. There was no doubt that the intention of the photographers was to compile information about the artistes’ private lives to be published in a magazine. 3.19 The actual circumstances must be examined on a case by case basis to determine whether or not there has been any “collection” of personal data concerning an individual.

Consequence of Absence of “Collection” 3.20 Apart from providing judicial meaning to the term “collect” and a data user’s act of “collection of personal data”, the Eastweek case contains other dicta

22. See Investigation Report No. R12-3428, available on the Website. 23. See Investigation Reports Nos. R12-9159 and R12-9164, available on the Website.

28

03_Data Protection.indd 28

2016/6/27 1:58:47 PM

Chapter 3. The Meaning of “Collect”

that seem to confine the scope of the Ordinance. Examples were quoted in the judgment (92G to I) of photos taken and published in the newspaper by the business editor in order to illustrate a social phenomenon, such as a crowd jostling in a queue for an initial public offering of shares or the purchase of flats in a new property development. A features editor may also publish photographs of teenagers smoking cigarettes in an article on health concerns. Likewise, a sports editor may publish a picture of racegoers at Happy Valley to illustrate attendance in record high numbers. Though the persons being photographed in these situations might not like the idea of having pictures containing their images published, insofar as their identities are not known to the publisher and there is no evidence to prove that their identities are of relevant concern to the publisher, it does not amount to collection of their personal data, according to the dicta in the Eastweek case. 3.21 Particularly noteworthy is the following passage in Ribeiro JA’s judgment (92J) after quoting the examples mentioned above: . . . in none of those cases is the publisher or editor in question seeking to collect personal data in relation to any of the persons shown in the photographs and, in my view, the taking of such pictures and their use in such articles would not engage the data protection principles . . .” [emphasis added]

3.22 Of the six data protection principles in Schedule 1 of the Ordinance, DPP1 deals with the collection of personal data. It follows that, without collection of personal data, DPP1 would not be engaged. Where DPP1 is not engaged (i.e. there has not been a collection of personal data) in a given situation, the Ordinance is not applicable. 3.23 The Court’s judicial interpretation of the term “collect” clarifies the regulatory remit. Given the very wide definition of “personal data” in section 2(1), the application of the requirements under the Ordinance in a mechanical manner could lead to practical difficulties, not to mention anomalies in relation to activities where the handling of personal data is not in issue.

29

03_Data Protection.indd 29

2016/6/27 1:58:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Practical Example: Whether the Use of CCTV24 for Security or Monitoring Purposes Amounts to Collection of Personal Data 3.24 The use of CCTV devices for monitoring purposes is a prevalent practice in Hong Kong, for a variety of reasons. For instance, law enforcement agencies may install CCTV to prevent and detect the crime of dropping objects from a height, or to monitor pedestrians and traffic flow at busy and strategic locations. Banks may install CCTV at bank premises for security reasons, and employers may install CCTV for both security reasons and to monitor staff attendance. The management company of a building may also install CCTV inside lifts to ensure the personal safety of the residents and visitors. 3.25 Three scenarios are considered below to illustrate whether there is collection of personal data. The first scenario relates to the installation of CCTV which does not have a recording function or where the operator of the CCTV does not activate the recording function. The sole purpose of installation is for deterring crime. In these cases, the Ordinance does not apply since the activities of the individuals are not recorded at all and hence no personal data is involved. 3.26 The second scenario concerns the use of CCTV which records the activities of individuals who are within its recording range, but the operator does not intend to collect any particular individual’s images as he is indifferent to the identities of the persons whose images are being recorded. It is only when an incident happens or is reported that the operator may seek to identify the individuals concerned for the purpose of taking immediate or follow-up action. For example, a bank may install a CCTV overlooking an ATM machine. The recorded images will be erased regularly or the tapes will be overwritten at certain time intervals. However, if a robbery which happened within the viewing range of the cameras is reported, the police may view the recorded images to identify the suspect and gather evidence about the crime. As held in the Eastweek case, there is collection of personal data where the police (not the bank) intend to collect personal data of the suspect, the victim and other related parties.

24. See Privacy Guidelines: Monitoring and Personal Data Privacy at Work, available on the Website.

30

03_Data Protection.indd 30

2016/6/27 1:58:48 PM

Chapter 3. The Meaning of “Collect”

3.27 In AAB No. 5/2011, the complainant complained about the installation of CCTV in a community centre which recorded his activities without his knowledge. The AAB upheld the Commissioner’s findings that there was insufficient evidence to show that the centre had collected the personal data of the complainant. The CCTV was installed by the centre for security and management purposes only. The operation of the CCTV did not target the complainant or any particular person and the identities of the persons whose images were recorded by the CCTV were not of interest to the centre. 3.28 In AAB No. 50/2014, the complainant complained about his neighbour's installation of CCTV which would possibly capture images of the complainant and his family entering or leaving their premises. The AAB adopted the test laid down in the Eastweek case and concluded that the installation of the CCTV was for security purposes and not aimed at collecting the personal data of the complainant and his family. Hence, the data protection principles were not applicable. 3.29 The third scenario is the case where the use of the CCTV is explicitly for the purpose of collecting personal data. If personal data is collected by the recording devices, the operator should take heed of the requirements under the Ordinance and implement appropriate personal data protective measures.4 It is not uncommon for employers to use CCTV to monitor and record the attendance of their employees. This amounts to collection of personal data of the employees concerned. It is good practice for the employers to conduct a privacy impact assessment before deciding to engage in monitoring activities and to resort to the use of less privacy intrusive alternatives whenever applicable.25

Information Privacy and Other Privacy Interests 3.30 Another important point from the judgment delivered by Ribeiro JA in the Eastweek case is that he has made clear the scope of privacy interests as

25. See Guidance on CCTV Surveillance and Use of Drones, available on the Website.

31

03_Data Protection.indd 31

2016/6/27 1:58:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

protected under the Ordinance as follows (95I to 96E): Personal data protection and not a general right to privacy. Mr. Griffiths stressed the limited protection to privacy afforded by the Ordinance. As its long title states, it is “an ordinance to protect the privacy of individuals in relation to personal data, and to provide for matters incidental thereto or connected therewith.” It is therefore not intended to establish general privacy rights against all possible forms of intrusion into an individual’s private sphere or, as an American judge succinctly put it in an early textbook, a general right “to be let alone” (Judge Cooley in Cooley on Torts, (2nd ed.) p.29, cited in Warren & Brandeis, The Right to Privacy (1890) 4 Harv LR 193). The distinction between other interests in privacy and the protection of personal data is well recognized. Thus, the Law Reform Commission of Hong Kong, whose Report on Reform of the Law Relating to the Protection of Personal Data provided the basis for the Ordinance as enacted, cited four privacy “interests” identified by the Australian Law Reform Commission as follows: (a)

the interest of the person in controlling the information held by others about him, or “information privacy” (or “informational self-determination”) as it is referred to in Europe;

(b) the interest in controlling entry to the “personal place” or “territorial privacy”; (c)

the interest in freedom from interference with one’s person or “personal privacy”;

(d) the interest in freedom from surveillance and from interception of one’s communications, or “communications and surveillance privacy”. The Law Reform Commission made it clear that it was only concerned in its Report with “information privacy.” Protection of that particular interest is plainly also the aim of the Ordinance.

3.31 Sometimes a complainant who believes that his privacy right may have been infringed, for instance, by being stalked by someone, lodges a complaint with the Commissioner.26 Unless it can be shown that information about

26. This comes within the area of stalking. See the LRC’s Report on Stalking, October 2000 and the Consultation Paper on Stalking issued by the Constitutional and Mainland Affairs Bureau in December 2011. The Commissioner had submitted his views in response to the consultation, details of which are available on the Website. The Bureau issued a paper on the summary of the views received on the Consultation Paper in November 2012 (LC Paper No. CB(2)196/12-13(04)) and another paper on overseas experience in implementing anti-stalking legislation in December 2013 (LC Paper No. CB(2)471/13-14(03)).

32

03_Data Protection.indd 32

2016/6/27 1:58:48 PM

Chapter 3. The Meaning of “Collect”

him has been recorded and collected as a result, e.g. by being photographed or recorded, the infringement of personal privacy as opposed to personal data privacy is a matter outside the remit of the Ordinance. 3.32 Communications and surveillance privacy cover issues such as intrusion (by electronic or other means) into private premises and the interception of communications which sometimes overlap in certain situations. It should however be noted that surveillance activities, though causing interference with the personal privacy of the individual, do not necessarily involve the collection of “personal information”.27 Surveillance activities carried out by law enforcement agencies are regulated under the Interception of Communications and Surveillance Ordinance, Cap 589, Laws of Hong Kong and the personal data collected as a result is by virtue of section 58A exempt from the provisions of the Ordinance. 3.33 While personal privacy may be interpreted to mean the right to seclusion or solitude, the Hong Kong Law Reform Commission (“LRC”) addressed the issue in its Report on Stalking, October 2000, concerning reform of the law relating to domestic violence and stalking. The LRC recommended that when a person pursues a course of conduct that amounts to harassment of another which he knows or ought to know amounts to harassment of the other, he should be guilty of an offence. In the area of media intrusion upon the privacy of individuals, the LRC recognised the limitation of the Ordinance as it is not intended to establish general privacy rights against all possible forms of intrusion into an individual’s private sphere.28 3.34 To follow up on the report, the government issued a consultation document in 2011 inviting views on issues including whether there is a need for legislation against stalking, whether stalking should be made a criminal offence, the level of penalty and the recommended defences. Consideration was also given to the provision of civil remedies for victims. In response to the consultation, the Commissioner expressed general support for more stringent regulation against stalking as a stalker may engage in a series of acts like collection and dissemination of the personal data of the victim. Given

27. See the LRC's Report on Privacy: Regulating the Interception of Communications, December 1996, paragraphs 6 to 9. The Privacy Guidelines: Monitoring and Personal Data Privacy at Work issued by the Commissioner focuses on the monitoring activities carried out by employers where personal data of employees are collected. 28. See the LRC's Report on Privacy and Media Intrusion, December 2004, at paragraph 9.39.

33

03_Data Protection.indd 33

2016/6/27 1:58:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the wide definition of stalking, a data user’s persistent and unfair collection of the data subject’s personal data may be considered as stalking. There are scenarios where a breach of personal data privacy rights would overlap with the act of stalking, for instance, the pursuit of covert photography of artistes by the media. While the Commissioner agrees that it would be reasonable for the media to pursue a course of conduct in order to report on a matter of public interest, if the story is about the private life of an individual with no public interest involved, the media should not pursue the individual to the point of causing alarm or distress to the individual. A balance is needed between press freedom and other fundamental human rights, including the right to privacy. The Commissioner supports the creation of a separate defence on “legitimate news gathering activities”. In debt collection related activities, the Commissioner takes the view that establishing stalking as a criminal offence would be a more direct sanction against abusive debt collection practices, such as repeated telephone calls and posting up copies of a debtor or guarantor’s identity card with an abusive message. The Commissioner supports legislating against stalking and making it a criminal offence with civil remedies available to victims. 3.35 The views received during the public consultation on stalking in 2011/12 indicated that while there was support for introducing an anti-stalking legislation to afford better protection to the victims, there were also serious concerns expressed over the implications that such legislation may have on constitutional rights such as freedom of the media and freedom of expression. Having considered the views received from the public consultation, the Government decided in 2014 that there were “no favourable conditions to pursue the matter further”. 3.36 Since the law as it presently stands does not afford an aggrieved party the general civil remedy for invasion of the different types of privacy interests (other than information privacy), it would no doubt be helpful if a general tort on invasion of privacy be introduced so as to widen the channel for redress to an individual whose privacy right has been infringed.29

29. Recently, there has been some development in the area of a general tort of privacy. The Ontario Court of Appeal, in the case of Jones v Tsige, 2012 ONCA 32, for the first time introduced a general common law tort of privacy, in relation to intrusion upon seclusion.

34

03_Data Protection.indd 34

2016/6/27 1:58:48 PM

Chapter 3. The Meaning of “Collect”

3.37 For a data subject who suffers damage as a result of the contravention of a requirement under the Ordinance, section 66 confers a right on the aggrieved data subject to commence civil proceedings to seek compensation from that data user for the damage suffered. Damage may include injury to feelings.30 Up until now, few actions have been filed against data users under section 66. Data subjects may have been inhibited from instituting a civil law suit which is often costly and time-consuming. This situation has been redressed under the Ordinance31 by the Commissioner’s new power to grant legal assistance to an aggrieved individual to claim compensation from a data user for any damage suffered as a result of infringement of his personal data privacy when certain criteria are met.

30. In Dr. Alice Li Miu-ling v The Hong Kong Polytechnic University, DCEO 1/2004, the plaintiff claimed for damage suffered as a result of the delay of the defendant in providing her with all the personal data requested in her data access request. The Court ruled that there was no evidence to show that the plaintiff had suffered any damage or loss or in what way her feelings were injured as a result of the defendant’s delay in complying with her data access request. In view of the broad scope of personal data requested by the plaintiff, the Court accepted that the defendant needed more time and resources to locate the requested data and was satisfied that the defendant had exercised due diligence and taken reasonable care to provide the plaintiff with her requested personal data. A defence was successfully made out by the defendant under section 66(3). 31. Section 66B of the Ordinance confers power upon the Commissioner to grant assistance in respect of proceedings instituted to seek compensation under section 66 if (a) the case raises a question of principle; or (b) it is unreasonable, regarding the complexity of the case or the applicant’s position in relation to the respondent or another person involved or any other matter, to expect the applicant to deal with the case unaided.

35

03_Data Protection.indd 35

2016/6/27 1:58:48 PM

03_Data Protection.indd 36

2016/6/27 1:58:48 PM

Chapter 4 The Meaning of “Data User”

The main questions: • What is the meaning of the term “data user”? • What is the significance of the Eastweek case and how is it applied in the AAB cases? • How is the meaning affected by section 2(12)? • How does the term “data user” apply to an individual and the government? • Can two or more persons be jointly accountable as data users? • What is the relationship between a “data user” and a “data processor”? • How does section 4 affect the obligations and liabilities of data users?

The questions discussed in this Chapter concerning the meaning of “data user” are selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

04_Data Protection.indd 37

2016/6/27 1:58:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Meaning of “Data User” with Reference to the Eastweek case 4.1

The term “data user” is defined in section 2(1) of the Ordinance as follows: “Data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.

4.2

A person who satisfies the definition of a “data user” is obliged to observe and comply with the relevant provisions and requirements under the Ordinance. As mentioned in Chapter 3, the Court of Appeal judicially defined the meaning of the word “collect” in the Eastweek case. Thus, it could be inferred that a person who passes the tests laid down in the Eastweek case is a “data user” within the definition under section 2(1) as a person who “. . . controls the collection . . . of the data”.

4.3

In AAB No. 22/1997, the AAB ruled that a secretary who was merely responsible for transmitting the document passed to her by another staff member of the company did not fall within the definition of a data user as she did not “control the collection, holding or processing of the data contained in the document” and there was no evidence to show a breach of DPP4 when the document was lost in transit.

4.4

Mere physical possession of a newspaper or magazine does not render the reader a data user in relation to the personal data of individuals mentioned in the newspaper or magazine. However, the situation might be different if the reader of the newspaper or magazine intends to compile information about an identified individual, for example, a celebrity or public figure for the purpose of, say, subsequent publishing of a dossier about that person. It might then be argued that the reader became a data user through his act of collection of the personal data in question.

4.5

While Eastweek is the landmark case which judicially defines the word “collect” and therefore has an important bearing on the meaning of the term “data user”, there was an earlier AAB decision on the issue of the meaning of “data user”. The AAB came to the same conclusion as was reached at the subsequent Eastweek case. In AAB No. 4/1997, a hospital employee lodged a complaint about an incident in which three hospitals had permitted an

38

04_Data Protection.indd 38

2016/6/27 1:58:54 PM

Chapter 4. The Meaning of “Data User”

open letter written by an employee, which contained the personal data of the complainant, to be posted on their noticeboards. On appeal, the AAB upheld the Commissioner’s decision not to investigate the case further. The AAB further observed: Even if the hospitals had allowed or given consent for such posting, the hospitals could not be taken as data users, since they only permitted the posting of the letters but they had no control on the content or data mentioned in the open letter.

4.6

If one were to apply the Eastweek rationale to this AAB case, it might be argued that by not having compiled information about the complainant, the hospitals did not “collect” the complainant’s personal data in the Eastweek sense, which as a result, did not render the hospitals “data users” vis-à-vis the personal data in question.

Meaning of “Data User” with Reference to More Recent AAB Cases 4.7

In the case of AAB No. 55/2006, an individual, on behalf of an organisation, wrote two letters to a regulatory body concerning a complaint against a company. The regulatory body forwarded the two letters to the company for their reply to the individual directly. The individual then asked the company for copies of those two letters together with the covering letter from the regulatory body, but the company refused to comply. The individual complained to the Commissioner that, in contravention of section 19 of the Ordinance, the company had failed to provide him with copies of the requested letters within forty days of his request. The Commissioner found that: • the company had received the two letters from the individual on behalf of the organisation for the purpose of dealing with the complaint made to the regulatory body; • the correspondence between the company and the regulatory body was about the complaint and did not concern the individual personally; and • there was no collection of personal data about the complainant by the company and therefore the Ordinance did not apply.

39

04_Data Protection.indd 39

2016/6/27 1:58:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



Based on the above findings, the Commissioner considered that no investigation or further investigation was necessary. On appeal, the AAB upheld the Commissioner’s decision and ruled that: A person who does not collect, hold, process or use the personal data is not a data user in relation to that data. He is not obliged to comply with a data access request in relation to that data.

4.8

In the case of AAB No. 3/2005, a student complained against a school for failing to comply with his data access request. The school denied that it was the data user because it did not hold or control the requested data. The school then diverted the request to a closely connected college, which was the data user, for processing the request. The complainant insisted that the school had to comply with his request. The AAB ruled that the school and the college were separate legal entities. Although the school was closely connected to the college in that it had control over the college on policy matters, the school was not the data user of the requested personal data in that it did not control the collection, holding, processing or use of the requested data. The college collected the personal data for its own use. There was no evidence that the college had ever transferred the requested data to the school or that the school had control over the requested data.

4.9

In AAB No.8/2005, a student filed a complaint against his school for disclosing the examination results of an academic programme to his classmate before they were due for release. His suspicion was fueled by the fact that he had received an email from his classmate notifying all persons enrolled in the academic programme (of which his name was included in the list of recipients) of the arrangements for making a trip to the mainland to attend the graduation ceremony. The school denied that it had disclosed the examination results as alleged, and maintained that there was no evidence to show that the school was the data user in respect of the student’s personal data in the email sent by his classmate. The AAB upheld the decision of the Commissioner that the school was not the data user.

4.10 In the case of AAB No. 16/2007, the AAB considered the question whether a data user’s control over personal data could have been vitiated when the data user was compelled by the operation of PRC law to disclose the personal data. The AAB decided that in such circumstances the data user retained

40

04_Data Protection.indd 40

2016/6/27 1:58:54 PM

Chapter 4. The Meaning of “Data User”

control over the personal data; the disclosure of the relevant information under compulsion of law did not and could not vitiate their control.

Section 2(12) 4.11 Another point worth noting regarding the meaning of “data user” is the exclusion under section 2(12), which provides: A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, the data for any of his own purposes.

4.12 The meaning of data being held, processed or used “solely on behalf of another person” and not for one’s “own purposes” is of particular relevance. 4.13 For example, a janitor was engaged for the service of regularly disposing of documents that might contain personal data. Unless it can be shown that he collected the personal data that might be found in the documents for his own purposes, generally he is not considered, merely by collecting documents that might contain personal data for the purpose of disposal, to come within the definition of a data user. Another example is found in the case of the warehouse operators providing storage cubicles for use by their customers. Chattels and documents may be stored but the operators generally have no intention to collect the personal data that is found in these documents. 4.14 In AAB No.12/2013, a court clerk collected the personal data of a complainant before taking notes in a magistrate’s court room. Since the purpose of collection was for the management of the court but not for the court clerk’s own purpose, the AAB took the view that the court clerk was not the data user.32

32. In AAB No.232/2013, it was ruled that a rock climbing club, instead of the trainer retained by the club to provide training and sign the certificate of completion of training, was the data user in question.

41

04_Data Protection.indd 41

2016/6/27 1:58:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

4.15 Nowadays, the use of a third party contractor, such as a cloud service provider to store electronic data on behalf of individuals and companies has become increasingly popular. If the cloud service provider simply provides an electronic storage medium but does not have any intention to collect the personal data which may be transmitted to it for storage, it is to that extent not a data user as excluded under section 2(12). 4.16 By the same token, a service company providing secretarial services to a number of shelf companies/individuals using its premises as a registered office is not a data user when its staff collects incoming mail addressed to named individuals. This is because the service company does not have its own purpose to serve in collecting the personal data contained in the mail. 4.17 The requirements of the Ordinance do not apply to a person who is not a data user by operation of section 2(12). However, an organisation engaging the services provided by such person as an agent may be liable as principal under section 65(2) of the Ordinance in respect of the personal data that was entrusted to the agent for handling.

Meaning of “Person” in the Context of Data User 4.18 Although one would expect that the Ordinance primarily seeks to address the abuse of personal data by institutional data users, there is nothing in the definition of “data user” to confine its meaning to institutions alone. Accordingly, insofar as an individual “controls the collection, holding, processing or use” of personal data, the individual is a data user in relation to the personal data and will consequently be subject to the full force of the requirements under the Ordinance. 4.19 Another point to note in relation to the interpretation of “data user” is the meaning of the word “person” and whether it extends to cover the Government as well. In this connection, reference could be made to the interpretation of the word “person” as defined in section 3 of the Interpretation and General Clauses Ordinance (Cap 1): “person” includes any public body and any body of persons, corporate or unincorporate, and this definition shall apply notwithstanding that the word

42

04_Data Protection.indd 42

2016/6/27 1:58:54 PM

Chapter 4. The Meaning of “Data User”

‘person’ occurs in a provision creating or relating to an offence or for the recovery of any fine or compensation.

4.20 The term “public body” is, in turn, defined in section 3 of Cap 1 as follows: “public body” includes – (a) the Executive Council; (b) the Legislative Council; ... (ca) any District Council; ... (d) any other urban, rural or municipal council; (e) any department of the Government; and (f) any undertaking by or of the Government.

4.21 The Government as a whole is in possession of a substantial amount of personal data in relation to the residents of Hong Kong. Such data has been collected and is retained by various government bureaux and departments, according to their respective functions, such as law enforcement, revenue, social welfare, medical services etc. 4.22 In light of the wide definitions of the terms “data user”, “person” and “public body”, such terms may be interpreted to refer to either individual government bureaux and departments as separate data users, or the entire Government (being a body of persons) collectively as one single data user. However, in view of the vast array of functions the Government performs in relation to individual residents which involve the collection and use of personal data, the collective interpretation would effectively empower the Government to collect, virtually without limitation as to the scope of the personal data, and the exchange of such data among its various bureaux and departments. This would give rise to an anomalous result contrary to one of the principal tenets of the Ordinance, namely, to protect the personal data privacy of individuals by reference to the purpose of collection of the data and its intended use by the relevant data user in relation to that purpose.

43

04_Data Protection.indd 43

2016/6/27 1:58:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

4.23 Hence, so far as the relationship between the Government and residents is concerned, the operational stance taken by the Commissioner is to interpret such terms to refer to each individual government bureau and department as a separate data user.33 Accordingly, under DPP1(1), a government department is not allowed to collect personal data in excess of that required for its own function and activity (as opposed to those of other government departments). Furthermore, the transfer of data amongst bureaux or departments is subject to the relevant restrictions under DPP3. For a more comprehensive discussion of DPP1(1)(c) and DPP3, readers are referred to paragraphs 5.1 to 5.29 in Chapter 5 and Chapter 7. 4.24 To further illustrate this point, a government department may operate through different district offices or branch offices under its supervision and control. In the event of any breach of a requirement under the Ordinance by a staff of one of these offices, the Commissioner will look to the government department in question as the data user and hence the target of investigation. This is because the government department concerned is viewed as a single person who is capable of devising, reviewing, supervising and controlling the personal data policies and practices to be followed by all the district offices or branch offices operated under it. The same applies, for example, to the case of the Hospital Authority which manages and supervises a number of public hospitals in Hong Kong.

Joint Data Users 4.25 The definition of the term “data user” extends to situations where more than one person is found to be in control of the collection, holding, processing or use of the data, in which case they are jointly regarded as data users who are obliged to observe and comply with the requirements under the Ordinance.

33. There may, however, be certain exceptions to this general rule, including, for example, the case of a civil servant who is posted to different departments from time to time. In this situation, the government as a whole may be regarded as the data user of personal data about the civil servant relating to his employment.

44

04_Data Protection.indd 44

2016/6/27 1:58:55 PM

Chapter 4. The Meaning of “Data User”

4.26 An example is found in the case in which two or more persons who jointly or in common hold the legal title of real property leased it out to a tenant for rental profits. They may have collected the tenant’s personal data in circumstances where they jointly control the holding, processing or use of such data. Thus, when a dispute arises or a complaint is lodged by the tenant regarding the improper handling of his personal data, all of the owners who satisfy the definition of data user will be jointly held accountable for the act or practice in question. 4.27 Another common situation in which more than one person may qualify as a data user is found in cross-marketing activities whereby the personal data of customers held by company A (the transferor company) is transferred to another company, company B (the partner company) for the purpose of conducting activities in the nature of a joint marketing campaign. The joint marketing campaign may involve the marketing of products or services of A or B or both to customers of A and/or B. When A and B jointly control the collection, holding, processing or use of the data, they will be regarded as joint data users under the Ordinance.34 4.28 When a potential customer’s personal data is first used for marketing purposes, the data user is obliged under section 35F(1) of the Ordinance to inform him of his right to opt-out of such marketing activities and to comply with the opt-out request pursuant to section 35G(3). If the data user continues to use personal data about the individual for direct marketing after receiving his opt-out request, he may be considered as having committed an offence under section 35G(4).35 In order to comply with the statutory requirements under section 35G(3), a data user shall keep and maintain an opt-out list of individuals who have chosen not to receive further marketing approaches. If direct marketing activities are carried out by the partner company and a customer exercises his opt-out right, the partner company should inform the transferor company about the request made by the customer. The partner company as well as the transferor

34. Even if the joint marketing campaign does not involve transfer of customers’ personal data, A and B may still be considered as joint data users as long as they jointly control the collecting, holding, processing or use of the data. 35. Under section 35G(4), a data user who contravenes the requirements is liable to a maximum fine of $500,000 and to imprisonment for three years.

45

04_Data Protection.indd 45

2016/6/27 1:58:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

company have to maintain the opt-out list and must not make any further marketing approaches to those customers who have opted out36 from the direct marketing activities in question. In AAB No. 20/2009, the crux of the complaint was the repeated receipt by the complainant of direct marketing materials sent by companies A and B which were joint promotion partners. The Commissioner took the view that upon the receipt of an opt-out request from the complainant by company A, it should have informed company B about it so that the latter would cease using the complainant’s personal data for direct marketing purposes.

What is the Relationship between a Data User and a Data Processor? 4.29 The Amendment Ordinance made changes to DPP2 and DPP4 by introducing the term “data processor” which is defined as follows: “Data processor” means a person who – (a) processes personal data on behalf of another person; and (b) does not process the data for any of the person’s own purposes.

4.30 It is common business practice these days for a data user to outsource the processing of personal data to a contractor, for example, to a document shredding company for carrying out safe destruction of confidential documents, and to an IT contractor to manage and maintain the staff attendance and payroll IT systems. 4.31 These data processors are not data users as they do not control the collection, holding and processing of the personal data and therefore are not subject to the regulatory remit of the Ordinance. From the Commissioner’s regulatory experience, quite a number of data breaches were committed by

36. See New Guidance on Direct Marketing, available on the Website.

46

04_Data Protection.indd 46

2016/6/27 1:58:55 PM

Chapter 4. The Meaning of “Data User”

the contractors or agents appointed by the data users to process personal data on their behalf.37 4.32 To address this issue, the Amendment Ordinance sought to strengthen the protection of personal data by imposing a duty on data users who engage these data processors to use contractual or other means to ensure that the personal data that was transferred to the data processors was not kept longer than is necessary and to take reasonably practical steps for the security of the data. For details on how these new obligations are to be observed by the data user, readers may refer to Chapters 6 (on DPP2) and 8 (on DPP4).

Section 4 4.33 If a person falls within the definition of “data user”, section 4 of the Ordinance applies to govern his act and conduct: 4.

A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance.

4.34 The six data protection principles set out in Schedule 1 of the Ordinance are of vital importance to guide the act or practice in handling personal data. For this reason, they are the topics for discussion in the subsequent Chapters.38 Section 64A(1) which makes contravention of a requirement under the Ordinance an offence, specifically excludes data protection principles. Although non-compliance with any of the data protection principles does not per se attract criminal sanction, when coupled with other provisions in the Ordinance that are relevant to the application of the

37. For instance, the leakage of complainants’ sensitive personal data, which was the subject matter of the Commissioner's Investigation Report No. R06-2599, was caused by the uploading of the complainants’ personal data (including names, addresses and HKID numbers) by the IT contractor onto a location of the server to which members of the public had access. 38. A checklist for data users in ensuring compliance with the requirements under the Ordinance is found in Appendix V of this Book. The remedies that a data subject may resort to if his personal data privacy right is infringed are summarized in Appendix VI.

47

04_Data Protection.indd 47

2016/6/27 1:58:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

data protection principles, the wrongful act or practice may constitute an offence under the Ordinance. For instance, section 19 of the Ordinance obliges the data user to comply with a data access request and it is a statutory requirement in relation to compliance with DPP6. Similarly, section 26 provides for the erasure of personal data no longer required and it is also a statutory requirement applicable to compliance with DPP2(2). In addition, where contravention of a data protection principle is found after an investigation, the Commissioner may issue an enforcement notice to the data user directing them to take steps to remedy and, if appropriate, prevent any recurrence of the contravention.39 Failure to comply with the enforcement notice is an offence.40 Moreover, under the Amendment Ordinance, a data user may be considered as committing an offence if, having complied with an enforcement notice, he intentionally does the same act or makes the same omission in contravention of the requirement under the Ordinance.41 4.35 Certain acts are permitted in Part 8 (“the exemption provisions”) under the Ordinance which would otherwise be a contravention of the data protection principles. The application of these exemption provisions are discussed in detail in Chapter 12.

39. See section 50(1). 40. See section 50A(1)(a). A data user is liable, on first conviction, to a fine at level five and to imprisonment for two years; and if the offence continues after the conviction, to a daily penalty of $1,000. Under section 50A(1)(b), a data user is liable on a second and subsequent conviction to a fine at level six and to imprisonment for two years; and if the offence continues after the conviction, to a daily penalty of $2,000. 41. See section 50A(3). A person is liable on conviction, to a fine at level five and to imprisonment for two years; and if the offence continues after the conviction, to a daily penalty of $1,000.

48

04_Data Protection.indd 48

2016/6/27 1:58:55 PM

Chapter 5 Data Protection Principle 1

The main questions: • What are the general requirements under DPP1(1)? • In particular, for the purpose of DPP1(1)(a), how is the function and activity of a data user ascertained? • What are the general requirements under DPP1(2)? • What are the common examples of collection of personal data by unfair means? • What are the general requirements under DPP1(3)? What are the changes introduced by the Amendment Ordinance? • When do such requirements apply to the collection of personal data, and how? What are the points to note when collecting personal data for direct marketing purposes?

The questions of the purpose and manner of collection of personal data discussed in this Chapter concerning DPP1 have been selected on the basis of their practical importance in light of the Commissioner’s own regulatory experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

05_Data Protection.indd 49

2016/6/27 1:59:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

DPP1(1) 5.1

Data Protection Principle 1(1) in Schedule 1 of the Ordinance provides as follows: Principle 1 – purpose and manner of collection of personal data (1) Personal data shall not be collected unless – (a) the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; (b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and (c) the data is adequate but not excessive in relation to that purpose.

5.2

The drafting of DPP1(1) appears to allow wide interpretation. The Commissioner will therefore take into account all relevant factors according to the circumstances42 and be mindful of the proper application of the rules of interpretation stated in paragraphs 1.7 to 1.9 in Chapter 1.

5.3

For the purpose of DPP1(1)(a), in the case of a government bureau or department or a public body being the data user, the Commissioner will generally regard the function and activity of the data user as being restricted to its generally recognized functions, whether conferred on it by statute or otherwise. Hence, a government department should not collect personal data for the sole purpose of assisting another department, where such collection is directly related to the function and activity of the other department, but not to that of its own.43

5.4

The same approach is adopted in the case of data users that are private organisations. It is also noted that the functions or activities of a private or

42. For enquiries made to the Commissioner concerning the application of DPP1(1) to the collection of personal data in particular situations, readers may refer to relevant cases in the Complaint and Enquiry Case Notes Section on the Website. 43. For a discussion of the treatment of different government bureaux and departments as separate data users, readers may refer to paragraphs 4.19 to 4.24 in Chapter 4.

50

05_Data Protection.indd 50

2016/6/27 1:59:01 PM

Chapter 5. Data Protection Principle 1

commercial organisation may change in response to external changes in the social or business environment. 5.5

Indeed, given the advent of low cost and high performance technology for information storage, an organisation may easily be tempted to collect from a variety of sources and hoard personal data (especially those of prospective customers or clients) just in case such data may become useful in future. Insofar as there is an intention on the part of the data user to compile information about these identified or identifiable individuals in the Eastweek sense,44 the personal data of these data subjects is treated as having been collected. The indiscriminate collection of personal data, especially where it involves sensitive personal data, is likely to be viewed by the Commissioner as a contravention of DPP1(1), in that it may not be considered as directly related to, or be considered as excessive for, the organisation’s functions and activities.

5.6

Three codes of practice have so far been issued by the Commissioner under section 12(1) of the Ordinance setting out the scope of personal data that, in the opinion of the Commissioner, may be collected under DPP1(1) in respect of the relevant industries and/or fields of activity.45 For instance, under the Code of Practice on Human Resource Management, an employer should not collect a copy of the identity card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment.46 The collection of personal data by a data user in excess of that expressly permitted under the Code of Practice may result in contravention of DPP1(1) under section 13 of the Ordinance.47

5.7

In other situations where there are no applicable codes of practice for ensuring compliance with DPP1(1), a data user should nonetheless, before collecting any personal data, give due consideration to the relevant factors including:

44. See Chapter 3 on the Eastweek case and the meaning of “collect”. 45. See Appendix IV of this Book for the following Codes of Practice issued by the Commissioner: a. Code of Practice on the Identity Card Number and Other Personal Identifiers; b. Code of Practice on Consumer Credit Data; and c. Code of Practice on Human Resource Management. 46. Paragraph 2.2.4 of the Code of Practice on Human Resource Management. 47. See section 13(2) and (4) of the Ordinance.

51

05_Data Protection.indd 51

2016/6/27 1:59:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

• the particular function or activity to which the collection of the data concerned is directly related; • the sensitivity of such data; • the legitimate purposes to be served in collecting such data and the possible adverse impact on data privacy protection; • whether there is a real need for the data to be collected in order to carry out that function or activity; • whether there is any less privacy intrusive alternative for attaining the purpose of collection.

Some examples are given below to illustrate the application of DPP1(1).

Collection of HKID Numbers and Copies of HKID 5.8

A data user should be cautious when collecting HKID numbers and copies of HKID so as to comply with DPP1(1) and to observe the restrictions imposed by clauses 2.3 and 3.2 of the Code of Practice on the Identity Card Number and other Personal Identifiers.

5.9

The general principle is that unless it is authorised by law, a data user should not compulsorily require a data subject to furnish his HKID number or a copy of his HKID. In relation to authorisation by law, for instance, Schedule 2 of the Anti-Money Laundering and Counter-Terrorists Financing (Financial Institutions) Ordinance, Cap 615, provides for the circumstances under which a financial institution48 must discharge the duty of due diligence and keep records of documents used for verifying the identities of the customers. A financial institution is therefore obliged to keep copies of the HKID of its customers for such purposes.

5.10 The Commissioner has found that the collection of HKID numbers is justifiable where it falls squarely within one of the circumstances outlined in Clause 2.3 of the Code of Practice on the Identity Card Number and other

48. For the definition of “financial institution”, see Part 2 of Schedule 1 of the Anti-Money Laundering and CounterTerrorists Financing (Financial Institutions) Ordinance, Cap 615.

52

05_Data Protection.indd 52

2016/6/27 1:59:01 PM

Chapter 5. Data Protection Principle 1

Personal Identifiers, and no less privacy intrusive method is available given the purpose of collection. These circumstances also include cases where the collection and use of the HKID number by the data user is necessary: • for the prevention or detection of crime, the apprehension, prosecution or detention of offenders, or any other purpose outlined in Section 58(1) of the Ordinance (clause 2.3.2.2 of the Code of Practice on the Identity Card Number and other Personal Identifiers); • to advance the interests of the HKID holder, e.g. a doctor may require a patient to provide his HKID number to ensure that the correct previous medical records of the patient are obtained for use in medical consultation and treatment (clause 2.3.3.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers); • to safeguard against any damage or loss of the data user, which is more than trivial in the circumstances, e.g. a driver in a car accident may collect the HKID number of the other driver in order to facilitate any future claim (clause 2.3.3.3 of the Code of Practice on the Identity Card Number and other Personal Identifiers); or • to be inserted in a document to be executed by the HKID holder which is intended to establish or evidence a legal or equitable right, interest or liability not of a transient nature or trivial in the circumstances, e.g. the HKID number of an individual may be inserted into a contract (involving substantial interests) to which he is a party (clause 2.3.4.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers). 5.11 In a complaint involving collection by a management company of the HKID numbers of drivers who visited the car park of a commercial building which was open to the public, the Commissioner found contravention by the management company of DPP1(1) and clause 2.3 of the Code of Practice on the Identity Card Number and other Personal Identifiers. As the management company failed to provide any figures on the number of crimes committed in the car park, there was insufficient evidence to show that such collection was necessary for the prevention of crime as alleged. The management company subsequently appealed against the enforcement notice issued by the Commissioner. In AAB No. 41/2004, the appeal was dismissed by the AAB and the decision of the Commissioner was upheld.

53

05_Data Protection.indd 53

2016/6/27 1:59:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

5.12 In another complaint lodged with the Commissioner, a food company required purchasers of its food products who wished to be registered for a lucky draw to provide their names, contact information, HKID numbers and dates of birth. Prizes of the lucky draw included free credit card spending and gift vouchers worth tens of thousand dollars. Upon investigation, the Commissioner found that there were two categories of lucky draw tickets, namely tickets placed inside the products all bearing the same lucky draw number, and tickets that were attached to the boxes of other products with unique lucky draw numbers. The Commissioner decided that for those participants issued with unique lucky draw numbers, the company would have been able to meet the purpose of authentication when winners presented their tickets and HKIDs for prize collection by checking the lucky draw numbers together with their names and contact information previously registered with the company. In all the circumstances of the case, the collection of the HKID numbers of these participants was excessive and in contravention of DPP1(1). As for those participants who held the same lucky draw numbers, the Commissioner considered that collection of their HKID numbers was acceptable in view of the high value of the prizes and the risk of misdelivery of prizes. Such collection would avoid damage or loss which was more than trivial in the circumstances as permitted under clause 2.3.3.3 of the Code of Practice on the Identity Card Number and other Personal Identifiers. The Commissioner also considered that it was unnecessary for the company to collect the participants’ dates of birth for the purpose of contacting them and verifying their identities as argued.49 5.13 In relation to the collection of a copy of an individual’s HKID, clause 3.2 of the Code of Practice on the Identity Card Number and other Personal Identifiers has prescribed circumstances under which such collection is allowed, some of which are similar to those specified in paragraph 5.10 above. However, clause 3.3.1 of the Code makes it clear that the collection of a copy of a HKID will not be allowed merely to safeguard against clerical error in recording the name or HKID number of the individual. There was a complaint against a government department for taking a photograph of the complainant’s HKID for the purpose of verifying the complainant’s identity as a witness. The Commissioner took the view that such an act was contrary

49. See Investigation Report Number R09-3658, available on the Website.

54

05_Data Protection.indd 54

2016/6/27 1:59:02 PM

Chapter 5. Data Protection Principle 1

to DPP1(1) and clause 3.3.1 of the Code. The government department eventually agreed that the collection of the copy of the complainant’s HKID was unnecessary and deleted the image stored in the digital camera. 5.14 In another investigation,50 the Commissioner found that the collection by a fitness centre of copies of HKIDs or Home Visit Permits from applicants/ members during the handling of membership applications/renewals, breached DPP1(1), as such collection was unnecessary and excessive for the purposes put forward by the fitness centre. The fitness centre claimed that the collection was necessary in order to verify the identity of each member for establishing a legal relationship; enabling the fitness centre to take legal action where necessary; facilitating internal administration and external audits; and discouraging its staff (who earn extra commission based on the number of memberships sold) from fraudulently creating membership accounts. The Commissioner found that such reasons for collection were not justified as there were less privacy intrusive alternatives available, e.g. the fitness centre could have required members to enter into the membership agreement under their legal names instead of pseudonyms, and auditors could verify the fitness centre’s income based on bank statements, etc. In particular, the Commissioner found that the fitness centre’s collection of copies of HKIDs or Home Visit Permits for the claimed prevention of fraud by its staff was not justified under paragraph 3.2.1.251 of the Code of Practice on the Identity Card Number and other Personal Identifiers in the absence of any supporting statistics or cogent evidence. He was of the view that the fitness centre could have considered implementing other monitoring measures to tackle the problem of employee fraud instead of collecting members’ HKID or Home Visit Permit copies at the expense of their personal data privacy. 5.15 However, after examining the membership agreement and past incidents of legal actions brought against the members in respect of unpaid membership fees or for claiming damages for broken equipment, etc. as well as other evidence available, the Commissioner found that the fitness centre’s

50. See Investigation Report Number R13-12828, available on the Website. 51. Under paragraph 3.2.1.2, a data user may collect the copy of an identity card for any of the purposes mentioned in section 58(1) of the Ordinance (the prevention or detection of crime, the apprehension, prosecution or detention of offenders, the assessment or collection of any tax or duty, etc.).

55

05_Data Protection.indd 55

2016/6/27 1:59:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

collection of the members’ HKID numbers was justified under paragraphs 2.3.3.352 and 2.3.4.153 of the Code of Practice on the Identity Card Number and other Personal Identifiers. He considered that the fitness centre’s intention to establish or to evidence a legal right or interest or liability on the part of the members at the time of signing the membership agreement, and the right, interest or liability covered by the said agreement was not of a transient nature, nor was it trivial in the circumstances. As noted by the Commissioner, the collection of a copy of a HKID is subject to stricter control and greater protection as the copy does not only contain a unique identifying number, but also the full name, photograph and date of birth of the holder. The indiscriminate collection and improper handling of copies of HKIDs may infringe the privacy of the data subject and create opportunities for fraud and identity theft. 5.16 Another case considered by the Commissioner involved the collection by a service operator of the HKID numbers of applicants who applied for Autotoll electronic toll collection services, for the purposes of avoiding any damage or loss arising from Autotoll users passing through toll lanes with a negative balance in the Autotoll account. The Commissioner found that such collection was not inconsistent with DPP1(1) and paragraphs 2.3.3.3 and 2.3.4.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers. This decision was upheld by the AAB in AAB No.24/2013. The AAB expressed the view that: one should (not) approach paragraph 2.3.3.3 of the Code by merely counting dollars and cents. The nature of the loss and damage is equally, if not more, important … the line should be drawn by distinguishing genuine commercial loss essential to the very operation of the service of a service provider from artificially created loss such as bonus points and cash rewards.54



The AAB considered that the collection of undercharge and unpaid tolls

52. Paragraph 2.3.3.3 covers the situation of collection of identity card number by a data user to safeguard against damage or loss on the part of the data user which is more than trivial in the circumstances. 53. Paragraph 2.3.4.1 concerns the collection of identity card numbers for insertion in a document to be executed by the holder of the identity card to establish or to evidence any legal or equitable right, interest or liability on the part of any person other than any right, interest or liability of a transient nature or which is trivial in the circumstances. 54. Paragraph 59 of the decision given in AAB No. 24/2013.

56

05_Data Protection.indd 56

2016/6/27 1:59:02 PM

Chapter 5. Data Protection Principle 1

went right to the heart of the Autotoll’s business and it was vital to its business that it could collect the same from the account holders. The AAB agreed with the approach adopted by the Commissioner by looking at the total loss across the board that would be suffered by the service operator in this case. Given the large customer base, a small debt per customer can build up to a very substantial sum. The AAB also considered that if the collection of HKID numbers was disallowed, Autotoll might be forced to take other measures to protect their business interests. The measures might include a zero credit policy whereby customers who failed to top up their accounts in time by mere inadvertence would suffer and Autotoll might as a result be flooded with complaints of poor customer service. Other operators would suffer too as they would need to recover payments directly from the registered vehicle owners (who may or may not be the culpable account holders). In view of the far reaching implications this might have on Autotoll’s business and in the interests of the tunnel and toll road operators, the AAB did not assume any right to interfere with legitimate business operations in the name of data protection. The AAB also agreed that the nature of the “right, interest or liability” involved was crucial to the proper operation of the Autotoll electronic toll collection service and was neither transient nor trivial, hence falling within paragraph 2.3.4.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers. 5.17 However, it should be stressed that the above AAB decision does not provide a licence for the collection of HKID numbers by business data users. It must be distinguished from other situations where data users have failed to demonstrate with concrete evidence how the collection of unpaid charges goes right to the heart of their business.

Collection of HKID Numbers for Customer Loyalty Programmes 5.18 In the widely reported Octopus card incident55 in 2010, the Commissioner found that Octopus Rewards Limited (“ORL”) had contravened DPP1(1) by collecting HKID numbers/passport numbers/birth certificate numbers, and month and year of birth from the subscribers to the Octopus Rewards

55. See Investigation Report No. R10-9866, available on the Website.

57

05_Data Protection.indd 57

2016/6/27 1:59:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Programme for the purpose of customer authentication. The Octopus Rewards Programme allowed subscribers to earn “reward dollars” on their Octopus card every time they made a purchase at ORL’s business partners. Such reward dollars could then be used to redeem certain goods and services from ORL’s business partners. ORL claimed that the collection of their customers’ data was necessary for customer authentication as the reward dollars were personal to each customer. Since an Octopus card could store reward dollars up to a maximum of only $1,000, the Commissioner found that ORL had failed to justify their claim that the collection of the HKID number was necessary to safeguard against damage or loss to ORL, which was more than trivial in the circumstances. Further, since the customer could be properly identified by his name, address and contact phone number held by ORL, the collection of HKID numbers was not justified under paragraph 2.3.3.3 of the Code of Practice on the Identity Card Number and other Personal Identifiers, and was found to be excessive. The same rationale applied to the collection of the customers’ month and year of birth, passport number and birth certificate number, which was also found to be excessive and unjustifiable. 5.19 The practice of collecting a partial HKID number was also examined in an investigation56 concerning the MoneyBack Programme run by A.S. Watson Group Limited through ParknShop. The MoneyBack Programme was a customer rewards scheme whereby customers were rewarded for their loyalty by redemption offers of goods and services as well as marketing offers. The application form for the scheme required applicants to provide their names, addresses, telephone numbers, the first four digits of their HKID numbers and their months and years of birth. The collection of the partial HKID number was for the purpose of identifying the customer in the event of report of loss of the card and also as default password to log in to the Programme’s website. The Commissioner did not accept such collection was necessary. First, the telephone number of the applicant, as noted in the application form, could also be used as default password. In addition, any other set of numbers or characters could be generated and assigned to the customer as a default password. As in the Octopus Card case, the

56. See Investigation Report No. R12-3888, available on the Website.

58

05_Data Protection.indd 58

2016/6/27 1:59:02 PM

Chapter 5. Data Protection Principle 1

Commissioner was of the view that the name, home address and telephone number were sufficient data for customer identification purposes. 5.20 Having considered that the contract entered into between the company and the customer involved only bonus points and discount privileges and that the low value (less than $1,000) of the reward points likely to be accumulated by the average subscriber, the Commissioner found that the collection of the partial HKID number did not fall within the permitted circumstances under the Code of Practice on the Identity Card Number and other Personal Identifiers.57 In coming to this conclusion, the Commissioner rejected the argument that the partial HKID number should not be deemed as a personal identifier, considering that it could be combined with other personal data collected to ascertain the identity of the customer. The company was thus found to have contravened DPP1(1).58

Collection of HKID Numbers through Mobile Apps 5.21 Nowadays, organisations use a mobile application (“app”) as a means to reach out to customers and collect and process a wide range of personal data. It is pertinent that before seeking to collect personal data, they consider whether the items are necessary and not excessive in complying with the requirements under DPP1(1).59 5.22 In an investigation, the Commissioner found that a travel agency had contravened DPP1(1) by requiring its customers to provide their HKID numbers and date of birth when using its mobile app for online enquiries about the reward points. Having purchased travel products with the travel agency, customers could join its loyalty programme and earn reward points. Upon enrolment with the loyalty programme, customers were assigned with

57. Paragraphs 2.3.4.1 of the Code of Practice on the Identification Card Number and other Personal Identifiers. 58. As regards the month and year of birth, the Commissioner however accepted the argument that these data was primarily collected for designing targeted promotional offers in order to better understand members’ background and make offers more suited to their needs. The Commissioner was of the view that the collection of the data was directly related to the purposes of the Programme and found no evidence to suggest that such collection was excessive. 59. The Commissioner has issued a Best Practice Guide for Mobile App Development providing practical guidance on privacy protection to mobile app developer, available on the Website.

59

05_Data Protection.indd 59

2016/6/27 1:59:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

membership numbers. Instead of using the membership numbers to identify its customers, the travel agency required the customers to key in their HKID numbers and date of birth for account enquiry or reward points redemption through the mobile app. The Commissioner rejected the travel agency’s argument that the collection was necessary for identifying the customers. Furthermore, the Commissioner found that the travel agency had accepted member enrolment without providing these items of personal data.60

Collection of Personal Data for Direct Marketing Purposes 5.23 In deciding what kinds of personal data are to be collected for direct marketing purposes, a data user shall comply with the requirements in DPP1(1) to ensure that only necessary, adequate but not excessive personal data is collected. In this respect, it is still useful to refer to the views expressed by the Commissioner and the AAB decisions before the new law came into operation.61 The Commissioner considered the names and contact details of data subjects to be generally sufficient for making a direct marketing approach. 5.24 In a complaint handled by the Commissioner, telemarketers collected names, gender, mobile phone numbers, residential addresses and partial HKID numbers from target customers over the phone by offering them a free medical check-up as an incentive, and then passed such data to an insurance broker for use in direct marketing. The Commissioner was of the view that for contact purposes in direct marketing activities, the collection of the name, phone number and address of a target customer would suffice. Hence, the insurance broker’s collection of the complainants’ partial HKID numbers was excessive and in contravention of DPP1(1)(c). However, the insurance broker might collect the HKID number from a customer after he has agreed to purchase the insurance product in response to the direct marketing activities.62

60. See Investigation Report Number R14-9945, available on the Website. 61. The Amendment Ordinance imposes stringent requirements on the collection of personal data in direct marketing. The amendments took effect on 1 April 2013. 62. See Investigation Report Number R13-1138, available on the Website.

60

05_Data Protection.indd 60

2016/6/27 1:59:02 PM

Chapter 5. Data Protection Principle 1

5.25 While some personal data may be useful to the data user for profiling the customers so that a target marketing strategy can be adopted for designing and promoting goods, facilities or services that the customers may be interested in, a data user should refrain from indiscriminately collecting as much personal data as possible. The data user should be mindful that the personal data collected has to be necessary for the lawful functions and activities of the data user. Under the revised direct marketing regime, the kinds of personal data to be collected for use in direct marketing shall be clearly stated so that the data subject can be fully informed before giving his consent or indicating no objection to the use of his personal data (see paragraphs 5.91 to 5.108 below).

Collection of Health Data of Employees 5.26 It may be a job requirement that an employee must be physically fit. For example, for the sake of public safety, a driver of public vehicles may need to show that he is not suffering from illness that will render him physically unfit to operate the vehicles. If the employee’s health data is required to satisfy such job requirements, the employer should ensure that only necessary, adequate but not excessive health data is collected. 5.27 The collection by Cathay Pacific Airways Limited (“CX”) of past medical data of its cabin crew members was the subject matter of an investigation carried out by the Commissioner in 2008.63 CX required its cabin crew members who took long or frequent sick leave to consent to the release of their medical data which related to the causes of their absences for the previous twelve months. The Commissioner found that the collection of medical data under the specific circumstances of the case was necessary, adequate but not excessive for the purpose of rehabilitation and assessment of the cabin crew members’ suitability to perform the inherent requirements of the job, and thus there was no contravention of the requirements under DPP1(1).

63. See AAB No. 3 /2007.

61

05_Data Protection.indd 61

2016/6/27 1:59:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

5.28 There are situations where more personal data from an employee is required before his supervisor can grant approval for a medical leave application. For instance, in AAB No.23/2013, an employee produced a certificate issued by a hospital confirming attendance by the employee of a “health talk” to support his medical leave application. Since the mention of the “health talk” in the certificate alone was not sufficient to show that it was related to the sickness of the employee, the employer asked the employee to produce the medical appointment slip for processing his leave application. The AAB agreed with the Commissioner that the collection of the medical appointment slip in the circumstances of the case was necessary to support that the leave applied for was related to the employee’s medical condition.

Collection of Criminal Records of Prospective Employees 5.29 A prospective employer should be careful when collecting personal data of a sensitive nature, such as health data, credit data and criminal records from a job applicant. In relation to the collection of criminal records of sex offenders, the Government introduced, on 1 December 2011, an administrative measure, known as Sexual Conviction Record Check Scheme,64 whereby a prospective employer can, with the consent of the job applicant, seek confirmation from the police of any criminal records of the job applicant relating to a list of sexual offences covered under the Scheme. The employer may consider collecting the information if the prospective employee will be involved, or will be likely to be involved in frequent or regular contact with children or mentally incapacitated persons. The Scheme does not operate to give prospective employers a blanket right to ask for the sex offence related criminal records from job applicants unless the stated circumstances of the Scheme are satisfied and it is necessary for the prospective employers to collect such criminal records. Further, employers should note that section 2 of the Rehabilitation of Offenders Ordinance (Cap 297) provides that if an individual was sentenced to imprisonment not exceeding three months or to a fine not exceeding HK$10,000, such individual will be treated as not having been convicted for the offence, if a period of three years has elapsed without further conviction. Previous record

64. The details on the Scheme can be found on the website of the Hong Kong Police Force.

62

05_Data Protection.indd 62

2016/6/27 1:59:02 PM

Chapter 5. Data Protection Principle 1

of this kind or failure to disclose the conviction will not form lawful grounds for dismissing or excluding an individual from any office, profession, occupation or employment.

DPP1(2) 5.30 Data Protection Principle 1(2) in Schedule 1 of the Ordinance provides as follows: (2) Personal data shall be collected by means which are – (a) lawful; and (b) fair in the circumstances of the case.

5.31 DPP1(2)(a) requires a data user to collect personal data by lawful means. The means of collection is unlawful if it is prohibited under any law. The theft of one’s credit card or bank account information is a typical example of collection by unlawful means. An example of the collection of personal data by lawful means is the lawful interception of a person by the police in exercise of the powers conferred under relevant enabling legislation65 and the subsequent recording in the police notebook of the particulars of the person as shown on his identity card with the aim of investigating and preventing crime.66 5.32 An obvious example of data being obtained by unfair and perhaps also unlawful means is personal data obtained through deception or coercion, for instance, the offering of free gifts on the street by a survey conductor to attract passers-by to complete a questionnaire and to provide their personal data without making known to them that the purpose is, in fact, to collect and amass personal data for sale in bulk to direct marketing companies for profits. 5.33 In a complaint case, telemarketers made cold calls to target customers and offered them free medical check-ups in return for their provision

65. Section 54 of the Police Force Ordinance. 66. See Wong Tze Yam v Tang King-shing, Commissioner of Police and Secretary for Justice, CACV 199/2009.

63

05_Data Protection.indd 63

2016/6/27 1:59:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

of personal data including names, contact details and HKID numbers. The collected personal data was passed to an insurance broker for use in direct marketing activities. The telemarketers provided false or misleading information to the complainants by describing themselves as representatives from an “Association” (and omitting the word “Limited”) so as to mislead target customers to believe that it was a non-profit-making body connected with the Government. They also falsely claimed that any personal data provided would be completely destroyed after the medical check-up. The Commissioner considered that the use of such misleading or arguably deceitful communication by the data users to collect personal data had contravened DPP1(2).67 5.34 The improper use of personal data mentioned in the preceding paragraph is addressed with greater regulatory vigour under the new requirements of the Ordinance68 which imposes a duty on the data user to provide prescribed information and obtain the written consent of the data subjects before the data is provided to a third party for use in direct marketing. See paragraphs 5.91 and 5.108 below for further details.

Collection of Personal Data through Blind Recruitment Advertisements 5.35 Another example of collecting personal data by unfair means is the use of “blind advertisements” inviting job applicants to apply for positions without disclosing the identity of the employer or recruitment agent, resulting in job applicants being lulled into sending resumes and other personal data to an unknown party.69 The situation is worse where there is in fact no recruitment exercise and the advertisement is placed solely as a pretext to collect personal data for use in conjunction with other purposes, such as the compilation of a list of individuals in order to provide it to a third party for carrying out direct marketing activities. Blind advertisements could also be exploited as an unscrupulous means to collect personal data for fraudulent activities, thus causing nuisance or financial loss to the persons affected.

67. See Investigation Report Number R13-1138, available on the Website. 68. Section 35J. 69. See clause 2.3.3 of the Code of Practice on Human Resource Management.

64

05_Data Protection.indd 64

2016/6/27 1:59:03 PM

Chapter 5. Data Protection Principle 1

5.36 In light of the acuteness of the problem of blind advertisements, the Commissioner commenced investigations against advertisers of seventyone blind advertisements; forty-eight of the investigations were completed in May 2014 and a report was published70 by the Commissioner in the same month. Some advertisers admitted non-compliance with DPP1(2), and others explained that they were ignorant of the legal requirements (which was found by the Commissioner not to be a valid defence). However, some advertisers argued that the collection of personal data was fair in the circumstances, as the data user’s identity could be discerned from the abbreviated version of its name (e.g. its initials) that appeared on the advertisement or from the full company name incorporated in the return email address. The Commissioner did not accept this argument as he found that the abbreviated name or email address of the data user did not provide sufficient and unambiguous information for the data subject to identify the advertisers. Other advertisers raised the argument that the advertisement did not include an express solicitation for the job applicant’s personal data. Taking into account the disparity of bargaining power between the employer and the job seeker, the Commissioner considered that the advertisements as presented would more than likely lure an ordinary job seeker to provide his full curriculum vitae in an attempt to secure the job, even if there was no express solicitation of personal data in the advertisements. He therefore decided that the advertisers had contravened DPP1(2). 5.37 The Commissioner conducted similar investigations in May 201571 and found that the situation had improved. A total of 12,849 advertisements placed in seven recruitment media were examined and only fifty-nine blind advertisements which warranted investigation were identified. The proportion of blind advertisements had dropped from 3.45% (in the 2014 survey) to 0.46% (in the 2015 survey).

Collection of Personal Data by Covert Means 5.38 A similar, but perhaps less clear, situation in which the issue of DPP1(2)

70. See Investigation Report No. R14-6242, available on the Website. 71. See Investigation Report R15-8107, available on the Website.

65

05_Data Protection.indd 65

2016/6/27 1:59:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(b) may arise, relates to the capturing and recording the visual image of an individual by means of a camera, video recorder or other device.72 The Commissioner’s position in this regard is illustrated in the investigation report published73 in respect of the covert videotaping of the activities of a female hostel inmate of a university by her friend using a hidden camera installed in her room without her knowledge. The Commissioner found that the manner of collecting the complainant’s personal data was highly privacy intrusive and that the means which were adopted without the knowledge and consent of the complainant were unfair in the circumstances of the case, and hence in breach of DPP1(2). 5.39 Another investigation74 carried out by the Commissioner on the issue of covert surveillance was in relation to the installation of pinhole cameras by a property management company responsible for managing a private residential estate with a car park. The relevant facts are that two of the employees of the property management company were dismissed as they were found lingering for long periods of time in the changing room while on duty. Such conduct was discovered as a result of their images being captured by the pinhole cameras installed by the employer on the wall of the staircase leading to the changing room. The employees were not aware of the existence of the pinhole cameras and lodged complaints to the Commissioner on the grounds that their personal data was collected by means which were unfair. 5.40 The employer explained that after it had received complaints from the residents of the estate that promotional materials were placed on the

72. For collection of employees’ personal data through telephone, email, internet or video monitoring carried out by an employer, the Commissioner has, in the exercise of his powers under section 8(5) of the Ordinance, issued a Privacy Guidelines: Monitoring and Personal Data Privacy at Work in December 2004 (available on the Website) which gives practical guidance for employer’s consideration. The three A’s concept was introduced, i.e. assessment, alternatives and accountability for the employer to take into account before deciding whether to engage in any employee monitoring activity. 73. See Investigation Report No. R97-1948, available on the Website. See also Investigation Report No. R05-7230 in respect of the collection of employees’ personal data by an employer for a suspected crime of theft through the installation of pinhole cameras. The employer was found to have contravened DPP1(2) in collecting employees’ personal data by unfair means in the circumstances of the case. 74. See Investigation Report No. R12-4839, available on the Website.

66

05_Data Protection.indd 66

2016/6/27 1:59:03 PM

Chapter 5. Data Protection Principle 1

windscreens of cars in the car park, the pinhole cameras were installed to investigate the complaints and for security reasons, not for staff monitoring. Following the Eastweek case, the Commissioner found that the employer had collected the personal data of the employees when their act of lingering was recorded by the pinhole camera which the employer relied on when terminating their employment. As overt surveillance devices, i.e. CCTVs, were already installed for security reasons inside the car park which should have been sufficient to detect and deter the conduct complained about by the residents of the estate, the employer had failed to give valid reasons for installing the pinhole cameras, which were in fact used for the purpose of monitoring employees. Having considered the intrusive nature of engaging in covert monitoring activities without sufficient justification, the Commissioner found the employer to have contravened DPP1(2). 5.41 The act of covertly collecting an employee’s web-browsing activities was criticized by the AAB in its decision, AAB No. 14/2006. In this case, the employer asked for the computer log-in password of the employee and used the password to access the computer assigned for use by the employee after he had left the office. The employer collected the cookies recording usage of the computer and used the information to terminate the contract of employment of the employee. According to the policy of the employer, the computer was the employer’s property and could only be used for work purposes. The employee was found to have used the computer for browsing non-work related websites. The AAB expressed the view that while the computer was the property of the employer, there existed other less privacy intrusive alternatives to collect the information contained in the computer which might include personal data of the employee, for instance, by collecting the web-browsing activities through the server administrator or collecting the data in the presence of the employee. Following the AAB’s directive to investigate further into the case, the Commissioner found that the employer had in the circumstances failed to show that the personal data was collected by fair means. 5.42 In a case concerning the secret recording of conversations, the Commissioner considered that the personal data of the complainant was collected by unfair means. The conversations were secretly recorded by a teacher during a lunch meeting that took place between him and his

67

05_Data Protection.indd 67

2016/6/27 1:59:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

supervisor. The purpose of the lunch meeting was to discuss the teacher’s performance and to offer counseling to the teacher. The recording was made without the knowledge of the supervisor and the recorded conversations were subsequently uploaded onto a website accessible by the public. The case went on appeal to the AAB in AAB No. 46/2006. The AAB took the view that the subsequent use of the recorded conversations indicated that the recording was not made bona fide in that it was not simply for keeping a record of the meeting. The AAB agreed that the means of collection of the personal data contained in the recorded conversations were unfair, contrary to DPP1(2).75 5.43 In another case concerning employee monitoring, the AAB in its decision in AAB No.25/2013 agreed with the Commissioner that the collection of the personal data, by searching the employer’s own computer system and the office email account for use of the complainant, was not unfair because the monitoring conformed with the employer’s IT policy. The complainant was informed of the policy when she signed the employment letter. Such policy covered the monitoring activities complained of which had been undertaken after some serious allegations against the complainant’s supervisor were made and the irregularities about the complainant’s application to sit for a qualifying examination were raised. Furthermore, the scope and duration of the monitoring activities were appropriate in view of the purpose. 5.44 The use of covert monitoring devices to collect personal data without the data subject’s knowledge is generally taken to be highly privacy intrusive, more so if these devices have been installed in places where there is a legitimate expectation of privacy, for example, in changing rooms or bedrooms. In the Privacy Guidelines: Monitoring and Personal Data Privacy at Work issued by the Commissioner, data users are advised to carefully evaluate the need for engaging in covert monitoring which should only be used as a last resort after taking into account the following factors, namely: •

that there is a reasonable suspicion to believe that an unlawful activity is about to be committed, is being committed or has been committed;

75. Dissatisfied with the AAB decision, the teacher applied for leave for judicial review, and the application was refused by the Court, see HCAL 90/2011.

68

05_Data Protection.indd 68

2016/6/27 1:59:03 PM

Chapter 5. Data Protection Principle 1

•

that the need to resort to covert monitoring to detect or collect evidence of that unlawful activity is absolutely necessary in the circumstances;

•

that the use of overt monitoring would likely prejudice the detection or the successful gathering of the evidence of that unlawful activity; and

•

that covert monitoring can be limited in scope so that it targets only those areas in which the unlawful activity is likely to take place and it is undertaken on a limited duration basis.76

Collection of the Activities of Individuals That Take Place inside a Private Residence by Systematic Surveillance and Using a Long-Focus Lens 5.45 The adoption of systematic surveillance and use of long-focus lens cameras to record images of three artistes were the key issues considered by the Commissioner in his investigations against Sudden Weekly Limited and Face Magazine Limited (the magazines).77 The images were published in the magazines depicting the daily life of the artistes and intimate acts, with intent to be suggestive of their cohabiting. The primary issue before the Commissioner was whether the images (being the personal data of the artistes) were collected by unfair means in the circumstances. 5.46 The Commissioner considered the following factors in his deliberations, namely, (i) whether the artistes had a reasonable expectation of privacy in the circumstances of being watched and photographed; and (ii) whether the publishers’ collection of the artistes’ personal data involved any public interest. 5.47 For factor (i), while an artiste may welcome some publicity in public places or when engaged in public activities, the Commissioner was of the view that he has a reasonable expectation of privacy in his own home. It transpired from the facts that the photographs were taken from a far distance and the artistes were at their places of residence which were not easily visible to the public.

76. See Paragraph 2.3.3 of the Guidelines, available on the Website. 77. See Investigation Reports Nos. R12-9159 and R12-9164, available on the Website.

69

05_Data Protection.indd 69

2016/6/27 1:59:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



The photographs were taken over a period of days and some of the images were captured at night. Although the artistes might expect that entertainment reporters would take photographs of them, they would not reasonably expect someone to stay at the site, night and day for several days to take photographs of them by means of a long-focus lens camera. The Commissioner found the photographers’ act of prolonged and systematic surveillance of the artistes’ activities inside their residences and the shooting of the photographs of these artistes from a long distance by special photographic equipment had seriously intruded upon their privacy. Intrusive acts of this sort could only be justified on the grounds of overriding public interest.

5.48 For factor (ii), the Commissioner considered that the distinction should be drawn between the acts of reporting facts capable of contributing to a debate of general public interest and making tawdry descriptions about an individual’s private life. If the reporting does not involve a matter of public interest and its purpose is merely to expose an artiste’s private life, the media must collect the artiste’s personal data by fair and not privacy intrusive means. 5.49 Having taken the above factors into account, the Commissioner found that the magazine publishers’ acts (committed through their photographers) of collecting the artistes’ personal data in the circumstances were unfair. The Commissioner emphasised the importance of striking a proper balance between the freedom of the press and privacy protection, referring to the judgment of the Eastweek case: 49. …. There is no such thing as unqualified freedom of the press or absolute right of the individual. This is not a case of freedom of the press versus the right of the individual both of which are bulwarks of a free society. It is a case of the co-existence of two great principles that need to be carefully balanced. A free press is, after all, a responsible press. Freedom, of whatever form, will only thrive under law.

5.50 In the subsequent appeal against the Commissioner’s decisions in these cases concerning the artistes (AAB No. 5 & 6 of 2012), the AAB upheld the decision of the Commissioner and agreed that the collection of the photographs of the artistes in question was by means which were unfair in

70

05_Data Protection.indd 70

2016/6/27 1:59:03 PM

Chapter 5. Data Protection Principle 1

the circumstances, in contravention of DPP1(2). The AAB accepted that public interest was one of the factors to be considered, and that where there were competing considerations, it is a question of balancing the fairness in collecting the personal data against the public interest in knowing the truth. In the circumstances of these cases, the AAB found that what the appellants sought to expose (namely, the cohabitation between the artistes in question) was not in the interest of the public. The AAB agreed with the observation made by the LRC of Hong Kong (in paragraph 7.72) in its Report on Civil Liability for Invasion of Privacy that the “mere fact that a person is an artiste or is engaged in some occupation which brings him into public notice is not of itself enough to make his private life a matter of public interest”. What may interest the public is not necessarily something in the public interest.

Employees Providing Past Medical Records and Consequential Disciplinary Actions 5.51 The fairness of the means of collection was also considered in the CX case mentioned in paragraph 5.27 above. Although the collection of the cabin crew members’ medical data was considered necessary under DPP1(1) in view of the airline’s duty to comply with the Civil Aviation Directives to ensure that cabin crew members were physically fit to perform cabin crew duties, the Commissioner found that there was an element of threat in the manner the airline expressed this requirement especially through its newsletter in which it was indicated that failure to provide consent would be treated as a disciplinary matter. To that extent, the Commissioner concluded that the means of collection of the past medical data by the airline was unfair in the circumstances. On appeal to the AAB in AAB No. 3/2007, the AAB upheld the decision of the Commissioner. 5.52 CX subsequently applied to the Court of First Instance of the High Court for a judicial review of the decisions made by both the Commissioner and the AAB.78 The High Court held that in circumstances where disclosure of personal data was properly rendered mandatory, it was necessary for CX to advise the cabin crew of the adverse consequences of failing to make

78. HCAL 50/2008.

71

05_Data Protection.indd 71

2016/6/27 1:59:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

disclosure, hence, the advice given by CX to its cabin crew members did not of itself pose a threat or amount to an exertion of undue influence on the latter. The Court quashed the decisions of the Commissioner and the AAB. 5.53 In its judgment, the Court observed that the disquiet expressed by the Commissioner and the AAB, “was to a material degree, based on the blunt and brusque manner in which certain information concerning the failure to consent to deliver up medical records under the [airline’s relevant policy] was conveyed to cabin crew members” in a “threatening or oppressive tone of relevant literature”. In the learned judges’ views, “fairness is a broad principle and, as to the manner in which personal data is to be collected, is capable of encompassing the form in which relevant information is conveyed as well as the substance of that information”.

Giving Misleading Information to Obtain a Credit Report from a Credit Reference Agency 5.54 The meaning of fairness in the context of personal data privacy protection can also be illustrated by the case of collecting consumer credit data pursuant to the Code of Practice on Consumer Credit Data issued by the Commissioner. Clause 2.11 of the Code states that for requests made to access the database of a credit reference agency by a credit provider, the credit provider shall confirm the purpose of access to the data in order to prevent arbitrary or indiscriminate access to sensitive personal data. 5.55 The Code was revised in 2011 to permit credit providers to access the mortgage count79 of an individual through a credit report under prescribed circumstances.80 Clause 2.11 of the Code was extended to impose an obligation on the credit provider to confirm the purpose of access to the mortgage count data. 5.56 The Code also explicitly prohibits81 access to the consumer credit data of an

79. “Mortgage count” means the number of mortgage loans under which an individual is a borrower, mortgagor and/ or guarantor. 80. Paragraph 2.9A of the Code. 81. Paragraph 2.12 of the Code.

72

05_Data Protection.indd 72

2016/6/27 1:59:03 PM

Chapter 5. Data Protection Principle 1

individual by a credit provider for the purpose of offering or advertising the availability of goods, facilities or services to such individual.

Collection of Personal Data from the Public Domain 5.57 The Ordinance does not exempt the application of DPPs to personal data collected from the public domain, such as public telephone directories, members’ directory maintained by a trade or professional body or public registers maintained by various government departments. It may be tempting for a data user, in particular a direct marketer, to harvest personal data from the public domain and use it in direct marketing activities. Some relevant cases decided by the Commissioner or heard by the AAB are discussed below. 5.58 In a complaint about the receipt of car park promotional offers sent by a car park management company with the complainant’s name, address and vehicle registration number, the Commissioner carried out an investigation.82 The evidence before the Commissioner showed that the company had arranged its staff to conduct searches at the Transport Department for vehicle owners’ registered particulars. The Transport Department required applicants for the Certificate of Particulars of Motor Vehicle to certify in the application form that the information provided was true and complete. Under the relevant ordinance,83 any person who makes any statement which is false for the purpose of obtaining the Certificate commits an offence. The car park management company’s staff declared in the application form that the purpose of obtaining the vehicle owners’ personal data provided in the Certificate of Particulars of Motor Vehicle was “for legal proceedings”, where in fact the information collected was used for sending promotional offers to the vehicle owners. There was no evidence to show that the company had taken steps to prevent its staff from making a false statement in the application forms. Concluding the investigation, the Commissioner found that the company had collected personal data by unfair means in the circumstances.

82. See Investigation Report No.12-3428, available on the Website. 83. Section 111(3) of the Road Traffic Ordinance, Cap 374, Laws of Hong Kong.

73

05_Data Protection.indd 73

2016/6/27 1:59:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

5.59 For the purpose of providing consumer credit reference services to credit providers, the Code of Practice on Consumer Credit Data84 permits the collection by a credit reference agency of data contained in official records that are publicly available and relating to any action for the recovery of a debt or judgment for monies owed that is entered against an individual. This issue formed the subject matter of AAB No.5/2010 where a complaint was lodged against a credit reference agency for collection of information about a civil monetary claim involving the complainant. The information was obtained from a public search of court actions. The civil monetary claim had been settled between the relevant parties, but the settlement agreement was not a public document and the credit reference agency did not know about it. The complainant maintained that the collection of his personal data relating to the court action by the credit reference agency without his knowledge prevented him from updating the record held by the credit reference agency on settlement of the claim. The AAB noted that the information was relevant in putting credit providers on notice to find out the outcome of the civil action, albeit the approval of credit facilities might be delayed. It accepted that there was no requirement under the Ordinance or the Code for the credit reference agency to notify the complainant before collecting his personal data from court records. Hence there was no contravention of the Code or the Ordinance.

Collection of Biometric Personal Data, Such as Fingerprint Data and Consent 5.60 The question as to whether fingerprint data is personal data was discussed in Chapter 2. It is a unique identifier of an individual which remains unchanged throughout his lifetime. Given the sensitive nature of biometric data, collection of such data should be handled cautiously. Before seeking to collect biometric data from data subjects, a data user should assess the privacy risks and impact of such collection and consider whether the purpose of collection can be effectively achieved by other less privacy intrusive alternatives. In seeking consent from the data subject for the provision of his fingerprint data, it is important that the data subject is free and able to give

84. Clause 3.1.3A of the Code.

74

05_Data Protection.indd 74

2016/6/27 1:59:03 PM

Chapter 5. Data Protection Principle 1

such consent voluntarily, not under undue pressure, influence or threat. If a data user compulsorily collects the personal data of the data subjects without any legal basis or reasonable grounds and takes adverse action against those who are not willing to provide their data, such means of collection would not be regarded as fair. Furthermore, the Commissioner will consider if the data user has provided information to the data subjects to enable them to clearly understand the possible impact of collection of their fingerprint data, including any adverse impact and whether other less privacy intrusive options have been offered to the data subjects to make a well-informed decision. 5.61 Children of school age or individuals who are incapable of managing their own affairs are vulnerable, warranting greater protection of their personal data privacy. Collection of fingerprint data from these groups, if challenged, will be critically examined by the Commissioner. A primary school’s practice of collecting the fingerprint data of its students for the purpose of recording the use of the canteen and library facilities was found to be unnecessary and excessive.85 5.62 In a complaint case where an employer collected fingerprint data to record staff attendance, the Commissioner considered the keeping of an effective and accurate staff’s attendance record was not sufficient grounds to justify the collection of biometric personal data of a sensitive nature. Particularly as the employer had also installed surveillance cameras to monitor staff attendance and the system that collected the fingerprint data also offered the option of using passwords for staff identification, the collection of the fingerprint data was unnecessary and excessive. The Commissioner also found that the staff were under undue pressure to oblige for fear of the termination of their employment. Taking further into account that the employer had not provided the staff with sufficient information to enable them to make informed decisions, the Commissioner found the employer had adopted unfair means to collect the fingerprint data in all the circumstances of the case, and contravened DPP1(2)(b).86

85. See case note no. 2005C12, available on the Website.. 86. See investigation Report No. R09-7884, available on the Website.

75

05_Data Protection.indd 75

2016/6/27 1:59:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

5.63 Similarly, in another investigation case,87 the Commissioner considered that an employee’s consent to providing fingerprint data to her employer was neither genuine nor informed. In that case, a high-end fashion trading company collected employees’ fingerprint data for the purposes of safeguarding office security and monitoring staff attendance. The employer had failed to duly inform employees of relevant matters such as whether the whole or partial images of fingerprints were collected; how the fingerprint recognition devices operated; the class of persons to whom fingerprint data might be transferred; the privacy risk associated with the collection and use of fingerprint data and the measures to prevent abuse or improper handling of the data; the channel for employees to inquire about the accuracy of their attendance data collected; the retention period of their fingerprint data and the persons who could access the fingerprint data, etc. Therefore, the Commissioner took the view that the collection of the employees’ fingerprint data by the employer was not fair in the circumstances, and was thus a contravention of DPP1(2). Another finding related to the security of the premises. To safeguard its property, the employer had already installed several security devices including CCTV cameras, digital locks, ordinary door locks and a chain lock. In particular, the installation of CCTV cameras was proven effective in identifying the culprits involved in several day-time theft incidents experienced by the employer, all committed by its staff and customers, who were authorised to access the premises. The Commissioner considered that the installation of fingerprint recognition devices to prevent unauthorised entry would not help prevent these thefts. Besides, the company had only twenty employees. Hence, it would be relatively easy to monitor staff attendance by other less privacy intrusive alternatives such as using a password or a smartcard that carries an identification number instead of using a fingerprint recognition device. These alternative means could well involve no additional collection or retention of personal data. Therefore, the Commissioner also considered that the employer’s collection of the employee’s fingerprint data was unnecessary and excessive in the circumstances, in contravention to the requirements under DPP1(1).

87. See Investigation Report No. R15-2308, available on the Website.

76

05_Data Protection.indd 76

2016/6/27 1:59:04 PM

Chapter 5. Data Protection Principle 1

5.64 The Commissioner respects a data subject’s free will to provide his biometric data for his daily or social activities, such as for gaining access to an amusement theme park. In an investigation carried out by the Commissioner, the theme park in question gave options to its customers to choose between the provision of fingerprint data and photographs for identification, and no fingerprint data of children aged 11 and below was collected.88 Where the data subjects are sufficiently informed of the adverse impact brought about by the collection of their fingerprint data and they are given an option not to provide the data, there is no issue of unfairness. Data users who intend to collect the fingerprint data of data subjects for performing its lawful functions and activities may refer to the Guidance on Collection and Use of Biometric Data issued by the Commissioner.89

DPP1(3) 5.65 Data Protection Principle 1(3) of Schedule 1 to the Ordinance provides as follows: (3) Where the person from whom personal data is or is to be collected is the data subject, all practicable steps shall be taken to ensure that – (a) he is explicitly or implicitly informed, on or before collecting the data, of – (i) whether it is obligatory or voluntary for him to supply the data; and (ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and (b) he is explicitly informed – (i) on or before collecting the data, of – (A) the purpose (in general or specific terms) for which the data is to be used; and

88. Case No. 2009C10 of Complaint Case Notes, available on the Website. 89. See the Guidance on Collection and Use of Biometric Data, available on the Website.

77

05_Data Protection.indd 77

2016/6/27 1:59:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(B) the classes of persons to whom the data may be transferred; and (ii) on or before first use of the data for the purpose for which it was collected, of – (A) his rights to request access to and to request the correction of the data; and (B) the name or job title, and address, of the individual who is to handle such request made to the data user, unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data was collected and that purpose is specified in Part 8 of this Ordinance as a purpose in relation to which personal data is exempt from the provisions of data protection principle 6.

5.66 DPP1(3) requires a data user to notify the data subject of prescribed information (outlined further below) on or before the collection of his personal data. This requirement is generally only applicable where a data user collects personal data directly from the data subject, except in respect of personal data used for direct marketing purposes (see paragraph 5.107 below). However, the data user is still required to comply with DPP3, i.e. without the data subject’s prescribed consent it cannot use the personal data for any purpose other than the original purpose for which it was collected from the data subject or a directly related purpose (DPP3 is discussed in further detail in Chapter 7).

Application of DPP1(3) 5.67 DPP1(3) provides, at the outset, “Where the person from whom personal data is or is to be collected is the data subject,...” there is a duty to inform the data subject of the prescribed matters where the data in question is collected directly from the data subject. Hence, the notification requirement under this principle is generally considered by the Commissioner not to be applicable where the personal data in question is: • collected from a third party;

78

05_Data Protection.indd 78

2016/6/27 1:59:04 PM

Chapter 5. Data Protection Principle 1

• unsolicited and supplied by the data subject; or • generated by the data user itself (considering the definition of “data”, as explained in paragraph 2.1 of Chapter 2, includes an expression of opinion in a document). 5.68 The notification obligation under DPP1(3) arises in commonly encountered situations of collection of personal data, such as where: • an individual is asked to provide written information about himself (e.g. by filling in a form); • the individual is asked to provide oral information to be recorded (e.g. making a statement to the police); • personal data is generated by the data user in the course of its conduct with the data subject (e.g. entering into employment or banking transactions); or • personal data about the individual is obtained through automatic or scientific devices (e.g. recording a telephone conversation, conducting a medical checkup, etc.).

Obligation Not Absolute — “All Practicable Steps” 5.69 DPP1(3) requires “all practicable steps” to be taken by the data user to ensure that the data subject is informed of the matters mentioned therein on or before the collection of the data. “Practicable”, as provided under section 2(1), means “reasonably practicable”. 5.70 Accordingly, the requirement under DPP1(3) does not apply in those situations where it is not reasonably practicable to inform the data subject, examples of which include: • law enforcement — where it is necessary in the course of law enforcement to collect the personal data of an individual without prior notification; • employment — where personal data is collected as evidence of an employee’s dereliction of his duty or misconduct, e.g. video images showing that an employee was sleeping while on duty (AAB No. 23/2008

79

05_Data Protection.indd 79

2016/6/27 1:59:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

and AAB No. 7/2011) or photographs taken of a uniformed security guard who was found behaving in an objectionable manner in a public place (AAB No.29/2008); and • receiving unsolicited data from the data subject — where personal data is received without having been requested. In relation to such data, it is impractical in most cases to expect the recipient to give notice pursuant to DPP1(3) to the sender, for example, the voluntary sending of a job resume or name card to a company to seek employment or solicit business. 5.71 In situations where a data user is required to inform the data subject from whom personal data is collected about the matters mentioned in DPP1(3), the next question to ask is whether the effort made to inform the data subject sufficiently constitutes “all reasonably practicable steps” as required under DPP1(3). For example, where a notice has been posted up, matters such as the prominence of the notice, whether and how the data subject has been told about the existence of the notice are relevant factors to consider. Where direct communication with the data subject is not possible, the adoption of practical alternatives to bring the notice to the attention of the data subject is also a matter that needs to be taken into account in deciding whether “all reasonably practicable steps” have been taken in compliance with DPP1(3). In AAB No. 25/1999, the AAB found a hospital in breach of DPP1(3) for failing to take all reasonably practicable steps to draw the attention of its private patients to the PICS as the notice displayed in the waiting room was not prominent enough. 5.72 The manner in which the terms and conditions contained in a credit card application form were presented by a bank was scrutinized by the AAB in AAB No.38/2009. By signing the application form, the customer agreed to the use of his personal data by the bank to market the services or products of the bank and their selected companies. One of the observations made by the AAB concerning the application form was that “… the print was so small that no one could reasonably be expected to be able to read the content without the aid of some form of magnifying glass …, the very design of this application form in our view simply discourage people from reading the fine print”. The AAB was of the view that if the data user intended to provide the personal data to a third party, it must be clearly stated in a legible manner.

80

05_Data Protection.indd 80

2016/6/27 1:59:04 PM

Chapter 5. Data Protection Principle 1

The AAB upheld the decision of the Commissioner that the bank had not taken sufficient steps to make sure that the relevant terms and conditions (in connection with the purposes of use of personal data and its transfer to third parties) were brought to the attention of the complainant when she filled in the application form. 5.73 The views of the AAB were followed in subsequent decisions made by the Commissioner, most notably in the Octopus Card case90 where the terms and conditions appearing in the registration form for joining the Octopus rewards programme were found to have been printed in small print and cramped into a single paragraph containing forty-two lines in English and thirty-two lines in Chinese, making it difficult to read and comprehend. The Commissioner was of the view that the operator of the Octopus Card had not taken all practicable steps to clearly and dutifully inform the applicants of the specific clause concerning the use and transfer of personal data under the rewards programme. 5.74 With the proliferated use of mobile apps to enhance customer services, it is increasingly common for data users to collect personal data through mobile apps. Data users must ensure compliance with the legal obligations under DPP1(3). In an investigation conducted by the Commissioner, two travel agencies were found to have contravened DPP1(3)(b) by failing to provide the requisite information to the mobile app users on or before the collection of personal data.91

Notification Requirements 5.75 The specific matters of which an individual needs to be informed under DPP1(3) are set out in paragraphs (a) and (b). For those matters falling under paragraph (a), the individual should be “explicitly or implicitly” informed. The Commissioner takes the view that explicit notification of those matters will not be required where it is obvious from the

90. See Investigation Report No. R10-9866, available on the Website. See also paragraph 5.18 of this Chapter. 91. See Investigation Report No. R14-9945, available on the Website.

81

05_Data Protection.indd 81

2016/6/27 1:59:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

circumstances. For example, where there is an invitation to submit contact data for a lucky draw, it is not necessary to state explicitly that the provision of the data is purely voluntary, which is obvious from the circumstances. Another example is where a policeman, in discharging his duties, asks a person in the street to provide his name and address in circumstances where it is obvious that such a request is obligatory. However, in situations where a data subject is given an option to decide whether to supply voluntarily his personal data for use by the data user for a number of different purposes, it is good practice for the data user to give clear indication of the choices to be given to the data subject to avoid misunderstanding. 5.76 In contrast, under paragraph (b) a data user is required to take all reasonably practicable steps to ensure the individual is “explicitly” informed of the matters mentioned therein. Accordingly, notification is necessary even if it may appear to be stating the obvious. There is, however, no requirement for the notification under DPP1(3) to be in writing, although the Commissioner would consider this to be good practice, especially for organisational data users. It is common practice for the notifications required under DPP1(3) to be conveniently included in one written statement, generally referred to as a PICS. 5.77 To facilitate understanding of the data user’s obligations under DPP1(3), the Commissioner has published a Guidance Note on Preparing Personal Information Collection Statement and Privacy Policy Statement which serves as general reference for data users when preparing PICS and PPS.92

The Purposes of Use 5.78 Under DPP1(3)(b)(i), the data subject is to be explicitly informed by the data user of “(A) the purpose (in general or specific terms) for which the data is to be used, and (B) the classes of persons to whom the data may be transferred”, on or before the collection of the data. 5.79 Of the various kinds of information of which a data subject has to be informed under DPP1(3), the above item (A) is perhaps the most important.

92. The Guidance Note is available on the Website.

82

05_Data Protection.indd 82

2016/6/27 1:59:04 PM

Chapter 5. Data Protection Principle 1

This is because many of the requirements of the Ordinance (including, for example, those under DPP1(1), DPP2, DPP3, DPP5 and section 26, as well as some of the exemptions under Part 8) apply with reference to the “purpose” of the collection of the data. Hence, a data user should make sure that such purpose is reflected correctly and adequately in the PICS. It is noteworthy that the purpose as stated in the PICS is one of the relevant factors, though not necessarily the sole factor, that the Commissioner will look at in determining whether there is contravention of any of the provisions of the Ordinance. For a detailed discussion of those other factors that are also considered relevant in ascertaining the permitted purpose of use, readers are referred to Chapter 7. 5.80 While a data user is allowed to state the purpose of use of personal data in compliance with paragraph (A) of DPP1(3)(b)(i) in general terms, it should ensure that the data subject can ascertain with a reasonable degree of certainty the purpose of use. In the Octopus Card case mentioned above, one of the purposes of use was stated to be “as a source of information and data for other related purposes”. The Commissioner found the purpose of use too loosely worded as it could well include a “remotely related purpose” as opposed to “direct related purpose”. 5.81 The same view was adopted by the Commissioner in the investigation into the collection and use of personal data of the subscribers to the MoneyBack Programme run by A. S. Watson Group (Hong Kong) Limited (“ASW”)93 where a PICS was given to data subjects, which provided for the use of personal data for “marketing goods and/or services by [the ASW], our agent, our subsidiaries, or Our Partners”. Having considered the nature of the programme, the Commissioner considered the purpose of use too vague. Without specifying in detail the nature of the businesses of ASW’s subsidiaries and partners, the scope for marketing the goods or services to include those offered by the subsidiaries and partners was found to be too broad. It should have specified the types of products or services that would be potentially marketed by these subsidiaries and partners, which could be totally different from the products and services offered and covered

93. See Investigation Reports No. R12-3888 and R12-3890, available on the Website.

83

05_Data Protection.indd 83

2016/6/27 1:59:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

by the programme. Hence, it is likely that the purpose of the use of data, nature of subsidiaries’ and partners’ business, and scope of marketing would fall outside the reasonable expectation of the programme members. The Commissioner was of the view that when the statement of purposes of use was drafted in such a manner that there was no clear limit, it could not meaningfully be qualified as a purpose, whether in general or specific terms, for the purposes of DPP1(3)(b)(i)(A). (See paragraphs 5.91 to 5.108 below for details on the new requirements regarding direct marketing.) 5.82 In another investigation, the Commissioner looked at the situation where frontline telemarketers of an association approached the data subjects by phone. The telemarketers asked the call recipients to provide contact data on the pretext of sending gifts to them when in fact the data was transferred to an insurance company to facilitate its direct marketing activities. As a result, the call recipients were not able to ascertain with a reasonable degree of certainty the purposes of use of their personal data and the classes of transferees. The Commissioner found that the association was in breach of DPP1(3)(b)(i).94

The Classes of Persons to Whom the Data May Be Transferred 5.83 Paragraph (B) of DPP1(3)(b)(i), which concerns the classes of persons to whom the data may be transferred, is also very often the bone of contention between the data user and the data subject. For example, a transaction involving the collection of personal data from an individual may entail the further transfer of such data to a third party for a purpose directly related to the original purpose of collection but the individual may not be able to foresee the further transfer. In this connection, a specific transferee clause in a PICS will help avoid any unpleasant surprise or dispute. The transfer of personal data of a debtor by a credit provider to a debt collection agent for the purpose of debt recovery is a case in point. In AAB No. 21/2009, a telecommunications company transferred the personal data of a customer who had defaulted in payments of the service fee to a debt collection agent.

94. See Investigation Report No.13-1138, available on the Website.

84

05_Data Protection.indd 84

2016/6/27 1:59:04 PM

Chapter 5. Data Protection Principle 1

The AAB found the telecommunications company had failed to expressly include the debt collectors in the class of transferees in the PICS on or before collection of his personal data. The telecommunications company was found to have contravened DPP1(3)(b)(i)(B). Again, in AAB No. 51/2011, the AAB ruled that the telecommunications company in question should have specified clearly that the debt collectors (instead of “agent”) were a permitted class of transferee. 5.84 It is also important to note that the word “use”, in relation to personal data, is defined in section 2(1) of the Ordinance to include acts to “disclose” or “transfer” the data. In other words, “transfer” is one type of “use”. On this basis, the Commissioner takes the view that paragraph (B) in DPP1(3)(b)(i) should be read subject to paragraph (A). Put simply, the transfer of data to a third party coming within paragraph (B) may only arise where the purpose for such transfer comes within paragraph (A), but not otherwise. 5.85 The issue on what constitutes a class of person under paragraph (B) of DPP1(3)(b)(i) to whom personal data may be transferred was also examined in the Octopus Card case and the MoneyBack Programme case mentioned above. In the Octopus Card case, the classes of transferees of the personal data included “any other person under a duty of confidentiality to us …” This catch-all clause in effect suggested that it was entirely up to the operator of the Octopus Card to decide what and to whom the personal data was to be transferred. The Commissioner did not accept that the operator of the Octopus Card had discharged its obligations under DPP1(3)(b)(i) (B) by adopting such loose descriptions of the classes of transferees in the PICS on the grounds that the data subjects would be unable to ascertain with a reasonable degree of certainty the classes of transferees to whom their personal data would be transferred. In other words, the data subjects’ right to control the use of their personal data would be compromised and surrendered to the data user. 5.86 In the case of the MoneyBack Programme mentioned above, the Commissioner found the classes of data transferees, such as “our Partners”, “Group” and “third parties” to be ill-defined as they enabled ASW to transfer the personal data of its customers to practically any companies within its group of related companies, business partners and even third parties. While

85

05_Data Protection.indd 85

2016/6/27 1:59:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the goods and facilities provided to the customers under the MoneyBack Programme were specific types of consumer products, the business of the hundreds of companies in the Group was very diversified (comprising property, hotels, retail, telecommunications, finance and investments). To permit the transfer of the personal data of the MoneyBack Programme customers to all of these companies would exceed the reasonable expectation of these customers. 5.87 Regarding the matters to be notified to a data subject under DPP1(3)(b)(ii), it should be noted that they differ from those under DPP1(3)(b)(i) in that the notification is required to be given “on or before first use of the data for the purpose for which it was collected”. It is therefore permissible under DPP1(3)(b) for a data user, on or before the collection of personal data, to give the data subject notification under DPP1(3)(b)(i) first, and later, on or before first using such data, to give a separate notification under DPP1(3) (b)(ii). However, save in exceptional situations, there would seem to be little advantage in adopting a two-step process. Instead, it would be more sensible and practicable for a data user to give a comprehensive PICS in compliance with both sets of requirements at the same time.

The Right to Request Access to and Correction of the Data 5.88 Similar to DPP1(3)(b)(i), DPP1(3)(b)(ii) also consists of two paragraphs (A) and (B). The requirement under paragraph (B) was revised by the Amendment Ordinance. Prior to the legislative revision, a data user was required to notify the data subject of “the name and address of the individual to whom any (data access or correction) request may be made”. The law as it now stands permits the data user to notify the data subject of “the name or job title, and address of the individual who is to handle any such request made to the data user”. The legislative revision took into account the inevitable event of personnel changes in an organisation. 5.89 It should be noted that there is an express exemption under DPP1(3) in that compliance with that subsection is unnecessary where such compliance: would be likely to prejudice the purpose for which the data was collected and that purpose is specified in Part 8 of this Ordinance as a purpose in relation to which personal data is exempt from the provisions of data protection principle 6.

86

05_Data Protection.indd 86

2016/6/27 1:59:04 PM

Chapter 5. Data Protection Principle 1



The reason is that in many of the situations where personal data is exempt from DPP6 under one of the relevant exemptions provided for in Part 8 of the Ordinance, it is also likely to be exempt from DPP1(3). In AAB No. 23/2008, the AAB considered that the purpose of recording the video image of an employee sleeping while on duty was to determine the suitability for continued employment under section 55 of the Ordinance. It would not be necessary for the employer to comply with DPP1(3) on or before making the recording. A more obvious example is where the police collect data evidence from a target suspect, the police would not be in a position or obliged to notify the suspect before collecting the data.

5.90 To ensure that a PICS is effective, it is necessary for the data user to take into consideration the following factors: • whether the layout and presentation of the PICS (including the font size, spacing, underlining, use of headings, highlights and contrasts) have been designed so that the PICS is easily read by customers with normal eyesight; • whether the PICS is presented in a conspicuous manner (e.g. the PICS is inserted as a standalone section of the document and its contents are not buried among the terms and conditions for the provision of the data user’s services contained in the same document); • whether the language used in the PICS is easily comprehensible and intelligible (e.g. the choice of simple rather than difficult language and the avoidance of legal terms or convoluted phrases and sentences); • whether further assistance from the data user such as help desk or enquiry service is available to enable the customer to understand the contents of the PICS.

Specific Requirements on Notification when Collecting Personal Data for Direct Marketing Purposes 5.91 The Amendment Ordinance introduced, inter alia, major changes by creating a new Part 6A under the Ordinance to regulate (i) the use of personal data by the data user for its own direct marketing activities; and (ii)

87

05_Data Protection.indd 87

2016/6/27 1:59:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the provision of personal data by the data user to a third party for the latter’s use in direct marketing.

Application of the Direct Marketing Requirements 5.92 Direct marketing means the offering, or advertising of the availability, of goods, facilities or services or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes through direct marketing means, i.e. by sending information or goods addressed to a specific named person via mail, fax, email or other forms of communication.95 Therefore, any unsolicited marketing communications not addressed to a specific person by name (e.g. telephone calls or text messages sent to randomly generated telephone numbers), will generally not fall within the scope of Part 6A of the Ordinance. However, the Unsolicited Electronic Messages Ordinance (Cap 593) may apply in these cases, suffice to say that electronic messages do not include real time personto-person calls. 5.93 In addition, direct marketing communications addressed to a data subject by name, but made to his office address, email or telephone number, may in some cases not fall within the ambit of Part 6A of the Ordinance. The Commissioner takes the view that it would not be appropriate to enforce Part 6A of the Ordinance in clear-cut cases where the product or service being marketed is clearly targeted at and intended for the exclusive use of the data subject’s corporation and is sent to the data subject in his official capacity but not in his personal capacity. The Commissioner will assess the circumstances on a case-by-case basis taking into account the purpose of collection of the personal data, the nature of the products or services being marketed (i.e. whether they are for personal use or use by a corporation), and whether the marketing is targeted at the corporation or the data subject as an individual. 5.94 The provisions in Part 6A of the Ordinance also do not apply in relation to the offering, or advertising of the availability of: (a) social services run, subvented or subsidized by the Social Welfare Department; (b) healthcare

95. Section 35A(1).

88

05_Data Protection.indd 88

2016/6/27 1:59:05 PM

Chapter 5. Data Protection Principle 1

services provided by the Hospital Authority or Department of Health; or (c) any other social or health care services which, if not provided, would be likely to cause serious harm to the physical or mental health of the individual to whom the services are intended to be provided, or any other individual.96 5.95 The Amendment Ordinance also provides a grandfathering arrangement under section 35D(1), which is set out in paragraphs 5.103 to 5.105 below, in relation to personal data which had already been held and used for direct marketing purposes by the data user at the time the Amendment Ordinance came into force (i.e.1 April 2013).

Consent 5.96 A data user who intends to use or provide the personal data of a data subject to others for use in direct marketing shall take specified action to inform the data subject of certain prescribed information (see paragraphs 5.99 and 5.100 below) and provide the data subject with a response channel through which the data subject may give his consent. “Consent”, in the context of direct marketing activities regulated under Part 6A of the Ordinance, includes an indication of no objection to the intended use or provision of personal data for direct marketing,97 e.g. the data subject ticking a box in an application form to indicate that he does not object to receiving direct marketing materials. The indication of “no objection” must be explicit, and silence or a non-response will not amount to consent for direct marketing purposes. 5.97 If consent is obtained orally, the data user must supply the data subject with a written confirmation within fourteen days of receiving the oral consent, to confirm: •

the date of receipt of the consent;

•

the personal data to which the consent relates, e.g. name, address, etc.; and

96. Section 35B. 97. Sections 35C and 35J.

89

05_Data Protection.indd 89

2016/6/27 1:59:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

•

the permitted marketing subjects (e.g. the classes of goods or services) to which the consent relates.

5.98 It should be noted that if consent is being sought for the transfer of a data subject’s personal data to a third party for use in direct marketing, the data user must obtain the data subject’s consent in writing.

Notification Requirements 5.99 In addition to the data user’s notification obligations under DPP1(3) (see paragraphs 5.65 to 5.90), the following prescribed information98 has to be given to the data subject when the data user intends to use the personal data collected for its direct marketing activities: •

that the data user intends to use the personal data of the data subject for direct marketing;

•

that the data user may not so use the personal data unless the data user has received the data subject’s consent to the intended use;

•

the kinds of personal data that will be used for the direct marketing (e.g. address, name, telephone number, etc.);

•

the classes of marketing subjects99 in relation to which the data is to be used; and

•

the response channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use.

5.100 If the data user intends to provide a data subject’s personal data to another person (including any subsidiary or affiliate of the data user) for use by that other person in direct marketing, it must provide the data subject with the following prescribed information in writing:100

98. Section 35C(2). 99. Under section 35A(1), “marketing subject”, in relation to direct marketing, means (a) any goods, facility or service offered, or the availability of which is advertised; or (b) any purpose for which donations or contributions are solicited. 100. Section 35J(2)(b).

90

05_Data Protection.indd 90

2016/6/27 1:59:05 PM

Chapter 5. Data Protection Principle 1

•

that the data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing;

•

that the data user may not so provide the data unless it has received the data subject’s written consent to the intended provision;

•

whether the provision of the personal data to the other person is in return for gain;101

•

the kinds of personal data to be provided;

•

the classes of persons to which the personal data is to be provided;

•

the classes of marketing subjects in relation to which the data is to be used; and

•

the response channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended provision in writing.

5.101 The additional notification and consent requirements relating to the transfer of personal data to another person for use in direct marketing (outlined in paragraph 5.100 above), do not apply to the transfer of the personal data to the data user’s agent, for the purposes of carrying out marketing of the data user’s products or services on the data user’s behalf.102 The data user’s direct marketing and data transfer notification obligations under section 35C(2) and DPP1(3) respectively will apply in this case (see paragraphs 5.65 to 5.90 and 5.99). 5.102 The above information should be presented in a conspicuous manner that is easily understandable and, if in written form, easily readable. In this regard, a reasonable test should be adopted in deciding what is easily readable and easily understandable. The description of marketing subjects and transferees must be sufficiently specific, so as to enable the data subject to ascertain the goods, facilities or services that will be marketed and the persons to whom their personal data may be transferred, with a reasonable degree of certainty.

101. Under section 35A(2), a person provides personal data for gain if the person provides personal data in return for money or other property, irrespective of whether (a) the return is contingent on any condition; or (b) the person retains any control over the use of the data. 102. Section 35I(2).

91

05_Data Protection.indd 91

2016/6/27 1:59:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Vague and loose terms such as “marketing goods and/or services by us, our agents, our subsidiaries, or our partners”, “providing carefully selected offers, promotions and benefits by us, our subsidiaries, affiliates and/or our partners”, and “such type of services and products as the company may from time to time think fit” will fall short of meeting the requirement.

Section 35D(1): Pre-existing Data 5.103 The requirements for a data user to notify the data subject of his intention to use the latter’s personal data in direct marketing and to obtain the data subject’s consent or indication of no objection to the intended use under the new regulatory regime takes effect on a prospective basis.103 Such notification and consent requirements do not apply to the use of personal data by a data user for direct marketing purposes (including the use of the data by the data user’s agent for marketing the data user’s products or services)104 in relation to personal data over which the data user had control before the entry into force of the new provisions (i.e. 1 April 2013) if: •

the data subject had been explicitly informed by the data user, in a manner which is easily understandable and (if informed in writing) easily readable of the intended use of the data subject’s personal data in direct marketing in relation to a class of marketing subjects;

•

the data user has so used any of the data;

•

the data subject had not required the data user to cease to use any of the data; and

•

the data user had not in relation to such use contravened any provision of the Ordinance as in force at the time of the use.

5.104 For example, if a bank had obtained a customer’s mobile phone number, residential address and residential telephone number as well as his email address before 1 April 2013, explicitly and clearly notified its customer that such personal data would be used for marketing banking and insurance services, and the bank had so used the mobile phone number before 1 April 2013, and such use had not been vitiated by the customer’s indication of

103. Section 35D(1). 104. Section 35I(2).

92

05_Data Protection.indd 92

2016/6/27 1:59:05 PM

Chapter 5. Data Protection Principle 1

opting out, then not only would the mobile phone number be exempted but the use of the other personal data already held by the bank prior to 1 April, 2013, viz. residential address, email address and residential telephone number would also be exempted from the notification and consent requirement. 5.105 The grandfathering arrangement also applies to updates of personal data held by a data user before 1 April 2013. For instance, if a data user held a data subject’s residential address before 1 April 2013 and the data subject moved after 1 April 2013, the data user may use the new residential address for continued marketing of the services without the need to notify the data subject and obtain his consent anew. 5.106 For the avoidance of doubt, the grandfathering arrangement does not apply to, and the notification and consent obligations outlined in paragraphs 5.96, 5.97, 5.99, 5.100 and 5.101 must be complied with in relation to: •

the use of the personal data of the data subject in relation to a different class of marketing subjects from that previously made known and/or consented to by the data subject prior to 1 April 2013;

•

new personal data collected or acquired by the data user after 1 April 2013; and

•

the transfer of personal data to another person for that other person's use for direct marketing, irrespective of whether or not notification was provided and consent obtained from the data subject prior to 1 April 2013.

Section 35D(2): Data Collected from a Third Person 5.107 Data users should be reminded that the duty to inform the data subject of their intention to use the data subject’s personal data in direct marketing is absolute and not dependent on whether the personal data is collected from the data subjects directly or not. It is not uncommon that a data user may obtain personal data from a partner, an associate or a subsidiary company in a cross-marketing scheme. If the data user is planning to use the data received from a third party for direct marketing, the data user is still required to inform the data subject of the intention to use the data for direct marketing unless the third party confirms that:

93

05_Data Protection.indd 93

2016/6/27 1:59:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

•

it has given written notice to the data subject and obtained his written consent to the provision of personal data to the class of transferees to which the data user belongs; and

•

the products or services that the data user intends to market fall within the class of marketing subjects to which the data subject has consented.105

5.108 The requirements under Part 6A regulating the consent (and its withdrawal) of data subjects for use and provision for use of their personal data in direct marketing will be examined in Chapter 7. Readers may also refer to the Guidance Note (as revised) issued by the Commissioner for practical guidance and recommended good practices when using personal data for direct marketing.106

Online Behavioural Tracking 5.109 Website operators or owners often collect information regarding their users’ online interaction with the websites. Information such as the online user’s identity, display and/or language preference, web pages visited, items purchased and transactions performed may be collected and recorded. The information collected is useful to track the behaviour and preferences of an online user which may be used by the website operators or owners to build detailed profiles of the users for marketing or advertising purposes. 5.110 Online behavioural tracking poses privacy risks to online users as very often the users’ information or browsing habits are collected and transferred to other parties without their knowledge or consent. 5.111 Whether the behavioural information collected from online users constitutes personal data is judged on a case-by-case basis. Personal data will deem to have been collected if it is reasonably practicable to ascertain the identity of the individual directly or indirectly from the behavioural tracking

105. Section 35D(2). 106. See New Guidance Note on Direct Marketing, available on the Website.

94

05_Data Protection.indd 94

2016/6/27 1:59:05 PM

Chapter 5. Data Protection Principle 1

information collected, for instance, the information contains a unique identifier, such as an account name or number. 5.112 If online tracking information (such as shopping experiences) is determined to be personal data and it is collected for direct marketing purposes, data users must follow Part 6A of the Ordinance to obtain consent from data subjects before using their personal data for direct marketing purposes. 5.113 If online tracking information is collected for other purposes, data users should, in the interests of transparency and fairness: • inform the data subjects what information is being collected or tracked by them, the purpose of collecting the information, how the information is collected (for example, through cookies), whether the information will be transferred to third parties and, if so, the classes of such third parties and the purposes of transfer and how long the information will be kept; • inform the data subjects whether any third party has been engaged in collecting or tracking their behavioural information, the purposes and means of collection and the retention period; and • offer the data subjects a way to opt-out of the tracking and inform them of the consequences of opting out. If it is not possible to opt out of tracking while using the website, explain the reason why it is not possible so that the online users (data subjects) can decide whether they wish to continue to use the website.107

107. Reference can be made to the Information Leaflet on “Online Behavioural Tracking” issued by the Commissioner, available on the Website.

95

05_Data Protection.indd 95

2016/6/27 1:59:05 PM

05_Data Protection.indd 96

2016/6/27 1:59:05 PM

Chapter 6 Data Protection Principle 2

The main questions: • What are the general requirements for accuracy of personal data under DPP2(1), and how do they apply? • What are the general requirements for retention of personal data under DPP2(2) and section 26, and how do they apply? • What are the changes introduced by the Amendment Ordinance? Who is a “data processor”? • How to comply with the new requirements under DPP2(3) when personal data is outsourced to a “data processor”?

The questions of accuracy and duration of retention of personal data discussed in this Chapter concerning DPP2 and section 26 have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

06_Data Protection.indd 97

2016/6/27 1:59:13 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

DPP2(1) 6.1

Data Protection Principle 2(1) in Schedule 1 of the Ordinance provides as follows: Principle 2 – accuracy and duration of retention of personal data (1) All practicable steps shall be taken to ensure that – (a) personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used; (b) where there are reasonable grounds for believing that personal data is inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used – (i) the data is not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or (ii) the data is erased; (c) where it is practicable in all the circumstances of the case to know that – (i) personal data disclosed on or after the appointed day to a third party is materially inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used by the third party; and (ii) that data was inaccurate at the time of such disclosure, that the third party – (A) is informed that the data is inaccurate; and (B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.

6.2

The requirement under DPP2(1) is not an absolute one. As mentioned in the previous Chapters, the word “practicable” as used throughout the Ordinance is defined in section 2(1) to mean “reasonably practicable”. It follows that the duty of a data user under DPP2(1) is to take all reasonably practicable steps in ensuring (as opposed to, say, guaranteeing) the accuracy

98

06_Data Protection.indd 98

2016/6/27 1:59:13 PM

Chapter 6. Data Protection Principle 2

of all personal data held by it. Indeed, the fact that DPP2(1) does not impose an absolute standard is understandable, given the inevitability of human error. 6.3

As for the meaning of the word “accurate”, this can be inferred from the definition of “inaccurate” in section 2(1) which, in relation to personal data, means the data is “incorrect, misleading, incomplete or obsolete”.

6.4

In this connection, however, it is also relevant to note that DPP2(1)(a) speaks of personal data being accurate “having regard to the purpose for which (it) is to be used”. The Commissioner is fully cognizant of the fact that the standard of accuracy varies according to the circumstances and there is no hard and fast rule to be universally applied. For instance, a greater degree of care would need to be taken to ensure the accuracy of such data, the inaccuracy of which may involve serious consequences, as opposed to data concerning trivial matters.

6.5

The mere fact that the personal data kept by a data user is found to be inaccurate by the data subject does not necessarily result in a breach of DPP2(1)(a). In AAB No. 12/2008, which deals with a complaint by an employee about the inaccurate personal records provided by her employer in compliance with her data access request, the AAB considered that [The requirement of DPP2(1)(a)] does not mean that data held by the data user must be correct in all respects. The requirement is this: provided that the data user has taken all practicable steps to ensure the personal data kept by him is accurate, it is no breach of this requirement if the data is subsequently found to be incorrect by the data subject. If that happens, the data subject may, pursuant to section 22 of the Ordinance, ask the data user to correct the inaccuracies. Thus, there is no contravention of a requirement of the Ordinance where the personal data kept by the data user is inaccurate but it would be a contravention if the data user refused to correct the inaccuracies when the data subject lodged a data correction request with him.

6.6

If the result of an investigation reveals that the error committed was attributed to some identifiable defect in the data handling system or procedures of the data user, the Commissioner is likely to form the view that there is contravention of DPP2(1). By way of remedial action, the

99

06_Data Protection.indd 99

2016/6/27 1:59:13 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Commissioner will normally require the data user to take appropriate steps to improve its data handling system or procedures, with a view to preventing recurrence of similar inaccuracies in the future. 6.7

In an investigation conducted by the Commissioner,108 the Inland Revenue Department (“IRD”) was found to have failed to take all practicable steps to ensure the accuracy of a taxpayer’s address. The IRD received a request for change of address from the complainant and an officer of the IRD inadvertently input the complainant’s new address into the database as the address reported by another taxpayer. As a result, the tax demand note was sent to the wrong address and was returned by the post office. In an attempt to rectify the mistake, another IRD officer input the wrong flat number in the complainant’s address. The tax demand was again sent to a wrong address. The mistake was not discovered until the complainant sent an email to the IRD complaining about non-receipt of the tax demand note. The multiple human errors in this case reflected the lack of awareness of data accuracy not only on the part of a single staff member but across different units of the IRD. Considering the sensitive nature of the personal data used for tax purposes, the Commissioner took the view that the IRD should have adopted a higher degree of care in handling taxpayers’ personal data, and the IRD was found to have contravened DPP2(1). As a result, the IRD revised its procedures to eliminate the incidents of mismatching of data when a request for address change was received and strengthened the daily supervisory checking to ensure compliance by its staff of the procedures, guidelines and checklists issued by the IRD to ensure data accuracy.

6.8

In contrast, complaints may be lodged with the Commissioner by one individual against another involving an ongoing dispute about the “inaccuracy” of allegations, sometimes defamatory in nature, made by one party against the other concerning certain events which may arguably be his personal data. In this regard, the Commissioner would, in general, decline to investigate such type of cases, insofar as the true essence of the complaint lies not so much in the inaccuracy of personal data held, but in the dispute

108. See Investigation Report No. R11-1178, available on the Website.

100

06_Data Protection.indd 100

2016/6/27 1:59:13 PM

Chapter 6. Data Protection Principle 2

between the parties.109 It is the court or tribunal of competent jurisdiction, rather than the Commissioner, that is the appropriate forum for adjudicating such a dispute. The same applies where the individual, having taken the further step of making a data correction request to the other party, complains to the Commissioner about the refusal to “correct” the data in the way he wanted. Comments made about a particular employee in a dismissal letter are inherently contentious and the appellant in AAB No. 22/2000 sought to correct the comments by making a data correction request. The AAB dismissed the appeal and ruled that the proper channel for redressing the dispute was to commence proceedings in the Labour Tribunal, not by way of a data correction request. (For further discussion on data correction requests, readers are referred to Chapter 11). 6.9

In AAB No. 14/2011, a patient took out a claim in the Small Claims Tribunal against a hospital for compensation. He obtained two medical reports from the attending doctor and disputed the accuracy of the symptoms described of him as recorded in the reports. The Commissioner refused to carry out an investigation as the alleged inaccurate information was the medical opinion of the doctor and the Commissioner was not in a position to determine its accuracy or otherwise. The AAB upheld the Commissioner’s decision not to investigate the complaint as the accuracy of medical opinion was outside the purview of the Ordinance and the Commissioner could not compel the doctor to amend his medical opinion.

6.10 In AAB No. 2/2011, a credit report of the appellant issued by a credit reference agency was found to contain incorrect personal data. The appellant’s name in English, gender and previous addresses were wrongly stated. The report also showed that the appellant was the principal of a credit card account with a past-due amount for which in fact the appellant was not the principal debtor. The fact that the incorrect data might have been relied upon and used by other credit providers caused concern and the AAB directed the Commissioner to consider investigating further into the conduct of the relevant credit providers to see if the credit reference agency

109. Under section 39(2)(ca) of the Ordinance, new statutory grounds were provided for the Commissioner to refuse to carry out or decide to terminate an investigation if he is of the opinion that the primary subject matter of the complaint is not related to the personal data privacy of individuals.

101

06_Data Protection.indd 101

2016/6/27 1:59:13 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

was under a duty to make the correction and supply that correction with reasons to those who had previously requested and received the inaccurate credit report. In its decision, the AAB expressed the following views: 94. ….Such duty arises from the moment inaccurate data was provided. The reason is that it is only right in the interest of the recipient of the inaccurate data that they should be notified of the inaccuracy, that it is commercial common sense that this should be done, that it is in the public interest to ensure the integrity of a credit reference agency, and that it is in our view a duty that should be readily implied, as a matter of law into the contractual relationship between [the credit reference agency] and the credit providers receiving the credit report. Any restriction or limitation of such duty on the part of [the credit reference agency] creates the possibility of lack of any sufficient safeguards for [the credit reference agency] to provide accurate data.

6.11 There are situations where the Commissioner is not in a position to decide whether an expression of opinion is inaccurate, as illustrated in AAB No. 12/2011. The appellant, a former member of a religious organisation, had a dispute with a female member concerning whether the appellant had behaved inappropriately towards that female member contrary to the faith of the religious organisation. The appellant requested correction of his personal data mentioned in a letter sent by the religious organisation leading to the removal of the appellant’s administrative rights in the organisation. Upholding the Commissioner’s decision not to investigate the complaint, the AAB expressed the following views: 45. … We think that this data is “opinion” within the definition of section 25(3) of the Ordinance. What is to be considered “inappropriate conduct” should, in the present context, be judged by what is considered such by the [religious organisation] rather by the Commissioner. In other words, this is a matter which is best left to the [religious organisation] … It is not a matter which the Commissioner can competently (in the words of section 25(3)) “verify”. Nor, we might add, would it be something which, given the particular circumstances of this case, is practicable for him to verify …

102

06_Data Protection.indd 102

2016/6/27 1:59:13 PM

Chapter 6. Data Protection Principle 2

DPP2(2) and Section 26 6.12 Data Protection Principle 2(2) provides as follows: (2) All practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used.

6.13 The Amendment Ordinance made changes to DPP2(2) by clarifying that a data user is only required to take all (reasonably) practicable steps to comply with this data retention principle. The amendment brings about a consistent legislative requirement in respect of the duties that are imposed upon a data user under DPP2(1) and DPP2(2). Before the law was amended, DPP2(2) had generally been interpreted to impose an absolute duty on the data user to ensure that personal data was not kept longer than is necessary. Similar amendments were made to section 26(1) concerning erasure of personal data no longer required, which provides as follows: 26(1) A data user must take all practicable steps to erase personal data held by the data user where the data is no longer required for the purpose (including any directly related purpose) for which the data was used unless – (a) any such erasure is prohibited under any law; or (b) it is in the public interest (including historical interest) for the data not to be erased.

6.14 In connection with the penalty for contravention of section 26(1), it is relevant to note section 64A(1) of the Ordinance which provides as follows: (1) A data user who, without reasonable excuse, contravenes any requirement under this Ordinance commits an offence and is liable on conviction to a fine at level 3.

6.15 Section 64A(1) does not apply to a contravention of a DPP and section 26(1) does not relate to a DPP. A contravention of section 26(1) without reasonable excuse constitutes an offence under section 64A(1). Thus, backed

103

06_Data Protection.indd 103

2016/6/27 1:59:13 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

by section 26(1), DPP2(2) seems to impose a more stringent obligation on the data user than the other DPPs (except for DPP6, which is backed by parallel provisions in Part 5 of the Ordinance, as discussed in Chapters 10 and 11). 6.16 The central concept, by reference to which both DPP2(2) and section 26(1) operate, is the purpose for which the data in question was, or is to be, used. Indeed, the concept of purpose is important not only for the operation of DPP2(2) and section 26(1), but also for the operation of the other requirements under the Ordinance. How the permitted purposes of use are to be ascertained will be discussed in detail in Chapter 7. 6.17 In the absence of any statutory requirements or strong evidence supporting a genuine need for a data user to do so, the Commissioner is unlikely to accept retention of personal data indefinitely. In a case handled by the Commissioner in 2008, a former insurance agent abandoned copies of a huge amount of documents containing personal data of the agent’s former clients collected more than four years ago. The former insurance agent was prosecuted for contravention of section 26(1) of the Ordinance, and was fined accordingly. 6.18 In a complaint investigated by the Commissioner in 2007, an unsuccessful insurance applicant complained to the Commissioner against an insurance company for retaining the applicant’s personal data. During the investigation, it was revealed that the insurance company did not have a specific retention policy and would retain the personal data of unsuccessful applicants indefinitely. The Commissioner found that the insurance company was in breach of DPP2(2). The Commissioner was of the view that the optimal period for retention of personal data for unsuccessful insurance applications with and without money transaction involved should be no more than seven and two years respectively. 6.19 In another case,110 a bank customer complained that the bank continued to retain information about his bankruptcy (i.e. his name, HKID number, bankruptcy number and date of the bankruptcy order) even though his

110. See Investigation Report No. R11-6121, available on the Website.

104

06_Data Protection.indd 104

2016/6/27 1:59:14 PM

Chapter 6. Data Protection Principle 2

bankruptcy had been discharged a long time ago. According to the bank, its practice was to retain the said information supplied by the Official Receiver’s Office (“ORO”) for ninety-nine years. ORO provided the information to banks to remind them of their obligation under section 52 of the Bankruptcy Ordinance, i.e. to inform the Official Receiver and the trustee of the existence of deposits of an undischarged bankrupt. The reasons put forward by the bank for retaining the information for ninety-nine years included that the information would be used for the purpose of complying with requests that it might receive from the Government or law enforcement agencies; for consideration of a credit facilities application and for processing collection action related to the individual concerned. The Commissioner did not accept that sufficient justifications existed as normally a bankruptcy order should be discharged between four and eight years after commencement of bankruptcy. It was also noted that the Hong Kong Monetary Authority, the regulator of the banking industry, did not prescribe a retention period for bankruptcy data. The bank was found to have contravened DPP2(2) and section 26(1). Consequent to the Commissioner’s findings, the bank revised its policy and practice and ceased keeping the bankruptcy data of its customers for longer than eight years. 6.20 The Commissioner is of the view that, for prudent business and good privacy practice, data users should devise a clear privacy policy and practice to erase personal data when its purpose of collection has been met to ensure compliance with DPP2(2).111 For instance, where biometric data, such as fingerprint data, of employees is collected for recording attendance purpose, the data should be safely erased by the employer when the employee in question leaves employment. 6.21 Sometimes, personal data may be kept longer than usual to comply with specific requirements provided by statutes, code of practices or guidelines applicable to a particular trade or industry. For example, in cases of suspected money laundering activities, the banks are required to comply with the Antimoney Laundering and Counter Terrorist Financing (Financial Institutions) Ordinance, Cap 615 and the Guidelines on Prevention of Money Laundering

111. See Guidance on Personal Data Erasure and Anonymisation, available on the Website.

105

06_Data Protection.indd 105

2016/6/27 1:59:14 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

issued by the Monetary Authority to combat money laundering and retain records for that purpose.112 Some statutes,113 codes of practices114 or guidelines may prescribe periods of retention for documents containing personal data in which case data user may be obliged to comply.115 6.22 Practical difficulty may arise where personal data is collected at different times for various purposes. Strict compliance with DPP2(2) and section 26(1) may oblige the data user to painstakingly go through the items of personal data held and deleting the data that has outlived their purposes on a regular basis. In this respect, a clearly promulgated retention policy may facilitate the data users, especially organisational ones, in implementing appropriate measures, such as the deployment of automated software to ensure the unnecessary data is properly erased. As long as all reasonably

112. Chapter 8 of The Guideline on Anti-Money Laundering and Counter Terrorist Financing issued by the Monetary Authority under section 7(3) of the Banking Ordinance. 113. For instance, in complying with section 51C of the Inland Revenue Ordinance, Cap 112, on keeping business records for not less than seven years, personal data contained in such records shall be so retained. Under section 59(3) of the Police Force Ordinance, Cap 232, the police who arrested a person and took identifying particulars of the arrested person, such as photographs and fingerprints, may retain the identifying particulars if the arrested person had been previously convicted of any offence or was the subject of a removal order under the Immigration Ordinance, Cap 115. The retention period of twelve months for the identifying particulars was specified in the Hong Kong Police Force Procedures Manual. Another example is found in the four pieces of anti-discrimination legislation, namely, the Disability Discrimination Ordinance, Cap 487; the Family Status Discrimination Ordinance, Cap 527; the Sex Discrimination Ordinance, Cap 480 and the Race Discrimination Ordinance, Cap 602 which permit an individual to make a claim to the District Court against another person for an act of discrimination against him before the end of the period of two years from (a) the time when the act complained of was done; or (b) if there is a relevant report in relation to the act, the day on which the report was published or made available for inspection. The relevant documents containing personal data may therefore be kept for responding to a possible claim brought by the employee or ex-employee. 114. Clause 1.3.3 of the Code of Practice on Human Resource Management issued by the Commissioner provides that personal data in respect of recruitment-related data held about job applicants be retained for not longer than two years and that personal data in respect of employment-related data about an employee be kept for not longer than seven years. Clause 3.3 of the Code of Practice on Consumer Credit Data issued by the Commissioner provides that credit reference agency may retain account repayment data revealing material default (i.e. default in payment for a period in excess of sixty days) for five years either from the date of final settlement of the amount in default or from the date of the individual’s discharge from bankruptcy, whichever is the earlier, irrespective of any write-off by the credit provider of the amount in default in full or in part at any time after such default occurred. 115. In AAB No. 15/2015, the AAB dismissed the appeal lodged by a complainant who requested a credit reference agency to remove the records of his Individual Voluntary Arrangement in his credit report. The AAB took the view that credit history was an essential element to a credit provider to assess the risk of extending credit to an individual. There was no valid ground to depart from the retention period of seven years from the date of the event shown in the official record as provided under Clause 3.6.1 of the Code of Practice on Consumer Credit Data.

106

06_Data Protection.indd 106

2016/6/27 1:59:14 PM

Chapter 6. Data Protection Principle 2

practicable steps are taken by a data user to erase personal data that is no longer required when the purpose of use is met, the data user is considered to have complied with the requirements under DPP2(2) and section 26(1). 6.23 In addition to the practical difficulty mentioned above, in considering the application of DPP2(2) and section 26, it is also relevant to give due regard to the Eastweek case where the Court held, inter alia, that where no personal data is collected by a data user (as defined in the case), the DPPs will not be engaged. On that basis, it seems a person need not worry about accidental contravention of DPP2(2) or section 26(1) in respect of any information that happens to be in his physical possession, unless he has “collected” such personal data in the sense that he has compiled information about the relevant individual whom he has identified or intends or seeks to identify. To give a simple illustration, a newspaper may publish an article about a named individual which, in a technical sense, constitutes that individual’s personal data. According to the Eastweek case, a person who merely holds a copy of the newspaper need not worry about compliance with DPP2(2) or section 26(1), but the situation may change if the newspaper clippings are retained and filed by that person as part of his compilation of information about that data subject mentioned in the clippings.116 6.24 Finally, according to section 26(1), it is to be noted that the erasure of personal data is not required under two alternative conditions, namely: (a) where the erasure of the data is prohibited under any law,117 or (b) where it is in the public interest (including historical interest) for the data not to be erased.118 Hence, in a case where one of the two conditions mentioned in section 26(1) is satisfied, the data in question may be retained even though the purpose of use is fulfilled.

116. For enquiries made to the Commissioner concerning whether the proposed retention of personal data in particular situations is likely to be consistent with DPP2(2) and section 26, readers may refer to relevant cases in the Complaint and Enquiry Case Notes Section on the Website. 117. For example, under section 56(3) of the Employment Ordinance, Cap 57, an employment agency shall retain records of all job applicants for a period of not less than twelve months after expiration of each accounting year of the employment agency concerned. 118. For example, the Government Records Service of Hong Kong manages and records information for the HKSAR Government through its Public Records Office by developing a record-keeping programme that enables bureaux and departments to manage information resources appropriate to their purposes. The public can access Hong Kong’s archives through documents, movies, photographs, posters or other records kept by it.

107

06_Data Protection.indd 107

2016/6/27 1:59:14 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

New Requirements under DPP2(3) and (4): Personal Data Transferred to “Data Processor” for Processing 6.25 The trend of outsourcing and entrusting personal data processing work by data users to their agents is increasingly common. Personal data leakage incidents were often found to be caused by insufficient steps being taken by the data processors to protect the personal data entrusted to them for handling. The damage caused to the data subjects could be substantial and irreparable, particularly if it involves an online data breach. The Amendment Ordinance sought to tighten the control over the outsourcing activities by imposing a new obligation upon the data user under DPP2(3) which provides as follows: (3) Without limiting subsection (2), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

6.26 The natural question to ask is who is a “data processor”? DPP2(4) provides a definition as follows: (4) Data processor means a person who – (a) processes personal data on behalf of another person; and (b) does not process the data for any of the person’s own purposes.

6.27 The following are some examples of outsourcing the processing of personal data by a data user to a “data processor”: • a service provider engaged to input personal data to computer systems of the data user; • a contractor engaged to shred confidential documents which contain personal data; • a marketing company engaged to carry out customer opinion survey using customers’ personal data provided by the data user.

108

06_Data Protection.indd 108

2016/6/27 1:59:14 PM

Chapter 6. Data Protection Principle 2

6.28 DPP2(3) does not provide further the specific terms that have to be incorporated into a data processing contract in order to comply with the requirements. Given the vast variety of outsourcing activities, arguably no exhaustive list can be drawn up to cover all kinds of these activities. A data user is in the best position, having regard to its business nature and the extent of the privacy risks to which it is exposed, to decide what contractual obligations it should impose upon the data processor. A data user should also take steps to ensure that the contractual obligations are duly observed by its data processor. 6.29 Sometimes, a data user may not be able to enter into a contract with its data processor to protect the personal data entrusted to it for handling. DPP2(3) provides flexibility by allowing the use of “other means” of compliance. Whilst “other means” is not defined under the Ordinance, data users may engage non-contractual oversight and auditing mechanisms to monitor their data processor’s compliance with the data protection requirements. 6.30 The duty to comply with the new requirement under DPP2(3) aside, a data user remains accountable under section 65(2) of the Ordinance for the acts done and practices engaged in by the data processor who acts as its agent and with its express or implied authority. 6.31 Data users may make reference to the information leaflet issued by the Commissioner119 to facilitate understanding of and compliance with the new obligations. The information leaflet gives examples of the types of obligations to be imposed on data processors by contract and measures to be adopted in engaging non-contractual oversight and audit mechanisms to monitor data processors’ compliance with the data protection requirements. It also provides recommendations for good practice where personal data is transferred outside Hong Kong for processing by data processors.

119. See information leaflet on Outsourcing the Processing of Personal Data to Data Processors, available on the Website.

109

06_Data Protection.indd 109

2016/6/27 1:59:14 PM

06_Data Protection.indd 110

2016/6/27 1:59:14 PM

Chapter 7 Data Protection Principle 3

The main questions: • What are the general requirements under DPP3? • What is a new purpose? • How is the original purpose of collection ascertained? • What constitutes the use of personal data for a purpose directly related to the original purpose of collection? • Is sale of personal data a directly related purpose of use? • What constitutes “prescribed consent” of the data subject? Can a person give prescribed consent on behalf of a data subject? • How can a data subject’s consent be obtained under the new requirements on direct marketing? • Can a data subject withdraw his consent previously given?

The questions of use of personal data discussed in this Chapter concerning DPP3 have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

07_Data Protection.indd 111

2016/6/27 1:59:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Importance of DPP3 7.1

DPP3 governs the use of personal data and is of great practical importance and concern to both the data users and the data subjects. It is also the data protection principle in relation to which the Commissioner receives the largest number of complaints.

7.2

Data Protection Principle 3(1) provides as follows: Principle 3 – use of personal data (1) Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.

What Amounts to Use? 7.3

“Use”, in relation to personal data, is defined in section 2(1) of the Ordinance to include the disclosure or transfer of the data. In addition to the conventional examples of disclosure or use (e.g. transferring personal data to another organisation, or posting the personal data on a notice board), the uploading or posting of personal data on the internet would also amount to disclosure and would fall within the scope of DPP3(1).

What Is a New Purpose? 7.4

“New purpose” is defined in DPP3(4): (4) In this section –

new purpose, in relation to the use of personal data, means any purpose other than – (a) the purpose for which the data was to be used at the time of the collection of the data; or (b) a purpose directly related to the purpose referred to in paragraph (a).

112

07_Data Protection.indd 112

2016/6/27 1:59:21 PM

Chapter 7. Data Protection Principle 3

7.5

Any use (including disclosure or transfer to a third party) of the personal data, which is not directly related to the original purpose for which the personal data was collected, will amount to a “new” use calling for the prescribed consent of the data subject. Failure to obtain the prescribed consent of a data subject prior to such use may contravene the requirements under DPP3. Data users must ascertain the lawful and permitted purpose(s) of use which is relevant not only in respect of the application of DPP3, but also for the application of other purpose-related provisions of the Ordinance, such as DPP1(3), DPP2(2), DPP5 and section 26.

The Original Purpose of Collection 7.6

DPP3(1) and DPP3(4)(a) allow the use of personal data for the purpose for which the data was originally collected. In ascertaining the original purpose of collection, the following factors are relevant for consideration: • the explicit purposes stated in the PICS given under DPP1(3); • the function or activity of the data user; • the restrictions of use imposed by the data subject or the transferor of the data; and • personal data collected in the public domain.

The Purposes of Collection Stated in the PICS 7.7

It was mentioned in Chapter 5 that DPP1(3) requires a data user, on or before the collection of personal data from a data subject, to take all reasonably practicable steps to ensure that the data subject is informed, inter alia, of the purpose for which his data is to be used. The informed purpose obviously reflects the data user’s then expectation regarding the use of the data collected. But to what extent does this also reflect the expectation of the data subject?

7.8

Insofar as the data subject allows the collection of his personal data with the knowledge of the informed purpose on or before such collection, pursuant to the data user’s compliance with DPP1(3), he is expected to have implicitly

113

07_Data Protection.indd 113

2016/6/27 1:59:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

agreed to the use of his personal data for such purpose and therefore to be bound by it. Notwithstanding the aforesaid, the Commissioner will also consider the following in assessing the original purpose of collection of the personal data. 7.9

First, in most, if not all, cases of data collection, the PICS tends to be a statement through which the collection purposes are prescribed by the data user, and are not drafted as a result of negotiations between the data user and the data subject. This is especially so where the activity giving rise to the collection of data is one involving the provision of an essential service (e.g. educational, medical or other social service, public utility or banking service), or is otherwise important to the data subject (e.g. concerning his employment), or compulsory in nature (e.g. the collection of data at an immigration checkpoint). In all these situations, it would be unrealistic to expect the data subject to refrain from such activity solely because he is not satisfied with the PICS.

7.10 It is also common to find the purposes stated in the PICS couched in highly legalistic language, appearing in fine print among other lengthy and complicated standard terms and conditions of contract. Some data users may have a tendency to frame the intended purposes in terms as general and as wide as possible for the sake of flexibility. It would render the protection of personal data intended under DPP3 virtually meaningless if the data user was allowed to unilaterally dictate the purposes of collection as it would exceed its lawful functions and activities and the reasonable expectation of the data subject. To take a hypothetical example, where an individual applies for a particular service, the application form may contain the following statement: Any information provided in this application may be transferred by the Company to any other companies inside or outside Hong Kong for such purpose as the Company may in its absolute discretion deem fit.

7.11 Such broad drafting of the PICS, coupled with the fact that the balance of power is usually in the data users’ favour (e.g. data users are in a position to deny essential services to the data subject if the data subject does not agree to the conditions and terms imposed by the PICS and refuses to provide his personal data), will be taken into account by the Commissioner when

114

07_Data Protection.indd 114

2016/6/27 1:59:21 PM

Chapter 7. Data Protection Principle 3

determining whether or not a particular use of personal data is inconsistent with the original purpose of collection. The Commissioner will have due regard for the data subject’s reasonable expectation that the data he has provided to the company is to be used only for purposes directly related to the purpose for which he provided his personal data. For example, where a data subject applies to a data user for the provision of a service, the data subject would reasonably expect his personal data to be used for application processing, service provision, billing and debt recovery, etc., but not for any other unrelated purpose, such as the sale of his personal data by the data user to third parties. This is the view taken by the Commissioner in the Octopus card incident120 which will be discussed below.

The Lawful Functions and Activities of the Data User 7.12 As prescribed in DPP1(1), personal data shall be collected for a lawful purpose directly related to the data user’s function or activity. Thus, the lawful function and activity of the data user is a primary factor in deciding whether the use is proper, particularly in situations where no PICS is given or where the drafting of the PICS is ambiguous. For example, where the personal data of job applicants is received in a recruitment exercise by company A (not being an employment agency), the referral by it of such job applications to unrelated parties or other prospective employers without the job applicants’ consent may exceed its normal functions and activities and thus constitute a new purpose of use. 7.13 However, sometimes the function or activity of the data user may entail the disclosing of personal data to another party. In a complaint that came before the Commissioner, flat owner A repeatedly complained to the management company about water dripping from the flat owned by B. As a result of the complaint, the management company collected the personal data of B and, upon the request of A, the personal data was disclosed to A who subsequently commenced civil proceedings against B. On appeal in AAB No. 66/2003, the AAB upheld the Commissioner’s finding that since B’s personal data was collected for the purpose of handling and following up on the dispute in

120. See Investigation Report No. R10-9866, available on the Website.

115

07_Data Protection.indd 115

2016/6/27 1:59:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

question, the disclosure of B’s personal data by the management company to A was for a purpose consistent with the original purpose of collection and hence no prescribed consent from B was required prior to the disclosure. 7.14 Another example can be found in AAB No.25/2012, where an enquiry made by the complainant to a government department was referred by that government department to the Judiciary, as it believed that the subject matter of the enquiry fell within the Judiciary’s purview. The AAB affirmed the Commissioner’s view that by forwarding the email containing the enquiry to the Judiciary for their information, the government department was referring the enquiry to the appropriate department for further handling and was using the data for the purpose for which it was intended at the time of collection, namely to deal with the complainant’s enquiry. 7.15 It can be seen from the examples provided that the function and activity of a data user is of particular relevance in ascertaining the lawful purpose of use of personal data. It is especially so in relation to unsolicited data or data provided by third parties.

Restrictions of Use Imposed upon Data User by Data Provider or Data Subject 7.16 On some occasions, the person who provides the data (who may be the data subject himself or a third party) may make an express stipulation on the use of the personal data. Generally speaking, if the recipient has no intention to compile information about the individual in the Eastweek sense,121 such restrictions on use imposed, if any, might not have a part to play and the Ordinance has no application as the recipient did not collect the personal data in question. However, if the recipient subsequently compiled information about the individual whom it has identified or intends to or seeks to identify, the restrictions on use imposed by the data provider may then become a relevant factor for consideration. 7.17 Sometimes, an express stipulation imposed by the data subject may not be accepted by the Commissioner as properly restricting the use of the personal

121. See Chapter 3.

116

07_Data Protection.indd 116

2016/6/27 1:59:22 PM

Chapter 7. Data Protection Principle 3

data, if it is unreasonable in the circumstances and taking into account the purpose for which the data subject provided his data. In a complaint that came before the Commissioner, a bank customer provided his data to a bank officer in an application for a particular service. He requested his data to be handled only by that particular bank officer. Subsequently, in accordance with the bank’s normal procedures, the bank officer transferred the data to other bank officers for further processing, in order to provide the customer with the service applied for. Such passing on of the data within the bank contrary to the data subject’s request (which may, however, be considered to be unreasonable) was considered by the Commissioner not to amount to use of the data contrary to DPP3(1). 7.18 In other cases that were brought before the Commissioner, the data subjects had lodged complaints with various authorities and requested non-disclosure of their identities to the parties complained against. The Commissioner found that in some of these cases, where anonymity did not affect the effective and fair handling of the complaint in question, the request would, in the Commissioner’s view, have the effect of limiting the purposes of use for which the identity data in question was collected, so that its disclosure to the party complained against might amount to contravention of DPP3(1). 7.19 In AAB No. 4/2010, a resident was dissatisfied with the management of her residential complex and filed numerous complaints. She wrote to the members of the Incorporated Owners and asked for individual responses. The letters were subsequently passed on to the management office for reply. The appeal related to whether there was a breach of DPP3 by the Incorporated Owners as a result of the transfer of the letters. The bone of contention was the declaration made by the complainant at the end of her letters sent to the Incorporated Owners, which stated that her letters should not be passed on to the management office. Upon examination of the declaration, the AAB found that it was a “request” and should not be interpreted as a “prohibition” against the disclosure of the letters to the management office. The AAB accepted that the appointment of a management company to handle enquires or complaints made by owners and other related persons was very common and was based on valid legal grounds, i.e. the power conferred upon the Incorporated Owners under the Building Management Ordinance (Cap 344). Therefore, the AAB found

117

07_Data Protection.indd 117

2016/6/27 1:59:22 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

that there was no prima facie evidence of contravention on the part of the Incorporated Owners or its individual members. 7.20 In AAB No. 41/2006, the complainant complained to the management company about the detection of a foul smell along the corridor outside her flat. The management company reported the matter to the police for investigation. Later, the complainant lodged a complaint against the management company for, contrary to a prior agreement, disclosing her personal data, including her name, address and contact telephone number, to the police without her consent. The AAB ruled that when the management company provided the complainant’s personal data to the police upon request, the management company was using the complainant’s personal data for a purpose directly related to the purpose for which her data was collected in the first place (i.e. for investigation of the complaint of foul smell). Accordingly, the AAB found that there was no contravention of DPP3.122 7.21 Generally, when a data subject has imposed a condition on the data user to keep his personal data confidential, the most prudent practice is for the data user to obtain the data subject’s prior consent before disclosing his personal data to a third party, and to inform the data subject of the consequences of him failing to provide such consent (e.g. inability to effectively deal with a complaint lodged by the data subject). It is worth noting that the potential opportunity for a data subject to expressly stipulate the purposes of use in relation to his personal data, exists only on or before the collection of the data. It is generally not open to a data subject, whose personal data has already been collected or even used by a data user, to unilaterally introduce thereafter any restriction on or modification to the purposes of use. 7.22 For personal data that is intended by the data subject to be held by the data user in confidence, the mere fact that there might exist a duty of confidentiality

122. The AAB went on to examine the application of section 58(2)(a) to exempt from DPP3 the use of the data for a purpose under section 58(1)(a), i.e. the prevention or detection of crime. The complaint to the management company related to one of the acts of deliberate nuisance committed by some unidentified person or persons. In order to properly investigate the complaint, the police needed the basic information, including the complainant’s name, address and telephone number. The AAB found that the use of the data was for a purpose falling within the scope of section 58(1) and hence exempted from the requirements of DPP3.

118

07_Data Protection.indd 118

2016/6/27 1:59:22 PM

Chapter 7. Data Protection Principle 3

does not thereby necessarily render the disclosure by the data user a breach of DPP3(1). The tenet is the purpose of disclosure. A complainant in his complaint to the Commissioner alleged that his employer had wrongfully disclosed the fact that he was subject to disciplinary proceedings (which he claimed to be a confidential matter) to his doctor when requesting a medical certificate as to his mental and physical fitness to attend the proceedings. The evidence supplied showed that the disciplinary proceedings had been postponed several times as a result of his production of sick leave certificates. The Commissioner found that the personal data was collected for deciding the employment matter of the complainant and the disclosure of such disciplinary proceedings to his doctor for certifying his fitness to attend the proceedings was, in the circumstances of the case, proper as it was for the same or directly related purpose under DPP3. This view was, on appeal by the complainant, upheld by the AAB in AAB No. 26/2004.

Transferring Personal Data between Data Users 7.23 Sometimes, personal data is transferred by a data user (“the transferor”) to another data user (“the recipient”). Such transfers of personal data must comply with DPP3(1), i.e. if the transfer amounts to a new purpose, prescribed consent must be obtained from the data subject unless it falls within one of the exemptions under the Ordinance.123 However, transferors should exercise caution when seeking to rely on an exemption under the Ordinance as the basis for transferring personal data without obtaining the data subjects’ prescribed consent pursuant to DPP3(1). 7.24 The transferor may also specify to the recipient the purpose for providing the personal data to it in order to avoid misuse. Once so specified, any future use of the data by the recipient will be restricted under DPP3(1). However, there are cases where the transferor does not stipulate any purpose of use. The purpose of collection will then have to be ascertained by considering the circumstances of the case. In case of doubt, it is prudent practice for the recipient to seek the prescribed consent of the data subject before making further use of his personal data.

123. Part 8 of the Ordinance.

119

07_Data Protection.indd 119

2016/6/27 1:59:22 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Personal Data Collected from the Public Domain 7.25 A common misconception is that personal data collected from the public domain (for example, from a public register) or which is made publicly available (for example, from the internet), is free to be used for whatever purpose the data user wishes. However, the Ordinance does not differentiate or exempt from its application personal data collected or made available in the public domain. With a view to assisting data users to comply with the requirements under the Ordinance in using personal data obtained from the public domain, the Commissioner published a Guidance Note on the Use of Personal Data Obtained from the Public Domain in August 2013 (“Guidance Note”).124 The Guidance Note stresses that a data subject’s personal data that can be obtained from the public domain should not be taken to mean that the data subject has given blanket consent for re-use of his personal data for whatever purposes. The Guidance Note highlights the relevant factors to be considered in assessing the permitted purposes of use of the personal data. These factors include: • ascertaining the original purpose for which the personal data was placed in the public domain; • the restrictions, if any, imposed by the data user who made the data available on the public domain; and • the reasonable expectation of the personal data privacy of the data subjects. 7.26 The tests to be applied are: whether the intended reuse of the data falls within the scope of the original purpose of collection; and if not, or if the original purpose is not clear, whether a reasonable person in the data subject’s situation would find the reuse of the data unexpected, inappropriate or otherwise objectionable. 7.27 Data users should note that the use of personal data kept in public registers is governed by the terms and conditions prescribed by the operators of the

124. See Guidance Note on the Use of Personal Data Obtained from the Public Domain, available on the Website.

120

07_Data Protection.indd 120

2016/6/27 1:59:22 PM

Chapter 7. Data Protection Principle 3

registers or the relevant ordinances establishing such registers.125 Some public registers have specified the purposes for which the personal data is held or may be used. Certain public records may expressly restrict the purposes for which the information, including the personal data, contained in the records may be used, including in relation to direct marketing. Where the lawful perimeters for making further use of the data so obtained are defined or inferred, the subsequent data user will be liable and accountable for any misuse or improper use of the personal data. If there is no such stated purpose, the Commissioner may consider the underlying legal principles, statutory requirements and the reasonable expectation of the data subjects on the further use of their publicly disclosed data. 7.28 For instance, in a case that came before the Commissioner, a data user had subscribed for the provision of an online bulk service for public records from a public registry, which contained personal data of third parties. The subscription contract with the public registry contained provisions stipulating that the information obtained should not be sold for the purpose of commercial gain. The data user subsequently developed and explored new search engines enabling name searches to be undertaken by its own subscribers. The act was viewed as a change in the purpose of use in contravention of DPP3. Sometimes, the purpose of use is spelt out in the enabling legislation126 and sanctions may be imposed for improper use of the personal data.127 The purpose statement may serve to define or limit the scope of lawful uses to be applied by the data user to the personal data obtained from the public registry.

125. In July 2015, the Commissioner published a survey report on the protection of personal data contained in ten commonly-used public registers, namely Bankruptcy Register, Births Register, Business Register, Companies Register, Land Register, Marriage Register, Register of Notice of Intended Marriage, SFC Register of Licensed Persons, Register of Vehicles and Register of Electors. The survey report containing recommendations on safeguarding personal data contained in the registers, available on the Website. 126. For example, section 136(4) of the Securities and Futures Ordinance, Cap 571 stipulates that the purposes of the register of licensed persons and registered institutions available for public inspection are to enable members of the public to ascertain whether he is dealing with a licensed person or a registered institution in matters connected with any regulated activity, etc. 127. See, for example, section 22(3) of the Electoral Affairs Commission (Registration of Electors)(Legislative Council Geographical Constituencies)(District Council Constituencies) Regulation, Cap 541A for sanctions imposed for improper use of information obtained from the voters’ register.

121

07_Data Protection.indd 121

2016/6/27 1:59:22 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7.29 Another illustration of the Commissioner’s position in this regard may be found in the investigation report published in respect of a smartphone application (“app”) which enabled users to search for a person’s litigation, bankruptcy and company director’s data. The personal data made available through the app had been compiled by the data user from data obtained from various public registries and websites, including those maintained by the Judiciary, the Companies Registry and the Official Receiver’s Office. In deciding whether the disclosure of such data through the app contravened DPP3, the Commissioner first considered the original purpose of making the complainants’ data publicly available by the Judiciary, the Companies Registry and the Official Receiver’s Office: •

Criminal litigation information: the Daily Cause List posted up in the Courts and Judiciary website clearly states that the information therein is to facilitate witnesses, defendants and/or related persons to attend the designated Court at the scheduled time. Furthermore, the Judiciary will remove the hard copies posted up the day following the conclusion of the trial while electronic copies will be removed after three days.

•

Civil litigation information: the Cause Books, writ of summons and judgments are made publicly available by the Judiciary in accordance with the relevant ordinances and the principle of open justice. While members of the public may use the parties’ names or other keywords to search relevant judgments uploaded on the website of the Judiciary, they can only use the proceedings numbers or Court document filing dates (but not the parties’ names or HKID numbers) as search criteria to retrieve the writ of summons or the basic information128 of a particular case as recorded in the Cause Books.

•

Bankruptcy information: the main purpose of the Official Receiver’s Office in publishing the bankruptcy orders in the Gazette and maintaining a public register is to inform the public that the named

128. The information recorded in the Cause Books includes action number, name of the solicitor taking out the writ, plaintiff’s name, defendant’s name, claim nature and claim amount.

122

07_Data Protection.indd 122

2016/6/27 1:59:22 PM

Chapter 7. Data Protection Principle 3

person was bankrupt and all related debts should be paid to the trustee to settle the debts of the bankrupt. Furthermore, the register was maintained for handling bankruptcy cases. •



Annual returns of company: the main purpose for which the Companies Registry makes available the company registration information is to enable members of the public to authenticate, when dealing with a company, the identity of the person holding himself as the director or other officer of the company. The terms and conditions of the search services of the Companies Registry stipulate that users of the services undertake not to sell the data and documentation provided by the services in any form or make copies of the documentation from which products may be derived for resale without the prior written consent of the Registrar of Companies.

The Commissioner was of the view that the disclosure of the litigation, bankruptcy and company directors’ data of the complainants through the app had exceeded their reasonable expectation regarding how such information in the public domain would be used. It was not consistent with or directly related to the purposes of collection, or the purposes for which the data was originally made publicly available by the Judiciary, the Official Receiver’s Office and the Companies Registry. Hence, the data user who compiled the database for access by users of the app was found to have contravened DPP3.129

7.30 In AAB No.54/2014, the AAB affirmed the Commissioner’s decision that the appellant had breached DPP3 by revealing the complainant’s name in three hyperlinks on the appellant’s website connecting to three anonymised judgments in the Legal Reference System of the Judiciary’s website. These judgments concerning the complainant’s divorce proceedings handed down in open Court were originally made available by the Judiciary on its website. In 2010 and 2012, the Judiciary replaced the original judgments in the Legal Reference System with the parties’ names anonymised at the complainant’s

129. Details of the Commissioner’s findings can be found in the Investigation Report No. R13-9744, available on the Website.

123

07_Data Protection.indd 123

2016/6/27 1:59:22 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

request. It transpired that when one subsequently entered the complainant’s name in the “search people” box of a website called “Webb-site”, it would still lead to a page showing the complainant’s information. The appellant’s website is a database platform providing online access to information relating to the directors of Hong Kong listed companies, members of public statutory and advisory boards, licensees under the licensing regime of the Securities and Futures Commission, etc. Particularly, there were three hyperlinks with the judgments’ titles (referring to the names of the complainant and her former husband) on the page. By clicking on the hyperlinks, one would be taken to the three anonymised judgments in the Legal Reference System, thereby revealing the complainant’s identity. 7.31 In the above case, the AAB considered that in subsection (4) of DPP3, the phrase “the purpose for which the data was to be used at the time of the collection of the data” refers to the purpose for which the data was originally collected. In this case, such original purpose would refer to the purpose of the Judiciary as the data user who first collected the relevant data. The AAB did not accept that the purpose of the appellant (the operator of Webb-site) for using the complainant’s personal data (i.e. reporting and publication for general use) can be said to be consistent with the Judiciary’s purposes of publishing the judgments (i.e. to enable their judgments to serve as “legal precedents on points of laws, practice and procedure of the Courts and of public interests”). There was nothing to suggest that the appellant’s purpose was in any way related to law. As the appellant used the relevant personal data for a “new purpose”, the Commissioner was correct in concluding that the appellant had contravened DPP 3. The AAB rejected the appellant’s contention that such application of DPP3 to restrict the repetition of public domain personal data was in violation of the principle of freedom of press and expression as enshrined under the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China and the Bill of Rights Ordinance (Cap 383).The AAB ruled that it was not unreasonable for the Commissioner to come to a decision in favour of protecting the personal data of the complainant in the three edited judgments. 7.32 In AAB No.25/2009, three career representatives of an insurance company made cold calls to a civil servant using the name and office telephone number obtained from the telephone directory of the Hong Kong

124

07_Data Protection.indd 124

2016/6/27 1:59:22 PM

Chapter 7. Data Protection Principle 3

Government accessible through its website, which had a use restriction clause stating that: • the information was not intended for direct marketing activities, or for the dissemination or circulation of unsolicited publicity or advertising materials; • advertisers should not use the information to promote their products or services; and • the information contained therein should not be transferred for commercial gain.

The Commissioner was of the view that since the restriction clause had made clear that the data obtained from the website could be used only for the facilitation of official communication with the complainant and not for direct marketing, the three career representatives had contravened DPP3. As the principal of the three career representatives, the insurance company was also found liable by reason of section 65 of the Ordinance.

7.33 In another investigation130 carried out by the Commissioner, the personal particulars of registered vehicle owners obtained from the public register of the Transport Department, had been used by a management company for the purposes of promoting monthly parking privileges. In his findings, the Commissioner gave due consideration to the following matters: •

the purpose of establishing the Register of Motor Vehicles stated in the enabling legislation was “to provide for the regulation of road traffic and the use of vehicles and roads (including private roads) and for other purposes connected therewith”;

•

the use of the personal data as stated in the search records was confined to transport and traffic matters and did not include the use of the personal data for commercial benefits; and

130. See Investigation Report No. R12-3428, available on the Website.

125

07_Data Protection.indd 125

2016/6/27 1:59:22 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

•



the complainant’s reasonable privacy expectation when providing his personal data to the Transport Department did not extend to cover the use of his personal data in direct marketing.

Since the use of the personal particulars of the complainant in question for direct marketing was entirely unrelated to transport and traffic matters, the Commissioner found the act in question a contravention of DPP3.

Purposes Directly Related to the Original Purpose of Collection 7.34 DPP3(4)(b) allows personal data to be used for a purpose directly related to the original purpose of collection. This makes sense as in many cases not all purposes of use of personal data can be definitively stated on or before the collection of the personal data by the data user. The concept of “directly related purpose” is of great practical significance, without which the use of personal data for various incidental and innocuous purposes by the data user may be hampered. 7.35 In assessing whether the act in question is done for a “directly related purpose” and thus covered by DPP3(4)(b), the Commissioner will take into account factors such as: • the nature of the transaction giving rise to the need to use the personal data; and • the reasonable expectation of the data subject. 7.36 The need of the transaction in question is regarded as relevant because one would expect that a data subject provides his personal data in order to enable or facilitate the transaction with the data user. It would therefore be within the reasonable contemplation of the data subject that the use of his personal data will consist of all such uses as would be necessary to effect the intended transaction. In AAB No. 24/2009, the complainant was named as a referee by his son in a loan application which was submitted to an intermediary for the approval of the loan by a finance company. The complainant complained to the Commissioner against the disclosure of his personal data by the intermediary to the finance company. Having considered the nature

126

07_Data Protection.indd 126

2016/6/27 1:59:22 PM

Chapter 7. Data Protection Principle 3

of the transaction, the Commissioner took the view that the disclosure of the referee’s personal data to the finance company was for a directly related purpose, i.e. for processing the loan application and hence was consistent with DPP3. The decision of the Commissioner was upheld by the AAB. 7.37 In another appeal AAB No.46/2014, a salaried partner of a law firm complained against the equity partners of supplying his personal data to a credit provider in a loan application for the law firm as the borrower. The complainant maintained that he was not made a borrower or guarantor personally in the application and hence his signature was not required. The AAB accepted and agreed with the Commissioner that the relevant personal data was provided by the equity partners to the credit provider for the purpose of verifying the complainant’s identity as one of the partners of the law firm in order to satisfy the due diligence measures under the AntiMoney Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (Cap 615); and therefore, such purpose was directly related to the original collection purpose, i.e. for the legitimate purpose of verifying the identity of the partners of the law firm. 7.38 In commercial transactions, relating to services, such as the hire purchase or credit sale of goods, the provision of banking or financial services, the provision of utility or telecommunications services, etc., service providers have a legitimate interest to ensure the full and prompt settlement of all sums due and owed by the party to the transactions for services rendered. Hence, it is generally viewed that debt collection is a directly related purpose for the provision of the paid services and the creditor may transfer the personal data of the debtor to the debt collection agent or its solicitors to take recovery action.131 7.39 However, pursuant to DPP1(3), service providers must ensure that the data subject was informed on or before the collection of his personal data that his personal data may be transferred to a debt collection agent (see paragraph 5.83 above).

131. In AAB No. 19/1999, the AAB decided that there was no change in the purpose of use of the customer’s personal data by a telecommunications company in passing the data to a debt collection agent to pursue a debt owed by the customer.

127

07_Data Protection.indd 127

2016/6/27 1:59:23 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7.40 In another case of AAB No. 39/2006, the complaint concerned a credit provider for having transferred the complainant’s personal data to a debt collector, who subsequently disclosed the personal data in a public place in the course of collecting a debt owed by the son of the complainant. The Commissioner found that the personal data of the complainant had been provided to the credit provider in a loan application form as a family member of the son and in the capacity of referee when the son applied for a loan from the credit provider. The credit provider explained to the Commissioner that the application form was prepared by its agent and it did not require the personal data of the family members of a loan applicant at all. When it passed the loan application form to the debt collector for recovery of the son’s debt, the complainant’s personal data was not intended to be used by the debt collector. The AAB came to the view that the credit provider should have withheld the personal data of the complainant from the debt collector since it was not intended to be used by the debt collector. As the credit provider had disclosed the complainant’s personal data to the debt collector, the credit provider had contravened DPP3. 7.41 In the field of human resources management, employees’ personal data is collected for human resources purposes, such as promotion or renewal of contracts or termination of employment, etc. Examples of the use of employees’ personal data by employers for directly related purposes include: the disclosure to Mandatory Provident Fund providers for administering the MPF scheme; integrity checking warranted by the inherent nature and needs of the job; enrolling an employee in a medical insurance plan; conducting disciplinary proceedings or compiling performance appraisal reports. In a complaint that came before the Commissioner, the complainant contended that her employer was wrong in disclosing her medical records to the Medical Board convened for the purpose of determining her fitness for employment. The Commissioner found that the disclosure of her medical records was necessary for the purpose of the Board’s hearing and hence were directly related to her employment under DPP3. Not satisfied with the finding of no contravention, the complainant appealed to the AAB. The appeal was subsequently dismissed.132

132. AAB No. 17/2002. In the course of hearing the evidence, it emerged that the complainant did in fact give her written consent to the disclosure of her medical records to the Medical Board. In another AAB case, AAB No. 11/2004, an educational institution’s disclosure of the evaluation questionnaire on a staff member completed by students to an academic committee for the staff assessment review was held to be a directly related purpose in the circumstances of the case.

128

07_Data Protection.indd 128

2016/6/27 1:59:23 PM

Chapter 7. Data Protection Principle 3

7.42 In some circumstances, an authority or organisation who receives a complaint may find it necessary to disclose the details (including personal data of the complainant) to the person being complained against for the purpose of investigating the complaint. In AAB No. 33/2012, the AAB pointed out that when a person is faced with a serious accusation of having committed a criminal offence, and where the credibility of his accuser is crucial to the law enforcer’s decision as to whether or not to launch a criminal prosecution, it is only fair that the accused person be informed of the identity of his accuser, so that he may respond to the accusation and explain why the accusation should not be pursued. The disclosure of the accuser’s identity in that case was considered important and desirable for the purpose of conducting a fair and proper investigation, and thus there was no contravention of DPP3. Similar decisions were reached by the AAB in AAB No. 8/2014 and AAB No. 1/2015.133 Both cases involved the disclosure of complaint details received by an organisation to the person being complained against for the purposes of resolving the disputes or investigating the complaint. In each case, the AAB considered the circumstances of the cases and decided that such disclosure was directly related to the original purpose for which personal data contained in the complaint was collected. However, it should be assumed that the identity of an informant should or may be disclosed to the accused person by the investigating authority or organisation in every case. There may well be statutory provisions or common law principles which prohibit such disclosure. The relevant data user should always observe the requirements under DPP3 (unless an exemption applies) and consider if the disclosure would be justifiable in the circumstances.

Data User to Avoid Disclosing Unnecessary and Excessive Personal Data 7.43 Notwithstanding that there may be legitimate purpose(s) for transferring personal data to a third party, care should be taken to ensure that the amount and the kind of personal data used are necessary for attaining such a purpose. For instance, the transfer of a copy of the identity card of a debtor by a creditor to debt collection agents may not be necessary for the purpose of debt recovery and as such may contravene DPP3(1). The provision of the address and contact data of a debtor would generally suffice for the purposes of locating and contacting the debtor.

133. See also paragraph 12.47

129

07_Data Protection.indd 129

2016/6/27 1:59:23 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7.44 Any excessive disclosure of personal data not necessary for the purpose of use will risk contravening DPP3, in particular where such personal data is made public and the damage that is likely to occur to a data subject upon wrongful disclosure may be significant, having regard to the nature and the type of personal data involved. Sometimes the extent of disclosure may exceed the reasonable privacy expectation of the data subject, and thus might become the subject of a potential dispute. 7.45 This principle of non-disclosure of unnecessary and excessive data can be illustrated in the self-initiated investigation by the Commissioner against employment agencies for domestic helpers.134 Having considered the unique job nature of foreign domestic helpers who must reside in their employers’ residence and who have to interact intimately with the employers’ family, the Commissioner accepted that the posting on an employment agencies’ websites of job applicants’ photographs and background information (including their build, age, work experience, education level, nationality, habits (e.g. smoker or not), religion, marital status, number of children, number of siblings and the applicants’ ranking among them) will facilitate initial screening by prospective employers. However, the disclosure of the name, address and passport/HKID number of the applicants and the personal data of their family members and past employers was unnecessary and excessive. The Commissioner commented that, unlike presenting the job applicant’s profile to the prospective employer in person when the latter visits the agencies’ offices, the display of the job applicant’s personal data online is subject to unrestricted access by unidentified third parties, who may copy the data, retain the data permanently, integrate or correlate the data with other fragmented data of the same person from different sources. The possible secondary use of such data is beyond a person’s anticipation or comprehension and definitely very difficult to control. 7.46 The extent of disclosure of personal data was also considered in a complaint handled by the Commissioner. A government department collected a witness statement for the purpose of prosecuting an offender and the standard form witness statement contained the personal particulars of the witness, such as

134. See Investigation Report No.R14-1382, available on the Website.

130

07_Data Protection.indd 130

2016/6/27 1:59:23 PM

Chapter 7. Data Protection Principle 3

his name, address, HKID number, date of birth and place of employment, etc. The department furnished the unedited version of the witness statement in its entirety to the defendant. While it was accepted that the disclosure of the contents of the statement made by the witness to the defendant was necessary for the defendant to answer the charge, the disclosure of such personal particulars of the witness, such as his HKID number, address, date of birth and place of employment, was not justified in the circumstances of the case. Based upon the findings of the Commissioner, the government department concerned agreed to revise its operation manual so that unnecessary personal particulars of the witness would be redacted before the witness statement was sent to other parties to the proceedings.135 7.47 A data user’s obligation to ensure that only necessary and relevant personal data should be used or disclosed is best illustrated in the various scenarios of handling property owners or occupiers’ personal data by property management companies and owners corporations136 discussed below. 7.48 A management committee is required by law137 to display a notice concerning particulars of the legal proceedings to which the owners’ corporation is a party in a prominent place in the relevant building. It is generally sufficient for the capacity of the parties (rather than their names), the case number, the forum of the case, the nature of the case and the amount claimed or remedies sought under the Court action to be disclosed in such notice.138 7.49 The AAB considered the public display of letters/notices in building management in two other cases. In AAB No. 10/2006, an open letter addressed to the complainant inviting her to attend an owners’ meeting to

135. A similar approach was adopted in Wong Kar Gee Mimi v Hung Kin Sang Raymond & another [2011] 5 HKLRD 241, which is a case concerning the making of an application for inspection by a shareholder of a company on various documents. The Court granted the application and under the proper purpose requirement, the applicant was entitled to inspect the payroll records of the employees which were confined to the names and the amount of the employees’ salary. Other personal data, i.e. the addresses, telephone numbers, HKID numbers, email details and bank account details of the employees had to be blanked out. 136. See Guidance on Property Management Practices issued by the Commissioner, available on the Website. 137. Section 26A of the Building Management Ordinance, Cap 344, Laws of Hong Kong 138. Reference can be made to A Guide on Building Management Ordinance (Cap 344) issued by the Home Affairs Department.

131

07_Data Protection.indd 131

2016/6/27 1:59:23 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

discuss two pending litigations between the Owners’ Corporation and the complainant was posted up at the lift lobbies of the estate. Such public display of the letter was ruled by the AAB to be unnecessary and have contravened DPP3 since the letter was also sent to the mailboxes of the residents concerned. Similarly, in AAB 18/2014, the Incorporated Owners of an estate disclosed the appellant’s name and address in a letter posted on the notice board of the estate and circulated it to all residents of the estate. It was found by the AAB that disclosure of such data was not necessary for the purpose of rebutting the allegations raised by the appellant against the management committee of the Incorporated Owners in respect of its handling of the repair work of the estate. 7.50 In AAB No. 13/2011, in response to a query raised at the owners’ meeting by a resident as to why there were police vehicles frequently entering the estate, the chairman read out an incident report. The complainant’s surname, gender and address were disclosed in relation to her complaint made to the police against another resident for using the car park for washing and repairing vehicles, thereby causing a nuisance. The AAB took the view that the chairman’s act went beyond what was reasonably required for the effective or efficient management of the estate. In discharging his duty as chairman of the committee to answer a query from one of the residents, he could have simply stated that a resident of the estate had made a complaint to the police about a nuisance caused by another resident without disclosing any of the complainant’s personal data. The AAB found that the motive of the chairman in this case was relevant in deciding whether there was contravention of DPP3. 7.51 It can be seen from the above cases that although property management bodies are charged with the duty to keep the owners informed about the management affairs which affect their interests, they have to carefully consider and assess the necessity and extent of the data disclosed about an individual, in particular when sensitive personal data is involved. Information of an individual which is not necessary for the purpose of the disclosure should be redacted or omitted from the document wherever practicable before public display.

132

07_Data Protection.indd 132

2016/6/27 1:59:23 PM

Chapter 7. Data Protection Principle 3

Is Sale of Personal Data a Directly Related Purpose of Use? 7.52 In this electronic age, it is easy and inexpensive for large quantities of personal data to be collected, amassed and commercially exploited, e.g. for use in direct marketing. The proliferation of the use of personal data by data users for gain has raised grave privacy concerns. Unlike other commodities, personal data can often be used without the knowledge of the data subjects. 7.53 The provision of personal data by a data user to another party for monetary gain was examined in AAB No. 38/2009. The case concerned the transfer of the personal data of a credit card account holder by the bank to an insurance company for promoting the insurance products of the latter and in return, the bank received monetary gain. In upholding the Commissioner’s finding that such use of the personal data contravened DPP3, the chairman of the AAB made the following comments: …We failed to see how such kind of commercial activity is something that [the customer] can be said to have already given her prescribed consent …. Such use of [the customer’s] data is not the purpose for which it was first collected and its use by the Bank cannot be said to relate directly to the original purpose the data was collected, namely, the purpose was quite simply the application for a credit card and vetting of the applicant for the purpose of considering the application.

7.54 The Octopus Card case is the landmark case handled by the Commissioner prior to the Amendment Ordinance relating to the transfer of customers’ personal data by Octopus Rewards Limited (“ORL”) to third parties for gain.139 In this case, ORL entered into contracts with its business partners, including insurance companies and market research companies, for the sharing of Octopus card members’ personal data. Monetary benefits, in the form of set up fees, bonuses and commissions were received in return. The transactions in essence involved the sale of personal data.

139. See also paragraphs 5.18, 5.73, 5.80 and 5.85 in Chapter 5 for discussion on this case.

133

07_Data Protection.indd 133

2016/6/27 1:59:23 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7.55 Although the sale of personal data by ORL was not, per se, an act prohibited under the Ordinance, the Commissioner took the view that it could not be regarded as the original purpose or a directly related purpose of the collection of customers’ personal data. The members would have expected the Octopus Rewards Programme to operate as a customer loyalty scheme but not as an arrangement for ORL to sell their personal data. The sale of personal data was not stated in the Terms and Conditions of the Programme and members’ signatures to the application form could not be construed as consent for the sale of personal data. For these reasons, ORL was found to have contravened DPP3. 7.56 In another case involving a bank’s provision of personal data of its credit card account customers to an insurance company for promotion of its insurance products, the insurance company had to pay a list rental fee to the bank and if the customers purchased any product, the insurance company had to pay the bank a service fee. The Commissioner considered that the bank’s action was in substance a sale of customers’ personal data to the insurance company, which fell outside the reasonable expectation of the customers. The bank was therefore found to have contravened DPP3 in disclosing the personal data for obtaining benefit.140 7.57 In another complaint handled by the Commissioner, telemarketers collected personal data from targeted customers over the telephone by “offering” them free medical check-ups, and then passed such data to an insurance broker for use in direct marketing. The so-called “administration fee” received by the telemarketers from the insurance broker was not a cost recovery charge based on the number of promotional calls made, but in effect the monetary reward for the provision of personal data. The Commissioner considered that the true purpose of the offer of free medical check-ups by the telemarketers was to entice target customers to provide their personal data for sale in bulk to the insurance broker. The Commissioner found that neither the transfer of the complainants’ personal data to the insurance broker by the telemarketers nor the subsequent use of their personal data

140. See also Investigation Report No. R11-1745 for similar views expressed by the Commissioner, available on the Website. In 2014, the Commissioner published the Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry providing guidance on the requirements under the Ordinance, which can also be downloaded from the Website.

134

07_Data Protection.indd 134

2016/6/27 1:59:23 PM

Chapter 7. Data Protection Principle 3

by the insurance broker for direct marketing fell within the stated purpose of use when the data was collected, or the reasonable expectation of the complainants. In the absence of the complainants’ prescribed consent, both the telemarketers and insurance broker had contravened DPP3.141 7.58 The impact of the misuse and sale of personal data for direct marketing purposes (as shown in particular in the Octopus Card case) on privacy prompted the government to tackle this issue of public concern by strengthening the regulatory framework of the Ordinance. The new requirements on the use of personal data in direct marketing under Part 6A of the Ordinance, as amended, became effective on 1 April 2013. More details about the new regulatory framework are provided in paragraphs 7.74 to 7.86 of this Chapter.

Prescribed Consent 7.59 When the use of personal data does not fall within the original purpose of collection or its directly related purpose, or where the data user is uncertain as to the proper use of the personal data, the prescribed consent from the data subject will have to be obtained to ensure compliance with DPP3(1), unless the exemption(s) set out in Part 8 of the Ordinance applies.142 The term “prescribed consent” is defined under section 2(3) of the Ordinance: (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent – (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).

141. See Investigation Report No. R13-1138, available on the Website. 142. For discussion of the Part 8 exemptions, readers may refer to Chapter 12.

135

07_Data Protection.indd 135

2016/6/27 1:59:23 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7.60 There are two important points to note regarding paragraph (a) of the above definition. First, prescribed consent has to be in an explicit form. In other words, no consent is to be implied by the data subject’s conduct, silence or omission. However, there is no requirement for such consent to be in writing,143 which means that it may be given orally. For the purpose of obtaining the best evidence, it would be helpful if the prescribed consent is in writing. 7.61 Prescribed consent should not be deemed to have been given merely by the fact that the data subject does not respond or object to the giving of such consent. In one complaint, an estate agent notified its client that he would automatically become a member of a club operated by the estate agent’s related company (which offered multifarious services other than estate agency services) if he failed to object. The client did not respond and as a result the estate agent transferred his personal data to the club. Since such transfer was not for a purpose directly related to the original purpose of collection, the prescribed consent of the data subject was needed. The Commissioner found that the non-response of the data subject could in no way be construed as consent expressly given within the meaning of “prescribed consent” and, for this reason, the estate agent was in breach of DPP3(1). 7.62 The other important point to note from section 2(3)(a) of the Ordinance is that prescribed consent must be “given voluntarily”. 7.63 It is trite law that “consent” obtained by misrepresentation or duress is no consent at all and thus cannot possibly amount to “prescribed consent”. The Commissioner considers that by including the element of voluntariness in section 2(3)(a), the legislature intends to impose a higher standard than merely the absence of misrepresentation or duress. 7.64 With this in mind, in ascertaining whether the consent is voluntarily given, the Commissioner would give due regard to factors such as disparity of

143. It should be noted that under Part 6A of the Ordinance, the term “consent” instead of “prescribed consent” is used. “Consent”, for the purpose of Part 6A relating to use of personal data in direct marketing, includes an indication of no objection from the data subject.

136

07_Data Protection.indd 136

2016/6/27 1:59:23 PM

Chapter 7. Data Protection Principle 3

bargaining powers and whether the data subject is in fact free to choose to give consent or otherwise, without fear of any adverse consequence. In this connection, “adverse consequence” may include, for example, the denial to the data subject of any benefit or any service (especially essential service) by the data user, or the termination of the data subject’s employment with the data user, if the data subject chooses not to give his consent. 7.65 Hence, a data subject may adduce contrary evidence to show that the consent purportedly given was not voluntary. The Commissioner will look at all the relevant evidence and circumstances of the case before deciding whether prescribed consent was indeed given by the data subject. 7.66 The manner in which a data user sought to obtain the data subject’s consent for use of his personal data for direct marketing was the subject of an investigation.144 In this case, the bank entered into an agreement with an insurance company to promote the insurance products of the latter. The bank transferred selected credit card customers’ personal data to the insurance company. According to the records from the opening of the accounts, the bank sought customers’ consent to disclose their personal data to any company (not necessarily members of the same group as the bank) for marketing purposes. The Commissioner noted that there was only one place for the account holder to sign in the account opening form. The bank had not given its customers a choice as to whether they agreed to the transfer of their personal data to an external company for marketing purposes. The consent given was “bundled” in such a way that the customer could not give consent to the terms and conditions relating to the application for the credit card service without also consenting to the use of his personal data in direct marketing. The Commissioner found, in the circumstances of the case, that no voluntary consent was obtained from the customers for the provision of their personal data to the insurance company for use in direct marketing. 7.67 It is also clear that under section 2(3)(b), prescribed consent does not include any consent which has been withdrawn by notice in writing served to the person to whom the consent had been given. However, for the avoidance of doubt, acts done pursuant to the consent before the notice

144. See Investigation Report No. R11-2853, available on the Website.

137

07_Data Protection.indd 137

2016/6/27 1:59:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

withdrawing such consent is served are not affected. Hence, it is noted that although prescribed consent is not statutorily required to be given in writing, written as opposed to verbal notice in withdrawing the consent is required under this provision for the purpose of clarity and ensuring there is no misunderstanding on the part of data users. 7.68 Sometimes the data subject does not have sufficient understanding of what is proposed to him for consent, owing to age or mental incapacity. In cases involving minors and persons with disabilities, consideration should be given as to whether the person has “sufficient understanding and intelligence”145 to enable him to fully understand what is proposed to him. This concern was addressed by the Amendment Ordinance with changes made to DPP3 permitting the giving of prescribed consent by a relevant person on behalf of a data subject in specific circumstances mentioned below.

Prescribed Consent Given by a Relevant Person 7.69 DPP3(2) was introduced by the Amendment Ordinance which provides as follows: (2) A relevant person in relation to a data subject may, on his or her behalf, give the prescribed consent required for using his or her personal data for a new purpose if – (a) the data subject is – (i) a minor; (ii) incapable of managing his or her own affairs; or (iii) mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap 136); (b) the data subject is incapable of understanding the new purpose and deciding whether to give the prescribed consent; and

145. This is a test derived from a UK Court decision in Gillick v West Norfolk and Wisbech Area Health Authority and Another [1986] AC 112.

138

07_Data Protection.indd 138

2016/6/27 1:59:24 PM

Chapter 7. Data Protection Principle 3

(c) the relevant person has reasonable grounds for believing that the use of the data for the new purpose is clearly in the interest of the data subject.

7.70 This legislative amendment aims to protect the vital interests of certain classes of vulnerable data subjects, particularly in connection with the provision of essential services, such as healthcare, education and social services. It also facilitates a data user to overcome the practical difficulty in obtaining the prescribed consent from those data subjects who are incapable of understanding the privacy impact of giving or withholding consent when their personal data is to be used for a new purpose. A relevant person may be in a better position to decide whether it is in the data subject’s interest to consent to the use of his personal data for a new purpose. 7.71 Who is a “relevant person” for the purpose of DPP3(2)? According to section 2(1) of the Ordinance, a relevant person in relation to an individual (howsoever the individual is described), means – (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a Court to manage those affairs; (c) where the individual is mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap 136) – (i) a person appointed under section 44A, 59O or 59Q of that Ordinance to be the guardian of that individual; or (ii) if the guardianship of that individual is vested in, or the functions of the appointed guardian are to be performed by, the Director of Social Welfare or any other person under section 44B(2A) or (2B) or 59T(1) or (2) of that Ordinance, the Director of Social Welfare or that other person.

7.72 As a further safeguard against abuse or misuse, DPP3(3) requires a data user to make necessary enquiries in order to form a reasonable belief that the

139

07_Data Protection.indd 139

2016/6/27 1:59:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

new purpose of use is clearly in the data subject’s interest. DPP3(3) provides as follows: (3) A data user must not use the personal data of a data subject for a new purpose even if the prescribed consent for so using that data has been given under subsection (2) by a relevant person, unless the data user has reasonable grounds for believing that the use of that data for the new purpose is clearly in the interest of the data subject.

7.73 Therefore, new privacy legislative safeguards have been built in to protect vulnerable data subjects. Firstly, the class of persons who can give prescribed consent on behalf of a data subject is limited to a “relevant person” as defined in section 2(1). Secondly, the relevant person must be satisfied that the new purpose of use of the data subject’s personal data is in the data subject’s interest. Lastly, the data user (not just the relevant person) must also reasonably believe that the use of the data subject’s personal data for the new purpose is clearly in the data subject’s interest, even if the relevant person has provided his consent. If any of the foregoing conditions are not met, the data subject’s personal data should not be used for a new purpose. It would be prudent for a data user to conduct an assessment on whether the new purpose of use is clearly in the interest of the data subject, rather than in the business interest of the data user. It is recommended as good practice for the data user to document the assessment process and record the factors that it has taken into account. The written assessment is useful for future reference in handling disputes which may arise.

Part 6A of the Ordinance: Consent for Use or Provision of Personal Data in Direct Marketing 7.74 Part 6A of the Ordinance (i.e. sections 35A to 35M), which took effect on 1 April 2013, contains provisions regulating the use and the provision for use of personal data in direct marketing.146

146. Section 34 of the Ordinance which regulated the use of personal data in direct marketing was repealed.

140

07_Data Protection.indd 140

2016/6/27 1:59:24 PM

Chapter 7. Data Protection Principle 3

7.75 A data user who intends to use or provide the personal data of a data subject to another person for use in direct marketing147 is required to inform the data subject of certain prescribed information and to provide the data subject with a response channel through which the data subject may indicate his consent.148 The specific information that the data user must inform the data subject of prior to obtaining his consent is further detailed in Chapter 5. 7.76 “Consent” is defined under section 35A(1) of the Ordinance as follows: consent, in relation to a use of personal data in direct marketing or a provision of personal data for use in direct marketing, includes an indication of no objection to the use or provision.



Whilst “consent” for the purpose of Part 6A is defined to include an “indication of no objection”, silence or no response will not constitute valid consent. The data subject must have explicitly indicated that he does not object to the use and/or transfer of his personal data to another person for the purposes of direct marketing.

7.77 One will readily notice that the term “consent” used in Part 6A is different from “prescribed consent” as used in DPP3(1) and the rest of the Ordinance. Sections 35H and 35M of the Ordinance expressly acknowledge the difference. Section 35H provides as follows: 35H. Despite section 2(3), where a data user requires, under data protection principle 3, the prescribed consent of a data subject for using any personal data of the data subject in direct marketing, the data user is to be taken to have obtained the consent if the data user has not contravened section 35C, 35E or 35G.

147. Part 6A does not apply in relation to the provision of personal data to another for use by that other person in offering or advertising the availability of social services run, subvented or subsidised by the Social Welfare Department, or healthcare services provided by the Hospital Authority, the Department of Health or any other social or healthcare services which, if not provided, is likely to cause serious physical or mental harm to the individual to whom the services are intended to be provided or any other individual, so long as such provision of personal data is not for gain (section 35I). 148. Sections 35C and 35J.

141

07_Data Protection.indd 141

2016/6/27 1:59:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



In short, section 35C stipulates the specified actions that must be taken by a data user before it uses personal data in direct marketing; section 35E prohibits a data user from using personal data without the data subject’s consent, and section 35G demands a data user cease using personal data in direct marketing if so required by the data subject. It must be stressed that the law does not prohibit the use of personal data in direct marketing but merely sets out what constitutes lawful direct marketing using personal data. So long as the data user complies with the requirements under those three provisions, it may use the personal data for direct marketing purposes lawfully.

7.78 A similar provision is found in section 35M of the Ordinance, which relates to the transfer of personal data from a data user to another for use by that other person in direct marketing. Section 35M provides as follows: 35M. Despite section 2(3), where a data user requires, under data protection principle 3, the prescribed consent of a data subject for providing any personal data of the data subject to another person for use in direct marketing, the data user is to be taken to have obtained the consent if the data user has not contravened section 35J, 35K or 35L.



Sections 35J, 35K and 35L stipulate the specified actions which must be taken by a data user before it can provide personal data to a third party for use in direct marketing, and that such provision of personal data should not be done unless it has obtained the data subject’s consent, and that the data user must stop providing the personal data to a third party for use in direct marketing if so required by the data subject.

7.79 If the data user intends to use the data subject’s personal data in direct marketing, the data user shall provide the data subject with the prescribed information149 either orally or in writing, the data subject’s reply to the data user indicating his consent or no objection may reciprocally be given either orally or in writing. If the consent or indication of no objection is given orally, the data user must, before using the personal data in direct marketing,

149. See paragraphs 5.99 and 5.100 of Chapter 5 on what “prescribed information” is required under the Ordinance.

142

07_Data Protection.indd 142

2016/6/27 1:59:24 PM

Chapter 7. Data Protection Principle 3

confirm in writing to the data subject within fourteen days from the date of receipt of the consent or indication of no objection the following: • the date of receipt of the consent or indication of no objection; • the permitted kind of personal data for use in direct marketing; and • the permitted class of marketing subjects150 for use in direct marketing. 7.80 However, where the data user intends to provide the data subject’s personal data (whether for gain or not) to another person for that person’s use in direct marketing, the data user must provide the prescribed information151 to the data subject in writing. Before the data user proceeds to provide the data, it must have received a reply in writing from the data subject indicating that the data subject consents or does not object to the data user doing so. 7.81 It is an offence for a data user to use or provide personal data to another person for use in direct marketing without taking the requisite actions or obtaining the data subject’s consent.152 On conviction, an offender is liable to a maximum fine of HK$500,000 and imprisonment for three years.153 If the non-compliance relates to the provision of personal data to another person for use in direct marketing for gain, the penalty level is raised to maximum fine of HK$1,000,000 and five years’ imprisonment.154

Consent and Use Regarding Pre-existing Data 7.82 The amended direct marketing requirements under Part 6A, which took effect on 1 April 2013, only have a prospective effect and do not generally

150. See also footnote 57 in Chapter 5 for the meaning of “marketing subjects”. 151. Section 35J(2). 152. Sections 35C(1) and 35E(1). 153. Sections 35C(5) and 35E(4). A storage service provider took over the business of another company and sent direct marketing email to a customer of that company without taking the specified actions as required under section 35C(1) and (2). On 14 September 2015, the storage service provider was convicted upon its guilty plea of the offence under section 35C(5) and was fined HK$10,000 (Case No. ESS 26904/2015). 154. Sections 35J(5) and 35K(4). In December 2015, a real estate agent was convicted, after trial, of his failure to take specified action and obtain the data subject's consent before providing his personal data to a third party for use in direct marketing. The real estate agent was fined HK$5,000 (Case No. ESS 24178/2015).

143

07_Data Protection.indd 143

2016/6/27 1:59:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

apply to personal data collected prior to 1 April 2013 (save in certain circumstances). Further details regarding this “grandfathering” arrangement are set out in paragraphs 5.103 to 5.105 of Chapter 5.

Data Subject Withdrawing Consent (Opt-out Right) under Part 6A 7.83 The Amendment Ordinance does not make changes to the duty of the data user to notify the data subject of his opt-out right. Under section 35F(1), a data user must, when using a data subject’s personal data in direct marketing for the first time, inform the data subject that the data user must, without charge to the data subject, cease using the data in direct marketing if the data subject so requires. A data user who fails to notify the data subject in accordance with section 35F(1) commits an offence. This obligation applies even if the personal data has been obtained by the data user from a third party, and not the data subject himself. 7.84 A data subject may require the data user to cease using or providing his personal data for direct marketing purposes, notwithstanding that he may have given his consent previously to the data user.155 He may also ask the data user to notify any person to whom his data has been so provided to cease using the data in direct marketing.156 Although there is no requirement under the Ordinance for the opt-out to be given by the data subject in writing (verbal indication of withdrawal of consent suffices), the Commissioner recommends that data subjects should make written opt-out requests to avoid any miscommunication or misunderstanding, and retain a copy of the written opt-out request for reference which may be called for in case of a future dispute. 7.85 A data user must, without charge to the data subject, comply with the optout request received from the data subject.157 Non-compliance is an offence and the data user is liable upon conviction to a fine up to HK$1,000,000 and imprisonment for five years if provision of the personal data is for gain and

155. Sections 35G(1) and 35L(1)(a). 156. Section 35L(1)(b). 157. Sections 35G(3) and 35L(3).

144

07_Data Protection.indd 144

2016/6/27 1:59:24 PM

Chapter 7. Data Protection Principle 3

in any other cases, a maximum fine of HK$500,000 and imprisonment for three years.158 When a request is received from a data subject requiring the data user to notify a person to cease using the data subject’s personal data in direct marketing, the Ordinance requires that the data user must so notify the person in writing.159 A person who receives such a written notification must cease using the personal data in direct marketing in accordance with the notification.160 7.86 For the purpose of facilitating compliance by the data users of the legal requirements under part 6A of the Ordinance, as amended, regulating the use and the provision of personal data in direct marketing, the Commissioner issued New Guidance on Direct Marketing.161 Practical advice with examples are given in this guidance note. An information leaflet, Exercising your Right of Consent to and Opt-Out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance162 was also issued by the Commissioner to assist data subjects in exercising their rights under the Ordinance.

158. Sections 35G(5) and 35L(6). On 9 September 2015, a telecommunications service provider was convicted, after trial, of failing to comply with the requirement from a data subject to cease using his personal data in direct marketing, contrary to section 35G(3), and was fined by the magistrate HK$30,000 (Case No. TWS 6311/2015). In this case, a staff member of the telecommunications services provider left a voice message through the mobile phone of the customer (who had already lodged an opt-out request in writing) informing him of the termination of his service contract and at the same time promoting their services to him. In November 2015, a body check service company was convicted of failure to comply with an opt-out request of its ex-customer, after pleading guilty to the charge. The company was fined HK$10,000 (Case No. TMS 10294/2015). 159. Section 35L(4). 160. Section 35L(5). 161. Available on the Website. 162. Available on the Website.

145

07_Data Protection.indd 145

2016/6/27 1:59:24 PM

07_Data Protection.indd 146

2016/6/27 1:59:24 PM

Chapter 8 Data Protection Principle 4

The main questions: • What are the general requirements regarding security of personal data under DPP4 and how are they applied? • What is the Commissioner’s practical advice to data users on data security in particular situations? • What are the data security issues for a data user when outsourcing the processing of personal data to a data processor?

The questions of security of personal data discussed in this Chapter concerning DPP4 have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1— Introduction, which contain important general information on using this Book.

08_Data Protection.indd 147

2016/6/27 1:59:31 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The General Requirements of DPP4 8.1

Data Protection Principle 4(1) provides as follows: Principle 4 – security of personal data (1) All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use having particular regard to – (a) the kind of data and the harm that could result if any of those things should occur; (b) the physical location where the data is stored; (c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; (d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (e) any measures taken for ensuring the secure transmission of the data.

8.2

“Practicable” is defined in section 2(1) to mean “reasonably practicable”. It follows that DPP4(1) does not require a data user to provide an absolute guarantee for the security of personal data held by it, but rather, only to take such steps as may be reasonably practicable in the circumstances, having regard to the matters mentioned in paragraphs (a) to (e). The word “loss” in DPP4(1) was added by the Amendment Ordinance to clarify that a data user is required to take similar security measures to also prevent loss of personal data.

8.3

Of the said paragraphs (a) to (e), the “harm test” covered by paragraph (a) is an important consideration. The security measures to be undertaken by the data user with respect to the data held should be proportionate to the degree of sensitivity of the data and the harm that may result from accidental or unauthorised access to such data. For example, in respect of the personal data held by a bank about its customers, DPP4 would require a higher

148

08_Data Protection.indd 148

2016/6/27 1:59:31 PM

Chapter 8. Data Protection Principle 4

degree of care in handling personal data such as the bank statements of its customers as opposed to direct marketing or promotional materials sent to customers. 8.4

With the increasing provision of online services for consumers, such as paying utility bills online, e-banking and online shopping, coupled with the increasing use of online services by data users to store or transmit personal data (e.g. cloud services), data users should take extra care to ensure system security and protection of their customers’ personal data, which is stored and transmitted online, from unauthorised or accidental access or alteration by, for example, computer hackers or unintended users.

8.5

Given the flexibility inherent in the drafting of “all reasonably practicable steps”, it is not surprising that the steps required of a data user may vary widely from case to case. Nevertheless, based on the Commissioner’s experience from cases he has handled regarding the application of DPP4, the following precautionary steps (without in any way limiting or affecting the Commissioner’s exercise of his powers according to the particular circumstances of each case) are generally accepted as examples of the appropriate measures that may be taken by data users in the situations listed below:

149

08_Data Protection.indd 149

2016/6/27 1:59:31 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

For paper documents containing personal data, data users may consider implementing the following security measures: Situation

Appropriate Steps

Storage of data in paper files

• keep files under lock and key or in a secure area • allow access only by authorised personnel on a need-toknow basis • shred files after use • have a clear-desk policy requiring employees to lock up sensitive papers when they are not working on them

Transmission of data by fax or mail

• use sealed envelopes • make sure no sensitive data (e.g. HKID number) is visible through the envelope window • mark mail “private and confidential” if intended for the eyes of the addressee only • make sure a dedicated fax machine, if available, is used at the receiving end • notify the recipient of the incoming fax in advance • double-check the accuracy of the fax number before dialing

163. See Law Society circulars 98-293 (issued on 2 November 1998) and 08-417 (issued on 21 July 2008).

150

08_Data Protection.indd 150

2016/6/27 1:59:31 PM

Chapter 8. Data Protection Principle 4

Situation

Appropriate Steps

Service of legal documents1

• deliver documents in sealed envelopes marked “private and confidential” and, where appropriate, “to be opened by addressee only” • do not leave documents in common areas or places to which any passers-by may have access • do not leave documents with unrelated parties such as neighbours or caretakers • do not show the documents to unrelated parties such as caretakers or passers-by • ensure correctness of the address for service • do not disclose contents of documents to unrelated parties for the purpose of obtaining an acknowledgement receipt of the documents (The above suggested steps are subject to any statutory requirements that may apply to the mode of service of particular documents.)

When handling personal data stored electronically, data users may consider implementing the following security measures: Situation

Appropriate Steps

Governance

• consider adopting privacy by design and privacy management programme to oversee data protection at corporate level • establish formal data protection and security organisation including defining roles and responsibility of individuals involved • integrate data protection and security into the human resource process including employment contract terms and ongoing data protection and security awareness training • carry out regular risk assessments in order to appraise the level of risk in a systematic way, and develop appropriate controls commensurate with the risk and the type of personal data held • develop compliance monitoring strategy and procedures

151

08_Data Protection.indd 151

2016/6/27 1:59:31 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Situation

Appropriate Steps

IT policy and controls

• develop managerial policies, guidelines and procedures to protect personal data stored electronically to ensure confidentiality and integrity of the data and accountability of those who handle it, including (where applicable): – information inventory and classification – physical and logical access control standards to personal data, applications, systems and network – data retention and erasure policies – acceptable use policy for IT facilities – engagement of contractors guidelines – data breach incident handling and notification procedures – encryption requirements, standards and password protection – mobile device management (including bring-yourown-device) strategy – use of social media by employees guidelines

152

08_Data Protection.indd 152

2016/6/27 1:59:31 PM

Chapter 8. Data Protection Principle 4

Situation

Appropriate Steps

IT operations

• develop operational policies, guidelines and procedures to protect personal data stored electronically to ensure confidentiality and integrity of the data and accountability of those who handle it, including (where applicable): – user access rights approval, management, assignment and removal procedures – password complexity, retry, reset and expiry guidelines to prevent passwords from being compromised – change control approval and management – segregation of production, testing and development environments policy – IT asset disposal and erasure standards to ensure no leakage of personal data – portable storage device use and protection – anti-malware strategy and execution – security patch and vulnerability management for software, computers and servers – end-point security and data loss prevention policies – wired and wireless network security and access control standards – logging and monitoring of systems, user and IT access procedures – data centre and equipment physical protection guidelines – backup strategy and protection policy164

164. If the file can be accessed through a URL, then even when there are no hyperlinks to the file, it can be searched and “published” by search engines.

153

08_Data Protection.indd 153

2016/6/27 1:59:31 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Suggested security measures when handling personal data by using various technologies: Situation

Appropriate Steps

Websites

• scan websites for common vulnerability before launch and thereafter at regular intervals • develop controls to prevent files containing personal data from being inadvertently stored on websites, even when they are not referred to by any hyperlinks • use adequate encryption and access control to avoid unauthorised interception, access or alteration • anonymise personal data displayed whenever possible • deploy adequate account protection: – develop proper controls over password complexity, retries, reset and periodic change to prevent passwords from being compromised – avoid the use of “obvious” default account names or passwords, such as data user’s HKID number, date of birth or telephone number – consider deploying two-factor authentication where the sensitivity of the personal data warrants a high degree of account protection • adopt, where applicable, the following additional technical safeguards: – install and configure properly firewall and/or intrusion detection/prevention systems to guard against intrusion – utilise three-tier architecture to isolate database servers from becoming directly accessible from the internet – conduct regular vulnerability or penetration assessments – never use easily predictable methods (such as using sequential or receipt numbers) in hyperlinks to retrieve personal data, so as to avoid unauthorised access by those who would guess the hyperlinks – disallow the storing of files containing personal data in webservers without adequate access control or encryption protection

154

08_Data Protection.indd 154

2016/6/27 1:59:31 PM

Chapter 8. Data Protection Principle 4

Situation

Appropriate Steps

Use of portable electronic storage devices (“PSD”)

• carry out risk assessments to determine an organisation’s real need in using PSDs • develop policies on the use, distribution and disposal of PSDs • limit and control the circumstances of downloading specific types and amount of personal data to certain types of PSDs under specific conditions by predefined users • apply proper access controls (both logical and physical) and/or encryption to protect personal data in PSDs when applicable

Bring your own device (“BYOD”)

• carry out risk assessments to determine an organisation’s real need in BYOD and its technical capability to manage it • develop BYOD policy to cover the following specific areas: – roles, responsibility and obligation of organisations and individual users – what criteria organisations would use to allow personal data to be accessible by/held in BYOD equipment – security measures to protect personal data collected and held by the organisation that is being accessed/ held by BYOD equipment – ways in which the personal data privacy of the BYOD owners (and those who use the BYOD equipment for personal use) may be respected • extend organisational retention, secondary use, security and data access/correction policies to cover personal data held in BYOD equipment where appropriate • periodically review and assess BYOD policy to keep up with technological development and business practice

155

08_Data Protection.indd 155

2016/6/27 1:59:31 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Situation

Appropriate Steps

Developing mobile apps

• deploy privacy by design approach to determine whether and what types of data should be accessed, collected, stored, shared and/or disclosed, and to provide transparent privacy policies to app users • use reliable and/or official versions of software development tools to guard against Trojan horses or backdoors for accessing the mobile device information by third parties • follow the industry’s best practice in secure coding to ensure its robustness; perform code review and testing of the mobile apps before launching them to check for bugs and any unintended access to information inconsistent with the design specifications • properly encrypt all information transmitted to and from the mobile apps to avoid interception • protect all information stored in back-end servers by access control and encryption • keep abreast of the latest changes and development of the mobile operating systems that may affect how apps behave

156

08_Data Protection.indd 156

2016/6/27 1:59:31 PM

Chapter 8. Data Protection Principle 4

Situation

Appropriate Steps

Cloud computing165

• conduct a privacy impact assessment before entrusting a cloud service provider to handle personal data that may be sensitive or confidential • check with the cloud service providers the locations/ jurisdictions where the data will be stored • specify the jurisdictions where personal data will be stored so that data subjects can ascertain the level of privacy protection that the jurisdiction will offer and under what circumstances law enforcement agencies will be allowed access to the stored data • check if the cloud service provider will subcontract the service to other contractors and find out whether the controls are comparable to the level imposed on the cloud service provider • find out and/or specify the contractual remedies in the event of data breach by the cloud service provider and its subcontractors • ask the cloud service provider to provide customised service with security measures commensurate with the sensitivity of the personal data entrusted • find out if there are any independent reviews, audits and certifications to show the privacy compliance standard of the cloud service providers, and understand the scope and limitation of such reviews, audits and certifications • impose contractual duty on cloud service providers (and their subcontractors where applicable) to notify data users of any data breach • impose contractual duty on cloud service providers to timely erase personal data and/or return the personal data to the data users upon completion/termination of contract

165. “Cloud computing” is generally referred to as a pool of on-demand, shared and configurable computing resources that can be rapidly provided to customers with minimal management efforts or service provider interaction. The cost model is usually based on usage and rental, without any capital outlay.

157

08_Data Protection.indd 157

2016/6/27 1:59:31 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Data Breaches 8.6

A data breach generally refers to a suspected or actual breach of data security concerning personal data held by a data user; the exposure of the data to the risk of loss, unauthorised or accidental access, processing, erasure or use (for example, the loss of electronic devices containing or storing personal data); the unauthorised access and transfer of personal data stored in a database by hackers; the improper disposal of documents containing personal data, etc. A data user may contravene the requirements under DPP4 if it fails to take all reasonably practicable steps to protect the safety of personal data.

8.7

Although it is not mandatory under the Ordinance for data users to report a data breach to the Commissioner or the relevant data subjects affected by the data breach, the Commissioner has issued a Guidance on Data Breach Handling and the Giving of Breach Notifications containing recommended steps to follow by the data users in the event of a data breach.166

8.8

Some data breaches committed by data users in different industries and handled by the Commissioner are highlighted below as examples of when data users may find themselves in breach of DPP4(1). These examples are set out to assist data users in preparing their own security polices and safeguarding measures. Data users should carry out their own due diligence exercise to ensure that they identify potential risks and circumstances that may lead to unauthorised or accidental access, processing, erasure, loss or use of personal data, and to take reasonably practicable steps and implement appropriate security measures to minimise such risks. Some sectors, such as the financial sector, have their own security requirements imposed on them by the relevant regulatory bodies (e.g. the Hong Kong Monetary Authority). Data users are responsible for ensuring that they comply with any such requirements in addition to their compliance with the Ordinance.

166. The Guidance is available on the Website.

158

08_Data Protection.indd 158

2016/6/27 1:59:31 PM

Chapter 8. Data Protection Principle 4

(a) Banking and Insurance Industries 8.9

A bank was reported167 to have lost a server containing tens of thousands of its customers’ personal data during the course of renovation of its branch office. The Commissioner probed into the incident and, as a result, the bank stepped up security measures and gave an undertaking to the Commissioner to the effect that: • no computer server containing customers’ personal data would be left unattended during office refurbishment or relocation; • the staff or contractor entrusted by the bank to handle computer servers containing customers’ personal data are reliable, prudent and competent; and • customers’ personal data will not be stored in the branch office’s servers.

8.10 An insurance company wrongly sent a file containing personal data of some 1,880 customers to a bank by email. The wrong recipient was asked to delete the file. The insurance company was advised by the Commissioner to implement an action plan to strengthen data transmission security by using password protection and encryption, etc. and to conduct a special review by its internal auditor on data transmission process focusing on personal data protection. 8.11 Another insurance company was found to have leaked online through a website some 600 policy holders’ personal data (including their names, addresses, telephone numbers and insured amounts). The leakage was attributed to the inappropriate grant of access right by the insurance company to its agent to the personal data concerned. The agent uploaded and stored the data in a web file server at his home and as a result, the data could be accessed by the public through an internet search engine. Upon the conclusion of the investigation, the Commissioner served an enforcement notice to the insurance company requiring it to review its

167. See media statement released by the Commissioner on 14 August 2008, available on the Website.

159

08_Data Protection.indd 159

2016/6/27 1:59:32 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

operation procedures to strengthen control on access, transfer and security of the personal data of insurance policy holders.168

(b) Government and Public Bodies 8.12 A spate of reported data leakage incidents occurring in government departments between 2008 and 2012 was caused by file-sharing software found installed in computers. 8.13 It was reported by the newspapers in May 2008 that documents apparently belonging to the Immigration Department were leaked on the internet through the “Foxy” file-share software. These documents comprised internal memos and file minutes and some of these documents were marked “confidential”. The names, dates of birth and identification document types and numbers of some Hong Kong residents, visitors and immigration officers were leaked. In response to the compliance check carried out by the Commissioner, the Immigration Department gave an undertaking to the Commissioner169 to strengthen data security by taking a number of improvement measures including: • prohibiting the use of office documents as templates or sample case documents unless the identifying particulars of individuals concerned have been removed; • classifying all office documents (in both paper and electronic form) containing personal data according to the degree of sensitivity of the data; • prohibiting the taking or copying of such data for use outside office premises unless authorised; • specifying the measures to be taken by staff to protect personal data used outside office premises, e.g. encryption of personal data stored in

168. See Case Note No. 2006010, available on the Website. 169. See media statement issued by the Commissioner on 5 June 2008, available on the Website.

160

08_Data Protection.indd 160

2016/6/27 1:59:32 PM

Chapter 8. Data Protection Principle 4

electronic form and the prompt return and erasure of the personal data after use; and • providing proper training, guidance and supervision to the staff. 8.14 Another similar incident was reported in March 2009.170 According to the police, some police officers had used their personal computers to prepare police reports but unfortunately the reports stored in their computers were leaked through Foxy to other internet users. To prevent the recurrence of similar incidents, the police agreed to take remedial action including the setting up of a working group to identify information security risk factors; informing the Commissioner and the affected subjects of all data breach incidents; instructing all information systems security managers to conduct checks and inspections on all police terminals; reviewing police policies and relevant manuals on information security and data protection; exploring technical solutions to guard against data leakage; carrying out periodic sanitisation and inspection of all police common terminals to remove unauthorised data, etc. 8.15 However, despite such remedial action, further breaches by the police were discovered and reported by the media in August 2011 and September 2012, which again involved the leakage of personal data on the internet through Foxy. As a result, the Commissioner conducted an investigation in October 2012.171 Even though human error was found to be the direct cause of the relevant data leakage, the Commissioner pointed out the importance for organisations to institute comprehensive internal training and awareness programmes for their staff. Data users must be prepared for the initiative that the Commissioner will readily take to examine whether effective measures have been adopted to minimise human error. 8.16 In another investigation172 conducted against the police, the loss of police notebooks and fixed penalty tickets containing the personal data

170. See media statement issued by the Commissioner on 9 March 2009, available on the Website. 171. See Investigation Report No. R13-15218, available on the Website. 172. See investigation Report No. R13-0407, available on the Website.

161

08_Data Protection.indd 161

2016/6/27 1:59:32 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

of 285 individuals including victims of crimes, witnesses and suspects was involved. It was also found that the incidents not only involved negligence or carelessness on the part of the police officers concerned, but also gross insufficiency in the operational procedures of the police and notable deficiencies in their supervision and monitoring systems. The Commissioner concluded that the police had contravened DPP4 and served an enforcement notice on the police requiring them to adopt various measures to establish supplementary security procedures to prevent leaks and to tighten supervision. The police were further advised to undertake a general review of their equipment and uniform used for holding or conveying police documents, and to step up their training, incentive and disciplinary programmes to promote compliance with the police’s policies and procedures in relation to privacy and data protection. 8.17 In March 2010, a government department reported to the Commissioner that an employee had lost certain computer printouts when he was carrying out outdoor duties that required home visits.173 The lost printouts contained the names, gender, addresses and telephone numbers of 126 individuals. Although there was a genuine operational need for the staff to bring the printouts during home visits, he had taken more data than required to visit the twenty individuals on the day of the home visits. The guidelines of the department were revised as a result by specifying the amount of personal data that was required for conducting home visits on a particular day so as to ensure that no unnecessary personal data would be taken out by staff for performing home visits.

(c) Telecommunications Companies 8.18 Internet and telecommunications service providers possess substantial amount of personal data of their customers. It is essential for them to ensure data security to avoid leakage. Customers sometimes may have forgotten the passwords to access their account information. In such circumstances, service providers must be cautious in verifying the identity of the customer before rendering any assistance to access account information. The

173. See case reported in the Annual Report 2010-11 of the Commissioner, available on the Website.

162

08_Data Protection.indd 162

2016/6/27 1:59:32 PM

Chapter 8. Data Protection Principle 4

Commissioner received a complaint where the internet service provider reset a customer’s password upon the request of a person who knew the name and HKID number of that customer, even though the caller was not the customer and the customer was not aware of the request. Such practice was found to be insufficient to meet the standards required by DPP4 in ensuring data security. 8.19 Similarly, in another complaint handled by the Commissioner,174 the complainant’s creditor successfully gained access to the electronic telephone bills of the complainant by typing in his HKID number as the password for online access which as a result enabled the creditor to collect the telephone records of the complainant and to use them for making nuisance calls to his friends. The telecommunications company in question was found to have contravened DPP4 in failing to take all reasonably practicable steps to safeguard the complainant’s personal data. In the enforcement notice served by the Commissioner, the company was required to cease the practice of using HKID numbers as default passwords for its customers. Given the ease of guessing passwords of this kind and the likelihood of manipulation and unauthorised access, the service provider was advised to take steps to protect the security of the customers’ personal data by, for example, providing randomly selected passwords. 8.20 In another complaint, the complainant visited a telecommunications shop to subscribe for broadband and fixed-line services. The shop had an openplan design with some computer terminals set up in a public area and visitors were free to stroll around those terminals. When his subscription request was processed by the staff through the use of the computer terminal, the complainant noticed that his personal data displayed on the screen of the computer terminal was visible to people standing next to or behind the customer service officer. Since the receipt of the complaint, the telecommunications company has installed polarized filters, screen saver and software functions that automatically hide the data. It also adjusted the height and angle of the computer screens to make them less visible to bystanders. Notwithstanding the taking of these measures, the

174. See Case Note No. 2002C08, available on the Website.

163

08_Data Protection.indd 163

2016/6/27 1:59:32 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Commissioner was not satisfied that they could effectively prevent the unauthorised or accidental access to the personal data shown on the screen. An enforcement notice was served on the company directing it to remodel the design of its computer terminals so that the personal data displayed on the computer screens could not be viewed by passers-by.175

(d) Legal Practitioners 8.21 Personal data handled by solicitors is very often sensitive, for example, personal data used for litigation purposes, property transactions and matrimonial matters. Whilst solicitors are already bound by a duty to keep all information concerning their clients confidential, they should also take extra care and precaution to prevent any personal data used for the provision of legal services from being accessed by unauthorised persons. 8.22 In one case,176 a law firm arranged a messenger to serve legal documents relating to a divorce suit on a party to the proceedings at her office. The documents were placed inside a sealed envelope but there was a duplicate of the documents for the addressee to sign and acknowledge receipt. Since the duplicate documents were uncovered, the contents were read by the receptionist and other people passing by. The addressee of the documents was upset as her involvement in the divorce proceedings was as a result disclosed to others in the office. Upon enquiry made by the Commissioner, the law firm argued that only the front page of the duplicate documents containing the names of the parties and the suit number of the divorce proceedings were disclosed. The Commissioner observed that these documents contained personal data of a sensitive nature to the data subject, particularly in her workplace. The way that these documents were served made it possible for such personal data to be disclosed to unnecessary parties and caused distress to the complainant. The law firm was found to have contravened DPP4. 8.23 A similar situation relating to the service of legal documents was also

175. See Case Note No. 2009C09, available on the Website. 176. See Case Note No. 1997C18, available on the Website.

164

08_Data Protection.indd 164

2016/6/27 1:59:32 PM

Chapter 8. Data Protection Principle 4

considered by the Commissioner.177 In this case, the complainant specified a business centre’s address as her correspondence address. A messenger of a law firm delivered a letter to the complainant at the business centre’s address by hand. The receptionist called the complainant and read out part of the contents of the letter over the telephone to the complainant. The complainant complained to the Commissioner that the letter containing her personal data, including reference to Court actions involving the complainant, was unnecessarily disclosed by the law firm to the receptionist and the messenger. During the investigation, the law firm provided an undertaking to the Commissioner: • not to disclose the complainant’s personal data to any person other than the complainant when delivering any document to the complainant by hand at the address for service including the business centre, in the course of obtaining acknowledgment for service; and • to give clear instructions to its staff for the purposes of complying with the undertaking. 8.24 In another case,178 which related to service of a trial bundle to a litigant to a matrimonial case, the staff of a law firm left the bundle in the gap between the front door and the metal gate of the litigant’s residence. The bundle of documents was not sealed in an envelope and was easily accessible to passers-by or unrelated parties. The bundle was later picked up by a security guard on patrol. The law firm did not have written guidelines to advise its staff on the compliance with DPP4 regarding the manner of service of a legal document. It was therefore found to have contravened DPP4. The appropriate steps that a data user should take in similar situations include putting the documents to be served in a sealed opaque envelope or to make arrangements with the litigant to collect the same. 8.25 In a more recent case,179 it was decided by the AAB that the law firm in question did not contravene DPP4 by placing bundles of properly tied legal

177. See Case Note No. 2009A03, available on the Website. 178. See Case Note No. 2002C07, available on the Website. 179. AAB 19/2014

165

08_Data Protection.indd 165

2016/6/27 1:59:32 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

documents in sealed envelopes and leaving the same outside the appellant’s residence when effecting service of the documents. However, the AAB took the view that it was unnecessary for the law firm’s staff to exhibit the front page of each document bundle in the lobby of the building and to take photographs of the same in front of the building management staff. Such acts posed a risk that the personal data of the appellant might be disclosed to the management staff and passers-by.

(e) Hospitals and Clinics 8.26 Universal Serial Bus (“USB”) flash drives are widely used because of their portability and high storage capacity. However, their portability and compact size have also increased the risk of data loss as the USB flash drives containing the data may be misplaced or lost without the users noticing. An investigation180 carried out by the Commissioner against the Hospital Authority (“HA”) involved the loss of patients’ registration data (including name, HKID number, home address and contact number) and consultation records of a psychiatric nurse who was required to work in different clinics for providing psycho-social health services to pregnant women and postnatal mothers. In the course of carrying out her duties, she downloaded patients’ registration data and clinical consultation notes onto the password protected zone of the USB flash drive. One day, she discovered that the password protected zone of the USB flash drive was defective and she could not access the data kept in that zone. Instead of reporting the incident to the relevant supervisor, she chose to copy the data again from the master computer file and stored it in the non-password protected zone of the USB flash drive, which was later lost. The Commissioner found that HA, as the employer of the nurse, had breached DPP4 in failing to take all practicable steps to protect patients’ personal data in view of the deficiency of policies and practices regulating the use of mobile electronic storage devices and the lack of training provided to its staff. The series of reported data breach incidents in 2008 concerning the loss of patients’ personal data revealed the inadequacies of the patients’ data security system operated by HA. This prompted the Commissioner to carry out a self-initiated inspection under

180. See Investigation Report No. R08-1935, available on the Website.

166

08_Data Protection.indd 166

2016/6/27 1:59:32 PM

Chapter 8. Data Protection Principle 4

section 36 of the Ordinance resulting in a number of recommendations for HA to improve its data security system for patients’ data.181 8.27 More recently, an investigation182 was carried out by the Commissioner against HA which resulted in an enforcement notice being served to HA for contravention of DPP4. The investigation stemmed from two data leakage incidents in which hospital waste containing patients’ personal data and shredded strips of medical appointment slips were found abandoned outside the shredding factory of a waste disposal service provider engaged by HA. The Commissioner concluded that the precise cause of abandonment of the hospital waste was unknown but the leakage of the personal data in question was clearly an outcome of incomplete or improper shredding of the hospital waste. By virtue of section 65(2) of the Ordinance, even though HA had entrusted its service provider with the task of hospital waste collection, destruction and disposal, HA remained accountable as data user for any unauthorised or accidental access of the personal data in question. Furthermore, the contract between HA and its service provider was found by the Commissioner to be inadequate to ensure proper and complete shredding of hospital waste, and HA failed to competently manage the contract. The Commissioner therefore concluded that HA had contravened DPP4 as it had failed to take all reasonably practicable steps to ensure that patients’ personal data were protected against unauthorised or accidental access. HA was directed under the enforcement notice to exercise its reasonable endeavors to retrieve and destroy the abandoned hospital waste identified in the two incidents, review and revise the hospital waste disposal procedures and implement a series of improvement measures, etc., within a specified period. 8.28 In another case, a patient visited a clinic and discovered that his file containing his medical records had been lost. The clinic tried to track and trace the records but to no avail and it was unable to ascertain when the loss had occurred and who had caused the data loss. The Commissioner found that the clinic had no system in place to monitor the movement of

181. See Inspection Report No. R8-4232, available on the Website. 182. See Investigation Report No. R13-6740, available on the Website.

167

08_Data Protection.indd 167

2016/6/27 1:59:32 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the files containing medical records and, owing to the busy movement of these files during consultation periods, any loss would easily escape the staff’s attention. After this reported incident, the clinic agreed to put in place a daily monitoring procedure by arranging a designated staff to check that all files retrieved each day were returned and properly stored. A log would also be kept to record the movement of files which could be retrieved for purposes other than medical consultations.

(f)

Mobile Application Developers

8.29 Mobile applications (“apps”) are now common and popular tools. Apps are used on mobile devices constantly, to check account balances, to purchase goods or services, to watch news, to search for information and to communicate with friends and relatives, etc. App developers often collect and process a wide range of personal data through these tools, and therefore they play a key role in privacy safeguards. It is incumbent upon them to keep abreast of the relevant trends and developments in technology so that they can update their apps to achieve enhanced functionality, but without compromising personal data privacy protection.183 8.30 A self-initiated investigation by the Commissioner against an app developer concerned the leakage of its customers’ personal data through a travel assistant app running on Apple Inc.’s iOS platform.184 The developer had outsourced the development of the app to a mainland contractor. The app provided online services to mobile device users (who were registered members or casual customers) including flight ticket reservation/purchase, flight itinerary management, information on destinations as well as other services. Both members and casual customers were required to input their personal data (full name, gender, date of birth, HKID or passport number) and a contact person’s name, telephone number and email address when they reserved or purchased flight tickets for the first time. For subsequent transactions through the app, registered members were recognised by their log-in account created during membership registration, while casual

183. The Commissioner has issued a “Best Practice Guide for Mobile App Development” providing practical guidance on privacy protection to mobile app developer, available on the Website. 184. See Investigation Report No.14-6453, available on the Website.

168

08_Data Protection.indd 168

2016/6/27 1:59:32 PM

Chapter 8. Data Protection Principle 4

customers were recognised by the unique MAC address185 of the mobile device using the app. Notwithstanding the subsequent launch of new features of the iOS7 platform (for reason of privacy protection), which would block the reading by apps of MAC addresses and provide a fixed number instead, the contractor failed to take appropriate steps to update the app. As a result, when a casual customer attempted to reserve/purchase tickets using a mobile device operating on iOS7, the app would show on the monitor of the mobile device not only that customer’s records (order histories and personal data) but also those of all other casual customers who had made transactions through the app.186 By virtue of section 65(2) of the Ordinance,187 the developer as principal was liable for its contractor’s misdeed. Therefore, the developer was found to have contravened DPP4(1) for failing to take all reasonably practicable steps to ensure that the personal data handled through the operation of its contractor was protected against unauthorised or accidental access.

Application of DPP4: Storage and Transmission of Data 8.31 It is important to note that DPP4 concerns only the way in which personal data is kept or transmitted, but not the way it is used (which is governed under DPP3). This distinction was explained by the AAB in the case of AAB No. 5/1999. 8.32 In that case, the Commissioner received a complaint from an individual against a newspaper for publishing his name and the address to which he had moved in a news report. The report related to an assault in which the complainant’s father was injured by a former neighbour. The publishing of

185. A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. It is a 48-bit hexadecimal number most often assigned by the manufacturer of a network interface and exists in all mobile computing devices with network connectivity. 186. These casual customers were identified as one person based on the same fictitious MAC address under the new privacy protection feature of iOS7. 187. Section 65(2) of the Ordinance provides that any act done or practice engaged in by a person as agent for another person with the authority (whether express or implied, and whether precedent or subsequent) of that other person shall be treated for the purposes of the Ordinance as done or engaged by that other person as well as by him.

169

08_Data Protection.indd 169

2016/6/27 1:59:32 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the address of the complainant was considered likely to cause risk of serious harm to him and his family, since the assailant, who remained at large, was a known dangerous individual suspected to be of unsound mind, and had previously committed a series of assaults on the complainant and his family. In fact, it was because of those previous attacks that the complainant and his family had moved to their current address which was exposed in the news report. 8.33 Despite the harm likely to be caused to the data subject by the disclosure of his personal data in the news report, the AAB reversed the Commissioner’s original finding of contravention of DPP4 against the newspaper publisher. In particular, the AAB observed that a newspaper uses personal data in publishing it. Once published, the public will inevitably gain access to such data. Accordingly, any access by the assailant to the address of the complainant in the case would not have been “unauthorised or accidental” within the meaning of DPP4.188 According to the AAB, therefore, the relevance of DPP4 is confined only to the security in storage and transmission of the data. There is a fine distinction between the use, especially the disclosure to the public or third parties of the personal data of the data subject which might involve a change in the purpose of use (which is a DPP3 concern) on the one hand, and the security requirements of the transit and storage of personal data to prevent unauthorised or accidental access to the personal data (which is a DPP4 issue) on the other.

Outsourcing the Processing of Personal Data to Data Processors 8.34 It is increasingly common for data users to outsource and entrust the processing of personal data to their agents. Data leakage sometimes occurs as a result of insufficient security measures being taken by the data processors to protect the personal data entrusted to them. This may cause substantial

188. Whether the publication of the address data by the newspaper publisher could have been regarded as giving rise to any requirement in the Ordinance other than DPP4 (e.g. DPP3) was not raised, and hence the issue was not decided by the AAB.

170

08_Data Protection.indd 170

2016/6/27 1:59:33 PM

Chapter 8. Data Protection Principle 4

and irrecoverable damage to the data subjects whose personal data was leaked online as a result.189 8.35 The Amendment Ordinance seeks to tighten the control and supervision of data processors through the data users by imposing a new obligation on data users under DPP4(2) to enhance data security as follows: (2) Without limiting subsection (1), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

8.36 “Data processor” has the same meaning as that provided by DPP2(4),190 i.e. “a person who: (a)

processes personal data on behalf of another person; and

(b) does not process the data for any of the person’s own purposes”. 8.37 By virtue of this definition, data processors are not limited to providers of IT processing service. They also include other contractors engaged to process personal data on behalf of the data user, for example, a business services company engaged by an organisation to administer its employee payroll function; a marketing company appointed by the organisation to carry out customer opinion survey; or contractors engaged by a data user to shred confidential documents which contain personal data. 8.38 Data users often define their rights and obligations and those of the data processers by way of a contract. To discharge the obligations under DPP4(2), data users may consider incorporating contractual clauses in the service contract, such as the following:

189. For instance, see online personal data leakage caused by file-sharing software installed in the computer of the IT contractor reported in Investigation Report No. R06-2599, available on the Website. See also paragraph 8.30 above for the personal data leakage through the travel assistant apps in mobile device (the Investigation Report R14-6453) 190. DPP4(3)

171

08_Data Protection.indd 171

2016/6/27 1:59:33 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

• specifying the security measures required to be taken by the data processor to protect the personal data entrusted to it for processing; • prohibiting use or disclosure of the personal data for other purposes; • restricting further sub-contracting of the service that it is engaged to provide; where sub-contracting is allowed by the data user, the data processor shall remain fully liable to the data user for the discharge of its obligations; • immediate reporting of any sign of abnormality or security breach by the data processor; and • data user’s right to audit and inspect how the data processor handles and stores personal data. 8.39 Data users may need to impose additional obligations on the data processor with regard to factors such as the amount of personal data involved, the sensitivity of the personal data, the nature of the data processing service and the harm that may result from a security breach. 8.40 As an alternative to exercising control through contractual means, DPP4(2) provides flexibility and allows the data user to use “other means” to ensure compliance with DPP4(1) by the data processors. Whilst “other means” is not further defined in the Ordinance, data users may consider adopting the following measures to monitor the data processors engaged by them to ensure the security of personal data: • data users will only select reputable data processors which offer sufficient guarantees in respect of the technical competence and organisational measures governing the processing of personal data to be carried out; • data users undertake to exercise due diligence and satisfy themselves that the data processors have in place robust policies and procedures and effective security measures for processing personal data and that adequate training is provided to their staff; and • data users should ensure that they have the right to audit and inspect how the data processors handle and store personal data.

172

08_Data Protection.indd 172

2016/6/27 1:59:33 PM

Chapter 8. Data Protection Principle 4

8.41 The Commissioner also recommends that data users should adopt the following good practices191 when personal data is or will be transferred to data processors for processing: • data users should make it plain to the data subjects in clear and understandable language when collecting their personal data that it may be processed by data processors, and should notify them of the classes of such data processors; • if data processors are not operating in Hong Kong, the data users should make sure that their contracts are enforceable both in Hong Kong and in the countries or places in which the data processors are operating; • both data users and data processors should keep proper records of all the personal data that has been transferred for processing; • data users should also consider the possibility of arranging all handling of the personal data to be performed within the premises of the data users, in order to minimise the risk of data loss; and • before entrusting personal data to data processors for system testing, data users have to consider whether the use of anonymised or dummy data by data processors can equally serve the purpose.

191. See Information Leaflet on Outsourcing the Processing of Personal Data to Data Processors, available on the Website.

173

08_Data Protection.indd 173

2016/6/27 1:59:33 PM

08_Data Protection.indd 174

2016/6/27 1:59:33 PM

Chapter 9 Data Protection Principle 5

The main questions: • What are the general requirements under DPP5? • How can a data user’s privacy policy and practices be made generally available? • What information is recommended to be made generally available?

The questions of a data user making information generally available as discussed in this Chapter concerning DPP5 have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

09_Data Protection.indd 175

2016/6/27 1:59:39 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The General Requirements of DPP5 9.1

Data Protection Principle 5 provides as follows: Principle 5 – information to be generally available All practicable steps shall be taken to ensure that a person can – (a) ascertain a data user’s policies and practices in relation to personal data; (b) be informed of the kind of personal data held by a data user; (c) be informed of the main purposes for which personal data held by a data user is or is to be used.

9.2

Although the obligation imposed under DPP5 is not an absolute one as it only requires a data user to take all reasonably practicable steps to comply with it, the Commissioner regards it as being of absolute importance for a data user who engages in acts or practices that involve regular collection of personal data in the course of its business or performance of its activities or functions to make known and be transparent about its personal data policies and practices. Good governance dictates that organisational data users, such as government departments or corporations, take heed of the increasing public concern that data subjects’ personal data privacy should be properly protected under a set of privacy policies and practices that is made generally available. In AAB No. 15/2000, the AAB upheld the Commissioner’s decision to issue an enforcement notice against a regulatory body whose daily operation involves the collection of sensitive personal data from the general public for failing to implement a privacy policy statement in compliance with DPP5.

9.3

DPP5 does not require the data user’s policies or practices to be laid down in writing. However, in order to effectively communicate its data handling policies and practices and for the avoidance of doubt, it is proper and prudent to have a written statement, which is commonly known as a Privacy Policy Statement, or in short, “PPS”. A PPS should be made generally available to anyone, in an easily accessible manner, whether personal data is collected by the data user in the physical or in the online world, directly from the data subject or otherwise.

176

09_Data Protection.indd 176

2016/6/27 1:59:39 PM

Chapter 9. Data Protection Principle 5

9.4

The PPS should be presented in an easily understandable and readable (if in writing) manner, taking into account factors such as content, language and font size used. Data users should avoid using technical or legalistic terms that may not be easily understood by the data subjects.

9.5

Where different PPSs are used by the data users for performing different functions and activities, the data users should consider consolidating and/or rearranging the PPSs so that they are clear and easily accessible.

What Goes into a PPS? 9.6

In order to meet the requirements of openness and transparency under DPP5, a PPS is required at all times if a data user controls the collection, holding, processing or use of personal data. The PPS covers generally a wider scope than a PICS and, in addition to some of the core elements of the latter, includes other privacy related policies and practices such as data retention policy, data security measures, data breach handling, and the use of special tools such as cookies on websites. The essential difference between the two is that a PICS is provided by a data user to a data subject when his personal data is being directly collected whereas a PPS is a general statement about a data user’s privacy policies and practices in relation to the personal data it handles.192

9.7

Typically, a PPS may contain • a statement of policy which expresses a data user’s overall commitment to protecting the privacy interests of the individuals; and • a statement of practices which include the kind of personal data held by the data user and the purposes for which it uses the data.

192. In AAB No.233/2013, the AAB took the view that a data user is not required to supply a tailor-made PPS to a particular data subject in particular circumstances but to cover the information regarding its privacy policies and practices, the types of personal data it held and main purposes of use for complying with DPP5.

177

09_Data Protection.indd 177

2016/6/27 1:59:39 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



The kind of personal data collected should depend on the actual operational needs of the data user. For instance, they may include identification information, contact details, financial data, location information, and/or browser details. Common purposes for which these types of personal data are used may include the delivery of goods or services, the management of accounts, the processing of orders, the facilitation of website access, the compilation of aggregate statistics on website usage, etc.193

PPS to Be Made Generally Available 9.8

The PPS once in place has to be effectively communicated to the persons affected. Some of the common ways of dissemination are by putting up conspicuous notices displaying the PPS publicly, playing a pre-recorded PPS if personal data is collected through a telephone conversation,194 or incorporating it in the relevant documents at the same time when personal data is collected (for example, a membership registration page or a customer agreement page if personal data is collected online) or uploading the PPS onto the data user’s website, etc. A data user may explore other effective and appropriate means of keeping the data subjects informed of its updated personal data policies and practices.

9.9

The complainant in AAB No. 35/2003 claimed that a library failed to comply with DPP5 in not making known its privacy policies and practices in respect of personal data collected in the library’s prescribed forms. The appeal was dismissed and the AAB, in upholding the Commissioner’s decision not to investigate the complaint, decided that the publication through the library’s website of its privacy policy statement was sufficient compliance with DPP5.195 Nowadays, many organisational data users have their own websites intended for public access. The homepage has become an easily accessible means through which the PPS can be effectively communicated.

193. For more details, please refer to the Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement issued by the Commissioner, available on the Website. 194. See the Inquiry Case Note no. 2007E06, available on the Website. 195. See also AAB No. 17/2014.

178

09_Data Protection.indd 178

2016/6/27 1:59:39 PM

Chapter 9. Data Protection Principle 5

9.10 The principle of transparency has assumed increasing importance not only in relation to dealing with personal data in the business-to-customer market segment, but also in respect of employees’ personal data privacy rights. This is particularly so when an employer intends to carry out monitoring activities in the workplace where personal data of employers is collected through telephone, email, internet or video monitoring. Owing to its privacy intrusive nature, the employer should, as far as practicable, formulate and disseminate its monitoring policy in order to keep employees informed of the extent, scope and manner in which such activities are carried out and how their personal data will subsequently be used or transferred, as well as the possible adverse or disciplinary actions that may ensue. Employers must also ensure that new employees are aware of the existing PPS. In AAB No.14/2006, the AAB was of the view that an employer who failed to draw the attention of an employee employed in 2004 to an existing PPS issued in 2000 could be in breach of DPP5. The employer in question did not have procedures or guidelines in place to regularly or effectively communicate the PPS to its employees. 9.11 In facilitating compliance with the requirements of the Ordinance by the employer as data user and in exercise of the Commissioner’s powers under section 8(5) of the Ordinance, the Commissioner issued in December 2004 the Privacy Guidelines: Monitoring and Personal Data Privacy at Work.196 Where employee monitoring is justified for legitimate business purposes, an employer should take practicable steps to formulate and make known its monitoring policy and due regard should be given to the legitimate expectation of the employees of personal data privacy. It is generally accepted that by entering into employment relationships, the employees, though submitting themselves to the lawful instructions to be given by the employer, do not thereby forsake all their rights to personal data privacy. The employees’ legitimate expectation of privacy should extend to cover such matters as the installation of CCTV in toilets or changing rooms, the

196. In the Guidelines (available on the Website), the 3As concept (i.e. Assessment, Alternatives and Accountability) in assessing the appropriateness of employee monitoring and the 3Cs approach (i.e. Clarity, Communication and Control) were introduced in relation to the handling of personal data collected during monitoring. The DPP5 requirements were expounded in the Clarity and Communication concepts in devising and making known a Monitoring Policy. Employers are encouraged to follow the recommended good practices mentioned in the Guidelines.

179

09_Data Protection.indd 179

2016/6/27 1:59:39 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

indiscriminate collection of the contents of their personal emails or the recording of private calls without proper justification. The transparency of actions expressed through a clearly written and communicated PPS is indicative of the employer’s accountability for its monitoring policies and practices and is conducive to building mutual trust between employers and employees. 9.12 In a complaint that came before the Commissioner, a public organisation was found to have installed covert pinhole cameras for detecting theft of its property believed to be committed by its staff. Upon investigation, it was found that the use of pinhole cameras was extensive and out of proportion in relation to the objective of gathering evidence of crime and the means adopted were unfair. In view of the monitoring activities carried out by the organisation and the number of employees affected, the organisation was found not to have taken reasonably practicable steps (such as considering adoption of less privacy-intrusive means) to comply with DPP5 and failed to have in place a monitoring policy.197 9.13 In another complaint in relation to the collection of fingerprint data by an employer from its employees for the purpose of monitoring attendance,198 the Commissioner found that the employer’s assertion that “all fingerprint records will be handled according to the Privacy Ordinance and will not be leaked” without giving further particulars on how the records would be handled was plainly insufficient to make known its policies and practices in collecting the employees’ fingerprint data.

What Other Information Is Recommended to Be Made Available 9.14 If a data user intends to collect personal data from young people and/or its website contains content of interest to young people, it is recommended that a statement on its practices in relation to the collection of personal data

197. See Investigation Report No. R05-7230, available on the Website. 198. See Investigation Report No. R09-7884, available on the Website.

180

09_Data Protection.indd 180

2016/6/27 1:59:39 PM

Chapter 9. Data Protection Principle 5

from young people be included in its PPS. Generally, data users are not advised to collect personal data from minors without prior consent from a person with parental responsibility for the minor. 9.15 If technical means such as cookies are used to collect information from individuals without their knowledge, the data user should include statements on this practice in the PPS. Matters that should be covered in the PPS include when such means are used, what information is collected and if personal data is collected, what the purposes of use are. 9.16 The PPS may state in general terms for how long the personal data collected will be retained. It is advisable that information be given on how deletion of data is done and whether the personal data so deleted is permanently removed from the system. 9.17 If a data user collects sensitive personal data, such as data relating to health or finance, the data user should explain how it uses, processes, handles and transfers such data. If personal data will not be disclosed to other persons without the data subject’s express and voluntary consent, it is advisable for such policy to be stated in the PPS. If personal data will be disclosed to third parties or if the website will share visitors’ details (such as IP addresses and browser types) with other persons, all such practices should be made known in the PPS. 9.18 It is also good practice for the data users to state in the PPS how they ensure the security and proper access to the personal data collected, for instance, whether access to personal data is restricted on a “need-to-know” basis and whether encryption is applied to protect the personal data. This practice assures data subjects that their personal data is duly protected. If personal data will be outsourced to an agent or a data processor for handling on behalf of the data user, the PPS may include a statement on how the personal data will be transferred to such third parties and the personal data protection measures that will be adopted. 9.19 For the sake of transparency, it is advisable for a data user to state in the PPS its policy in handling a data access or correction request from an individual. It should include information on how the data user prefers to receive

181

09_Data Protection.indd 181

2016/6/27 1:59:40 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

such requests, what the data user requires in order to be satisfied that the requestor is properly authorised and entitled to make the request, and the amount of fee payable, if any. 9.20 The PPS may also include the contact details, for example, the office address, email address, telephone number, etc. of the officer in the data user’s organisation who will answer enquiries regarding the data user’s privacy policies and practices.

The Exercise of the Commissioner’s Enforcement Powers under Section 50 9.21 Section 50 was revised under the Amendment Ordinance to empower the Commissioner to serve an enforcement notice directing the data user who is found to have contravened a requirement under the Ordinance “to remedy and, if appropriate, prevent any recurrence of the contravention”. 9.22 In those cases where the contravention is attributed to a lack of or an inadequate privacy policy, the Commissioner may in the enforcement notice direct the relevant data user to take such steps to promulgate, amend or modify its personal data handling policies or practices to prevent similar breaches from occurring. 9.23 The Commissioner views favourably a systematic approach by data users in implementing a privacy management programme199 built upon a robust data privacy policy and practices that are properly executed, reviewed and assessed by designated data protection officer(s).

199. See Privacy Management Programme: A Best Practice Guide, available on the Website.

182

09_Data Protection.indd 182

2016/6/27 1:59:40 PM

Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

The main questions: • What constitutes a data access request? • Who may make a data access request? • How can a data access request be made? • How can a data user comply with a data access request? What should a data user do if it does not hold the personal data requested? • What should a data user do if the requested data comprises personal data of other individual(s)? • What charge may a data user levy for complying with a data access request? • When may a data user refuse to comply with a data access request? • What steps must a data user take in refusing to comply with a data access request?

The questions discussed in this Chapter concerning data access requests and DPP6 and Part 5 of the Ordinance have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

10_Data Protection.indd 183

2016/6/27 1:59:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The Basis of a Data Access Request 10.1 The right to make a data access request is an important right vested in the data subjects under paragraphs (a) to (d) of Data Protection Principle 6 to ascertain whether a data user holds his personal data and, to obtain a copy of the data so held by the data user: Principle 6 – access to personal data A data subject shall be entitled to – (a) ascertain whether a data user holds personal data of which he is the data subject; (b) request access to personal data – (i) within a reasonable time; (ii) at a fee, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is intelligible; (c) be given reasons if a request referred to in paragraph (b) is refused; (d) object to a refusal referred to in paragraph (c); . . .

10.2 In addition, Part 5 of the Ordinance contains detailed provisions and procedural requirements regarding how a data subject may make, and how a data user complies with, a data access request. Failure to comply with a data access request in accordance with the requirements under the Ordinance without reasonable excuse may constitute an offence and render the offender liable on conviction to a fine.200 In addition to the grounds provided under Part 5 which prescribe when a data user shall or may refuse to comply with a data access request, there are exemption provisions in Part 8 of the Ordinance which, when properly invoked, may exempt the data user from complying with a data access request.

200. A level three fine, see section 64A(1).

184

10_Data Protection.indd 184

2016/6/27 1:59:47 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

10.3 There are stringent provisions under Part 5 of the Ordinance on the manner and the procedure of complying with a data access request that a data user has to observe. Thus, when a data access request is received, the data user shall handle it according to the relevant provisions in complying with or refusing to comply with, the data access request. 10.4 Salient points on the making of a data access request by a data subject or his relevant person,201 and on the handling and responding to such a request by the data user are set out below. The Guidance Note on Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users issued by the Commissioner provides general guidance on compliance with a data access request.202

What Constitutes a Data Access Request? 10.5 The first question to consider is what constitutes a data access request under the Ordinance. In this connection, “data access request” is defined in section 2(1) as “a request under section 18”. 10.6 Section 18(1) provides as follows: (1) An individual, or a relevant person on behalf of an individual, may make a request – (a) to be informed by a data user whether the data user holds personal data of which the individual is the data subject; (b) if the data user holds such data, to be supplied by the data user with a copy of such data.

10.7 Section 18(1) is so drafted that neither the word “and” nor “or” appear between paragraphs (a) and (b). Taking the literal meaning that it bears, and in applying the rule of literal interpretation, paragraphs (a) and (b) could be construed to be two distinct categories of request. The Commissioner

201. As defined under sections 2(1) and 17A of the Ordinance. 202. Available on the Website.

185

10_Data Protection.indd 185

2016/6/27 1:59:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

adopts the view that the two paragraphs are not conjunctive and should be construed to cover two separate categories of request the choice between which a requestor, in making a data access request, is entitled to make. In other words, a data access request may consist of only a request under paragraph (a), or only a request under paragraph (b), or both. Section 18(2) also provides that if a data access request is made by the same requestor under both paragraphs (a) and (b), they shall be treated as a single request. 10.8 When a data access request is made under section 18(1)(a), section 18(3) of the Ordinance provides that the data user may, in the absence of evidence to the contrary, treat the data access request as one made under both section 18(1)(a) and (b). In addition to simply responding to the request made under section 18(1)(a), the data user can also choose to supply a copy of the personal data to the requestor pursuant to section 18(1)(b) of the Ordinance. 10.9 Prior to the Amendment Ordinance, it was unclear whether or not a data user could ignore a request made only under section 18(1)(b) if the data user did not hold the personal data requested. The Amendment Ordinance clarified this situation by amending section 19(1) to expressly require data users to inform a data requestor if it does not hold any of the requested data within forty days of receiving such a request.203 10.10 It should also be noted that reading paragraph (a) of section 18(1) alone, it is not clear whether “personal data” as used therein means that a requestor can ask for confirmation on whether or not a data user holds any of his personal data in general, or whether the requestor must identify a specific item of personal data in relation to which he is seeking confirmation. The Commissioner takes the view that the meaning of that term includes both. In other words, when making a data access request under paragraph (a),

203. The issue of whether a data user, in compliance with a data access request made under section 18(1)(a) of the Ordinance, may inform the requestor verbally that the data user does not hold the requested data, formed the subject matter of AAB No. 10/2010. The AAB referred the said question of law to the Court of Appeal for determination by way of case stated. The Court of Appeal, in CACV 229/2011, answered the question in the affirmative having considered the original provision of section 19(1) prior to the Amendment Ordinance, the purpose of the Ordinance and public policy, as well as the proposed amendments to section 19(1). See also paragraphs 10.29 to 10.31 for discussion on section 19(1).

186

10_Data Protection.indd 186

2016/6/27 1:59:47 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

the requestor may choose to ask a data user the general question of “do you hold any of my personal data in the personnel file?” or, alternatively, the more specific question of “do you hold my appraisal report dated xxx?” (the appraisal report being a specific document that contains the requestor’s personal data). 10.11 It should also be noted that no reference is made in paragraph (a) or (b) of section 18(1) to a description or list of data (if any) being held. Accordingly, where a data access request is phrased in terms such as “give me a list of all my data held by you”, the Commissioner is inclined to take the view that this does not strictly constitute a data access request within the meaning of section 18(1) obligating compliance by the data user under the Ordinance. It has been confirmed in the case of AAB No. 24/2001 (discussed in paragraph 10.37 below) that a data subject has no right to demand an exhaustive list of all his data held by a data user. A data user, however, may sometimes choose to provide such a list to facilitate its handling of a data access request, especially a request under section 18(1)(b). 10.12 Similarly, the Commissioner has received complaints about failures to comply with data access requests that are worded as follows: “give me in writing the reason for (my dismissal, your rejecting my application, etc.)”. In this connection, it is important to remember that the term “data” is defined in section 2(1) as the representation of information in a document. Hence, unless the reason or explanation sought already exists in a document (which in most cases means in writing), the Commissioner takes the view that the data user has no obligation, upon receiving such a request, to document the reason or explanation being sought, i.e. to create data for the sake of complying with the data access request.

Who May Make a Data Access Request? 10.13 Section 18(1) provides that a data access request may be made by “an individual, or a relevant person on behalf of an individual”. “Relevant person” is defined in section 2(1) and its meaning is further expanded in section 17A of the Ordinance for the purpose of making a data access or correction request.

187

10_Data Protection.indd 187

2016/6/27 1:59:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

10.14 Section 2(1) provides as follows: “relevant person”, in relation to an individual (howsoever the individual is described), means – (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a Court to manage those affairs; (c) where the individual is mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap. 136) – (i) a person appointed under section 44A, 59O or 59Q of that Ordinance to be the guardian of that individual; or (ii) if the guardianship of that individual is vested in, or the functions of the appointed guardian are to be performed by, the Director of Social Welfare or any other person under section 44B(2A) or (2B) or 59T(1) or (2) of that Ordinance, the Director of Social Welfare or that other person;

10.15 Section 17A provides as follows: Without limiting the definition of relevant person in section 2(1), in this Part – “relevant person”, in relation to an individual, also includes a person authorised in writing by the individual to make, on behalf of the individual – (a) a data access request; or (b) a data correction request.

10.16 When a data user receives a data access request made by a “relevant person”, it should ascertain the capacity of the requestor in order to satisfy itself that the requestor is a person specified under sections 2(1) or 17A of the Ordinance. The data user may request information as to the requestor’s capacity (such as written authorisation signed by the data subject), evidence showing the requestor’s parental relationship with the data subject who is a minor, or evidence showing that the requestor is the lawful guardian or

188

10_Data Protection.indd 188

2016/6/27 1:59:47 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

person appointed by the Court to manage the affairs of the data subject who is incapable of managing his affairs. If a data user cannot reasonably establish the relationship between the requestor and the data subject, the data user must refuse to comply with the data access request. 10.17 Section 18(1) provides that a relevant person may make a data access request on behalf of a data subject. The provisions of the Ordinance, however, give no indication, of the kind of situation in which a data access request made by a relevant person is to be regarded as being so made “on behalf of” the individual. Doubt may arise as to whether a data access request is properly made by one of the parents as a relevant person on behalf of a minor in the following two situations: first, where the parent is physically separated from the minor, so that one may suspect the data access request is in fact made by the parent for his own purposes, so as to enable himself to locate the minor or the other parent of the minor rather than on behalf of the minor; secondly, where the minor could well be disinclined, if asked, to have his data released to the parent. 10.18 For example, a parent who has been denied physical access to his child by the Court or the custodian parent may try to lodge a data access request under the Ordinance with a social welfare organisation or the child’s school, seeking to obtain the personal data of the child, on the basis that he is the “relevant person” of that child. However, from the subject matter raised in the request (e.g. a request for information on the whereabouts of the child which is obviously known to the child in question) it may be argued that the parent requesting the data is making the data access request for his own benefit, rather than in the child’s interest. In situations like these, the Commissioner will be inclined to take the view that the request is not made “on behalf of” the child and does not therefore satisfy the requirements under section 18(1) of the Ordinance.

How to Make a Data Access Request? 10.19 The Ordinance does not prescribe any particular form or mode by which a data access request may be made. However, under sections 20(3)(a) and (e), if a data access request is not made “in writing in the Chinese or

189

10_Data Protection.indd 189

2016/6/27 1:59:47 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

English language” or the request is not made in the form prescribed by the Commissioner, these may constitute valid grounds on which the request may be refused. Even so, the data user is still bound to comply with the requirements applicable to such a refusal, as will be discussed in paragraphs 10.78 to 10.83 below. 10.20 Cases handled by the Commissioner suggested that the absence of any prescribed form for a data access request often caused confusion. In particular, a data user receiving such a request could easily be unaware of it being a data access request, hence failing its obligation to respond to it in strict compliance with the Ordinance. This has a significant impact on data users who have regular dealings with individuals. Even if a request is not meant to be made pursuant to the Ordinance (for example, a request made to a government department pursuant to the Code of Access to Information), the requested information may happen to contain the requestor’s personal data. 10.21 The Commissioner took the view that in a data access request intended to be made under the Ordinance (whether under section 18(1)(a), 18(1) (b) or both), the requestor should at least state or make reference to terms such as “personal data”, “Personal Data (Privacy) Ordinance”, “Cap 486”, “data access request”, etc. In order to prevent or reduce the risk of misunderstanding, the Commissioner has, since December 1999, pursuant to his power to specify forms under section 67(1) of the Ordinance, specified a Data Access Request Form204 by which data access requests are to be made. 10.22 The Data Access Request Form, by design, aims to make clear, both to the requestor and the data user, the following essential matters: • the fact that a data access request is made under the Ordinance; • the particular provision(s) under which such request is made (i.e. paragraph (a) or (b) of section 18(1), or both); • the precise scope of the data to which the request relates (in this regard, the data subject is guided to frame his request as specifically as possible);

204. Available on the Website.

190

10_Data Protection.indd 190

2016/6/27 1:59:48 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

• how to handle (including the time for compliance with) such a request, and the possible consequences of failure to do so. 10.23 It is to be noted that failure to use the Data Access Request Form does not of itself render the data access request invalid nor does it exonerate the data user from responding to it in a manner prescribed by the Ordinance though it may afford the data user grounds under section 20(3)(e) to refuse compliance with it. Even if a request is not made by using the Data Access Request Form prescribed by the Commissioner, data users are still encouraged to comply with such a request if it substantially contains the details required, as the use of the prescribed form is merely a technical requirement. 10.24 In AAB No. 20/2014, the AAB took the view that a letter written by the complainant to a bank, requesting the bank to either retain certain CCTV footage until the complainant agrees to destroy the same or provide him with a copy of the CCTV footage, may not amount to a data access request made pursuant to section 18(1) of the Ordinance. The AAB had taken into account that the “request” was not made in the specified form and the letter itself did not contain the substance to qualify as a valid data access request. 10.25 The requestor in making a data access request must provide true and accurate information to the data user. A requestor who does not do so may commit an offence under section 18(5) and (6) of the Ordinance: (5) A person commits an offence if the person, in a data access request, supplies any information which is false or misleading in a material particular for the purposes of having the data user – (a) inform the person whether the data user holds any personal data which is the subject of the request; and (b) if applicable, supply a copy of the data. (6) A person who commits an offence under subsection (5) is liable on conviction to a fine at level 3 and to imprisonment for six months.

10.26 Such an offence is intended to deter persons from conducting fishing expeditions for personal data through providing false or misleading information to the data user when making a data access request.

191

10_Data Protection.indd 191

2016/6/27 1:59:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

How and When to Comply with a Data Access Request? 10.27 A data user, upon receiving a data access request, must comply with such a request (unless there are grounds which allow or require the data user to refuse to comply with it, under section 20 or Part 8 of the Ordinance). The next question is how and when to comply with such a request.

Statutory Period 10.28 First, it should be noted that a data user must respond within forty days after receiving the request. 10.29 Section 19(1)(a) and (b) provides as follows: (1) Subject to subsection (2) and sections 20 and 28(5), a data user must comply with a data access request within 40 days after receiving the request by – (a) if the data user holds any personal data which is the subject of the request – (i) informing the requestor in writing that the data user holds the data; and (ii) supplying a copy of the data; or (b) if the data user does not hold any personal data which is the subject of the request, informing the requestor in writing that the data user does not hold the data.

10.30 What should a data user do if it does not hold the personal data requested? Pursuant to section 19(1)(b) (as introduced by the Amendment Ordinance) a data user must inform the data requestor in writing within the statutory period of forty days after receiving the data access request that it does not hold the personal data.205 It is also advisable for the data user to inform the data requestor of the reason why it does not hold the personal data, for example, that the requested data has been destroyed after the purpose

205. This obligation is made subject to section 19(1A). For detailed discussion, please refer to paragraphs 10.49 to 10.52.

192

10_Data Protection.indd 192

2016/6/27 1:59:48 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

for which the data was to be used has been served. This may ease the data requestor’s suspicion that the erasure is made in bad faith. For instance, examination papers may be destroyed by an education institution regularly in accordance with its data retention policy and after publication of the examination results. 10.31 However, if evidence suggests that a data user has deliberately destroyed the requested data after receiving the data access request with a view to avoiding its statutory obligation to supply a copy of data to the requestor, this may amount to non-compliance with the data access request. 10.32 Furthermore, it should be noted that a data access request under section 18(1)(b) is a request to be supplied with a copy of the data held, if any. In this connection, section 19(3)(a) provides as follows: (3) A copy of the personal data to be supplied by a data user in compliance with a data access request shall – (a) be supplied by reference to the data at the time when the request is received except that the copy may take account of – (i) any processing of the data – (A) made between that time and the time when the copy is supplied; and (B) that would have been made irrespective of the receipt of the request; . . .

10.33 It can be seen that the relevant point in time by reference to which personal data is said to be held by the data user is the time when the request is received by the data user and not any subsequent time when further personal data may be collected. That said, the data user may, but is not obliged to, take into account any processing of the data that would in any event take place prior to compliance with the data access request. 10.34 The operation of section 19(3)(a) may pose questions as to the application of the other provisions relating to compliance or non-compliance with the data access request. For instance, if a data user invokes the application of any of the Part 8 exemptions in refusing to comply with the data access

193

10_Data Protection.indd 193

2016/6/27 1:59:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

request, does it also mean that the exempting circumstances can only be ascertained at the time when the request was received and no account shall be taken of any exempting circumstances that existed after receipt but before compliance with the data access request? The view adopted by the Commissioner is that section 19(3)(a) concerns only the technical aspect of drawing the time line for the obligation of the data user to supply copies of the personal data. The right to refuse compliance, as provided under section 20 of the Ordinance, is not restricted insofar as it is properly invoked with reasons stated and the requestor is notified in accordance with section 21. 10.35 Sometimes, a data access request may be framed in such a way that it contains a subjective element (e.g. “all data that affects my reputation”). In complaints arising from this type of requests, the Commissioner has generally taken the view that a data subject who chooses to make his request in an unspecific manner will have to rely on the judgement of the data user in selecting the relevant data that needs to be provided.

Broad and Generic Requests for Personal Data 10.36 Often, a data subject may, in the data access request, ask for copies of “all personal data” relating to him held by the data user. This may, however, create serious practical difficulty for the data user, especially where there have been extensive dealings between the parties, during which a large amount of personal data may have been collected and/or created, e.g. where the data subject is or used to be employed by the data user for many years. In these circumstances, the data user may reasonably ask the requestor to provide further information in order to assist the data user to locate the requested personal data. Failure to provide such information may entitle the data user to refuse to comply with the data access request.206

However, a data user cannot refuse to comply with a request simply by relying on the excuse that the request is made in generic or broad terms. If it is still reasonably practicable for the data user to extract “all personal data” requested without requiring any further information from the requestor, the data user should comply with the data access request.

206. Section 20(3)(b) of the Ordinance.

194

10_Data Protection.indd 194

2016/6/27 1:59:48 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

10.37 In the case of AAB No. 24/2001, the complainant asked for “all of [her] personal data” held by the appellant, including but not limited to certain named categories. Despite repeated requests for clarification from the appellant, the complainant refused to narrow the scope of her data access requests in any way. The appellant, having omitted to provide the complainant with some of her personal data, was found by the Commissioner to have failed to comply fully with the data access request. 10.38 Upon appeal by the appellant against the enforcement notice issued by the Commissioner directing it to conduct a “thorough search” for the requested data, the AAB found in favour of the appellant based on section 20(3)(b) of the Ordinance, which provides that: (3) A data user may refuse to comply with a data access request if –

... (b) the data user is not supplied with such information as the data user may reasonably require to locate the personal data to which the request relates; . . .

10.39 According to the AAB’s decision, it appears that section 20(3)(b), in addition to constituting grounds of refusal to comply with a data access request, may also operate to limit the scope of data which the data user is obliged to provide in compliance with the request even where no such formal refusal is made pursuant to section 21. In particular, where the data access request is of a general nature, and in the absence of any information from the requestor to specify or to otherwise assist in the location of the data requested, the data user’s duty of compliance may only extend to such data as it may reasonably and practicably be expected to provide (even if this may not necessarily be exhaustive of all data held by the data user that falls under the description of the data requested).207

207. Indeed, in a situation where the data access request is framed so widely that the type and scope of the data requested is obviously unclear so that further clarification is required before it can be complied with, the AAB in AAB No. 17/2004 took the view that the data access request may be regarded as unclear and should not have been accepted for processing and the time to comply with the data access request does not start to operate until a properly completed data access request is received.

195

10_Data Protection.indd 195

2016/6/27 1:59:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

10.40 In the case of CACV351/2006 (in relation to AAB No. 61/2005), the Court of Appeal held that a person making the data access request has a duty to: • make clear what personal data is being requested under the data access request; and • to supply any further information reasonably required by the data user to clarify what data is being requested.

Furthermore, the AAB has also decided in AAB No. 16/2008 that where the data user reasonably requires the data requestor to supply information to enable him to locate the relevant personal data, unless and until such information has been supplied, there is no valid data access request for the data user to comply with. Whether the request for information by the data user is reasonably made depends upon the circumstances and the facts of each case.

10.41 It is also important to note that the data requester is entitled to a copy of his personal data only, not every document which refers to him. This view is confirmed by the AAB in AAB No. 27/2006 and the Court of First Instance in Wu Kit Ping v Administrative Appeals Board [2007] HKLRD 849. The Court considered that If in a document, the maker of the document expresses an opinion about a data subject, that opinion will constitute personal data to which the data subject will be entitled to access. However, an opinion expressed in the same document, by the maker of the document, about the maker of the document himself, unless relating indirectly to the data subject, will not constitute the personal data of the data subject.

10.42 The judgment given in Wu Kit Ping’s case was considered by the AAB in AAB No. 20/2013. This case concerns a data access request made by an applicant for, inter alia, the full underwriting report held by an insurance company who turned down his insurance application. By following the reasoning of Wu Kit Ping’s case, the AAB took the view that while the data subject has a right to know what personal data the data user possesses, he is not entitled to access every document simply because there may be a reference to him. Having reviewed the full underwriting report, the AAB

196

10_Data Protection.indd 196

2016/6/27 1:59:48 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

was satisfied that certain references to the applicant in the underwriting report were only made as part of the internal workflow within the insurance company and the handling of the applicant’s complaint by different personnel. The AAB found that the insurance company did not have to provide the applicant with those pages of the underwriting report containing the references.

Steps to Be Taken for Failure to Comply with a Data Access Request within the Statutory Period 10.43 As mentioned above, the time for compliance with a data access request is forty days after the data user’s receipt of the data access request. If the data user is “unable to comply” with a data access request within such fortyday period, the data user must act in accordance with section 19(2) of the Ordinance, which provides as follows: (2) A data user who is unable to comply with a data access request within the period specified in subsection (1) or (1A) shall(a) before the expiration of that period(i) by notice in writing inform the requestor that the data user is so unable and of the reasons why the data user is so unable; and (ii) comply with the request to the extent, if any, that the data user is able to comply with the request; and (b) as soon as practicable after the expiration of that period, comply or fully comply, as the case may be, with the request.

10.44 Section 19(2) does not lay down the precise situations in which a data user may legitimately claim to be “unable” to comply with a data access request within the prescribed period. In previous complaints, the Commissioner accepted as valid a data user’s claim that before complying, it needed to obtain legal advice, or clarification from the requestor on the scope of the request. It is however still important to observe the forty-day time limit imposed under section 19(2) to respond and give reasons for being unable to comply with the whole or part of the request. The application of section 19(2) was considered by the AAB in its decisions below.

197

10_Data Protection.indd 197

2016/6/27 1:59:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

10.45 In AAB No. 17/2004, a data access request was made by a patient for medical records kept by a hospital. The hospital charged for the expense of making copies of the requested data which was paid by the requestor near the expiry of the forty-day period. The hospital supplied the copies after receipt of the expenses but it was already some sixty days after receipt of the request. The AAB ruled that the hospital had contravened section 19(2) in failing to comply with the request within forty days. The AAB stated that: …if the data user imposes a fee for complying with the [data access request], the data user should notify the requestor of it within such time after receipt of the [data access request] as to enable payment to be made and the requested data be supplied to the requestor within the 40 day period…Of course, if the requestor refuses to pay the fee, the data user may refuse to comply with the request....If payment of the fee is made so near the end of the 40 day period so that the data user is unable to supply the requested data within that time, the data user may pray in aid of s. 19(2) and by notifying in writing the requestor of the reason for failing to comply within time, the data user may comply with the request after the 40 day period.

10.46 In AAB No. 21/2012, the data requestor made a data access request to a government department. The department clarified with the requestor the scope of his requested data and thereafter informed him close to the expiry of the forty-day period about the fee charged for supplying him with the copy of the requested data, and that the department was unable to comply with the data access request as they had to receive the fee before they could send him the requested data. The data requestor paid the fee after the forty-day period had expired and the department supplied him with the requested data the next day after receipt of the fee. The AAB found in these circumstances that the department had complied with section 19(2) by notifying the data requestor that they were not able to comply with the data access request within the forty-day time period and the reasons why.

Language and Format When Responding to a Data Access Request 10.47 A copy of the personal data requested should be provided in the language specified in the data access request or, if no such language is specified, then the language in which the data access request has been made (which must

198

10_Data Protection.indd 198

2016/6/27 1:59:48 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

have been either English or Chinese).208 However, if the requested data is held by the data user in a different language, then the data user must provide a true copy of the document containing the data.209 10.48 A copy of the personal data requested must also be intelligible, in so far as is practicable, unless the copy being provided is a true copy that is in itself unintelligible on the face of it.210 It should also be provided in at least one of the forms (e.g. soft copy, hard copy, etc.) specified in the request in so far as this is practicable, or if no such form is specified, in any form that the data user thinks fit.211 In the event that it is not practicable for the data user to provide the requested data in the form specified in the request, then it must comply with section 19(4) of the Ordinance, which provides as follows: (4) Where(a) a data access request specifies the form or forms in which a copy of the personal data to be supplied in compliance with the request is or are sought; and (b) the data user concerned is unable to supply the copy in that form or any of those forms, as the case may be, because it is not practicable for the data user to do so, then the data user shall(i) where there is only one form in which it is practicable for the data user to supply the copy, supply the copy in that form accompanied by a notice in writing informing the requestor that that form is the only form in which it is practicable for the data user to supply the copy; (ii) in any other case(A) as soon as practicable, by notice in writing inform the requestor(I) that it is not practicable for the data user to supply the copy in the form or any of the forms, as the case may be, specified in the request;

208. Section 19(3)(c)(iii)(A) of the Ordinance. 209. Section 19(3)(c)(iii)(B) of the Ordinance. 210. Section 19(3)(c)(i) of the Ordinance. 211. Section 19(3)(c)(iv) and (v) of the Ordinance.

199

10_Data Protection.indd 199

2016/6/27 1:59:48 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(II) of the forms in which it is practicable for the data user to supply the copy; and (III) that the requestor may, not later than 14 days after the requestor has received the notice, specify in writing one of the forms referred to in subsubparagraph (II) in which the copy is to be supplied; and (B) as soon as practicable, supply the copy(I) in the form specified in the response, if any, to the notice referred to in subparagraph (A); (II) if there is no such response within the period specified in subparagraph (A)(III), supply the copy in any one of the forms referred to in subparagraph (A)(II) as the data user thinks fit.

Data Access Request Made to the Hong Kong Police Force for Criminal Conviction Records 10.49 It is not uncommon for individuals to make data access requests to the police for personal data relating to their criminal records. Two kinds of services are provided by the police, namely, Certificate of No Criminal Conviction or Criminal Conviction Data Access. In processing the application for Certificate of No Criminal Conviction, if no criminal conviction is found, the police will send the certificate to the relevant consulate or immigration authority directly. In processing the application for Criminal Conviction Data Access, if no criminal conviction is found, the applicant will be notified verbally of the result. If a criminal conviction is found, the applicant will be given a summary of the conviction and charged a processing fee. 10.50 In AAB No. 1/2008, the complaint raised the question of whether or not, in response to a data access request, the police would have to confirm in writing if no criminal conviction records were found, rather than simply providing such confirmation orally. The police were concerned about possible abuses of the data if it was supplied in writing. 10.51 The concern has been alleviated after the introduction of a new provision, i.e. section 19(1A) by the Amendment Ordinance which specifically deals

200

10_Data Protection.indd 200

2016/6/27 1:59:48 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

with the procedure for complying with a data access request by the police. Section 19(1A) provides as follows: (1A) Despite subsection (1)(b), if –



a.

a data access request is made to the Hong Kong Police Force as to whether it holds any record of criminal conviction of an individual; and

b.

it does not hold such record,

it must comply with the request by informing the requestor orally, within 40 days after receiving the request, that it does not hold such record.

10.52 The police can now rely on section 19(1A) to comply with a data access request for record of criminal conviction by giving verbal information to the data requestor if it does not hold such record.

Requested Data Comprising Personal Data of Another Individual 10.53 Data users should take note of the requirements under section 20(1)(b) and (2) when the requested data contains the personal data of individual(s) other than the data subject. 10.54 Section 20(1)(b) provides as follows: (1) A data user shall refuse to comply with a data access request –

….. (b) subject to subsection (2), if the data user cannot comply with the request without disclosing personal data of which any other individual is the data subject unless the data user is satisfied that the other individual has consented to the disclosure of the data to the requestor; …

10.55 It should be noted that when applying the definition of “personal data” under section 2(1), it is possible for an item of information to constitute simultaneously the personal data of two or more individuals. Take, for

201

10_Data Protection.indd 201

2016/6/27 1:59:49 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

example, a statement contained in a letter which reads, “John Doe is a distant cousin of Mary Doe”. Obviously, the statement constitutes the personal data of John Doe and, at the same time, that of Mary Doe, and it is impossible to separate one from the other. In other words, compliance with a data access request from one of the individuals may involve the disclosure of the personal data of the other. 10.56 In this situation, section 20(1)(b) requires that the data access request be refused, unless the other data subject has consented to the disclosure of the data to the requestor. However, section 20(1)(b) is expressly provided to be read subject to section 20(2), which provides as follows: (2) Subsection (1)(b) shall not operate – (a). so that the reference in that subsection to personal data of which any other individual is the data subject includes a reference to information identifying that individual as the source of the personal data to which the data access request concerned relates unless that information names or otherwise explicitly identifies that individual; (b). so as to excuse a data user from complying with the data access request concerned to the extent that the request may be complied with without disclosing the identity of the other individual, whether by the omission of names, or other identifying particulars, or otherwise.

10.57 In summary, the overall effect of section 20(1)(b) and section 20(2) of the Ordinance has been interpreted by the Commissioner as follows: (a)

Where the information requested under a data access request contains the personal data of any other individual, then either:



• the consent for the release of such data to the requestor must be obtained from such individual; or



• the data user must erase/redact from the copy of the data provided to the requestor, the personal data of the other individual.

202

10_Data Protection.indd 202

2016/6/27 1:59:49 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

(b) It is not the data user’s obligation to ensure that the requestor cannot deduce or infer the identity of the other individual(s), so long as the name or other explicit identification particulars have been redacted. To require otherwise would impose an additional duty on the data user to ascertain the subjective knowledge of the requestor in relation to the identity of such third party, notwithstanding the erasure of the name or other explicit identification information from the copy provided to the requestor, and would be too onerous a burden to discharge and not in accordance with the letter and spirit of section 20(2). Against this background, the data user cannot therefore refuse to comply with a data access request on the grounds that the requestor can deduce or infer the identity of other individuals, so long as the identifying information of the other individuals (e.g. name, etc.) has been deleted from the copy of the data provided to the requestor. 10.58 For example, where in the data access request the requestor asks for written comments on himself made by a specified third party, the fact that the requestor already knows the identity of the third party does not, in the Commissioner’s view, give the data user any justification for refusing to comply with the data access request, for the sake of protecting the privacy of the third party involved. All that the data user needs to ensure is that the data as released does not contain the name or other identifying information of the third party. 10.59 This view was confirmed in the case of Wu Kit Ping by the Court of First Instance, in which the learned judge considered that . . . by s.20(2)(a), the restriction on the disclosure of personal data of one data subject, which might disclose the personal data of other data subject, operates only where the maker of the report, that is the source of the personal data to which the data access request is concerned, is named or explicitly identified. If the person who examined diagnosed and treated Ms Wu is not named in the report, it is likely that by deduction or inference Ms Wu will know the name of that person, if it had been given to her, for example, at the time of treatment. The fact that that deduction or inference may be made is not a barrier to the disclosure of Ms Wu’s personal data . . . But unless the data names or otherwise explicitly identifies the complainant, the fact that the complainant’s identity

203

10_Data Protection.indd 203

2016/6/27 1:59:49 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

might be determined by deduction or inference is not a barrier to the disclosure of the data . . . The effect of s.20(2)(b) is that if the data user can supply to the data subject his personal data, without the disclosure of the identity of the source of the information, then a means to supply the data must be found.

10.60 The AAB followed the reasoning in Wu Kit Ping’s case in other appeal cases. For instance, in AAB No. 15/2012, an employee made a data access request to his employer for his appraisal reports. The AAB found that the redaction of the names, post titles and signatures of those appraising officers, reviewing officers and countersigning officers in the appraisal reports was legitimate as the redacted particulars were not the personal data of the employee, and section 20(2)(b) applied as those names and information explicitly identified the officers.

Charge for Complying with a Data Access Request 10.61 For compliance with a data access request, a data user may levy a charge on the requestor in accordance with the following provisions in section 28 of the Ordinance: (1) A data user shall not impose a fee for complying or refusing to comply with a data access request or data correction request unless the imposition of the fee is expressly permitted by this section. (2) Subject to subsections (3) and (4), a data user may impose a fee for complying with a data access request. (3) No fee imposed for complying with a data access request shall be excessive. ... (5) A data user may refuse to comply with a data access request unless and until any fee imposed by the data user for complying with the request has been paid. . .

10.62 While section 28(3) prohibits the imposition of an “excessive” fee for complying with a data access request, what is “excessive” is not defined. In determining whether the fee imposed by the data user is excessive, the

204

10_Data Protection.indd 204

2016/6/27 1:59:49 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

Commissioner regards it as important that the fee, if any, charged should not be set with a view to generating profit, or worse, deterring the data subject from exercising his data access right under the Ordinance. In cases handled by the Commissioner, the charging for the actual out-of-pocket expenses, such as the photocopying fee and postage incurred by the data user, was not regarded as excessive. A data user may be asked to justify the basis of calculation of the fee in determining whether the fee charged is excessive in the circumstances of the case. More detailed explanations can be found in the Guidance Note on Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users212 issued by the Commissioner. 10.63 The Commissioner’s views on assessing the fee for complying with a data access request were examined by the AAB in AAB No. 37/2009. The case concerns three data access requests made by an individual to a government department and a substantial amount of personal data requested (which was estimated to involve around 6,000 pages of documents and covered a period of more than ten years). The department requested a fee of more than HK$14,000 for complying with the data access request which was disputed by the data requestor as being excessive. The AAB held that a purposive approach should be adopted when interpreting and applying the term “excessive” under section 28(3) and that the charging provision had to be construed strictly and must be cost related. According to the AAB, the data user is only allowed to charge the requestor for the costs which are “directly related to and necessary for” complying with a data access request. Any fee which exceeds the costs of compliance will be considered excessive. The AAB considered that what is “direct and necessary” is not the same as “reasonable” and a data user should consider the question of whether it is possible to comply with the data access request without incurring the individual item of cost. If the answer is “yes”, then the data user should not charge the cost incurred for that particular item.

212. Available on the Website.

205

10_Data Protection.indd 205

2016/6/27 1:59:49 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

10.64 The decision in AAB No. 52/2011213 further builds on the above fee-charging principle. Firstly, if a data user chooses to comply with a data access request in a form that is more costly, it is not able to charge a fee higher than what would otherwise be chargeable if it had complied with the request in a form that was less costly. In short, a data user is only entitled to recover those costs which are the lowest out of all the alternative courses available to the data user in order to comply with a data access request. Secondly, a data user bears the evidentiary burden to show that the costs incurred for complying with a data access request are not only directly related and necessary, but are also not “excessive” in the circumstances of the particular case. Hence, if the data user has created an extraordinary situation whereby excessive costs have been incurred, it might be against the clear words of section 28(3) to allow such costs to be borne by the data subject. 10.65 Some examples of expenses that data users might try to charge for complying with a data access request, which are individually examined below, include: •

fees for seeking legal advice or professional service;

•

office overheads;

•

direct labour costs and necessary expenses;

•

photocopying; and

•

flat-rate fee.

10.66 The Commissioner is of the view that the data user should not charge the data requestor for the costs incurred by a data user in seeking legal advice or the costs for its consultant or staff to study the requirements under the Ordinance, as these costs are incurred for the data user’s own protection but not strictly necessary for compliance with a data access request. 10.67 Regarding administrative or office overheads, such are costs which by their very nature are not directly related to or necessary for complying with a data access request, and therefore may not be charged to the data requestor. This issue was decided by the AAB in AAB No. 37/2009.

213. In this appeal case, the requested data was held in a laptop which crashed and the data user had to incur a huge fee to recover the data from its back-up tapes.

206

10_Data Protection.indd 206

2016/6/27 1:59:49 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

10.68 However, a data user may take into account the direct costs attributable to the time spent by its staff and the actual out-of-pocket expenses for locating, retrieving and reproducing the requested data. The data user should consider the basic skills required to handle the data access request. Normally, clerical and administrative staff will be considered capable of performing the tasks such as retrieving, photocopying and redacting the data. A data user should calculate the labour cost with reference to the staff assigned for handling the data access request. If a data user has assigned a group of staff of the same rank for the task, the labour costs may be calculated by reference to the average staff cost of this staff rank. Unless it has a valid justification, the data user should not assign a professional or managerial staff to perform the tasks, otherwise the data access request fee will be increased unnecessarily. The data user may charge for labour cost attributable to the time spent on extracting (e.g. the costs incurred for technical assistance in duplicating and editing a tape to remove images of other individuals) or editing the requested data (e.g. redacting the names and identifying particulars of other individuals), provided that the tasks are directly related to and necessary for complying with the data access request. 10.69 The Commissioner takes the view that a data user should not include in the fee the redaction cost of personal data exempted from compliance with a data access request, because a data user may still choose to comply with the data access request without invoking any exemption. Such costs are incurred for the protection of the data user’s interests, hence not directly related to and necessary for complying with a data access request. 10.70 The cost of photocopying the documents containing the requested data are usually viewed as direct and necessary costs, but any photocopying costs charged to the requestor must still not be excessive.214 10.71 A data user may sometimes choose to charge a flat-rate fee for administrative convenience. The Commissioner is generally not opposed to the charging of a flat-rate fee provided the fee imposed is not higher than the directly related and necessary costs for complying with a data access request.

214. See the Guidance Note on Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users, available on the Website.

207

10_Data Protection.indd 207

2016/6/27 1:59:49 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

When Must a Data User Refuse to Comply with a Data Access Request? 10.72 Section 20(1) provides as follows: (1) A data user shall refuse to comply with a data access request – (a) if the data user is not supplied with such information as the data user may reasonably require – (i) in order to satisfy the data user as to the identity of the requestor; (ii) where the requestor purports to be a relevant person, in order to satisfy the data user – (A) as to the identity of the individual in relation to whom the requestor purports to be such a person; and (B) that the requestor is such a person in relation to that individual; (b) … (c) in any other case, if compliance with the request is for the time being prohibited under this or any other Ordinance.

10.73 Section 20(1)(a) requires a data user to refuse to comply with a data access request lodged by a requester whose identity is in doubt. A data user must be careful to ensure that a copy of the personal data requested in a data access request is only provided to a person entitled to exercise the right to issue the relevant data access request.215 10.74 It is provided under section 20(1)(c) that a data user shall refuse to comply with a data access request where such compliance is “for the time being prohibited” under the Ordinance or another ordinance. There are few situations in which compliance with a data access request is expressly prohibited under the Ordinance, one of them is where a data access request is made to the Commissioner himself for personal data collected

215. See paragraphs 10.13 to 10.18 above.

208

10_Data Protection.indd 208

2016/6/27 1:59:49 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

by the Commissioner in the course of his investigation under Part 7 of the Ordinance. With regard to such data, section 46(1) imposes on the Commissioner and officers of the Commissioner a duty to maintain secrecy, subject to certain exceptions provided for in section 46(2), (3), (7) and (8), and unless any of these exceptions apply, the Commissioner is obliged to refuse to comply with the data access request according to section 20(1)(c). 10.75 Another example of prohibition on disclosure of information can be found in the Securities and Futures Ordinance (Cap 571). A specified person of the Securities and Futures Commission is bound by statutory duty216 to preserve secrecy in respect of any matter that comes to his knowledge in the performance of the functions under the Securities and Futures Ordinance and shall not let any other person have access to the record or document which is in his possession. Where compliance with a data access request by a data user will result in it breaching the statutory requirements under another ordinance, the data user may seek to rely on section 20(1)(c) to refuse compliance. 10.76 In AAB No.10/2013, the AAB examined the application of section 20(1)(c) of the Ordinance, which was relied on by a bank in refusing to comply with a data access request lodged by a complainant for documents containing information about, inter alia, his foreign exchange margin trading account, which the bank had provided to the Hong Kong Monetary Authority (“HKMA”). The complainant confirmed that he had made a complaint to the HKMA about the acts and conduct of the bank when handling his foreign exchange trading account. The bank argued that it was prohibited by reason of the secrecy provisions under section 120 of the Banking Ordinance (Cap 155) from providing the complainant with the requested information which formed part of the investigation by the HKMA. Although the AAB ultimately concluded that the information requested concerning the transaction details (when they were not involved in actual transactions), including cut-off rates at the time intervals specified showing market movements, did not constitute the complainant’s personal data, the AAB commented that the requested information originated from the bank itself

216. Section 378 of the Securities and Futures Ordinance, Cap 571, Laws of Hong Kong.

209

10_Data Protection.indd 209

2016/6/27 1:59:49 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

and was not something it came to know or possess or obtain in the course of investigation by the HKMA, and therefore it would not have been in breach of the said secrecy provisions under the Banking Ordinance even if it had chosen to disclose the same to the complainant. 10.77 Another example is found in the case of AAB No. 233/2013 in relation to a data access request made by a complainant against the Ombudsman for his personal data collected by the officer-in-charge when handling his complaint against a government department. The Ombudsman refused to comply with his data access request on the grounds that it was bound by a duty of secrecy under the Ombudsman Ordinance,217 the non-observance of which was an offence. The AAB considered that the statutory duty of secrecy imposed upon the Ombudsman was sufficiently broad to cover the disclosure of personal data in compliance with a data access request made under the Ordinance and hence section 20(1)(c) of the Ordinance applied in the circumstances of the case for the Ombudsman to refuse compliance with the data access request.

When May a Data User Refuse to Comply with a Data Access Request? 10.78 Having considered the provisions in the Ordinance which oblige a data user to refuse to comply with a data access request, we turn to other situations where such refusal may be exercised by the data user. These are provided under section 20(3) as follows: (3) A data user may refuse to comply with a data access request if – (a) the request is not in writing in the Chinese or English language; (b) the data user is not supplied with such information as the data user may reasonably require to locate the personal data to which the request relates;

217. Section 15(1) of the Ombudsman Ordinance, Cap 397 requires the Ombudsman and its staff to maintain secrecy in respect of all matters that come to their knowledge in the exercise of their functions.

210

10_Data Protection.indd 210

2016/6/27 1:59:49 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

(c) the request follows 2 or more similar requests made by – (i) the individual who is the data subject in respect of the personal data to which the request relates; (ii) one or more relevant persons on behalf of that individual; or (iii) any combination of that individual and those relevant persons, and it is unreasonable in all the circumstances for the data user to comply with the request; (d) subject to subsection (4), any other data user controls the use of the data in such a way as to prohibit the first-mentioned data user from complying (whether in whole or in part) with the request; (e) the form in which the request shall be made has been specified under section 67 and the request is not made in that form; (ea) the data user is entitled under this or any other Ordinance not to comply with the request; or (f) in any other case, compliance with the request may for the time being be refused under this Ordinance, whether by virtue of an exemption under Part 8 or otherwise.

10.79 Section 20(3)(a) and (e) have already been discussed above.218 Of the various other grounds of refusal provided for in section 20(3), the one under paragraph (f) is the broadest. In particular, Part 8 of the Ordinance provides for many situations in which personal data is exempt from access by the data subject (which will be discussed in Chapter 12). When a data user is uncertain whether any of the exemption provisions apply to a particular case, the prudent practice is to seek independent legal advice before relying upon the exemption to not comply with a data access request. The Commissioner takes the view that refusal of a data access request on invalid grounds (even if the data user subjectively believed them to be valid) technically constitutes contravention of section 19(1) by the data user. The burden of proof lies on the data user to properly invoke the exemption.

218. See paragraphs 10.19 to 10.24.

211

10_Data Protection.indd 211

2016/6/27 1:59:49 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

10.80 Of the remaining provisions in section 20(3), paragraph (d) also deserves mention. In fact, this paragraph needs to be read in conjunction with sections 21(1) and 18(4), which provide as follows:

Section 21(1) – (1) Subject to subsection (2), a data user who pursuant to section 20 refuses to comply with a data access request shall, as soon as practicable but, in any case, not later than 40 days after receiving the request, by notice in writing inform the requestor – (a) of the refusal; (b) subject to subsection (2), of the reasons for the refusal; and (c) where section 20(3)(d) is applicable, of the name and address of the other data user concerned.



Section 18(4) – (4) A data user who, in relation to personal data – (a) does not hold the data; but (b) controls the use of the data in such a way as to prohibit the data user who does hold the data from complying (whether in whole or in part) with a data access request which relates to the data,

shall be deemed to hold the data, and the provisions of this Ordinance (including this section) shall be construed accordingly.

10.81 In other words, where a data access request is refused pursuant to section 20(3)(d), there is an alternative for the requestor to make a request to the party that ultimately controls the use of the data (even if it does not physically hold such data).219 Section 20(3)(d) might not afford the data user valid grounds to refuse compliance with a data access request simply because there exists a duty of confidence between the data user and the

219. The data user who refuses to comply with a data access request under section 20(3)(d) is required to notify the requestor the name and address of the other data user under section 21(1)(c).

212

10_Data Protection.indd 212

2016/6/27 1:59:50 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

party that ultimately controls the use of the data. Confidentiality is not a reason stipulated in the Ordinance to permit a data user to refuse to comply with a data access request. A party who ultimately controls the use of the data to prohibit compliance with the data access request will be deemed to hold the data by virtue of section 18(4) and has to observe the rights and obligations under the Ordinance. 10.82 The decision given in AAB No. 26/2013 concerns the application of sections 18(4) and 20(3)(d). The complainant in this case made a data access request to her prospective employer for the reference letter collected from her former employer. The prospective employer refused to comply with her data access request on the grounds that the reference letter was obtained after an assurance had been given to her former employer that “all information provided [would] be kept strictly confidential”. The prospective employer sought to rely upon section 20(3)(d) of the Ordinance. The AAB emphasised that confidentiality is not a reason stipulated in the Ordinance for a data user to refuse to comply with a data access request. Hence, under section 18(4) and section 20(3)(d), either the former employer or the prospective employer must comply with the data access request in accordance with the Ordinance. The AAB allowed the appeal and directed the Commissioner to further investigate the case and to enquire with the complainant’s former employer to ascertain its position with regard to section 18(4). If the former employer did prohibit the prospective employer from complying with the data access request, section 18(4) would be applicable to the former employer, who could direct the prospective employer to supply the complainant with the requested data in compliance with her data access request. If it did not so prohibit the supply of the data, section 20(3)(d) would not apply to extricate the prospective employer. 10.83 Also of interest to readers is paragraph (ea) of section 20(3) which permits a data user to refuse to comply with a data access request if it is entitled under the Ordinance or other ordinances not to comply with the request. This provision was introduced by the Amendment Ordinance to address the possible conflict which may arise when a person is bound to observe a statutory duty to keep confidential certain information specified under the applicable laws.

213

10_Data Protection.indd 213

2016/6/27 1:59:50 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Steps To Take in Refusing To Comply with a Data Access Request 10.84 Where a data user is entitled, on one of the grounds provided in section 20, to refuse to comply with a data access request, it does not mean that the data user can thereby completely ignore the request. Rather, there are two steps which the data user is required to take in relation to such refusal to comply, namely, putting a relevant entry in its log book as required under section 27(2), and notifying the requestor in accordance with section 21(1). 10.85 It should be noted that even though a data user may be legally entitled to refuse to comply with a data access request, it is still obliged to give the requestor written notification of the proscribed matter within forty days of receiving the request. Failure to comply with this requirement will result in contravention of section 21(1). 10.86 Pursuant to section 21(1)(a) and (b), a data user who refuses to comply with a data access request shall inform the requestor of the refusal and the reason for such refusal in writing. The intention behind such a requirement on the part of the data user is to give the requestor a fair chance to challenge the refusal. 10.87 In this connection, it is important also to note that where, in response to a data access request, a data user releases to the requestor only part of the data held and withholds the remainder of the data, the data user in effect refuses to comply with the data access request. The notification requirements under section 21(1) also apply to that part of the data that is withheld. In other words, in compliance with paragraph (a), the data user is obliged to notify the requestor, with reasons, of the fact that certain requested data is withheld. 10.88 In relation to notification under paragraph (b), one question is how specific the reasons should be. In this regard, the notification given should at least be specific enough to enable the requestor, if he so wishes, to challenge the refusal. In previous cases, the Commissioner considered the notification given by a data user to be sufficient where it mentioned the grounds relied on (e.g. “legal professional privilege”) or the exact section number of the relevant exemption provision (in the example just quoted, “section 60”).

214

10_Data Protection.indd 214

2016/6/27 1:59:50 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

10.89 However, where the data user has failed to notify the requestor of the grounds relied upon under section 20(1) and (3) to refuse compliance with the data access request, even where valid grounds do exist to justify refusal, the data user is still regarded as having breached section 19(1) by failing to comply with a data access request. Care should thus be taken to ensure that where proper grounds of refusal are relied upon in refusing compliance with a data access request, the data subject should be informed of the same in accordance with section 21 of the Ordinance. 10.90 Prior to informing the requestor of the refusal and the reasons for refusing to comply with the data access request, a data user is required to keep a log entry of any refusal. In particular, section 27(1), (2)(a) and (3)(a) provide as follows: (1) A data user shall keep and maintain a log book – (a) for the purposes of this Part; (b) in the Chinese or English language; . . . (2) A data user shall in accordance with subsection (3) enter in the log book – (a) where pursuant to section 20 the data user refuses to comply with a data access request, particulars of the reasons for the refusal; ... (3) The particulars required by subsection (2) to be entered by a data user in the log book shall be so entered – (a) in the case of particulars referred to in paragraph (a) of that subsection, on or before the notice under section 21(1) is served in respect of the refusal to which those particulars relate; . . .

10.91 In this connection, it should be noted that “log book” is not defined in the Ordinance. One may therefore question whether, besides a bound book which is a generally accepted form of a “log book”, records kept in different forms, e.g. by electronic means, would also suffice as constituting a “log book” for the purposes of section 27(1). The liberal interpretation of “log book” would include one existing in electronic format so long

215

10_Data Protection.indd 215

2016/6/27 1:59:50 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

as the procedures prescribed under section 27(1) are followed and the Commissioner is not hindered from exercising his powers under section 27(4) to inspect and copy the log book at any reasonable time. 10.92 The question also arises as to whether section 27 actually requires every data user to have a blank log book, even before it refuses any data access request, i.e. before there is anything to record. The Commissioner takes the view that this would not be necessary so long as the refusal to comply with a data access request is properly recorded in accordance with section 27.

Proper Exercise of the Right To Access Personal Data 10.93 It should be emphasised that the data access right conferred upon a data subject under section 18 of the Ordinance should not be abused nor should it be exercised to substitute or replace other proper channels for discovery of documents readily available to the data subject. The Commissioner is vigilant in examining all the relevant circumstances of cases in ensuring that such right is not abused so as to become an instrument of harassment against the party to whom the request is made, the legislative intent of the Ordinance considered. 10.94 The use of a data access request shall not supplement the rights of discovery in legal proceedings. In the case of Wu Kit Ping, it was held that the right of an individual to obtain data is limited to that individual’s personal data and the entitlement of a data subject is to confined to knowing what personal data the data user holds. The learned judge took the view that the data subject’s entitlement is to a copy of the data, not to “see every document which refers to a data subject”. Furthermore, “it is not the purpose of the Ordinance to supplement rights of discovery in legal proceedings, and not to add any wider action for discovery for the purpose of discovering the identity of a wrongdoer either” under the Norwich Pharmaceutical discovery principle. The purpose of the Ordinance “is not to enable a data subject to locate information for other purposes, such as litigation”. 10.95 In a complaint lodged by a dismissed employee against his former employer, the employee claimed that the employer failed to comply with a series of

216

10_Data Protection.indd 216

2016/6/27 1:59:50 PM

Chapter 10. Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

his data access requests for various internal minutes, letters and records on incidents which concerned him by omitting or deleting data which he believed to belong to him. After examining the reply and documents supplied, the Commissioner took the view that the former employer had complied with his requests. It was also noted that the complainant had separately commenced legal action against his ex-employer for unlawful dismissal. The way and manner that the complainant conducted his complaint led the Commissioner to conclude that the complaint was frivolous, vexatious or not made in good faith under section 39(2)(c) of the Ordinance. Dissatisfied with the Commissioner’s finding, the complainant applied to the Court of First Instance for judicial review. 10.96 The Judge220 dismissed the application and ruled that since it transpired that the complainant had already obtained or would be able to obtain the documents he requested in the process of legal discovery in the separate lawsuits, the attempt to obtain his personal data by lodging data access requests against his ex-employer under section 18 of the Ordinance had become meaningless. The fact that in AAB No. 46/2004 the AAB accepted the fact that the complainant had obtained a copy of the document she requested in her data access request through other legal proceedings is a relevant factor for the Commissioner to consider in exercising his discretion to refuse to carry out any or further investigation under section 39(2)(d).221

220. Cheung J. in judgment given in Tsui Koon Wah v Privacy Commissioner for Personal Data [2004] 2 HKLRD 840. 221. Section 39(2)(d) provides that the Commissioner may refuse to carry out or decide to terminate an investigation initiated by a complaint if he is of the opinion that any investigation or further investigation is for any other reason unnecessary. According to the Complaint Handling Policy of the Commissioner, an investigation or further investigation may be considered unnecessary if there is no prima facie evidence of any contravention of the requirements under the Ordinance, or the investigation or further investigation cannot reasonably be expected to bring about a more satisfactory result given the circumstances of the case, etc.

217

10_Data Protection.indd 217

2016/6/27 1:59:50 PM

10_Data Protection.indd 218

2016/6/27 1:59:50 PM

Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

The main questions: • What is the relationship between a data correction request and a data access request? • Who can make and how to make a data correction request? • How can a data user comply with a data correction request? • When shall, or may, a data user refuse to comply with a data correction request? • What steps must a data user take in refusing to comply with a data correction request?

The questions discussed in this Chapter concerning data correction requests, DPP6 and Part 5 of the Ordinance have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

11_Data Protection.indd 219

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The Relationship between a Data Correction Request and a Data Access Request 11.1 Paragraphs (e) to (g) of Data Protection Principle 6 provide for the exercise of the data subject’s data correction rights as follows: Principle 6 – access to personal data A data subject shall be entitled to – ... (e) request the correction of personal data; (f) be given reasons if a request referred to in paragraph (e) is refused; and (g) object to a refusal referred to in paragraph (f).

11.2 “Data correction request” is defined in section 2(1) as “a request under section 22(1)”. Section 22(1) provides as follows: (1) Subject to subsections (1A) and (2), where – (a) a copy of personal data has been supplied by a data user in compliance with a data access request; and (b) the individual, or a relevant person on behalf of the individual, who is the data subject considers that the data is inaccurate,

then that individual or relevant person, as the case may be, may make a request that the data user make the necessary correction to the data.

11.3 It should be noted that a data correction request applies only to personal data, a copy of which has been provided to the requestor pursuant to an earlier data access request.222 In other words, a data correction request must be preceded by a data access request.

222. In AAB No.5/2005, a data access request and a data correction request were made by a student against an academic institution for personal data held by it. The academic institution did not hold the personal data requested and asked the student to address his request to another data user. The AAB agreed with the Commissioner’s view that the academic institution was not a data user. Since no personal data was supplied to the student by the academic institution, there was no personal data that could be the subject of correction as requested by the student in his data correction request.

220

11_Data Protection.indd 220

2016/6/27 1:59:57 PM

Chapter 11. Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

11.4 It also follows that where a data access request has been properly refused by a data user (for example, pursuant to an applicable exemption under Part 8 of the Ordinance), no subsequent data correction request can be made under Part 5 of the Ordinance in respect of the data in question. 11.5 Notwithstanding the above technical requirements, when a data user is satisfied that the personal data held by it is inaccurate, it should ensure compliance with DPP2(1) by taking all practicable steps to correct the personal data having regard to the purpose for which it is to be used.

Who Can Make and How to Make a Data Correction Request? 11.6 Similar to a data access request, section 22(1) allows a data correction request to be made by a data subject or by “a relevant person on behalf of” the data subject, the meaning of which has been discussed in paragraphs 10.14 to 10.18 in Chapter 10. 11.7 Where the data access request is made by a relevant person on behalf of the data subject, it does not follow that the relevant person must have the authority to request for correction of the personal data of the data subject. Section 22(1A) makes it clear that: (1A) If a person is a relevant person in relation to an individual only because the person has been authorized in writing by the individual to make a data access request on behalf of the individual, the person is not entitled to make a data correction request.

11.8 A data user should be mindful of the grounds provided under section 24(1) (b) that it shall refuse to comply with a data correction request when it is not satisfied with the identity of the relevant person. Section 24(1)(b) provides as follows: 24(1) Subject to subsection (2), a data user shall refuse to comply with section 23(1) in relation to a data access request if the data user is not supplied with such information as the data may reasonably require –

221

11_Data Protection.indd 221

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(a) … (b) where the requestor purports to be a relevant person, in order to satisfy the data user – (i) as to the identity of the individual in relation to whom the requestor purports to be such a person; and (ii) that the requestor is such a person in relation to that individual.

11.9 As in the case of a data access request, although section 24(3)(a) allows a data user to refuse to comply with a data correction request not made “in writing in the Chinese or English language”, the fact that this condition is not satisfied in the case of a data correction request does not, strictly speaking, prevent it from being a data correction request, albeit one that may be legitimately refused. A data user refusing the request on these grounds is still required to comply with the requirements applicable to such refusal, as will be discussed in paragraphs 11.34 to 11.42 below. 11.10 Section 22(1) does not specify that a data correction request has to be in writing. The question as to whether it can be made verbally was examined in AAB No. 12/2008 which concerned the accuracy of the personal records kept by an employer about an employee. The AAB took the view that “…we disagree that a data correction request can be made verbally for the simple reason that it would be difficult to verify not only whether a request has been made but also the requested correction”. Reference is also made to section 24(3)(a) which provides grounds for the data user to refuse to comply with a data correction request if it is “not written in the Chinese or English language”. 11.11 Similarly, neither section 22(1) nor any other provision in the Ordinance provides for any particular way in which a data correction request must be framed. However, since a data correction request must be preceded by a data access request, by the time the data user receives the data correction request, he should be aware of its relevance. 11.12 In this regard, after complying with a data access request, a data user should assess whether any subsequent correspondence from the requestor

222

11_Data Protection.indd 222

2016/6/27 1:59:57 PM

Chapter 11. Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

would constitute a data correction request. If a requestor replies to the data user suggesting any inaccuracy in the copy of his personal data and requesting correction of such data, the correspondence could constitute a data correction request and it is prudent for the data user to observe the requirements under Part 5 of the Ordinance.

Compliance with a Data Correction Request 11.13 Section 23(1) of the Ordinance, which deals with compliance with a data correction request, provides as follows: (1) Subject to subsection (2) and section 24, a data user who is satisfied that personal data to which a data correction request relates is inaccurate shall, not later than 40 days after receiving the request – (a) make the necessary correction to the data; (b) supply the requestor with a copy of the data as so corrected; and (c) subject to subsection (3), if – (i) the data has been disclosed to a third party during the 12 months immediately preceding the day on which the correction is made; and (ii) the data user has no reason to believe that the third party has ceased using the data for the purpose (including any directly related purpose) for which the data was disclosed to the third party, take all practicable steps to supply the third party with a copy of the data as so corrected accompanied by a notice in writing stating the reasons for the correction.

11.14 The first point to note is that a data user is obliged to comply with a data correction request only if it is “satisfied that the personal data to which the data correction request relates is inaccurate”. For instance, if the data user is satisfied that the HKID number was inaccurately recorded, it should make the necessary correction. If the data in question was provided by a third party instead of being directly collected from the data subject, the data user may need to consult the third party on the accuracy of such data.

223

11_Data Protection.indd 223

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

11.15 Where the data user is not satisfied that the data was inaccurate, he may refuse to comply with the data correction request in accordance with section 24(3)(b), to be discussed in paragraphs 11.24 to 11.33 below. 11.16 Another point to note is that “correction”, in relation to personal data, is defined in section 2(1) as meaning “rectification, erasure or completion”. How this has been applied by the Commissioner is illustrated in a complaint case, in which the complainant made a data correction request to a government bureau in relation to notes kept by the bureau. The notes, being the record of an interview with a third person, contained certain information about the complainant, which later proved to be inaccurate. The complainant therefore requested the deletion of his data contained in the notes. 11.17 Instead of deleting the data in question, the government bureau entered a note in the same file clearly pointing out the inaccuracy of the information. A copy of the note was provided to the complainant. Also, a marker was added to the relevant file to refer the reader to the note. 11.18 Although the complainant was dissatisfied with the manner in which his request had been complied with, the Commissioner took the view that what the government bureau had done was in effect “rectification” or “completion” of the relevant data, and as such, amounted to adequate compliance with section 23(1). The manner of compliance was regarded as more appropriate than simply deleting the data, as suggested by the complainant, so as to preserve a true record of what the third person had actually said in the interview, despite the inaccuracy of the information. 11.19 Except where there are valid grounds for refusing to comply with a data correction request under section 24, a data user is required to make the necessary correction and supply a copy of the corrected data to the requestor within forty calendar days after receiving a data correction request. 11.20 If the data user is unable to comply with the data correction request within the specified forty days, it must notify the requestor accordingly and comply with the request as soon as practicable as provided under section 23(2):

224

11_Data Protection.indd 224

2016/6/27 1:59:57 PM

.

Chapter 11. Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

(2) A data user who is unable to comply with subsection (1) in relation to a data correction request within the period specified in that subsection shall – (a) before the expiration of that period – (i) by notice in writing inform the requestor that the data user is so unable and of the reasons why the data user is so unable; and (ii) comply with that subsection to the extent, if any, that the data user is able to comply with that subsection; and (b) as soon as practicable after the expiration of that period, comply or fully comply, as the case may be, with that subsection.

11.21 Finally, insofar as compliance with a data correction request involves providing a copy of the corrected data to the requestor, section 28(1) provides as follows: (1) A data user shall not impose a fee for complying or refusing to comply with a data access request or data correction request unless the imposition of the fee is expressly permitted by this section.

11.22 While section 28(2) expressly permits imposing a fee for compliance with a data access request, the Ordinance contains no similar provision in relation to complying with a data correction request. It follows that a data user cannot impose any fee for compliance with a data correction request. 11.23 When inaccurate personal data has been disclosed to a third party within twelve months preceding the day on which the correction is made and the data user has no reason to believe that the third party has ceased using the personal data in question, it shall take all practicable steps to immediately supply the third party with a copy of the corrected data giving reasons for the correction. The duty to supply the third party with a copy of the corrected data does not arise in the situation where the disclosure of personal data consists of the inspection of a register or other similar documents by the third party.223

223. Section 23(3) of the Ordinance.

225

11_Data Protection.indd 225

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Circumstances in Which a Data User Shall or May Refuse to Comply with a Data Correction Request 11.24 The circumstances in which a data user shall refuse to comply with a data correction request are provided under section 24(1) as follows: (1) Subject to subsection (2), a data user shall refuse to comply with section 23(1) in relation to a data correction request if the data user is not supplied with such information as the data user may reasonably require – (a) in order to satisfy the data user as to the identity of the requestor; (b) where the requestor purports to be a relevant person, in order to satisfy the data user – (i) as to the identity of the individual in relation to whom the requestor purports to be such a person; and (ii) that the requestor is such a person in relation to that individual. (2) Subsection (1) shall not apply to a data correction request where the requestor is the same person as the requestor in respect of the data access request which gave rise to the data correction request.

11.25 It can be seen that these circumstances are similar to those provided for in section 20(1)(a), in which a data user receiving a data access request is obliged to refuse to comply with the request. 11.26 The circumstances in which a data user receiving a data correction request may refuse to comply with the request are provided under section 24(3) as follows: (3) A data user may refuse to comply with section 23(1) in relation to a data correction request if – (a) the request is not in writing in the Chinese or English language; (b) the data user is not satisfied that the personal data to which the request relates is inaccurate; (c) the data user is not supplied with such information as the data user

226

11_Data Protection.indd 226

2016/6/27 1:59:57 PM

Chapter 11. Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

may reasonably require to ascertain in what way the personal data to which the request relates is inaccurate; (d) the data user is not satisfied that the correction which is the subject of the request is accurate; or (e) subject to subsection (4), any other data user controls the processing of the personal data to which the request relates in such a way as to prohibit the first-mentioned data user from complying (whether in whole or in part) with that section.

11.27 Again, most of the circumstances provided for in section 24(3) are largely similar to those provided for in section 20(3), under which a data user may refuse to comply with a data access request. In addition, it is grounds for refusal, under paragraph (b), when the data user is not satisfied that the personal data to which the request relates is inaccurate. A data user may be disinclined to correct personal data comprising an expression of opinion. “Expression of opinion” is defined in section 25(3) to include “an assertion of fact which (a) is unverifiable; or (b) in all the circumstances of the case, is not practicable to verify”. Hence, the defined term extends to cover more than the ordinary meaning of “opinion”. 11.28 What amounts to an “expression of opinion” hinges on the distinction between factual and evaluative statements and is often difficult to judge. While it is easy to ascertain and correct factual statements, for example, the name, age, address, or HKID number of the data subject, the evaluative statements made by one person against the other, such as, those made in an appraisal report or in a letter of termination of employment, are often the subject of dispute by the dissatisfied data subjects. Other courses of action, like a civil claim for defamation or the filing of an employee’s claim for unlawful dismissal seem to be the more suitable channels for redress. 11.29 In the case of AAB No. 22/2000, the complainant made a data correction request to his ex-employer regarding allegations made against him in his letter of termination. The Commissioner took the view that in refusing to amend the letter of termination as requested, the employer was not in breach of section 23(1). On appeal to the AAB, the AAB upheld the Commissioner’s view that the Ordinance was inapplicable to the case. In

227

11_Data Protection.indd 227

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

particular, according to the AAB, if the employee was dissatisfied with the grounds of termination, he should seek to resolve the dispute through other legal channels, such as taking the case to the Labour Tribunal. In this respect, the Commissioner could not assume the role of a presiding officer of the Tribunal in deciding the validity of the grounds of termination.224 11.30 Statements made by an appraising officer in a performance appraisal report about the performance of the appraisee may consist mostly of expression of opinions (such as on the appraisee’s competence) and partly facts (such as the job duties and work performed by the appraisee). Where a data correction request is lodged and the data concerned is an opinion, it is unlikely and always impracticable that the accuracy of the opinion expressed can be objectively verified. On the contrary, if the dispute is about a fact, it is easier to gather evidence to ascertain whether the data is inaccurate. In refusing to comply with a data correction request, a data user must have reasonable justifications. 11.31 In AAB No. 12/2008, an employee complained to her employer claiming that she had received unfair treatment from her supervisor. Upon investigation, the employer found that the employee’s complaint was not substantiated. The employee subsequently made a data access request to the employer for a copy of all her personal records and the employer complied with the request. After receiving the documents from her employer, the employee complained to the Commissioner against the employer, claiming that there were sixteen “incorrect facts” in the documents. The Commissioner considered that the alleged “incorrect facts” concerned essentially employment disputes relating to unfair treatment and discrimination, and it was not for the Commissioner to resolve the disputes on errors of facts. The Commissioner decided not to carry out an investigation. On appeal, the AAB agreed that the Commissioner was not empowered to investigate such matters relating to the employee’s employment.

224. In AAB No. 8/2015, the AAB also agreed with the Commissioner that it was not grounds for using a data correction request to compel a doctor to change his opinion, as stated in a letter about terminating the doctorpatient relationship and the reasons for using a data correction request.

228

11_Data Protection.indd 228

2016/6/27 1:59:57 PM

Chapter 11. Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

11.32 A similar approach was adopted in AAB No. 74/2011. The case concerned the making of a data correction request by an ex-member of a religious community about the comments expressed about him in two reports in connection with termination of his membership. The AAB commented as follows: 43. … We are troubled by the fact that the present appeal seems to be one motivated not by concerns of one’s privacy, but by personal feud. … The Appellant needs to understand that it is not the purpose of the [Ordinance] to help a person in his personal vendetta against another person or organisation. Rightly or wrongly, the [religious community] has made a decision to remove the Appellant’s name from its member roll. No doubt this decision was based on a number of considerations, not just the 2 Reports. It is not for the [Commissioner] or [AAB] whether by means of data correction requests or otherwise, to make the [religious community] “correct” this decision. It is something the Appellant has to settle with that organisation himself.

11.33 Often the data subjects and the data users may have contradictory views on the correctness of opinion data. For instance, a patient may disagree with a doctor’s diagnosis of mental illness. Pursuant to section 24(3), a data user may refuse to comply with a data correction request if the data user is not satisfied that the personal data to which the request relates is inaccurate. In respect of medical opinion, for instance, the Commissioner would not be in a position to comment on the accuracy or otherwise of an opinion made by a medical professional. In AAB No. 42/2006, the AAB stated in its decision: . . . [the AAB] is not in a position to find any error in the Commissioner’s view that he would not be in a position to determine whether the opinions concerning the mental condition of the Appellant contained in the Forms were accurate or not. That is clearly something beyond the scope of the Commissioner’s duty.

Steps To Take in Refusing to Comply with a Data Correction Request 11.34 Usually, where a data user refuses to comply with a data correction request, two basic steps should be taken: first, to put a relevant entry in its log book

229

11_Data Protection.indd 229

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

as required under section 27(2)(c) and (3)(c), and secondly, to notify the requestor in accordance with section 25(1). 11.35 In this connection, section 27(2)(c) and (3)(c) provide as follows: (2) A data user shall in accordance with subsection (3) enter in the log book –

... (c) where pursuant to section 24 the data user refuses to comply with section 23(1) in relation to a data correction request, particulars of the reasons for the refusal;



...

(3) The particulars required by subsection (2) to be entered by a data user in the log book shall be so entered –

... (c) in the case of particulars referred to in paragraph (c) of that subsection, on or before the notice under section 25(1) is served in respect of the refusal to which those particulars relate; . . .

11.36 Section 25(1)(a) provides as follows: (1) A data user who pursuant to section 24 refuses to comply with section 23(1) in relation to a data correction request shall, as soon as practicable but, in any case, not later than 40 days after receiving the request, by notice in writing inform the requestor – (a) of the refusal and the reasons for the refusal . . .”

11.37 The requirements to enter into a log book the refusal to comply with a data correction request, and to give notification of such refusal to the requestor, are similar to the requirements of a data access request. Regarding the requirement for a data user to keep a log book under section 27(1), readers may refer to the discussion in paragraphs 10.90 to 10.92 in Chapter 10. A data user is required to keep a log entry containing the particulars of the reasons for the refusal of the data correction request for four years.

230

11_Data Protection.indd 230

2016/6/27 1:59:57 PM

Chapter 11. Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

11.38 Finally, where the data correction request relates to data that constitutes an “expression of opinion”, the data user is required to take steps as required under section 25(2) and (3) as follows: (2) Without prejudice to the generality of subsection (1), where – (a) the personal data to which a data correction request relates is an expression of opinion, and (b) the data user concerned is not satisfied that the opinion is inaccurate, then the data user shall – (i) make a note, whether annexed to that data or elsewhere – (a) of the matters in respect of which the opinion is considered by the requestor to be inaccurate; and (b) in such a way that that data cannot be used by a person (including the data user and a third party) without the note being drawn to the attention of, and being available for inspection by, that person; and (ii) attach a copy of the note to the notice referred to in subsection (1) which relates to that request. (3) In this section, “expression of opinion” includes an assertion of fact which (a) is unverifiable; or (b) in all the circumstances of the case, is not practicable to verify.

11.39 The regulatory experience of how the Commissioner dealt with data correction requests relating to “expression of opinion” was explained in paragraphs 11.27 to 11.33 above. Data users must observe the procedural requirements laid down in section 25 to notify the data subject about the refusal. 11.40 An illustration of how section 25(2)(b)(i)(B) has been applied by the Commissioner can be found in a complaint brought against an educational institution, where it was found that the institution had kept, in two of its departments, the same record of an expression of opinion about a staff member. In response to a data correction request from the staff member,

231

11_Data Protection.indd 231

2016/6/27 1:59:57 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the educational institution caused a note under section 25(2)(b)(i) to be annexed to the record kept in one department, but omitted to do the same to the record kept in the other department. As a result of this omission, the educational institution was found to have contravened section 25(2). 11.41 As provided by section 25(3), the meaning of “expression of opinion” shall include an assertion of fact which is unverifiable or in all the circumstances of the case, is not practicable to verify, such that the data user can likewise make a note in accordance with section 25(2)(b). In AAB No.50/2009, the appellant made a data correction request to her former employer claiming she was not a party to the four Small Claims Tribunal cases listed in her credit check report, which she also claimed was inaccurate. According to the report, the appellant was the plaintiff of two cases and the defendant of the other two cases. The Commissioner made enquiries with the Small Claims Tribunal and was able to verify that the appellant was indeed the plaintiffs in two actions by verifying the HKID number of the plaintiffs supplied by the Small Claims Tribunal. However, the identity of the defendants in the other two cases could not be identified because in one case, the Tribunal did not possess the HKID number or contact number of the defendant; while in the other case, the action number was incomplete. The AAB confirmed the Commissioner’s finding that the data in the report sought to be corrected as regards these two cases was an expression of opinion, and the subsequent action taken by the employer in adding to the report a written note next to the relevant data to the effect that she disputed the same satisfied the requirements under section 25(2). 11.42 Readers may refer to the Guidance on the Proper Handling of Data Correction Request by Data Users225 issued by the Commissioner for practical guidance in complying with the requirements under the Ordinance.

225. See Guidance on the Proper Handling of Data Correction Request by Data Users, available on the Website.

232

11_Data Protection.indd 232

2016/6/27 1:59:58 PM

Chapter 12 Exemption Provisions in Part 8 The main questions: • What are the different categories of exemptions under Part 8? • When is personal data held by a magistrate or a judicial officer exempt from the provisions of the DPPs under section 51A? Under what circumstances does the legal proceedings exemption under section 60B apply? • What is the scope of the “domestic purposes” exemption intended to be covered by section 52? • When do the employment-related exemptions in sections 53 and 54 and the evaluative process exemptions in sections 55 and 56 apply? • What is the effect of invoking the exemption under section 57, i.e. safeguarding security, etc. of Hong Kong in denying a data access request? What is the relevance of section 63 in relation to this exemption? • What are the Commissioner’s views on the operation of the exemption under section 58 on prevention of crime? • When do the health exemption in section 59 and the emergency situations exemption under section 63C apply? • Under what circumstances does section 59A apply to exempt the disclosure of personal data of minors for their care and guardianship? • When do the legal professional privilege exemption under section 60 and the self-incrimination exemption under section 60A arise? • What constitutes “news activity” under section 61? • What is meant by a “due diligence exercise” under section 63B? The questions discussed in this Chapter concerning the exemption provisions in Part 8 of the Ordinance have been selected on the basis of their practical importance in light of the Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs 1.7 to 1.11 in Chapter 1 — Introduction, which contain important general information on using this Book.

12_Data Protection.indd 233

2016/6/27 2:00:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Exemptions in General 12.1 Section 51 in Part 8 of the Ordinance provides as follows: Where any personal data is exempt from any provision of this Ordinance by virtue of this Part, then, in respect of that data and to the extent of that exemption, that provision neither confers any right nor imposes any requirement on any person, and the other provisions of this Ordinance which relate (whether directly or indirectly) to that provision shall be construed accordingly.

12.2 Sections 51A to 63D provide for specific exemptions from all or some of the provisions of the Ordinance. Broadly speaking, the exemption provisions in Part 8 may be divided into the following categories: Section No.

Exemption

Application

51A

Performance of judicial functions

All DPPs, Parts 4 and 5 and sections 36 and 38(b)

52

Domestic purposes

All DPPs, Parts 4 and 5 and sections 36 and 38(b)

53

Employment – staff planning

DPP6 and section18(1)(b)

54

Employment – transitional provisions

DPP6 and section18(1)(b)

55

Relevant process

DPP6 and section18(1)(b)

56

Personal references

DPP6 and section18(1)(b)

57

Security, etc. in respect of Hong Kong

DPPs 3 and 6 and section18(1)(b)

58

Crime, etc.

DPPs 3 and 6 and section18(1)(b)

58A

Protected product and relevant records under Interception of Communications and Surveillance Ordinance

All provisions

234

12_Data Protection.indd 234

2016/6/27 2:00:04 PM

Chapter 12. Exemption Provisions in Part 8

Section No. 59(1) 59(2)

Exemption

Application

Health – personal data relating to physical or mental health of data subject

DPPs 3 and 6 and section18(1)(b) DPP3

Health – personal data relating to identity or location of data subject 59A

Care and guardianship of minors

DPP3

60

Legal professional privilege

DPP6 and section18(1)(b)

60A

Self-incrimination

DPP6 and section 18(1)(b)

60B

Legal proceedings, etc.

DPP3

61(1)

News – personal data held for the purpose of a news activity

DPP6 and sections18(1)(b), 36, 38(b) and 38(i)

61(2)

DPP3

News – personal data disclosed to a data user engaging in news activities 62

Statistics and research

DPP3

63

Exemption from section 18(1)(b) by virtue of section 57 or 58

Section18(1)(a)

63A

Human embryos, etc.

DPP6 and sections18(1)(a) and 18(1)(b)

63B

Due diligence exercise

DPP3

63C

Emergency situations

DPPs 1(3) and 3

63D

Transfer of records to Government Records Service

DPP3

235

12_Data Protection.indd 235

2016/6/27 2:00:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 51A — Performance of Judicial Functions 12.3 Section 51A provides as follows: (1) Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions is exempt from the provisions of the data protection principles and Parts 4 and 5 and sections 36 and 38(b).

12.4 “Judicial officer” is defined in section 51A(2) to have the same meaning given by section 2 of the Judicial Officers Recommendation Commission Ordinance (Cap 92) (“JORCO”). Section 2 of JORCO defines “judicial officer” as “a holder of a judicial office”, as listed in Schedule 1 of JORCO (which includes a judge of the Hong Kong High Court, a Magistrate, a Coroner, etc.). This new exemption was introduced by the Amendment Ordinance and came into effect on 1 October 2012. Article 85 of the Basic Law states that the Courts of the Hong Kong Special Administrative Region shall exercise judicial power independently, free from any interference. In discharging his regulatory powers under the Ordinance, the Commissioner is mindful that the application of the Ordinance shall not fetter or disrupt the fundamental principle of judicial independence recognised under the Basic Law when personal data is handled by the judicial officers in the course of performing judicial functions. This section 51A is consistent with the position taken by the Commissioner and the AAB before the Amendment Ordinance came into effect.226 12.5 In AAB No. 39/2004, in support of his application to revive the hearing of a claim made before the Small Claims Tribunal, the plaintiff submitted his sickness certificate to the Tribunal for consideration. The Tribunal disclosed the sickness certificate to the defendant. The plaintiff complained against the Tribunal claiming that there was a breach of DPP3. The Commissioner found that such act was performed in the course of the exercise of the

226. In AAB No. 54/2014, an appellant (being a website operator) argued that the effect of section 51A of the Ordinance was that all personal data that appeared in Court judgments was exempted from all the data protection principles. He therefore claimed that his disclosure of the complainant’s identity relating to three anonymised Court judgments was exempted from DPP3 by virtue of section 51A. Rejecting the argument, the AAB explained that the appellant had never been a judicial officer and the relevant personal data was never held by him in such a capacity. Hence, section 51A did not apply to his case.

236

12_Data Protection.indd 236

2016/6/27 2:00:04 PM

Chapter 12. Exemption Provisions in Part 8

judicial function by the Tribunal, and hence outside the scope of the Ordinance and the Commissioner had no power to intervene. On appeal to the AAB, the AAB upheld the decision of the Commissioner and reiterated that the exercise of the judicial functions of the judicial officers was not subject to the jurisdiction of the Ordinance. 12.6 In another decision of AAB No. 22/2007, the complainant made a data access request to the Judiciary for obtaining, inter alia, the transcript of the hearing of her case at the Labour Tribunal. The AAB ruled that the transcript was a Court document and could not be accessed through a data access request under section 18 of the Ordinance. This was part of the judicial proceedings at the Labour Tribunal and outside the scope of the Ordinance. 12.7 The question of what amounts to the performance of a judicial function was considered in AAB No. 57/2011. The complainant was a defendant/ appellant in a criminal case and its subsequent appeals. He made a data access request to the appellate judge for documents which were excluded by the judge from the appeal bundle. The data access request was made after the conclusion of the Court proceedings and there were no pending judicial proceedings. The AAB considered that any party to the appeal may apply to the appellate Court for incorporation of documents they think relevant. Alternatively, with the leave of Court they may refer to documents not so incorporated in the appeal bundle. Therefore, the exclusion or inclusion of a particular document in the appeal bundle by the judge at the first instance does not affect the right of any party to the appeal to argue properly their respective case before the appellate Court. Hence, it is not appropriate to regard the assistance of the appellate judge in the preparation of the appeal bundle as his judicial act or function. The AAB further found that the appellate judge was not a data user in respect of the case file or the appeal bundle. These documents formed part of the Court record and the keeper or custodian of the Court record was the Registrar of the High Court. The ultimate responsibility of how to comply with the data access request lies with the Registrar of the High Court, not the appellate judge. As the complaint was lodged against the appellate judge who was not a data user, the AAB upheld the decision of the Commissioner not to investigate the complaint.

237

12_Data Protection.indd 237

2016/6/27 2:00:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 52 — Domestic Purposes 12.8 Section 52 exempts from application all of the data protection principles and other provisions of the Ordinance such as the access to or correction of personal data, etc. in respect of personal data held for management of personal, family or household affairs or recreational purposes. A common example would be the holding of an address and telephone list of friends and relatives by an individual for communication purposes (such as the sending of Christmas cards), or for social or recreational activities. 12.9 Section 52 provides as follows: 52. Domestic purposes

Personal data held by an individual and – (a) concerned only with the management of his personal, family or household affairs; or (b) so held only for recreational purposes,

is exempt from the provisions of the data protection principles, Parts 4 and 5 and sections 36 and 38(b).

12.10 Although section 52 appears to be a broad exemption in Part 8, the use of words such as “held”, “individual” and “only” in this section limits its application accordingly. First, as decided by the AAB in AAB No. 46/2006, section 52 only applies to data already held by an individual and has no application to DPP1 in respect of the collection of personal data. Second, section 52 applies to personal data held by an individual, as opposed to being held by a corporation. Third, the personal data must be held only for the management of personal, family, or household affairs or for recreational purposes. Thus, if personal data is not held solely for these reasons but for other purposes as well, section 52 exemption is not applicable. 12.11 In the case of AAB No. 46/2006, an employee secretly recorded his conversation with his supervisor during a lunch meeting and then uploaded the recorded conversation to websites and internet discussion forums inviting downloading. The Commissioner found the mode, magnitude, and extent of disclosure of personal data to have exceeded the original

238

12_Data Protection.indd 238

2016/6/27 2:00:04 PM

Chapter 12. Exemption Provisions in Part 8

purpose of collection (i.e. for handling personal affairs which was exempted under section 52) and hence contravened DPP3. The decision of the Commissioner was upheld by the AAB. 12.12 In AAB No.28/2010, the complainant was a member of an owners’ committee. She was tape-recorded by another member during two owners’ committee meetings in which she expressed her views on various matters. She lodged a data access request with the member requesting access to her views and conversations at the two meetings but was refused on the grounds that the recording did not contain her personal data. The AAB commented that even if the tape recordings amounted to the complainant’s personal data (which was not accepted), the exemption under section 52 would have applied in this case. There was nothing to cast doubt on the claim by the owner that she held the tape recordings for record purposes to manage her personal affairs, and there was no suggestion otherwise by the complainant. 12.13 Another common example in which section 52 is invoked is found in situations where an individual, without the consent of his relative or friend, uses his personal data as a credit reference for a loan or credit application. Subsequently the individual defaults in repayment resulting in the credit provider, or their appointed debt collection agent pursuing the referee to locate the whereabouts of the debtor for recovery of the outstanding loan, causing him annoyance and distress. When complaints of this nature are received, the Commissioner will look at the totality of the evidence and take into account factors such as whether any actual damage is suffered by the individual concerned, the relationship between the complainant and the party complained against and the purpose for which the personal data was held, processed or used before deciding whether section 52 is applicable to the case in question.

Sections 53 and 54 — Staff Planning and Employment 12.14 Section 53 is seen to be a straightforward provision which exempts from application DPP6 and section 18(1)(b) personal data consisting of

239

12_Data Protection.indd 239

2016/6/27 2:00:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

information relevant to a staff planning proposal to: (a) fill any series of positions of employment which are presently, or may become, unfilled; or (b) cease any group of individuals’ employment. . . .

12.15 It is clear that the drafting of this section is not intended to apply to any single position occupied by a particular employee, which would instead potentially fall within the scope of section 55. Section 53 applies to staff planning in general which concerns a series of positions or employment of a group of individuals. It is therefore only in a staff planning situation within the scope contemplated by section 53 that the employer can avail itself of this exemption and refuse to accede to a data access request made by a data subject. Furthermore, the Commissioner takes the view that section 53 should not apply where the data user merely anticipates possible staff planning in the future. 12.16 Section 54(1) is a seven-year transitional provision that expired on 3 August 2002. The practical effect of section 54(1) was that it exempted from application of DPP6 and section 18(1)(b) employment-related personal data held by the employer before 20 December 1996 (i.e. the date on which the Ordinance first came into operation), which was provided by the individual on the implicit or explicit condition that the data subject would not have access to the data. This transitional provision aimed to give employers time to adjust and familiarise themselves with the requirements introduced by the Ordinance without causing them undue hardship.

Section 55 — Relevant Process 12.17 Section 55(1) provides as follows: (1) Personal data the subject of a relevant process is exempt from the provisions of data protection principle 6 and section 18(1)(b) until the completion of that process.

240

12_Data Protection.indd 240

2016/6/27 2:00:04 PM

Chapter 12. Exemption Provisions in Part 8

12.18 “Relevant process” is in turn defined in subsection (2) as follows: “relevant process” – (a) subject to paragraph (b), means any process whereby personal data is considered by one or more persons for the purpose of determining, or enabling there to be determined – (i) the suitability, eligibility or qualifications of the data subject for – (A) employment or appointment to office; (B) promotion in employment or office or continuance in employment or office; (C) removal from employment or office; or (D) the awarding of contracts, awards (including academic and professional qualifications), scholarships, honours or other benefits; (ii) whether any contract, award (including academic and professional qualifications), scholarship, honour or benefit relating to the data subject should be continued, modified or cancelled; or (iii) whether any disciplinary action should be taken against the data subject for a breach of the terms of his employment or appointment to office; (b) does not include any such process where no appeal, whether under an Ordinance or otherwise, may be made against any such determination.

12.19 In other words, before the determination of the relevant process, the data user may refuse to comply with a data access request by invoking this exemption provision. As soon as the relevant process is completed, the exemption will no longer be available to the data user. However, it should be noted that pursuant to subsection (2)(b), this exemption does not apply to cases where the data subject has no right to appeal against any such determination. 12.20 The meaning of “appeal” in section 55(2)(b) was considered in a complaint in which the employer refused to comply with a data access request made by an employee based on the exemption under section 55(2)(b), as the employee had a right to appeal against the decision made against him in the

241

12_Data Protection.indd 241

2016/6/27 2:00:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

relevant process. The appeal referred to was in fact a possible review by the Chief Executive of his own decision. The Commissioner came to the view that neither the type of review mentioned nor the limited form of judicial review by the Courts in respect of the determination made pursuant to the relevant process, would constitute an appeal within the meaning of section 55(2)(b). For these reasons, the employer was not entitled to rely on the exemption and had to comply with the data access request.

Section 56 — Personal References 12.21 Section 56 concerns personal data held by a data user which consists of a personal reference: (a) given by an individual other than in the ordinary course of his occupation; and (b) relevant to another individual’s suitability or otherwise to fill any position of employment or office which is presently, or may become, unfilled, . . .

12.22 In order to ensure that personal references are given without fear of being accessed by candidates prior to the determination of the selection process and being disputed as to the accuracy of the contents (which in most cases will comprise subjective personal comments or opinion), section 56 provides for an exemption from the application of DPP6 and section 18(1)(b) unless the person who gave the reference: (i) . . . has informed the data user in writing that he has no objection to the reference being seen by the individual . . . (or words to the like effect); or (ii) in the case of a reference given on or after the day on which this section comes into operation, until the individual . . . has been informed in writing that he has been accepted or rejected to fill that position or office (or words to the like effect), whichever first occurs.

12.23 The condition (ii) mentioned above is in line with the completion of the relevant process mentioned in section 55(2)(a)(i)(A) whereby personal data

242

12_Data Protection.indd 242

2016/6/27 2:00:05 PM

Chapter 12. Exemption Provisions in Part 8

is considered for the purpose of determining the suitability, eligibility or qualifications of the data subject for employment or appointment to office. 12.24 It is worth noting that after the candidate has been informed in writing of the result of his job application, the data user could no longer rely on this exemption to refuse the compliance of a data access request in respect of references given on, or after the coming into effect of, section 56. However, in complying with the data access request so made, the data user shall, pursuant to section 20(1)(b) and 20(2), give copies of the requested data only after the omission or editing out of the identifying particulars of any other individuals (e.g. the referees) unless the data user is satisfied that they have consented to the disclosure of their personal data to the requestor. 12.25 Section 56 applies to a reference given by an individual other than in the ordinary course of his occupation. It does not therefore apply to the situation where a reference is furnished by a person, such as the personnel officer of a corporation whose duties include responding to reference checks made by prospective employers of its ex-employees. In AAB No.26/2013 which concerned the supply of a reference by an assistant manager of the complainant’s former employer to her prospective employer, the Commissioner took the view that section 56 was not applicable because the reference was not given by an individual other than in the ordinary course of his occupation. The decision was upheld by the AAB.

Section 57 — Security, etc. in Respect of Hong Kong 12.26 Section 57 exempts from application the provisions of DPP6, section 18(1)(b) and DPP3 to personal data held or used for the following purposes: (1) Personal data held by or on behalf of the Government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong is exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to prejudice any of the matters referred to in this subsection.

243

12_Data Protection.indd 243

2016/6/27 2:00:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(2) Personal data is exempt from the provisions of data protection principle 3 in any case in which – (a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data is held for any of those purposes); and (b) the application of those provisions in relation to such use would be likely to prejudice any of the matters referred to in that subsection, ...

12.27 In determining whether the exemption under section 57(1) or (2) is applicable to a particular case, the Commissioner will take into account any certificate signed by the Chief Executive or Chief Secretary for Administration who are empowered under section 57(3) and (4) to certify that exemption is or was required or that personal data is or has been used for any purpose referred to in subsection (1). They may also in the certificate direct the Commissioner not to carry out an inspection or investigation and the Commissioner shall comply with that directive. 12.28 This exemption is necessary in safeguarding security, defence or international relations in respect of Hong Kong. For cases concerning noncompliance with a data access request, the Commissioner has taken a broad approach in deciding whether compliance with a data access request would jeopardise the purposes covered by subsection (1). 12.29 The issue was illustrated in one case in which a complaint was lodged against a law enforcement agency for non-compliance with a data access request made under section 18(1). The requestor asked for records and documents in the law enforcement agency’s possession that “. . . relate to or assist the [law enforcement agency] to come to the view or conclusion that I am a member of or linked to any triad society”. The law enforcement agency refused to confirm or deny the existence or non-existence of the data. The reason put forward was that the disclosure of such information, even if it existed at all, would put the lives and well-being of those individuals who contributed the information to the law enforcement agency in jeopardy. Exemptions under sections 57(1), 58(1)(a) (i.e. the prevention or detection of crime) and 58(1)(b) (i.e. the apprehension, prosecution or detention

244

12_Data Protection.indd 244

2016/6/27 2:00:05 PM

Chapter 12. Exemption Provisions in Part 8

of offenders) were invoked with a view to justifying non-compliance with the data access request. The Commissioner found that there was no contravention of DPP6 on the grounds that the elements of these exemption provisions were satisfactorily proved by the law enforcement agency. The statutory duty of the law enforcement agency to inform the requestor whether the data existed or not under section 18(1)(a) may also be exempted under section 63 in these circumstances. For the scope of application of section 63, readers are referred to paragraphs 12.99 to 12.102. 12.30 In coming to the aforesaid conclusion, consideration was given by the Commissioner to the fact that the law enforcement agency had a substantial interest to ensure that all statements made in confidence by members of the public to the law enforcement agency were full and frank without fear of their statements being later used for another purpose. The candour of informants would be inhibited if their statements were liable to be accessed by the individuals mentioned therein.

Section 58 — Crime, etc. 12.31 Among the various exemptions in Part 8, section 58 probably has the widest application, and thus deserves careful study. It covers personal data held or used for the following purposes: (1) (a) the prevention or detection of crime; (b) the apprehension, prosecution or detention of offenders; (c) the assessment or collection of any tax or duty; (d) the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons; (e) the prevention or preclusion of significant financial loss arising from – (i) any imprudent business practices or activities of persons; or

245

12_Data Protection.indd 245

2016/6/27 2:00:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(ii) unlawful or seriously improper conduct, or dishonesty or malpractice, by persons; (f) ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on any thing – (i) to which the discharge of statutory functions by the data user relates; or (ii) which relates to the discharge of functions to which this paragraph applies by virtue of subsection (3); or (g) discharging functions to which this paragraph applies by virtue of subsection (3); . . .

12.32 On the whole, section 58(1) and (2) provide respectively for exemption from DPP6 and section 18(1)(b), as well as DPP3. In particular, under section 58(1), exemption from DPP6 and section 18(1)(b) is available for any personal data that satisfies the following criteria: • the data is held for any of the specified purposes (section 58(1)(a) to (g)); and • the application of DPP6 and section 18(1)(b) to the data would either be likely to prejudice any of those purposes, or to identify directly or indirectly the person who is the source of the data (section 58(1)(i) and (ii)). 12.33 In contrast, exemption from DPP3 is available under section 58(2) for any personal data that satisfies the following criteria: • the use of the data is for any of the purposes specified in section 58(1) (section 58(2)(a)); and • the application of DPP3 to such use would be likely to prejudice any of those purposes (section 58(2)(b)). 12.34 In addition, section 58(2) also creates a defence for a data user who shows, in any proceedings relating to the use of data contrary to DPP3, that he “had reasonable grounds for believing that failure to so use the data would have been likely to prejudice” any of the matters mentioned in section 58(1)(a) to (g).

246

12_Data Protection.indd 246

2016/6/27 2:00:05 PM

Chapter 12. Exemption Provisions in Part 8

12.35 From the above, it can be seen that the purposes specified in paragraphs (a) to (g) of section 58(1) are crucial in determining the operation of section 58. The Commissioner takes the view that data users seeking to rely on section 58 have to obtain sufficient evidence to establish that the data is held or used for the specified purposes. Mere or general assertion that the data is held or used for the specified purposes will not be sufficient.227 12.36 Among the purposes set out in section 58(1), those specified in paragraphs (a), (b) and (c), namely, “the prevention or detection of crime”, “the apprehension, prosecution or detention of offenders” and “the assessment or collection of any tax or duty”, appear to be relatively straightforward. Section 58(6) defines “crime” as an offence under the laws of the Hong Kong, or of a place outside Hong Kong if personal data is held or used in connection with legal or law enforcement cooperation between Hong Kong and that place. “Offender” is defined to mean a person who commits a crime. The definitions were added by the Amendment Ordinance in order to exempt the provision of personal data by law enforcement authorities to their overseas counterparts for criminal investigations or detection of crimes overseas under multilateral and bilateral cooperative agreements or arrangements. It would also enable assistance to be provided to foreign jurisdictions in verifying personal data in connection with requests for legal assistance. 12.37 In comparison, the purposes specified in paragraphs (d) to (g) appear to be more complicated. The purposes specified under paragraph (d), namely, “the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons”, probably have the greatest practical importance. AAB No. 26/2004 is an example on dishonesty. In the appeal, the complainant being a member of the disciplinary forces was subjected to disciplinary hearings which had to be repeatedly postponed as a result of the complainant’s sickness. With reasonable suspicion, the employer disclosed the holding of the disciplinary hearings to the complainant’s doctors in order to obtain a medical certificate regarding his physical and mental fitness to attend the hearing. The AAB held that disclosure in the circumstances of the case met the purpose

227. AAB No. 64/2005.

247

12_Data Protection.indd 247

2016/6/27 2:00:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

under section 58(1)(d), i.e. for “prevention, preclusion or remedying . . . of dishonesty . . .” in avoiding the proceedings. 12.38 As regards what constitutes “seriously improper conduct”, a provision is found in section 2(9). It is deemed to be seriously improper conduct when a person who holds any office, profession or occupation, and is required by any law or rule to be a fit and proper person to hold such office, profession or occupation, commits any conduct by which he ceases (or would cease) to be a fit and proper person. Section 2(13) also regards it to be seriously improper conduct if such conduct by a person has made him or could have made him a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club. For conduct not otherwise falling within the statutory definitions mentioned, the term “seriously improper conduct” has received judicial scrutiny in a number of cases. 12.39 In M v M [1997] [FCMC 1425/1998], an ex-wife sought from the Housing Department the current address of her divorced husband, with a view to enforcing her right to maintenance payments pursuant to a Court order. The Department refused to disclose such personal data about the husband on the grounds that this might be contrary to DPP3. Saunders, Deputy D.J. (as he then was) ruled, however, that although there is no definition in the Ordinance of the expression “seriously improper conduct”, the failure to pay maintenance in breach of the Court Order amounted to a contempt of Court and as such was “seriously improper conduct” as those words are naturally used and understood in section 58(1)(d). In the circumstances of the case, the application of the provisions of DPP3 to the use of the data would prejudice the wife’s taking steps to prevent the husband’s seriously improper conduct. Accordingly, the exemption from DPP3 under section 58(2) was available. 12.40 On the application of section 58(2) in general, the judge had the following observations: I accordingly find that where a person is in breach of a Court order and another person, being entitled to the benefit of that order, wishes to enforce the order, then, by virtue of the provisions of s.58(2) of the Data Privacy Ordinance, a data user is exempt from the provisions of data protection principle 3 and may supply the information upon appropriate request.

248

12_Data Protection.indd 248

2016/6/27 2:00:05 PM

Chapter 12. Exemption Provisions in Part 8

12.41 Likewise in AAB No.20/2010, a plaintiff obtained judgment in a District Court action against the complainant for payment of a certain sum with interest and costs. The plaintiff’s solicitors sent letters to the complainant’s work address found on the website of the Securities and Futures Commission for demanding payment of the judgment debt. The AAB took the view that the failure to pay a judgment debt in accordance with a judgment of the Court was a civil wrong and a “seriously improper conduct” within the meaning of section 58(1)(d). The rationale in M v. M applied with equal force in the case, as similar provisions leading to the committal of a judgment debtor could also be found in the Rules of the District Court. The AAB finally concluded that such use of the address to locate the complainant and to enforce the judgment debt against her was for the purpose of the prevention, preclusion or remedying of a seriously improper conduct within the meaning of section 58(1)(d) and was thus exempted from DPP3 under section 58(2). 12.42 In contrast, the failure to honour a cheque by a person, without evidence of fraud or dishonesty, might not per se amount to “seriously improper conduct” justifying invoking the exemption under section 58(1)(d), as ruled by the AAB in AAB No. 14/2004. The appeal concerned the disclosure by a licence issuing authority to a government department, which was the applicant’s employer, that a cheque for payment of the licence fee had not been honoured upon presentation. The AAB took the view that the licence issuing authority could not avail itself of the exemption under section 58(1)(d). 12.43 In Lily Tse Lai Yin & Others v. The Incorporated Owners of Albert House & Others [HCPI 828/1997] (decision on 10 December 1998), the plaintiffs claimed damages in respect of an accident involving a collapsed canopy. In an application in chambers, they applied for non-party discovery against the Director of Buildings, the Director of the Urban Services Department and the Commissioner of Police, for the inspection of certain files held by them. It was contended on behalf of the respondents that the disclosure of those files to the plaintiffs would give rise to a contravention of DPP3 in relation to personal data contained therein. 12.44 In his judgment, Suffiad J. ruled that the use of personal data in a civil action for damages resulting from the collapse of the canopy would fall

249

12_Data Protection.indd 249

2016/6/27 2:00:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

within the meaning of “the remedying of unlawful conduct” under section 58(1)(d). The learned judge said, Firstly, I note that (sic) in section 58(1), the use of the word “crime” in paragraph (a) and the word ‘“offender” in paragraph (b). This to my mind suggest (sic), therefore, that the use of the words “unlawful or seriously improper conduct” in paragraph (d) extend (sic) beyond criminal conduct to include civil wrongs. Secondly, the use of the word “remedying” in paragraph (d) is again suggestive of the same thing. The most natural meaning that can be given to the word “unlawful” is that it normally describes something which is contrary to some law or enactment or is done without lawful justification or excuse. (See R. v. R. [1991] 4 All ER 481 per Lord Keith of Kinkel at page 484.) Since tort is a civil wrong, the bringing of a civil claim for damages in tort amounts to the remedying of unlawful or seriously improper conduct. For these reasons, I have no hesitation in coming to the conclusion that the words contained in section 58(1)(d) of the Personal Data (Privacy) Ordinance is (sic) sufficiently wide to cover a claim for damages in a personal injuries and/or fatal accident case.

12.45 The analysis in the Lily Tse Lai Yin case was adopted in Cinepoly Records Co. Ltd. and Others v Hong Kong Broadband Network Ltd and Others [2006] HKLRD 255, in which seven music producers sought discovery from four internet service providers the names, HKID numbers and addresses of twenty-two alleged online copyright infringers. The Court in the Cinepoly case ruled that the phrase “unlawful and seriously improper conduct” covers copyright infringement, and the music producers’ use of the personal data sought was clearly for the purpose of prevention, preclusion (in the form of injunctions) or remedying of the copyright infringements of the producers’ musical works. 12.46 In another judicial decision, Oriental Press Group Limited v Inmediahk.net Limited [2012] 2 HKLRD 1004, the plaintiff filed an action of defamation against the articles published online through a website hosted by the defendant. The plaintiff sought discovery from the defendant of the full name, HKID number, mobile phone number, email address and residential address of the internet user who posted online the articles claimed to be defamatory. The Court, in granting the application allowed for the discovery

250

12_Data Protection.indd 250

2016/6/27 2:00:05 PM

Chapter 12. Exemption Provisions in Part 8

of only the full name, email address and residential address of the internet user in question. The Court was not satisfied that the HKID number and mobile phone number were information necessary for the contemplated legal action and doubted if they were data falling within the exemption under section 58(1)(d) and 58(2) of the Ordinance. 12.47 The disclosure of complaint details to the person being complained against for a purpose under section 58(1)(d) was considered in AAB No. 1/2015. In that case, a school received a complaint letter from a parent containing allegations of improper conduct committed by a teacher. The school disclosed a copy of the complaint letter to the teacher’s solicitors for the purpose of instituting legal proceedings against the parent for defamation. The AAB considered that such disclosure was for the purpose of remedying a civil wrong and hence exempted under section 58.228 12.48 In Chan Chuen Ping v. The Commissioner of Police, [2014] 1 HKLRD 142, prior to taking out a writ, a victim’s solicitors wrote to the police requesting the essential information revealing the identities of two individuals (being the person who allegedly caused the accident and a potential witness) so as to enable the victim to advance a personal injury claim for damages as a result of an injury sustained by him. The police refused to supply the information and maintained that the victim had to issue a writ first. Deputy Judge Seagroatt was of the view that section 58(1)(d) covered steps to remedy a civil wrong (i.e. unlawful conduct) and there could be no justification for withholding the data requested by the victim.229 12.49 Deputy Judge Seagroatt, in the case of Chan Chuen Ping, confirmed that the provisions of the Ordinance did not restrict the Court’s power in making an order for pre-action discovery under the High Court Ordinance, which provided a basis for the requestor to compel disclosure of the data held by government departments to facilitate the administration of justice by

228. The AAB also considered that the disclosure was exempted under section 60B as the information was required by the teacher for defending his legal rights in Hong Kong (namely, to prove his case in respect of the parent’s allegations). For detailed discussion of the exemption under section 60B, see paragraphs 12.74 to 12.81. 229. See also the judgment of Deputy Judge Seagroatt in Chan Wai Ming v. Leung Shing Wah [2014] 1 HKLRD 376.

251

12_Data Protection.indd 251

2016/6/27 2:00:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

providing to individuals information needed to advance a potential remedy or possible cause of action.230 12.50 Whether a conduct would amount to “seriously improper conduct” depends on the facts of each case. A conduct which does not itself appear to be seriously improper in nature, e.g. serious indebtedness, may be seriously improper in the circumstances of the data subject. In AAB No. 5/2006, the AAB considered that the serious indebtedness of an officer of a law enforcement agency was contrary to the disciplinary guidelines of the law enforcement agency and amounted to seriously improper conduct.231 12.51 Even if the data is held or to be used for any of the purposes specified in paragraphs (a) to (g) of section 58(1), the exemption does not apply unless the data users can also establish that the application of DPP6 and section 18(1)(b), and DPP3, as the case may be, would likely prejudice the said purposes. Whether or not the specified purposes would be likely prejudiced does not depend on the subjective view of the data user. The standard is an objective one.232 The more enquiries and evidence the data users reasonably make and obtain to establish the prejudice requirement, the more likely that they may satisfy this objective requirement. 12.52 There is usually little or no doubt that the provision by a data user of any personal data requested by a law enforcement agency would be used in the discharge of the agency’s functions (e.g. the prevention or detection of crime, the assessment or collection of any tax or duty, etc.), the matter of which would fall within section 58(1). However, simply because a law enforcement agency requests the personal data does not necessarily mean that a data user can provide the data as requested without complying with DPP3. The question is whether non-provision of the data would indeed be so serious as to be likely to prejudice any such matters, as required by section 58(2)(b).

230. In Chan Yim Wah Wallace v. New World First Ferry Services Limited [HCPI 820/2013], the Court observed that the broader ambit of the new section 60B will render largely otiose the narrow scope of section 58(1) and (2). See paragraphs 12.78 to 12.81 for detailed discussions. 231. Similar examples can also be found in AAB No. 12/2014 and AAB No. 26/2014. 232. AAB No. 5/2006.

252

12_Data Protection.indd 252

2016/6/27 2:00:05 PM

Chapter 12. Exemption Provisions in Part 8

12.53 In a complaint case, a bank disclosed a data subject’s personal data to the police after receiving a letter from the police requesting such disclosure for the purposes of a disciplinary investigation. The police argued that the request was exempt from DPP3 based on section 58(1)(d) and (2). The bank relied on the police’s statement and disclosed the personal data to the police without first obtaining the complainant’s consent pursuant to DPP3. The Commissioner found that the bank had breached DPP3, as it could not reasonably believe that providing the personal data to the police without complying with DPP3 would likely prejudice the purpose of section 58(1) (d). The Commissioner commented that it was the data user’s responsibility to properly assess and consider whether the exemption under section 58(1) (d) and (2) could be relied upon, i.e. that compliance with DPP3 would prejudice the purpose of section 58(1)(d). The data user could not simply rely on the arguments made by the police. 12.54 Given the sensitive nature of most law enforcement operations, the data user may not always be able to obtain clear proof that the prejudice test in section 58(2)(b) has been satisfied. Nevertheless, it is still likely that the law enforcement agency may provide some information, or confirmation of a general nature, on which the data user may reasonably rely. The view generally taken by the Commissioner is that it is prudent for the data user to make enquiries with the law enforcement agency on:



•

the purpose for which the personal data is to be used;

•

the reason why the personal data concerned is relevant to or necessary for the purpose;

•

the reason why the data subject’s consent is not obtained by the agency;

•

whether the personal data can be obtained from another source; and

•

in particular, how the application of DPP3 would be likely to prejudice the purpose.

By asking for more information, the data user is put in a better position to invoke the defence under section 58(2) in any subsequent proceedings or complaint against it for alleged contravention of DPP3 in the disclosure of the data.

253

12_Data Protection.indd 253

2016/6/27 2:00:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 58A — Protected Product and Relevant Records under Interception of Communications and Surveillance Ordinance 12.55 Section 58A exempts from the provisions of the Ordinance any personal data which is or is contained in any communication or material (including their copies) obtained pursuant to the prescribed authorisations given by the panel judges or the authorising officer for interception and covert surveillance under the Interception of Communications and Surveillance Ordinance. In addition, any personal data system which is used by a data user for the collection, holding, processing or use of the relevant personal data is exempted from the provisions of the Ordinance.

Section 59 — Health 12.56 Section 59(1) exempts personal data relating to the physical or mental health of a data subject from the provisions of DPP3, DPP6 and section 18(1)(b), if the application of such provisions to the data would likely cause serious harm to the physical or mental health of the data subject or any other individual. The Amendment Ordinance introduced a new subsection (2), which broadens the scope of section 59 to also exempt from DPP3 personal data relating to the identity and location of a data subject where application of DPP3 would likely cause serious harm to the physical or mental health of the data subject or other individual. When properly invoked, the newly added class of personal data will assist data users to locate the data subjects, for example, in rescue actions. 12.57 The burden of proof is not a particularly onerous one for a data user to discharge as he is only required to prove that the application of those provisions of the Ordinance would be likely to cause serious harm to the physical or mental health of the data subject or any other individuals. No actual serious harm needs to be proven to have been suffered by the data subject or any other individuals. Although section 59 does not spell out whether the harm test mentioned therein is a subjective or objective one, in cases brought before the Commissioner, due consideration is given to whether a reasonable man in the circumstances of the case would come to the same conclusion as the data user in question.

254

12_Data Protection.indd 254

2016/6/27 2:00:06 PM

Chapter 12. Exemption Provisions in Part 8

12.58 In a complaint case lodged against a Chinese herbal medicine practitioner who failed to comply with a data access request by his patient for copies of the medical prescriptions, the herbalist relied upon the section 59 exemption as grounds for refusal. The Commissioner found that the exemption did not apply in the circumstances of the case as the disclosure would not be likely to cause serious harm to the physical or mental health of the data subject. On the contrary, the refusal to supply the information on the medicines prescribed for the patient would be more likely than not to cause harm to the requestor. 12.59 In AAB No.32 /2008, the complainant consulted a clinical psychologist for the purpose of obtaining a psychological report to pursue a personal injury claim. The complainant later made a data access request for copies of documents which included, inter alia, some diagrams that were derived from questionnaires which she completed in the course of consultation with the clinical psychologist. One of the issues before the AAB was whether there was any basis for the clinical psychologist to refuse disclosure of the diagrams under section 59(1) on the grounds that it “might cause [the complainant] grave distress and increase her suicidal risk”. The AAB took the view that under section 59, the burden was on the clinical psychologist to show that disclosure of the diagrams would be likely to cause serious harm to the physical or mental health of the complainant. The AAB found the diagrams not to be comprehensible for untrained persons without assistance of an expert. Accordingly, it could not be said that their disclosure would likely cause serious harm to the physical or mental health of the complainant. 12.60 Illustration of the application of section 59 is also found in a case in which an employee expressed suicidal intent to his employer. From the staff records kept by the employer, it was evident that he had been a patient of a psychiatric hospital. Led by the belief that the person might cause serious physical harm to himself, the employer disclosed the information to the psychiatric hospital for medical follow-up. The Commissioner was satisfied that since the life and limb of the data subject was at stake, section 59 was properly invoked to exempt the application of DPP3 to the personal data of that person held by his employer. 12.61 In the case of AAB No.31/2012, the complainant was a teacher who

255

12_Data Protection.indd 255

2016/6/27 2:00:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

complained against the unlawful disclosure of her physical or mental conditions to her colleague by the school whilst handling a dispute involving students. Both the complainant and the colleague were involved in handling the dispute. The AAB agreed with the Commissioner’s view that if her colleague had remained ignorant about the complainant’s conditions and the fact that she took medication as a result of the dispute, her colleague could not have taken into account the emotional problems that might adversely affect her in handling the above dispute, thus causing additional pressure to the complainant which might severely damage her physical or mental health. Hence, section 59 applied to exempt such disclosure from the requirements under DPP3.

Section 59A — Care and Guardianship of Minors 12.62 Section 59A is a new exemption introduced by the Amendment Ordinance. It provides for the exemption from the provisions of DPP3 personal data relating to a minor that is transferred or disclosed by the Hong Kong Police Force or Customs and Excise Department to a relevant person of the minor if: 59A …… (a) the purpose of the transfer or disclosure is to facilitate the relevant person to exercise proper care and guardianship of the minor; (b) the transfer or disclosure is in the interest of the minor; and (c) the application of those provisions in relation to such transfer or disclosure would be likely to prejudice the exercise of proper care and guardianship of the minor by the relevant person or the interest of the minor.

12.63 A “relevant person” in relation to a minor, is defined in section 2(1) of the Ordinance to mean a person who has parental responsibility for a minor. This exemption was added under the Amendment Ordinance to facilitate parents and guardians to exercise proper care and guardianship over their minor children who are obviously at risk but have not been caught committing crimes. For example, the police found a 13-year-old girl in a

256

12_Data Protection.indd 256

2016/6/27 2:00:06 PM

Chapter 12. Exemption Provisions in Part 8

secluded place with drugs discarded on the floor. While the drugs were not found to be possessed by the girl, all the circumstances would suggest that she might be involved in or was vulnerable to becoming embroiled in drug taking or even trafficking. It was suggested that in such cases, notifying the parents/guardians would facilitate early identification of a hidden problem and enable necessary intervention to prevent the problem from further deteriorating.

Section 60 — Legal Professional Privilege 12.64 This exemption relates to the basic rule of legal privilege, and exempts communications between a legal advisor and his clients, for the purpose of obtaining legal advice or when litigation is contemplated, from the application of the data access provisions (DPP6 and section 18(1)(b)). Legal professional privilege is important so that legal advice may be safely and sufficiently obtained and protected. It is a right recognised by the Basic Law233 which provides that Hong Kong residents shall have the right to confidential legal advice. 12.65 For this exemption to apply, section 60 does not seem to require absolute proof of the existence of the privilege but a plausible claim to such privilege will suffice in light of the drafting of “in respect of which a claim to legal professional privilege could be maintained in law”. The validity or otherwise of the claim is ultimately a matter for the Court not the Commissioner to decide. 12.66 This exemption operates to protect privileged information held by a party to litigation from being accessed by the opponent, sometimes motivated by the ulterior intent of fishing for useful information. 12.67 In a complaint handled by the Commissioner in which a defendant of an ongoing litigation made a data access request to the plaintiff’s solicitors for “all data held by you in respect of myself and all personal data passed by you to third parties”, information containing the personal data of the defendant

233. Article 35 of the Basic Law of Hong Kong.

257

12_Data Protection.indd 257

2016/6/27 2:00:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

was directly or indirectly obtained by the plaintiff’s solicitors from their client in the conduct of the litigation and used in the course of legitimate legal enquiries. On the basis that such personal data was held and used by the solicitors in relation to an ongoing litigation and held in their legal capacity as legal advisor to the plaintiff, the Commissioner came to the view that a claim for legal professional privilege could be maintained in law, and hence the section 60 exemption was properly invoked to refuse such data access request. 12.68 In another case handled by the Commissioner, an individual sought from his insurer, by means of a data access request under section 18(1)(b), a copy of the loss adjuster’s report prepared for his claim for compensation relating to a car accident. The insurer refused to comply with the data access request on the grounds that the personal data in the said report was exempt from being accessed by virtue of legal professional privilege. Despite the fact that the insurer honoured the claim subsequently without going through any litigation, there was evidence to show that the insurer had found the claim suspicious and therefore had the report prepared with the dominant purpose to seek legal advice in relation to the contemplated litigation. The Commissioner came to the view that the report could be protected by legal professional privilege and that the section 60 exemption was properly invoked. The same reasoning applies in respect of medical reports obtained by an insurance company when litigation is contemplated for the purpose of seeking legal advice in response to an insurance claim lodged by the insured. 12.69 The Commissioner is of the view that section 60 also applies to legal advice given to the data users by their internal legal advisors. In a case handled by the Commissioner, an individual made a complaint to a statutory body and applied for legal assistance from the statutory body in relation to the complaint. The statutory body subsequently turned down the complaint and the application. The individual made a data access request to the statutory body pursuant to section 18(1) for information in relation to her complaint and application. Pursuant to the request, the statutory body provided certain documents to the individual but refused to disclose certain parts of the documents to the individual by relying on section 60. Since the parts which the statutory body refused to disclose to the individual were legal advice

258

12_Data Protection.indd 258

2016/6/27 2:00:06 PM

Chapter 12. Exemption Provisions in Part 8

given by the body’s internal legal department in relation to the complaint and the application, the Commissioner was of the view that the exemption under section 60 was available to the statutory body. 12.70 The extent of the coverage of legal professional privilege was also examined in AAB No. 19/2009. In this case, an employee whose employment was terminated made a data access request for her personal data contained in a report compiled by the in-house legal counsel of the employer. In refusing her data access request, the employer stated that the report was prepared by the in-house legal counsel for the purpose of giving legal advice and so was exempt under section 60 of the Ordinance. The report also contained attachments. The question before the AAB was whether legal professional privilege applied to the advice given by the in-house legal counsel and whether it extended to cover the documents attached to the report. 12.71 Having considered the fact that the right to confidential legal advice is protected under the Basic Law234 and common law, the AAB held that inhouse lawyers enjoy the same legal professional privilege as external lawyers in relation to legal communications. As for the documents attached to the report, the AAB took the view that section 60 of the Ordinance should not and does not give a blanket claim to any pre-existing documents obtained by a solicitor for purposes of litigation or legal advice. The requested data in this case was contained in: (i) a document created for the purpose of being shown to the lawyer; (ii) a document prepared by the employee herself; (iii) a document filed by the employee herself; and (iv) a judgment of the Court. The AAB took the view that item (i) was covered by legal professional privilege; items (ii) and (iii) did not qualify for legal professional privilege as they were prepared or filed by the employee; and item (iv) did not qualify for any legal professional privilege as it was a document open to the public.235

234. Article 35. 235. The discovery application was made again for the same document in a civil action brought by the employee against the employer in DCCJ3068/2013. The Court agreed with the AAB that item (i) is covered by legal professional privilege. It was further ordered that while the other items would not by themselves qualify for legal professional privilege, they should not be disclosed as they could shed light on the trend of the advice given by the in-house lawyer to the employer.

259

12_Data Protection.indd 259

2016/6/27 2:00:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 60A — Self-Incrimination 12.72 Under common law, an individual has the fundamental right and privilege against disclosure of any information that may incriminate himself. The Ordinance as originally drafted did not, however, allow a data user to refuse to comply with a data access request on the grounds that compliance with that request will incriminate himself. The new section 60A introduced by the Amendment Ordinance serves to uphold the common law principle of privilege against self-incrimination, and provides as follows: (1) If, as a result of complying with a request under a provision of data protection principle 6 or section 18(1)(b) in relation to any personal data, a data user might be incriminated in any proceedings for any offence other than an offence under this Ordinance, the data is exempt from that provision or section. (2) Information disclosed by a data user in compliance with a request under a provision of data protection principle 6 or section 18(1)(b) is not admissible against the data user in any proceedings for an offence under this Ordinance.

12.73 A data user may invoke this exemption not to comply with a data access request on the grounds that such disclosure will result in the data user selfincriminating itself in relation to an offence, other than an offence under the Ordinance. Further, any information disclosed by a data user in compliance with a data access request will be inadmissible as evidence in prosecuting an offence under the Ordinance. It should be borne in mind that the burden of proof lies with the data user who seeks to invoke and rely on an exemption. Mere speculation on the part of the data user that the personal data disclosed to the relevant data requestor will be self-incriminating is not sufficient.

Section 60B — Legal Proceedings, etc. 12.74 Section 60B is another newly added exemption under the Amendment Ordinance. It operates to cover situations where a data user may be required or authorised by or under law, or by the Court to disclose or transfer

260

12_Data Protection.indd 260

2016/6/27 2:00:06 PM

Chapter 12. Exemption Provisions in Part 8

information which may contain personal data. If not for the application of this exemption, such use of personal data may run the risk of contravening DPP3, since the use of the personal data in legal proceedings may fall outside the original purpose of collection or its directly related purpose and very often it is not practicable to obtain the prescribed consent of the data subject for one reason or another. 12.75 Section 60B operates to exempt personal data from the provisions of DPP3 if the use of the data is: (a)

required or authorized by or under any enactment, by any rule of law or by an order of a court in Hong Kong;

(b) required in connection with any legal proceedings in Hong Kong; or (c) required for establishing, exercising or defending legal rights in Hong Kong.

12.76 “Legal proceedings” is not defined under the Ordinance. It is important to note the territorial application of section 60B which is confined to Hong Kong laws, orders made by Hong Kong Courts and legal proceedings and rights in Hong Kong. Data users cannot rely on this exemption to, for example, disclose personal data in any proceedings that take place outside Hong Kong. 12.77 The Commissioner finds it reasonable and proper that insofar as the use of personal data for the purpose of legal proceedings is concerned, it is justifiable as an exemption from use in recognition of the right and freedom of individuals to protect or defend his own personal or proprietary rights.236 12.78 The application of section 60B was discussed in the decision of Bharwaney J made on 8 May 2015 in Chan Yim Wah Wallace v. New World First Ferry Services Limited [HCPI 820/2013]. In this case, an application was made to the Court237 for discovery of documents including the witness statements and investigation report compiled by the Director of Marine as a result of a

236. See AAB No.1/2015 as discussed in paragraph 12.47. 237. Pursuant to section 42(1) of the High Court Ordinance (Cap 4) and Order 24 rule 7A(2) of the Rules of High Court.

261

12_Data Protection.indd 261

2016/6/27 2:00:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

marine accident for the purpose of determining the issue of liability of the defendant and were necessary for disposing fairly of the cause or matter in the proceedings. Bharwaney J expounded how the Court would balance the need for disclosure in the interest of the administration of justice and countervailing factors such as “protection of personal data” under the Ordinance and “the duty of confidentiality” under common law. 12.79 The Court explicitly noted that the exemption under section 60B is broader as compared with section 58(2) because there is no requirement to show prejudice to the purpose under section 58(1) before the exemption can be invoked. In illustrating the application of section 60B(a), the Court cited the examples of section 13 of the Motor Vehicles Insurance (Third Party Risks) Ordinance, (Cap 272) and section 44(A) of the Employees’ Compensation Ordinance (Cap 282) which create a duty on the part of the insured person to give particulars of his motor insurance policy and to produce the insurance policy and other related documents for inspection. Hence, disclosure of the insurance particulars, including the identity of the insurer, is required to be made under these statutory provisions.238 12.80 The Court further mentioned that in cases of accidents where persons have been injured, the investigating authorities ought to have no hesitation in concluding that applicants seeking discovery of witness statements and investigation reports in respect of an accident are doing so because those documents are required either in connection with their contemplated legal proceedings for damages for personal injuries against the tortfeasors concerned, or are required for establishing and exercising their legal rights. Hence, they can be confident that the relevant exemption in section 60B protects them. However, section 60B does not compel a data user to make disclosure. In case of any doubt as to the genuineness of an applicant’s

238. The application of section 60B(a) is also illustrated in the decision of the AAB in AAB No.41/2014. The AAB in this case considered that the printing of the particulars as specified under Schedule 9(1) of Road Traffic (Registration and Licensing of Vehicles) Regulations (Cap 374E) on a closed road permit and the display of the permit in front of a vehicle as required under Regulation 56 is exempt from DPP3 by virtue of section 60B(a). In another decision Ng Shek Wai v The Medical Council of Hong Kong (HCAL 167/2013), the Court also explained the application of the exemption under section 60B(a) for disclosure, which is required or authorised by the common law principle of open justice, of the names of the counsel acting for a medical practitioner in a disciplinary inquiry and the panel members of the medical council hearing the inquiry.

262

12_Data Protection.indd 262

2016/6/27 2:00:06 PM

Chapter 12. Exemption Provisions in Part 8

intended claim or the legitimacy of the disclosure application, the party can apply for a Court order. 12.81 If the exemption in section 60B is invoked, there is no longer any need to redact the personal data contained in the documents in question. Even if the exemption does not apply, the Court is still able to order discovery if, in balancing those countervailing rights, it comes to the view that privacy rights must give way to the public interest.

Section 61 — News 12.82 Section 61 relates to striking a fair balance between upholding the freedom of the press essential to journalists and the protection of the personal data privacy rights of individuals. Section 61 applies to personal data held by a data user who engages in news activity for the sole purpose of that activity and primarily seeks to protect the source of information and to limit the right of access to such information. 12.83 “News activity” is defined in subsection (3) to mean any journalistic activity and includes: (a) the – (i) gathering of news; (ii) preparation or compiling of articles or programmes concerning news; or (iii) observations on news or current affairs, for the purpose of dissemination to the public; or (b) the dissemination to the public of – (i) any article or programme of or concerning news; or (ii) observations on news or current affairs.

12.84 As no further definition is found in respect of the term “news”, its natural meaning is adopted to mean “information about recent events or happenings, especially as reported by newspapers, periodicals, radio or

263

12_Data Protection.indd 263

2016/6/27 2:00:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

television”. The question as to whether the activity in question amounts to the gathering of news was dealt with in the Eastweek case. In that case, the Commissioner took the view that since the article at issue was only a commentary on dress sense and the criticism of an individual’s taste in clothes was based on the random thoughts of the reporter rather than a report on fashion trends, the taking of the complainant’s photograph to illustrate such an article did not amount to news gathering. Though no ruling was made as to the nature of reporting activities that constitute news gathering, Keith JA, the judge at first instance, concluded that it was open for the Commissioner not to regard the article in question as news gathering. 12.85 Since news activity depends very much on information that is being collected, journalists are concerned that the source of information is free to disclose information without fear of contravening the requirements under the Ordinance, in particular, DPP3. It is not hard to imagine that the informant who discloses information, in particular, sensitive or “insider” information concerning personal data of another individual to the media, will in most cases be committing an act in contravention of DPP3, unless it can be justified as a directly related purpose of its collection or the informant has the prescribed consent of the data subject. 12.86 Section 61(2) comes in to exempt the source of information from the provisions of DPP3 if the following two criteria set out therein are satisfied, viz.: (a) the use of the data consists of disclosing the data to a data user referred to in subsection (1); and (b) such disclosure is made by a person who has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting (wherever and by whatever means) of the data (and whether or not it is published or broadcast) is in the public interest.

12.87 The first criterion is straightforward and easy to apply. What is less clear is the second part on what constitutes “reasonable belief” and “public interest” as both of these terms are not defined in the Ordinance. The terms as the Commissioner understands and applies them are illustrated in a complaint concerning the disclosure by the principal of a college of the personal

264

12_Data Protection.indd 264

2016/6/27 2:00:07 PM

Chapter 12. Exemption Provisions in Part 8

data of the complainant (who was a member of staff) to journalists. Such personal data was contained in an accident investigation report with regard to an employee compensation claim. 12.88 The disclosure was made in circumstances where the principal was confronted by reporters who sought to verify with him the allegation made by the complainant’s wife that the college had procrastinated in releasing compensation money to the complainant. In rebutting the allegation, the principal found it necessary to disclose information contained in the investigation report. In response to the complaint later lodged by the complainant with the Commissioner on alleged contravention of DPP3, the college raised the section 61 exemption as a defence since the principal had reasonable grounds to believe that disclosure of the personal data in question was in the public interest, i.e. in defending the image of the college and to enable the journalists to present a balanced news report. The Commissioner was satisfied that the requirements in section 61(2) were met. 12.89 Dissatisfied with the decision, the complainant appealed to the AAB under AAB No. 23/1997. The AAB agreed with the Commissioner’s findings but did not give any definitive ruling on what constituted “public interest”, considering that each case should be decided on its own facts. 12.90 In handling complaints of this sort, the Commissioner is inclined to take a broad view of what constitutes the “public interest” in section 61(2). The case is strengthened when the personal data is disclosed to the media for the purpose of serious news reporting. The Commissioner would in such cases be more ready to find that reasonable grounds exist to disclose the information in the public interest. Although the term “public interest” is not defined, a distinction needs to be drawn between what the public is interested in knowing and what is in the public’s interest.239 12.91 Section 61(1) also exempts from application the provisions of DPP6 and

239. The question of public interest was considered in two investigation cases (Investigation Reports Nos. R12-9159 and R12-9164) concerning journalists who took photographs of artistes through the use of long-lens cameras whilst the artistes were at home. The media appealed against the two decisions in AAB No. 5 & 6 of 2012. The AAB agreed with the Commissioner’s view and stated that public interest does not equate things that the public is interested to know. More details of the cases are found in paragraph 5.45 in Chapter 5.

265

12_Data Protection.indd 265

2016/6/27 2:00:07 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

section 18(1)(b), in preventing access to personal data unless the data is published or broadcast. This quells the concerns of journalists caused by requests from individuals to access the personal data they have collected in their news gathering activities prior to such data being published or broadcast. 12.92 Section 61(1) also has the effect of circumscribing the Commissioner’s powers of inspection and investigation. The Commissioner has no power of inspection of any part of a personal data system that holds such information for the purpose of news activity (section 61(1)(ii)). Furthermore, the Commissioner can only investigate a suspected contravention of the provisions of the Ordinance after the material that is the subject of the complaint has been published or broadcast (section 61(1)(i)) and only when he receives a complaint under section 38(a). 12.93 In AAB No. 34/2007, the appellant submitted a request to a newspaper for copies of emails from a person who provided comments regarding the appellant that were reported in the newspaper. The appellant argued that in order to ascertain whether the requested data was published or unpublished, all the contents of the requested data must be disclosed. The AAB rejected the argument and made the following comments: We believe this argument may have force if the Appellant may be able to demonstrate which part of the Article would have the effect as submitted. There is always a minimum threshold which the Appellant must show, at the least, that there is a prima facie case that there could be a reference in the published part to unpublished data, or somehow published and unpublished data are intertwined. To argue that there was a possibility of cross-reference or intertwining that would give rise to possible confusion is to argue in a vacuum. The logical extension of such argument would be that, . . . , all the contents of the email correspondence, whether or not their contents had not been published (and in the latter case should not be disclosed under the Section 61 exemption), must be disclosed otherwise the Commissioner nor the Appellant would not know if there had been any reference to an overlapping situation. This amounts to a submission that there can be no exemption under Section 61(1). We cannot accept such submission.

266

12_Data Protection.indd 266

2016/6/27 2:00:07 PM

Chapter 12. Exemption Provisions in Part 8

12.94 It is nevertheless worth noting that this exemption does not exempt from application the other data protection principles, with which the data user is still obliged to comply, in particular, DPP1(2), i.e. collection of personal data by lawful and fair means.240 Where a code of ethics241 is in place, the press shall observe and follow it when collecting and using materials gathered for news reporting.

Section 62 — Statistics and Research 12.95 Section 62 is comparatively easy to understand and of practical importance in exempting personal data from being used for preparing statistics or carrying out research. The value to be served by compiling statistics or conducting research is self-explanatory. 12.96 Section 62 exempts from application of DPP3 when the following conditions are satisfied: (a) the data is to be used for preparing statistics or carrying out research; (b) the data is not to be used for any other purpose; and (c) the resulting statistics or results of the research are not made available in a form which identifies the data subjects or any of them.

12.97 In order to satisfy this exemption provision, the data user must be careful to ensure these requirements are met, in particular, the requirement in (c) above, i.e. that the resulting statistics or results of the research do not expressly reveal the identities of the data subjects, or is compiled in such a way that makes it reasonably practicable for their identities to be ascertained.

240. Reference is made to the use of long-focus lenses to take photographs of the home activities of artistes where privacy was reasonably expected: Investigation Reports Nos. R12-9159 and R12-9164 and also AAB No. 5 & 6 of 2012, available on the Website. 241. See the Joint Code of Ethics issued by the Hong Kong Journalists Association.

267

12_Data Protection.indd 267

2016/6/27 2:00:07 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

12.98 Very few complaints have been brought before the Commissioner on the application of this exemption. Insofar as the requirements mentioned in this exemption are met, the raw data may continue to be retained by the data user for so long as this exemption applies. The Code of Practice on Consumer Credit Data has specifically provided for the retention of data by the credit reference agency242 to be used for purposes exempted under section 62.

Section 63 — Exemption from Section 18(1)(a) 12.99 This exemption supplements the application of sections 57 and 58 when invoked by a data user to refuse to comply with a data access request made under section 18(1)(b). For the scope of application of sections 57 and 58, readers are referred to paragraphs 12.26 to 12.54 above. 12.100 The statutory duty to inform the data subject of whether the data user holds his personal data under section 18(1)(a) (in response to a data access request) is exempt under section 63 which provides as follows: Where a data access request relates to personal data which is or, if the data existed, would be exempt from section 18(1)(b) by virtue of section 57 or 58, then the data is also exempt from section 18(1)(a) if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or non-existence of that data.

12.101 There may be situations where, for reasons of security and/or the prevention or detection of crime, etc. mentioned in sections 57 and 58, the mere disclosure of the fact that the data does exist or not, would be likely to prejudice the interest protected by this exemption. The classic example is the one quoted in paragraph 12.29 where the disclosure of the data pursuant to section 18(1)(a) might put the lives and well-being of the informant in jeopardy.

242. See Clause 3.7 of the Code, available on the Website.

268

12_Data Protection.indd 268

2016/6/27 2:00:07 PM

Chapter 12. Exemption Provisions in Part 8

12.102 The data user would still be obliged to comply with section 18(1)(a)243 upon receipt of a data access request so made even though exemptions under sections 57 and 58 apply. Section 63 is thus viewed as important in providing the data user with a statutory basis insofar as the prejudice test therein laid down is satisfied to refuse to comply with a data access request made under section 18(1)(a), giving a more complete and meaningful application to sections 57 and 58.

Section 63A — Human Embryos, etc. 12.103 This exemption provides that if personal data consists of information showing that an identifiable individual was, or may have been, born in consequence of a medical, surgical, obstetric or other procedure assisting or otherwise bringing about human reproduction by artificial means, such personal data is exempt from DPP6 and section 18(1)(b). The data is also exempt from section 18(1)(a) if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or nonexistence of the data.

Section 63B — Due Diligence Exercise 12.104 This new exemption added under the Amendment Ordinance seeks to address the practical needs of businesses to disclose or transfer information which may contain personal data in an intended merger, acquisition or transfer of businesses for the purpose of conducting a due diligence exercise by the proposed transferee. Such use of personal data may not fall within the original or directly related purpose of collection and the transfer of personal data in the absence of the prescribed consent of the data subjects may contravene DPP3. However, obtaining prescribed consent prior to the transfer will pose a hurdle to merger or acquisition activities which are very often time sensitive. Moreover, there may be a genuine need to keep the transaction confidential at the due diligence stage.

243. See Chapter 10 for further details.

269

12_Data Protection.indd 269

2016/6/27 2:00:07 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

12.105 Data users who seek to invoke this exemption should be careful about the limited scope of its application by paying particular attention to the definition of “due diligence exercise”, the nature of the proposed business transaction, the amount of personal data to be disclosed or transferred by the data users and the duty of the transferee to return the personal data after completion of the due diligence exercise. 12.106 “Due diligence exercise” is defined under section 63B(6) to mean: in relation to a proposed business transaction, the examination of the subject matter of the transaction to enable a party to decide whether to proceed with the transaction

12.107 The scope of the exception is provided under section 63B(1) as follows: (1) Personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction that involves – (a) a transfer of the business of property of, or any shares in, the data user; (b) a change in the shareholdings of the data user; or (c) an amalgamation of the data user with another body, is exempt from the provisions of data protection principle 3 if each of the conditions specified in subsection (2) is satisfied”.

12.108 The three conditions that must be satisfied in order for a data user to be able to rely on the section 63B(1) exemption are stated in section 63B(2). They are: (a) the personal data transferred or disclosed is not more than necessary for the purpose of the due diligence exercise; (b) the goods, facilities or services which are the same as or similar to those provided by the data user to the data subject are to be provided to the data subject, on completion of the proposed business transaction, by a party to the transaction or a new body formed as a result of the transaction; and

270

12_Data Protection.indd 270

2016/6/27 2:00:07 PM

Chapter 12. Exemption Provisions in Part 8

(c) it is not practicable to obtain the prescribed consent of the data subject for the transfer or disclosure.

12.109 In order to avail itself of the exemption, the data user must ensure that all of the above conditions are satisfied. To curb against abuse, section 63B(3) provides that if the primary purpose of the proposed business transaction is the transfer, disclosure or provision for gain of the personal data itself, then the data user cannot rely on the exemption. 12.110 The term “provision for gain” is defined under subsection (6) which adopts essentially the same definition under section 35A(2) of Part 6A of the Ordinance in relation to the new direct marketing regulatory regime: …means the provision of the data in return for money or other property, irrespective of whether – (a) the return is contingent on any condition; or (b) the person who provides the data retains any control over the use of the data.

12.111 In order to safeguard the personal data used for the conduct of a due diligence exercise, section 63B(4) imposes the following duty on the data transferee: (a) it must only use the data for the purpose of due diligence; (b) it must, as soon as practicable after the completion of the due diligence exercise – (i) return the personal data to the data user; and (ii) destroy any record of the personal data that is kept by the person.

12.112 A person who contravenes section 63B(4) commits an offence and is liable on conviction to a fine at level five and to imprisonment for two years (section 63B(5)).

271

12_Data Protection.indd 271

2016/6/27 2:00:07 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 63C — Emergency Situations 12.113 Section 63C was included under the Amendment Ordinance to exempt DPP1(3) and DPP3 from application when their application will prejudice any of the following matters: (a) identifying an individual who is reasonably suspected to be, or is, involved in a life-threatening situation; (b) informing the individual’s immediate family members or relevant persons of the individual’s involvement in the life-threatening situation; (c) the carrying out of emergency rescue operations or provision of emergency relief service.

12.114 The term “immediate family member” is defined under section 63C(2) to mean, “in relation to a person…another person who is related to the person by blood, marriage, adoption or affinity”. 12.115 This exemption aims to cover the handling of personal data in emergency or catastrophic situations where victims or missing persons require immediate assistance and rescue. It will facilitate law enforcement agencies as well as rescue and relief agencies to ascertain the identities of the persons involved in the incident, to locate missing persons and to verify unconfirmed identities of persons who are in distress. These agencies may need to collect personal data from the involved individuals, or approach organisations or individuals holding relevant personal data to assist in rescue-related work. Exemption from DPP1(3) and DPP3 would facilitate these operations and be in the interest of the victims.

Section 63D — Transfer of Records to Government Records Service 12.116 Section 63D provides as follows: Personal data contained in records that are transferred to the Government Records Service is exempt from the provisions of data protection principle 3 when the records are used by the Government Records Service solely for the purpose of –

272

12_Data Protection.indd 272

2016/6/27 2:00:07 PM

Chapter 12. Exemption Provisions in Part 8

(a) appraising the records to decide whether they are to be preserved; or (b) organising and preserving the records.

12.117 In order to preserve Hong Kong’s documentary heritage, it is necessary for government bureaux and departments to transfer records of historical value, including those containing personal data, to the Government Records Service for archival purpose. Transfer of such records containing personal data has to comply with the requirements of DPP3. Given the vast array of purposes and functions performed by different government bureaux and departments in collecting personal data, the transfer of the personal data to the Government Records Service might not fall within a purpose directly related to that when the personal data was originally collected and it is impracticable to obtain the prescribed consent of the data subjects concerned for their personal data to be preserved by the Government Records Service. The introduction of this exemption under the Amendment Ordinance is therefore of practical significance in balancing the right to personal data privacy with the public interest of freedom of information.

273

12_Data Protection.indd 273

2016/6/27 2:00:07 PM

12_Data Protection.indd 274

2016/6/27 2:00:07 PM

Appendix I Data Protection Principles

1. Principle 1 – Purpose and Manner of Collection of Personal Data (1) Personal data shall not be collected unless – (a) the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; (b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and (c) the data is adequate but not excessive in relation to that purpose. (2) Personal data shall be collected by means which are – (a) lawful; and (b) fair in the circumstances of the case. (3) Where the person from whom personal data is or is to be collected is the data subject, all practicable steps shall be taken to ensure that – (a) he is explicitly or implicitly informed, on or before collecting the data, of – (i) whether it is obligatory or voluntary for him to supply the data;

and

(ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and

13_Data Protection_appendix_01.indd 275

2016/6/27 2:00:13 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(b) he is explicitly informed – (i) on or before collecting the data, of – (A) the purpose (in general or specific terms) for which the data is to be used; and (B) the classes of persons to whom the data may be transferred; and (ii) on or before first use of the data for the purpose for which it was collected, of – (A) his rights to request access to and to request the correction of the data; and (B) the name or job title, and address, of the individual who is to handle any such request made to the data user,

unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data was collected and that purpose is specified in Part 8 of this Ordinance as a purpose in relation to which personal data is exempt from the provisions of data protection principle 6.

2. Principle 2 – Accuracy and Duration of Retention of Personal Data (1) All practicable steps shall be taken to ensure that – (a) personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used; (b) where there are reasonable grounds for believing that personal data is inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used – (i) the data is not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or (ii) the data is erased;

276

13_Data Protection_appendix_01.indd 276

2016/6/27 2:00:14 PM

Appendix I — Data Protection Principles

(c) where it is practicable in all the circumstances of the case to know that – (i) personal data disclosed on or after the appointed day to a third party is materially inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used by the third party; and (ii) that data was inaccurate at the time of such disclosure,

that the third party – (A) is informed that the data is inaccurate; and (B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.

(2) All practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used. (3) Without limiting subsection (2), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data. (4) In subsection (3) –

“data processor” (資料處理者) means a person who – (a) processes personal data on behalf of another person; and (b) does not process the data for any of the person’s own purposes.

3. Principle 3 – Use of Personal Data (1) Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose. (2) A relevant person in relation to a data subject may, on his or her behalf, give the prescribed consent required for using his or her personal data for a new purpose if –

277

13_Data Protection_appendix_01.indd 277

2016/6/27 2:00:14 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(a) the data subject is – (i) a minor; (ii) incapable of managing his or her own affairs; or (iii) mentally incapacitated within the meaning of section 2 of the

Mental Health Ordinance (Cap 136);

(b) the data subject is incapable of understanding the new purpose and deciding whether to give the prescribed consent; and (c) the relevant person has reasonable grounds for believing that the use of the data for the new purpose is clearly in the interest of the data subject. (3) A data user must not use the personal data of a data subject for a new purpose even if the prescribed consent for so using that data has been given under subsection (2) by a relevant person, unless the data user has reasonable grounds for believing that the use of that data for the new purpose is clearly in the interest of the data subject. (4) In this section –

“new purpose” (新目的), in relation to the use of personal data, means any purpose other than – (a) the purpose for which the data was to be used at the time of the collection of the data; or (b) a purpose directly related to the purpose referred to in paragraph (a).

4. Principle 4 – Security of Personal Data (1) All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to – (a) the kind of data and the harm that could result if any of those things should occur;

278

13_Data Protection_appendix_01.indd 278

2016/6/27 2:00:14 PM

Appendix I — Data Protection Principles

(b) the physical location where the data is stored; (c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; (d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (e) any measures taken for ensuring the secure transmission of the data. (2) Without limiting subsection (1), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. (3) In subsection (2) –

“data processor” (資料處理者) has the same meaning given by subsection (4) of data protection principle 2.

5. Principle 5 – Information To Be Generally Available All practicable steps shall be taken to ensure that a person can – (a) ascertain a data user’s policies and practices in relation to personal data; (b) be informed of the kind of personal data held by a data user; (c) be informed of the main purposes for which personal data held by a data user is or is to be used.

6. Principle 6 – Access to Personal Data A data subject shall be entitled to – (a) ascertain whether a data user holds personal data of which he is the data subject; (b) request access to personal data –

279

13_Data Protection_appendix_01.indd 279

2016/6/27 2:00:14 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(i) within a reasonable time; (ii) at a fee, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is intelligible; (c) be given reasons if a request referred to in paragraph (b) is refused; (d) object to a refusal referred to in paragraph (c); (e) request the correction of personal data; (f) be given reasons if a request referred to in paragraph (e) is refused; and (g) object to a refusal referred to in paragraph (f).

280

13_Data Protection_appendix_01.indd 280

2016/6/27 2:00:14 PM

Appendix II Exemptions under Part 8 of the Ordinance

Section 51  Interpretation

Where any personal data is exempt from any provision of this Ordinance by virtue of this Part, then, in respect of that data and to the extent of that exemption, that provision neither confers any right nor imposes any requirement on any person, and the other provisions of this Ordinance which relate (whether directly or indirectly) to that provision shall be construed accordingly.

Section 51A  Performance of Judicial Functions (a) Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions is exempt from the provisions of the data protection principles and Parts 4 and 5 and sections 36 and 38(b). (b) In this section – “judicial officer” (司法人員) has the same meaning given by section 2 of the Judicial Officers Recommendation Commission Ordinance (Cap 92).

13_Data Protection_appendix_02.indd 281

2016/6/27 2:00:20 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Section 52  Domestic Purposes

Personal data held by an individual and – (a) concerned only with the management of his personal, family or household affairs; or (b) so held only for recreational purposes,



is exempt from the provisions of the data protection principles, Parts 4 and 5 and sections 36 and 38(b).

Section 53  Employment – Staff Planning

Personal data which consists of information relevant to any staff planning proposal to – (a) fill any series of positions of employment which are presently, or may become, unfilled; or (b) cease any group of individuals’ employment,



is exempt from the provisions of data protection principle 6 and section 18(1) (b).

Section 54  Employment – Transitional Provisions (1) Personal data – (a) held by a data user – (i) immediately before the appointed day; (ii) who is the employer of the data subject; and (iii) relating to the employment of the subject; and (b) provided by an individual on the implicit or explicit condition that the subject would not have access to the data,

is exempt from the provisions of data protection principle 6 and section 18(1)(b) until the expiration of 7 years immediately following the enactment of this Ordinance.

282

13_Data Protection_appendix_02.indd 282

2016/6/27 2:00:20 PM

Appendix II — Exemptions under Part 8 of the Ordinance

(2) Personal data – (a) to which subsection (1)(a) applies; or (b) held by a data user – (i) but not so held at any time before the appointed day; (ii) who is the employer of the data subject; and (iii) relating to the employment of the subject,

is exempt from the provisions of data protection principle 6 and section 18(1)(b) until 1 July 1996.

Section 55  Relevant Process (1) Personal data which is the subject of a relevant process is exempt from the provisions of data protection principle 6 and section 18(1)(b) until the completion of that process. (2) In this section –

“completion” (完成), in relation to a relevant process, means the making of the determination concerned referred to in paragraph (a) of the definition of “relevant process”;



“relevant process” (有關程序) – (a) subject to paragraph (b), means any process whereby personal data is considered by one or more persons for the purpose of determining, or enabling there to be determined – (i) the suitability, eligibility or qualifications of the data subject for – (A) employment or appointment to office; (B) promotion in employment or office or continuance in employment or office; (C) removal from employment or office; or (D) the awarding of contracts, awards (including academic and professional qualifications), scholarships, honours or other benefits;

283

13_Data Protection_appendix_02.indd 283

2016/6/27 2:00:20 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(ii) whether any contract, award (including academic and professional qualifications), scholarship, honour or benefit relating to the data subject should be continued, modified or cancelled; or (iii) whether any disciplinary action should be taken against the data subject for a breach of the terms of his employment or appointment to office; (b) does not include any such process where no appeal, whether under an Ordinance or otherwise, may be made against any such determination.

Section 56  Personal References

Personal data held by a data user which consists of a personal reference – (a) given by an individual other than in the ordinary course of his occupation; and



(b) relevant to another individual’s suitability or otherwise to fill any position of employment or office which is presently, or may become, unfilled, is exempt from the provisions of data protection principle 6 and section 18(1) (b) – (i) in any case, unless the individual referred to in paragraph (a) has informed the data user in writing that he has no objection to the reference being seen by the individual referred to in paragraph (b) (or words to the like effect); or



(ii) in the case of a reference given on or after the day on which this section comes into operation, until the individual referred to in paragraph (b) has been informed in writing that he has been accepted or rejected to fill that position or office (or words to the like effect), whichever first occurs.

Section 57  Security, etc. in Respect of Hong Kong (1) Personal data held by or on behalf of the Government for the purposes

284

13_Data Protection_appendix_02.indd 284

2016/6/27 2:00:20 PM

Appendix II — Exemptions under Part 8 of the Ordinance

of safeguarding security, defence or international relations in respect of Hong Kong is exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to prejudice any of the matters referred to in this subsection. (2) Personal data is exempt from the provisions of data protection principle 3 in any case in which – (a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data is held for any of those purposes); and (b) the application of those provisions in relation to such use would be likely to prejudice any of the matters referred to in that subsection,

and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters.

(3) Any question whether an exemption under subsection (1) is or at any time was required in respect of any personal data may be determined by the Chief Executive or Chief Secretary for Administration; and a certificate signed by the Chief Executive or Chief Secretary for Administration certifying that the exemption is or at any time was so required shall be evidence of that fact. (4) For the purposes of subsection (2), a certificate signed by the Chief Executive or Chief Secretary for Administration certifying that personal data is or has been used for any purpose referred to in subsection (1) shall be evidence of that fact. (5) The Chief Executive or Chief Secretary for Administration may, in a certificate referred to in subsection (3) or (4), in respect of the personal data to which the certificate relates and for the reasons specified in that certificate, direct the Commissioner not to carry out an inspection or investigation and, in any such case, the Commissioner shall comply with the direction. (6) A document purporting to be a certificate referred to in subsection (3) or

285

13_Data Protection_appendix_02.indd 285

2016/6/27 2:00:20 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(4) shall be received in evidence and, in the absence of evidence to the contrary, shall be deemed to be such a certificate. (7) In this section –

“international relations” (國際關係) includes relations with any international organization;



“security” (保安) includes the prevention or preclusion of persons



(including persons detained in accordance with the provisions of the Immigration Ordinance (Cap 115)) entering and remaining in Hong Kong who do not have the right to enter and remain in Hong Kong.

Section 58  Crime, etc. (1) Personal data held for the purposes of – (a) the prevention or detection of crime; (b) the apprehension, prosecution or detention of offenders; (c) the assessment or collection of any tax or duty; (d) the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons; (e) the prevention or preclusion of significant financial loss arising from – (i) any imprudent business practices or activities of persons; or (ii) unlawful or seriously improper conduct, or dishonesty or malpractice, by persons; (f) ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on any thing – (i) to which the discharge of statutory functions by the data user relates; or (ii) which relates to the discharge of functions to which this paragraph applies by virtue of subsection (3); or

286

13_Data Protection_appendix_02.indd 286

2016/6/27 2:00:21 PM

Appendix II — Exemptions under Part 8 of the Ordinance

(g) discharging functions to which this paragraph applies by virtue of subsection (3),

is exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to – (i) prejudice any of the matters referred to in this subsection; or (ii) directly or indirectly identify the person who is the source of the data.

(1A) In subsection (1)(c), “tax” (稅項) includes any tax of a territory outside Hong Kong if – (a) arrangements having effect under section 49(1A) of the Inland Revenue Ordinance (Cap 112) are made with the government of that territory; and (b) that tax is the subject of a provision of the arrangements that requires disclosure of information concerning tax of that territory. (2) Personal data is exempt from the provisions of data protection principle 3 in any case in which – (a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data is held for any of those purposes); and (b) the application of those provisions in relation to such use would be likely to prejudice any of the matters referred to in that subsection,

and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters.

(3) Paragraphs (f)(ii) and (g) of subsection (1) apply to any functions of a financial regulator – (a) for protecting members of the public against financial loss arising from – (i) dishonesty, incompetence, malpractice or seriously improper conduct by persons –

287

13_Data Protection_appendix_02.indd 287

2016/6/27 2:00:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(A) concerned in the provision of banking, insurance, investment or other financial services; (B) concerned in the management of companies; (BA) concerned in the administration of provident fund schemes registered under the Mandatory Provident Fund Schemes Ordinance (Cap 485); (C) concerned in the management of occupational retirement schemes within the meaning of the Occupational Retirement Schemes Ordinance (Cap 426); or (D) who are shareholders in companies; or (ii) the conduct of discharged or undischarged bankrupts; (b) for maintaining or promoting the general stability or effective working of any of the systems which provide any of the services referred to in paragraph (a)(i)(A); or (c) specified for the purposes of this subsection in a notice under subsection (4). (4) For the purposes of subsection (3), the Chief Executive may, by notice in the Gazette, specify a function of a financial regulator. (5) It is hereby declared that – (a) subsection (3) shall not operate to prejudice the generality of the operation of paragraphs (a), (b), (c), (d) and (f)(i) of subsection (1) in relation to a financial regulator; (b) a notice under subsection (4) is subsidiary legislation. (6) In this section –

“crime” (罪行) means – (a) an offence under the laws of Hong Kong; or (b) if personal data is held or used in connection with legal or law enforcement cooperation between Hong Kong and a place outside Hong Kong, an offence under the laws of that place;



“offender” (犯罪者) means a person who commits a crime.

288

13_Data Protection_appendix_02.indd 288

2016/6/27 2:00:21 PM

Appendix II — Exemptions under Part 8 of the Ordinance

Section 58A  Protected Product and Relevant Records under Interception of Communications and Surveillance Ordinance (1) A personal data system is exempt from the provisions of this Ordinance to the extent that it is used by a data user for the collection, holding, processing or use of personal data which is, or is contained in, protected product or relevant records. (2) Personal data which is, or is contained in, protected product or relevant records is exempt from the provisions of this Ordinance. (3) In this section –

“device retrieval warrant” (器材取出手令) has the meaning assigned to it by section 2(1) of the Interception of Communications and Surveillance Ordinance (Cap 589);



“prescribed authorization” (訂明授權) has the meaning assigned to it by section 2(1) of the Interception of Communications and Surveillance Ordinance (Cap 589);



“protected product” (受保護成果) has the meaning assigned to it by section 2(1) of the Interception of Communications and Surveillance Ordinance (Cap 589);



“relevant records” (有關紀錄) means documents and records relating to – (a) any application for the issue or renewal of any prescribed authorization or device retrieval warrant under the Interception of Communications and Surveillance Ordinance (Cap 589); or (b) any prescribed authorization or device retrieval warrant issued or renewed under that Ordinance (including anything done pursuant to or in relation to such prescribed authorization or device retrieval warrant).

Section 59  Health (1) Personal data relating to the physical or mental health of the data subject is exempt from the provisions of either or both of –

289

13_Data Protection_appendix_02.indd 289

2016/6/27 2:00:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(a) data protection principle 6 and section 18(1)(b); (b) data protection principle 3,

in any case in which the application of those provisions to the data would be likely to cause serious harm to the physical or mental health of – (i) the data subject; or (ii) any other individual.

(2) Personal data relating to the identity or location of a data subject is exempt from the provisions of data protection principle 3 if the application of those provisions to the data would be likely to cause serious harm to the physical or mental health of – (a) the data subject; or (b) any other individual.

Section 59A  Care and Guardianship of Minors

Personal data in relation to a minor transferred or disclosed by the Hong Kong Police Force or Customs and Excise Department to a relevant person of the minor is exempt from the provisions of data protection principle 3 if – (a) the purpose of the transfer or disclosure is to facilitate the relevant person to exercise proper care and guardianship of the minor; (b) the transfer or disclosure is in the interest of the minor; and (c) the application of those provisions in relation to such transfer or disclosure would be likely to prejudice the exercise of proper care and guardianship of the minor by the relevant person or the interest of the minor.

Section 60  Legal Professional Privilege

Personal data is exempt from the provisions of data protection principle 6 and section 18(1)(b) if the data consists of information in respect of which a claim to legal professional privilege could be maintained in law.

290

13_Data Protection_appendix_02.indd 290

2016/6/27 2:00:21 PM

Appendix II — Exemptions under Part 8 of the Ordinance

Section 60A  Self Incrimination (1) If, as a result of complying with a request under a provision of data protection principle 6 or section 18(1)(b) in relation to any personal data, a data user might be incriminated in any proceedings for any offence other than an offence under this Ordinance, the data is exempt from that provision or section. (2) Information disclosed by a data user in compliance with a request under a provision of data protection principle 6 or section 18(1)(b) is not admissible against the data user in any proceedings for an offence under this Ordinance.

Section 60B  Legal Proceedings etc.

Personal data is exempt from the provisions of data protection principle 3 if the use of the data is – (a) required or authorized by or under any enactment, by any rule of law or by an order of a court in Hong Kong; (b) required in connection with any legal proceedings in Hong Kong; or (c) required for establishing, exercising or defending legal rights in Hong Kong.

Section 61  News (1) Personal data held by a data user – (a) whose business, or part of whose business, consists of a news activity; and (b) solely for the purpose of that activity (or any directly related activity),

is exempt from the provisions of – (i) data protection principle 6 and sections 18(1)(b) and 38(i) unless and until the data is published or broadcast (wherever and by whatever means); (ii) sections 36 and 38(b).

291

13_Data Protection_appendix_02.indd 291

2016/6/27 2:00:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(2) Personal data is exempt from the provisions of data protection principle 3 in any case in which – (a) the use of the data consists of disclosing the data to a data user referred to in subsection (1); and (b) such disclosure is made by a person who has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting (wherever and by whatever means) of the data (and whether or not it is published or broadcast) is in the public interest. (3) In this section – “news activity” (新聞活動) means any journalistic activity and includes(a) the – (i) gathering of news; (ii) preparation or compiling of articles or programmes concerning news; or (iii) observations on news or current affairs,

for the purpose of dissemination to the public; or

(b) the dissemination to the public of – (i) any article or programme of or concerning news; or (ii) observations on news or current affairs.

Section 62  Statistics and Research

Personal data is exempt from the provisions of data protection principle 3 where – (a) the data is to be used for preparing statistics or carrying out research; (b) the data is not to be used for any other purpose; and (c) the resulting statistics or results of the research are not made available in a form which identifies the data subjects or any of them.

292

13_Data Protection_appendix_02.indd 292

2016/6/27 2:00:21 PM

Appendix II — Exemptions under Part 8 of the Ordinance

Section 63  Exemption from Section 18(1)(a)

Where a data access request relates to personal data which is or, if the data existed, would be exempt from section 18(1)(b) by virtue of section 57 or 58, then the data is also exempt from section 18(1)(a) if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or non-existence of that data.

Section 63A  Human Embryos, etc. (1) Personal data which consists of information showing that an identifiable individual was, or may have been, born in consequence of a reproductive technology procedure within the meaning of the Human Reproductive Technology Ordinance (Cap 561) is exempt from the provisions of data protection principle 6 and section 18(1)(b) except so far as its disclosure under those provisions is made in accordance with section 33 of that Ordinance. (2) Where a data access request relates to personal data which is or, if the data existed, would be exempt from section 18(1)(b) by virtue of subsection (1), then the data is also exempt from section 18(1)(a) if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or non-existence of the data.

Section 63B  Due Diligence Exercise (1) Personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction that involves – (a) a transfer of the business or property of, or any shares in, the data user; (b) a change in the shareholdings of the data user; or (c) an amalgamation of the data user with another body,

293

13_Data Protection_appendix_02.indd 293

2016/6/27 2:00:21 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



is exempt from the provisions of data protection principle 3 if each of the conditions specified in subsection (2) is satisfied.

(2) The conditions are – (a) the personal data transferred or disclosed is not more than necessary for the purpose of the due diligence exercise; (b) goods, facilities or services which are the same as or similar to those provided by the data user to the data subject are to be provided to the data subject, on completion of the proposed business transaction, by a party to the transaction or a new body formed as a result of the transaction; (c) it is not practicable to obtain the prescribed consent of the data subject for the transfer or disclosure. (3) Subsection (1) does not apply if the primary purpose of the proposed business transaction is the transfer, disclosure or provision for gain of the personal data. (4) If a data user transfers or discloses personal data to a person for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction described in subsection (1), the person – (a) must only use the data for that purpose; and (b) must, as soon as practicable after the completion of the due diligence exercise – (i) return the personal data to the data user; and (ii) destroy any record of the personal data that is kept by the person. (5) A person who contravenes subsection (4) commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years. (6) In this section –

“due diligence exercise” (盡職審查), in relation to a proposed business transaction, means the examination of the subject matter of the transaction to enable a party to decide whether to proceed with the transaction;

294

13_Data Protection_appendix_02.indd 294

2016/6/27 2:00:21 PM

Appendix II — Exemptions under Part 8 of the Ordinance



“provision for gain” (為得益而提供), in relation to personal data, means provision of the data in return for money or other property, irrespective of whether – (a) the return is contingent on any condition; or (b) the person who provides the data retains any control over the use of the data.

Section 63C  Emergency Situations (1) Personal data is exempt from the provisions of data protection principle 1(3) and data protection principle 3 if the application of those provisions to the data would be likely to prejudice any of the following matters – (a) identifying an individual who is reasonably suspected to be, or is, involved in a life-threatening situation; (b) informing the individual’s immediate family members or relevant persons of the individual’s involvement in the life-threatening situation; (c) the carrying out of emergency rescue operations or provision of emergency relief services. (2) In this section –

“immediate family member” (家人), in relation to a person, means another person who is related to the person by blood, marriage, adoption or affinity.

Section 63D  Transfer of Records to Government Records Service

Personal data contained in records that are transferred to the Government Records Service is exempt from the provisions of data protection principle 3 when the records are used by the Government Records Service solely for the purpose of – (a) appraising the records to decide whether they are to be preserved; or (b) organizing and preserving the records.

295

13_Data Protection_appendix_02.indd 295

2016/6/27 2:00:21 PM

13_Data Protection_appendix_02.indd 296

2016/6/27 2:00:21 PM

Appendix IIIA Case Notes on Significant Court Judgments

1. Cathay Pacific Airways Limited v Administrative Appeals Board & Another (HCAL 50/2008); Reported in: [2008] 5 HKLRD 539 2. Chan Chuen Ping v The Commissioner of Police (HCMP 2741/2013); Reported in: [2014] 1 HKLRD 142 3. Chan Yim Wah Wallace v New World First Ferry Services Limited (HCPI 820/2013) 4. Dr. Alice Li Miu-ling v The Hong Kong Polytechnic University (DCEO 1/2004) 5. Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data (CACV 331/1999); Reported in: [2000] 2 HKLRD 83 6. Lily Tse Lai Yin & Others v The Incorporated Owners of Albert House & Others (HCPI 828/1997) 7. M v M (FCMC 1425/1988) 8. Ng Shek Wai v The Medical Council of Hong Kong (HCAL 167/2013); Reported in: [2015] 2 HKLRD 121 9. Oriental Press Group Limited v Inmediahk.net Limited (HCA 1253/2010); Reported in: [2012] 2 HKLRD 1004 10. Wu Kit Ping v Administrative Appeals Board (HCAL 60/2007); Reported in: [2007] 4 HKLRD 849 11. Tso Yuen Shui v Administrative Appeals Board (HCAL 1050/2000)

13_Data Protection_appendix_03A.indd 297

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1. Cathay Pacific Airways Ltd v Administrative Appeals Board

[2008] 5 HKLRD 539 Court of First Instance

Summary Personal data collection — whether the possibility of adverse consequences when refusing to consent to disclose personal information can be considered as “fair in the circumstances of the case” — cabin crew members being provided with all necessary information to make informed choices — whether consent must be a “complete freedom” of choice unburdened by any possible adverse consequence — no existing requirement that “fair” means of collection of personal data cannot be mandatory — DPP1(2) and (3) of the Ordinance.

Facts The appellant asked cabin crew members to give consent to release their medical records as part of the Attendance Monitoring Programme (AMP). The crew had been advised that failure to consent would be a breach of their terms and conditions of service and they therefore could be subject to disciplinary investigation and action including termination of employment or summary dismissal. DPP1(2)(b) provides that personal data may be collected by means that are “fair in the circumstances of the case”. The Commissioner decided that, given the threat of serious consequences for failure to consent, cabin crew members were not in a position to refuse the request and the appellant was in breach of DPP1(2)(b) as the collection of personal data could not be by compulsory means. The Commissioner’s decision was upheld by the AAB. The appellant sought to have this decision overturned and applied for judicial review of the decisions of the Commissioner and the AAB.

298

13_Data Protection_appendix_03A.indd 298

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

Issues (1) Whether the cabin crew members’ lack of complete freedom to choose to consent or not, due to the possibility of adverse consequences, would render the collection of personal data unfair? (2) Whether the AAB’s observation that in any event the relevant medical records could be obtained under the appellant’s sick leave policy instead was correct?

Held The application was allowed and the decisions of the Commissioner and the AAB were quashed. (1) There was no unfair collection of cabin crew members’ personal data by the appellant. The decision that the Ordinance had been breached was based upon an incorrect construction of DPP1(2) of the Ordinance that a data subject must have “complete freedom” of choice whether to consent or not. Where a data subject’s decision to consent or not is burdened by the possibility of adverse consequences, this will not automatically render the collection of personal data unfair. DPP1(3) itself recognises that there may be circumstances where disclosure of information may be compulsory. Therefore, if in circumstances where disclosure of personal data is properly rendered mandatory, it is necessary to inform the data subject of the consequences of a refusal to supply the data, and that advice does not thereby, of itself, constitute a threat or the exertion of undue influence. In informing all cabin crew members of the possible consequence of failure to disclose the relevant medical records, the appellant was doing no more than meeting the requirement of DPP1(3). (2) The disquiet expressed by both the Commissioner and the AAB was, to a material degree, based on the blunt and brusque manner in which certain aspects of the information concerning the failure to consent to deliver up medical records was conveyed to cabin crew members. Information given to data subjects that is nuanced and clearly reasoned, expressed in modest terms, may not reasonably be perceived to be threatening or oppressive while information that lacks those qualities of expression may well be perceived, and reasonably perceived, as constituting an abuse of power by a data user.

299

13_Data Protection_appendix_03A.indd 299

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(3) The Court disagreed with the AAB’s finding that the relevant material could have been obtained under the applicant’s sick leave policy. The policy concerned only current ailment and illness and was not a suitable programme for building up an archive of detailed medical records. Should the policy be altered to obtain such detail, it would be criticised for excessive collection in breach of the Ordinance.

300

13_Data Protection_appendix_03A.indd 300

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

2. Chan Chuen Ping v Commissioner of Police

[2014] 1 HKLRD 142 Court of First Instance

Summary Civil procedure — application for pre-action discovery pursuant to section 42 of the High Court Ordinance (Cap 4) — refusal by the police to disclose information concerning identities of possible tortfeasors in personal injuries claim — administration of justice — disclosure requested by third party — personal data held for the purposes of remedying unlawful or seriously improper conduct exempted from DPP6 of the Ordinance.

Facts The applicant suffered an alleged injury caused by two women whose identities were unknown. The incident was reported to the police. The applicant’s solicitors contacted the police and requested information which identified the women. The police refused despite the applicant’s repeated requests for disclosure resulting in the applicant having no alternative but to issue an Originating Summons for preaction discovery pursuant to section 42 of the High Court Ordinance (Cap 4). Two days before the hearing, the parties entered into a Consent Summons, providing for the disclosure of the information which the applicant’s solicitors had sought seven months earlier, subject to costs being paid to the Department of Justice (“DoJ”) by the applicant. However, the Court refused to approve the costs order in favour of the DoJ as stated in the Consent Summons.

Issues (1) Whether the police were entitled to refuse a person’s request for information relating to identities of tortfeasors where a report had been made for an accident involving injury to himself which might arguably give rise to a claim for compensation and the police had ascertained the identities of the alleged tortfeasors?

301

13_Data Protection_appendix_03A.indd 301

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(2) Whether it was justified under High Court Ordinance and the Ordinance to refuse to respond to a request for information?

Held The application for pre-action discovery was allowed. The police had no justification in withholding the information requested by the applicant. (1) Under Section 42 of the High Court Ordinance (Cap 4), the Court has the power to make an order for disclosure of documents, before commencement of proceedings, against a non-party to the proceedings and who appears to the Court to be likely to have in possession, custody or power any documents which are relevant to an issue arising out of that claim. Such power can be invoked to remedy the applicant’s inability to commence proceedings against the two women due to the lack of information about their identities. (2) It has been a misconstruction and misunderstanding by government departments, private institutions and individuals that they can withhold information which is needed to advance a potential remedy or possible cause of action by relying on the Ordinance or the High Court Ordinance. They fail to understand that as a matter of common law (and common sense), there is a duty to facilitate the administration of justice. (3) DoJ was not entitled to rely on section 58 of the Ordinance to refuse to provide the requested documents, as section 58 clearly provides an exemption to personal data used for the purposes of remedying unlawful or seriously improper conduct by persons. This would most likely be in circumstances where the application of those provisions to the data would likely prejudice the remedying of unlawful or seriously improper conduct, which clearly covers steps to remedy a civil wrong (unlawful conduct). (4) The police’s refusal to disclose the identities of the possible tortfeasors to the applicant caused a seven-month-delay and forced the applicant’s solicitors to take out the application, which was an obstruction to the proper efficient and fair administration of justice as well as a waste of administrative and judicial resources. (5) In the circumstances, it was patently unfair for the applicant to pay DoJ’s costs. The DoJ was ordered to pay the costs of and occasioned by the application.

302

13_Data Protection_appendix_03A.indd 302

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

3. Chan Yim Wah Wallace v New World First Ferry Services

(HCPI 820/2013, decision dated 8 May 2015) Court of First Instance

Summary Civil procedure — discovery against non-party in personal injuries action — whether disclosure would prejudice fair trial of criminal prosecution — whether non-party bound by duty of confidentiality and/or DPP3 not to disclose requested documents — sections 58(1)(d) and (2), 60B of the Ordinance.

Facts The plaintiff brought a claim against the defendant in 2013 for damages for personal injuries suffered by her as a result of a marine accident (“Accident”) in 2011. The Accident was investigated by the Marine Department for the purpose of determining the circumstances and the causes of the Accident. Pursuant to section 42(1) of the High Court Ordinance (Cap 4) (“HCO”) and Order 24, rule 7A(2) of the Rules of the High Court (Cap 4A), the plaintiff sought an order that the Director of Marine (“Director”) produce for inspection a number of documents, including witness statements and the Marine Safety Investigation (MSI) Report (the “Report”). The plaintiff’s solicitors wrote to the Marine Department in November 2012 requesting a copy of a number of documents including the Report and witness statements. Prior to and in the course of the proceedings, the Director refused to release the requested documents on the following grounds: (1) The police were considering criminal proceedings against the parties involved. Disclosure of the Report might create a substantial risk of prejudice to a fair trial and seriously impede the due administration of justice. (2) The Director was prohibited under DPP3 from disclosing the informant’s personal data for a purpose which was inconsistent with the original purpose of collection without the prescribed consent of the informant. The original collection purpose was for investigating the causes of the Accident with the

303

13_Data Protection_appendix_03A.indd 303

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

aim of improving the safety of life at sea, but not for apportioning blame or liability towards any particular organisation or individual. (3) By virtue of section 60(1)(e) of the Merchant Shipping (Local Vessels) Ordinance (Cap 548), a person is subject to a legal obligation to supply information in connection with a marine accident for the investigation of marine safety. Before interviewing the relevant witnesses, the investigating officers of the Marine Department assured them that their identities and the content of their witness statements would be kept confidential, and would only be used for the purpose of marine safety investigation. The Director opined that his duty of confidentiality towards those witnesses must be strictly adhered to unless with the consent of the statement makers or a court order. So far, the Director had only been able to obtain consent from one out of the eight witnesses.

Issues (1) Whether the need of injured persons to commence proceedings speedily should prevail over the prejudice that may be caused to the fair trial or conduct of criminal proceedings? (2) How to balance the two competing public interests: the duty of confidentiality and the proper administration of justice? (3) Whether the exemption under section 58(1)(d) and (2) of the Ordinance could be applied in the present case? (4) Whether the exemption under section 60B of the Ordinance could be applied here, and what are the distinctions between section 60B(a), (b) and (c)? (5) Whether personal data needs to be redacted if the exemption in section 60B of the Ordinance is applicable?

Held The plaintiff’s application for discovery was allowed. (1) The practice of the Marine Department in Hong Kong is consistent with its UK counterpart and the requirement of the law in prohibiting publication of

304

13_Data Protection_appendix_03A.indd 304

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

information which is likely to prejudice fair trial or the conduct of criminal proceedings. However, the Report is directly and highly relevant to issues that arose in the personal injuries proceedings. Persons injured in marine accidents are subject to strict limitation periods and need to prosecute their claims diligently. The Court therefore made the order for discovery in favour of the plaintiff upon his undertaking that the Report should only be accessible to the parties to the proceedings, their legal representatives and expert witnesses, and should be used solely for the purposes of the proceedings. (2) The Court considered that the witness statements and the Report were directly related to the issues brought about in the claim. The early disclosure of these materials was necessary for disposing fairly of the claim or for saving costs. The countervailing public interest in ensuring a fair trial on full evidence should outweigh the high degree of confidentiality attached to the witness statements taken and replicated in the Report. (3) At the hearing, the Marine Department no longer sought to rely on DPP3 of the Ordinance for resisting discovery. Hence, the following comments made by the Court are obiter to the judgment: a)

The exemptions under sections 58(1)(d) and (2) and section 60B of the Ordinance do not provide any legal basis or create any legal obligation on the part of the holder of the information to make disclosure. Therefore, an application for discovery must be founded on the Norwich Pharmacal principles or based on sections 41 or 42 of the HCO.

b)

The Court endorsed the views expressed by Suffiad J. in Lily Tse Lai Yin & Others v. the Incorporated Owners of Albert House and Deputy Judge Poon in Cinepoly Records Co. Ltd. & Others v Hong Kong Broadband Network Ltd. & Others [2006] 1 HKLRD 255 that the bringing of a civil claim for damages in tort amounted to the remedying of unlawful or seriously improper conduct within the ambit of section 58(1)(d) of the Ordinance and the relevant personal data was exempted from DPP3 by virtue of section 58(2) of the Ordinance. However, the Court commented that the broader ambit of section 60B of the Ordinance will render largely otiose the narrower scope of sections 58(1)(d) and (2) of the Ordinance.

c)

Distinctions between sections 60B(a), (b) and (c) of the Ordinance

305

13_Data Protection_appendix_03A.indd 305

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(i) Section 13 of the Motor Vehicles Insurance (Third Party Risks) Ordinance (Cap 272) and section 44(A) of the Employees’ Compensation Ordinance (Cap 282) have created a duty on the part of the insured person to give such particulars of his motor insurance policy as specified in the certificate of insurance in the former case, and to produce for inspection the policy of insurance and all other documents relating to the policy in the latter case. Disclosure of these insurance particulars, including the identity of the insurer, is required by these statutory provisions. Such a case falls squarely within the exemption under section 60B(a) of the Ordinance. (ii) Investigating agencies should have little difficulty in concluding that applicants seeking discovery of witness statements and investigation reports in respect of an accident fall within section 60B(b) of the Ordinance because those documents are required in connection with their legal proceedings for damages for personal injuries against the tortfeasors concerned. The difference between sections 60B(b) and 60B(c) of the Ordinance is: when legal proceedings have commenced, the exemption in section 60B(b) can be invoked; and when proceedings are merely contemplated, the exemption in section 60B(c) can be invoked for disclosing documents containing personal data which are required by the victims of accidents for establishing and exercising their legal rights. d)

Once an exemption in section 60B of the Ordinance is invoked, or a Court order is made, there is no longer any need to redact personal data contained in the documents in question, particularly the addresses of the witnesses to the accident, as doing so would defeat the very object of the exercise which is to request or to subpoena those witnesses to attend the Court to give evidence.

306

13_Data Protection_appendix_03A.indd 306

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

4. Dr Alice Li Miu Ling v Hong Kong Polytechnic University

(DCEO 1/2004, decision dated 1 November 2012)



District Court

Summary Sex discrimination — whether acts of sexual harassment took place — whether employer had taken reasonable steps to prevent victim harassment — Sex Discrimination Ordinance (Cap 480), sections 2(5), 2(7), 9, 23(3) and 46(3). Personal data privacy — failure by the employer to comply with the enforcement notice issued by the Commissioner — whether employer tampered with employee’s personal data — steps taken to avoid the contravention as defence under section 66(3)(b) of the Ordinance. Tort — defamation — defence of justification under section 26 of the Defamation Ordinance (Cap 21).

Facts The plaintiff was employed as an assistant professor by the defendant (“University”) from 1992 to 1999. In September 1999, the plaintiff’s contract was not renewed. The plaintiff believed she was a victim of sexual harassment by the then acting head of department of the University who caused her to lose her employment. The plaintiff’s case consisted of the following claims against the University: (i) Sexual harassment under sections 23(3) and 46(3) of the Sex Discrimination Ordinance (“SDO”) (Cap 480); (ii) Victimisation under section 9 of the SDO; (iii) Defamation for malicious falsehood; and (iv) Breach of the Ordinance. Sexual harassment and Victimisation claims: the plaintiff claimed that the University had: (a) failed to protect her from acts of sexual harassment and discrimination from the then acting head of department; (b) covered up the acts of

307

13_Data Protection_appendix_03A.indd 307

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

sexual harassment; and (c) failed to provide a work place free of sexual harassment under sections 23(3) and 46(3) of the SDO. She further claimed that she was victimised by the University under section 9(1) the SDO when the University did not allow her to cross the efficiency bar and chose not to renew her employment contract in 1999. Defamation claim: the plaintiff claimed that the University had defamed her by publishing documents that were untrue. The alleged defamatory comments of the University were found in various documents containing recommendations of the non-renewal of the plaintiff’s contract. Breach of the Ordinance claim: the plaintiff had made repeated requests for access to her personal data records held by the University. Being dissatisfied with the 550 pages of documents provided by the University in response to her requests, the plaintiff lodged a complaint to the Commissioner on 2 June 1999. In March 2001, the Commissioner issued an enforcement notice under section 50 of the Ordinance, on the grounds that the University had contravened section 19 of the Ordinance. Following an appeal by the University to the AAB, the enforcement notice was amended. The AAB ruled that under section 20(3)(b) of the Ordinance, it is incumbent on the data requestor to identify the data required rather than for the data user to prepare a full or consolidated list for the data requestor to pick and choose. For these reasons, the requirements of “thorough search” and “a consolidated list” were struck out from the original enforcement notice. As a result, an additional 1,320 pages of documents were made available to the plaintiff. Subsequently, the plaintiff made a complaint that the University had failed to comply with the amended enforcement notice on 8 October 2002. The University informed the plaintiff that an additional 143 pages of documents had been made available to her in September 2003, but she had failed to collect such documents.

Issues (1) Whether those alleged acts of sexual harassment were found to have taken place despite the fact that the plaintiff’s evidence was uncorroborated and there was no contemporaneous documentary evidence in support? (2) Whether those acts were unwelcome and of a sexual nature as defined in section 2(5) and (7) of the SDO?

308

13_Data Protection_appendix_03A.indd 308

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

(3) Whether the University had a defence under section 46(3) of the SDO by having taken reasonably practicable steps to prevent such acts? (4) Whether the University had victimised the plaintiff by treating her less favourably than other persons because she had lodged proceedings against the then acting head of department or the University under the SDO, given evidence in such proceedings, or alleged that the University or any other person had committed an act in contravention of the SDO? (5) In relation to the defamation claim, whether the University could successfully raise a defence of justification (i.e. those comments were true and it was justified to make them), or qualified privilege (i.e. those comments were fairly made by persons in the discharge of a duty)? (6) Whether the University or its staff had tampered with the documents relating to the plaintiff? (7) Whether the University could establish a defence under section 66(3) of the Ordinance that it had taken such care as in all circumstances was reasonably required to avoid the delay in providing the documents? (8) Whether the plaintiff suffered any damage or loss, including injury to feelings as a result of such delay?

Held All claims made by the plaintiff against the University were dismissed. (1) The plaintiff failed to prove her case of sexual harassment against the then acting head of department or that the University was vicariously liable. Even if the alleged comments/acts did take place, they were not “unwelcome” given that the plaintiff was not annoyed, distressed nor experienced fear at the time. The University was also found to have taken all reasonable and practicable steps to prevent sexual harassment including the introduction of a Code of Ethics to all its staff members. (2) The plaintiff’s victimisation claim was not upheld as she had failed to prove that any of the four acts under section 9(1)(a)-(d) of SDO were known by the University before a decision not to renew her contract was reached.

309

13_Data Protection_appendix_03A.indd 309

2016/6/27 2:00:28 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(3) The Court was satisfied that the documents with comments on the plaintiff’s performance, which she alleged to be defamatory were substantially true, and were honestly held by the makers, without malice, in discharge of their duties. The University was therefore not liable under section 26 of the Defamation Ordinance (Cap 21). (4) Although the plaintiff claimed that the University had tampered with her personal data, the Court was not satisfied that there was sufficient evidence showing any of the documents were altered or fabricated. The University was found to have exercised reasonable care and due diligence in providing the plaintiff with her personal data as required by the amended enforcement notice. The defence under section 66(3) of the Ordinance was therefore available to the University. In any event, there was no evidence indicating the plaintiff had suffered any damage or loss or in what way her feelings were injured as a result of the University’s delay in complying with her data access requests. As such, no award of damages was made. (5) Both parties were ordered to bear their own costs in respect of the SDO claims. In relation to the claims made under defamation and the Ordinance, as these claims should never have been brought, a cost order was made against the plaintiff.

310

13_Data Protection_appendix_03A.indd 310

2016/6/27 2:00:28 PM

Appendix IIIA — Case Notes on Significant Court Judgments

5. Eastweek Publisher Ltd & Another v Privacy Commissioner for Personal Data

[2000] 2 HKLRD 83 Court of Appeal

Summary Personal data privacy — collection of personal data must be involved to engage the Ordinance — data user must be compiling information about an identified person or about a person whom it intends to or seeks to identify — Ordinance only protects information privacy not personal privacy — whether photograph is personal data — DPP1(2)(b) of the Ordinance.

Facts The complainant was photographed on a public street by a photographer working for Eastweek magazine (“Eastweek”). The photograph was taken without her knowledge or consent and published in the magazine as part of an article on the fashion sense of women in Hong Kong. The article with which photographs of the complainant and a number of other women were published contained unflattering and negative comments about the complainant’s fashion sense, causing embarrassment to her. The Commissioner found that there had been a breach of DPP1(2)(b) on the part of Eastweek by collecting the complainant’s personal data by unfair means. Eastweek applied for judicial review of the Commissioner’s decision, which application was dismissed by the Court of First Instance. Eastweek further appealed to the Court of Appeal against the dismissal of the judicial review application.

311

13_Data Protection_appendix_03A.indd 311

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Issues (1) What constitutes a contravention under the Ordinance? (2) Whether taking a photograph of the complainant amounted to collection of her personal data under the Ordinance? (3) Whether media falls outside the scope of the Ordinance? (4) Whether the Ordinance is intended to protect all forms of privacy interests? (5) Whether a photograph could be regarded as personal data?

Held The appeal was allowed. (1) In all cases where DPP1 is said to be contravened, the contravening act must involve the act of collecting personal data, this being the subject matter of DPP1. (2) It is of the essence that in the act of personal data collection the data user must be compiling information about an identified person or about a person whom the data user intends to or seeks to identify. (3) Certain provisions under the Ordinance can only operate logically when the data collected is from a subject whose identity is known. These sections include: 18, 20(1), 24(1)(a), 30, 341 and DPPs3 and 6. (4) What was crucial in the case was the complainant’s anonymity and the irrelevance of her identity so far as the photographer, the reporter and Eastweek were concerned. It was held that taking photograph of the complainant in the circumstances of the case did not constitute an act of collection of personal data of the complainant. (5) However, it was not suggesting that taking someone’s photograph can never be an act of personal data collection. It plainly can, depending on circumstances. (6) The press or other media organisations do not fall outside the scope of the Ordinance. If an organisation engages in collecting personal data, the provisions of the Ordinance apply.

1. Section 34 was repealed by the Amendment Ordinance and is now replaced by Part 6A of the Ordinance

312

13_Data Protection_appendix_03A.indd 312

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

(7) The aim of the Ordinance is to protect the privacy of individuals in relation to personal data, namely, information privacy but not other kinds of privacy interests including territorial privacy, personal privacy or communications and surveillance privacy . (8) Wong JA (dissenting judge) held that the complainant’s photograph satisfied the three requirements of the definition of “personal data” as it depicted the complainant and as such, taking the photograph amounted to collection of personal data.

313

13_Data Protection_appendix_03A.indd 313

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

6. Lily Tse Lai Yin v Incorporated Owners of Albert House

(HCPI 828/1997, decision dated 10 December 1998) Court of First Instance

Summary Civil procedure — discovery against a non-party to proceedings — personal injury proceedings — whether disclosure of witness statements taken by the police would violate personal data privacy — whether unlawful or seriously improper conduct under section 58(1)(d) covers civil wrong — whether use of personal data in civil action directly related to original purpose of taking statements — inconsistency between the Ordinance and section 42 of High Court Ordinance — DPP3 and section 58(2) of the Ordinance.

Facts In August 1994, the canopy of the first floor of Albert House in Aberdeen collapsed, falling on to the street below and causing injury or death to passers-by. The police took statements from a number of witnesses for the purpose of investigating the accident. Seven plaintiffs brought a claim for damages, either for personal injuries or under the Fatal Accidents Ordinance against six defendants. In December 1998, the plaintiffs took out three summons all under Order 24, rule 7(8) of the High Court Ordinance (Cap 4) for non-party discovery against the Director of Buildings, the Director of Urban Services Department and the Commissioner of Police respectively for certain documents including unedited witness statements taken by the police. The main opposition came from the Commissioner of Police on the grounds that indiscriminate disclosure of personal data contained in the witness statements would contravene DPP3.

314

13_Data Protection_appendix_03A.indd 314

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

Issues (1) Whether use of personal data in civil action to remedy a civil wrong would fall within the ambit of section 58(1)(d)? (2) Whether disclosure of the unedited witness statements would contravene DPP3? (3) Whether there is inconsistency between the Ordinance and section 42 of High Court Ordinance?

Held All orders sought by the plaintiffs were granted. (1) The use of the words “unlawful or seriously improper conduct” and “remedying” in section 58(1)(d) of the Ordinance suggest that the scope of section 58(1)(d) extends beyond criminal wrongs to include civil wrongs. As tort is a civil wrong, section 58(1)(d) is wide enough to cover claims for damages in personal injuries and/or fatal accident cases. Disclosure of personal data contained in the witness statements for use in a civil claim was exempt from DPP3 by virtue of section 58(2) of the Ordinance. (2) Alternatively, the bringing of a civil action for damages in relation to the collapse of the canopy was directly related to the initial purpose for which the statements were originally taken by the police, namely, to investigate the accident. As such, there would be no need to obtain the consent of the data subject before the data can be used in the ensuing civil action. (3) There is no inconsistency between the Ordinance and section 42 of the High Court Ordinance. It was never the intention of the legislature that the Ordinance would impede the administration of justice by restricting or eliminating the power of the High Court to order discovery under section 42 of the High Court Ordinance.

315

13_Data Protection_appendix_03A.indd 315

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7. M v M

(FCMC 1425/1988, decision dated 10 June 1997) Family Court

Summary Personal Data privacy — Court procedure in enforcing maintenance order — husband failing to pay maintenance — disclosure of husband’s new address to wife — application of exemption under section 58(2) — whether breach of Court order constituted “unlawful conduct” or “seriously improper conduct” — prejudice test under section 58(2)(b) of the Ordinance.

Facts M and M were married in 1981 with one child born out of wedlock. Subsequently, the husband issued a petition for divorce to which the wife consented. A decree nisi was pronounced on that petition on 14 July 1988, upon which the judge ordered the husband to pay monthly maintenance for the child at the rate of $1,400 per month. A decree absolute was made on 7 September 1988. Since 1996, the husband had failed to pay the monthly payments, in breach of the Court order. The wife had attempted to visit the husband at his last known address in October 1996 but found that he had moved. The Housing Department, who held the husband’s new address, had declined the wife’s request to disclose the same on the grounds that to do so would result in contravention of the Ordinance. The wife filed a summons seeking an order from the Court directing the Housing Department to supply her with the new address of the husband.

Issues (1) Whether the husband’s address constituted personal data? (2) Whether disclosure of the husband’s new address would breach DPP3? (3) Whether the exemption under section 58(2) applied?

316

13_Data Protection_appendix_03A.indd 316

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

Held The order was granted. (1) The husband’s address held by the Housing Department constituted personal data as defined under section 2 of the Ordinance. Equally, the Housing Department was a data user as a “person controlling the collection, holding, processing or use of data”. (2) Providing the address of a person for the purposes of matrimonial proceedings did not fall within the purpose for which the information was originally collected or a directly related purpose. Unless exemption applied, the husband’s new address could not be supplied to the wife without his prescribed consent as required under DPP3. (3) The husband’s breach of the Court order for maintenance was not an offence per se. It was held that the husband’s conduct in failing to pay maintenance was not unlawful under section 58(1)(d) of the Ordinance. (4) However, a failure to pay maintenance pursuant to a Court order might result in the issue of a judgment summons whereby the person ordered to pay was required to attend the Court to explain why he had not paid. If his explanation were not satisfactory, he might be committed to prison. Contempt of Court was considered as amounting to “seriously improper conduct” under section 58(1)(d) of the Ordinance. In blatant breach of the Court order, the husband’s conduct was found to constitute seriously improper conduct. (5) The application of DPP3 prevented the disclosure of the husband’s address and prevented the wife from taking proper steps to prevent the husband’s seriously improper conduct and contempt of Court. The exemption under section 58(2) of the Ordinance therefore applied.

317

13_Data Protection_appendix_03A.indd 317

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

8. Ng Shek Wai v Medical Council of Hong Kong

(HCAL 167/2013, decision dated 18 February 2015) Court of First Instance

Summary Administrative law — judicial review — request for identities of members of a disciplinary inquiry, legal adviser and defence counsel — decision not to disclose information quashed — principle of open justice. Personal data privacy — basic information of key persons involved in judicial hearing should normally be published — exemption to DPP3 of the Ordinance.

Facts The Medical Council (“Council”) conducted a disciplinary inquiry in relation to M, a medical practitioner. The inquiry was held in public with the names of the Council members displayed on name plates in front of them. After M had been sentenced, it was brought to the attention of the Council that M did not have a clear record and the Council sought to review its original decision. When the revised decision of the Council was written and reported in the news, it gave only the name of the Chairman. X, a member of the public, unrelated to the case, enquired with the Council as to the identity of the members involved in the inquiry as well as the identity of the Legal Adviser to the Council and the defence counsel. When questioned on more than one occasion by the Council as to the purpose of his enquiry and his intended use of the information, X refused to answer. The Council refused to disclose the identities requested to X. As a result, X applied for judicial review to quash the Council’s decision. The Council maintained that DPP3 of the Ordinance applied and that disclosure of the requested information was restricted as none of the exemptions under the Ordinance applied.

318

13_Data Protection_appendix_03A.indd 318

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

Issues (1) Whether the existing decision was substantive enough in order to invoke judicial review? (2) Whether the Ordinance was applicable and with what effect? (3) What were the principles governing access to information relating to Medical Council inquiries, both at common law and under Article 16 of the Hong Kong Bill of Rights or Article 19 of the International Covenant on Civil and Political Rights (“ICCPR”)? (4) On application of the principles, should the requested information be disclosed?

Held The application was allowed and the decision of the Council was quashed. The matter was remitted to the Council for its decision in light of this judgment. (1) The Council had decided that they would not consider providing the information until they knew X’s purpose and intended use of the information. X refused to answer these questions. As such, the parties had reached an impasse and the result was that the Council had effectively decided not to provide the information sought. X had not obtained the requested information and no further decision of the Council was pending. The Court decided that this was a decision with sufficient finality and substantive effect to engage the Court’s supervisory jurisdiction. (2) If the common law principle of open justice required or authorised disclosure (even if subject to qualification), DPP3 would not pose any obstacle to disclosure by virtue of the exemption under section 60B(a) of the Ordinance (required or authorised by a rule of law). However, a common law principle does not give an absolute right of access to the information requested. As provided in section 51 of the Ordinance, the effect of the exemption in section 60B(a) is simply that DPP3 does not prevent or restrict the disclosure of information in question. It does not imply that the Council is required to make disclosure and does not confer any entitlement on X to the information sought.

319

13_Data Protection_appendix_03A.indd 319

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(3) (Obiter) Disclosure of the names to X would not constitute a “new purpose” as defined under DPP3(4). When considering the original purpose or any directly related purpose, the data subjects’ “reasonable expectations” would be a legitimate consideration. As the Council members’ names were displayed during the inquiry, the members, Legal Adviser and defence counsel would reasonably expect that the Council could disclose (either in writing or otherwise) their names and the capacities in which they attended. There had been no expectation of secrecy or privacy in that regard. The Court considered that giving such information upon a subsequent inquiry such as that made by X was either part of the original purpose, or a directly related purpose within the meaning of DPP3. (4) The principle of open justice is not limited to physical access to a court room where a judicial hearing is taking place. It has been recognised that the principle extends to access to documents used in a court hearing. The applicant’s request here was not for access to documents used but just the names of certain persons who took part in the disciplinary inquiry. Public interest in the administration of justice and accountability of judicial process requires that basic information, such as the identities of Council members who had taken part in a public judicial hearing, should normally be published. In the circumstances of the case, where such information was not published, it should be disclosed upon inquiry made at a time reasonably close to the hearing. (5) Open justice is generally regarded by the common law as a constitutional right. Whether to grant access to documents or information is a question of what open justice requires in the circumstances. It is a question of principle, not mere discretion. The determination may involve balancing competing considerations but does not rest on personal preferences of a particular tribunal. (6) (Obiter) There was a division of judicial opinion as to whether Article 16 of the Bill of Rights and Article 19 of the ICCPR confer rights to obtain information. If such rights were conferred in the present context, it would not go beyond the common law principle of open justice.

320

13_Data Protection_appendix_03A.indd 320

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

9. Oriental Press Group Ltd v Inmediahk.net Ltd

[2012] 2 HKLRD 1004 Court of First Instance

Summary Tort — defamation — defamatory statements posted on Internet website forum — liability of website host as subordinate distributor and not primary publisher — damages. Civil procedure — discovery — Norwich Pharmacal relief — personal particulars of anonymous website users.

Facts The plaintiff was the publisher of a Chinese newspaper in Hong Kong. The defendant was the host of a website (“Website”). Two articles (“Articles”) were posted on the Website in October 2007 and January 2009 respectively, by two persons under pseudonyms (X and Y). The plaintiff claimed that the Articles were defamatory (“Offending Words”) and on 13 August 2010 demanded the defendant to remove the Articles from the Website. The defendant failed to respond to the plaintiff’s request and on 17 August 2010 the latter commenced defamation proceedings.

Issues (1) Whether the Offending Words were defamatory of the plaintiff? (2) Was the defendant responsible for publication of the Offending Words? (3) If the defendant was liable, what was the appropriate relief?

321

13_Data Protection_appendix_03A.indd 321

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Held Judgment was entered for the plaintiff. Defendant’s liability for publication of the Offending Words (1) The Offending Words were found to be defamatory in nature. (2) Common law recognises that persons may be involved as intermediaries in the publication of defamatory materials simply as mere conduits and do no more than fulfilling the role of a passive medium for communication. Generally, the liability of a website host for the publication of a third party’s defamatory post is in the nature of a subordinate distributor rather than a primary publisher. However, it certainly does not rule out the possibility that a website host may be held liable as primary publisher of the posts on its website, for example, by inviting defamatory comments on a particular person, or if circumstances arose where the host has (or should have) accepted responsibility for the website content. (3) The defendant was not a primary publisher as there was no evidence of the defendant’s ability to investigate or monitor the contents of every third party post in the interest of identifying and removing any defamatory material. It was found that the defendant was not able to put in place a screening system to ensure the contents of uploaded articles were scrutinized. This alone was not enough to give rise to a voluntary assumption of liability for defamatory content posted by a third party. Besides, the Website had a disclaimer as to its liability for third party posts. (4) However, the defendant was given actual notice of the Offending Words by the plaintiff on or shortly after 13 August 2010 and yet had failed to remove them by 17 August 2010. The defendant was found to have acquiesced in the publication of the Offending Words and was in a position of a subordinate distributor. Damages (5) An award of $100,000 was considered sufficient to compensate the plaintiff in the case after taking into consideration, the gravity of the libel, the fact that the Articles were posted by anonymous persons only identifiable by their

322

13_Data Protection_appendix_03A.indd 322

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

pseudonyms, the extent of the publication and the conduct of the defendant. No award of aggravated damages was made. Injunction (6) The defendant’s liability having been established and with no undertaking that it would not repeat publication of the defamatory Articles or any further publication, an injunction was therefore granted. Norwich Pharmacal Relief (7) The plaintiff sought an order for disclosure of information and documentation in the defendant’s possession. The Court was satisfied that it had jurisdiction to grant the relief sought. If, through no fault of his own, a person gets mixed up in the tortious acts of others so as to facilitate their wrongdoing, he has a duty to assist the person who has been wronged by giving full information and disclosing the identities of the wrongdoer (Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133). (8) The defendant was ordered by the Court to disclose to the plaintiff the information sought except the HKID numbers or mobile phone numbers of X and Y. On one hand, there was no evidence that the defendant was in possession of such information. On the other hand, such information was considered highly intrusive and not necessary for the contemplated legal action. There were grave doubts as to whether the provision of such information would come within the exemption under sections 58(1)(d) and 58(2) of the Ordinance.

323

13_Data Protection_appendix_03A.indd 323

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

10. Wu Kit Ping v Administrative Appeals Board

[2007] 4 HKLRD 849 Court of First Instance

Summary Personal data privacy — “personal data” did not extend to identity of maker or recipient of document — opinion expressed directly related to a data subject formed part of his personal data to which he was entitled access — definition of personal data — sections 18 and 20 of the Ordinance.

Facts The applicant complained to the Department of Health (“Department”) that she had been incorrectly diagnosed by a government clinic. Under section 18 of the Ordinance, the applicant made a data access request for copies of any statements about her treatment written by the medical officers concerned. The Department supplied four documents, in which the names of the authors, recipients, fax and telephone numbers, certain pronouns and some contents had been redacted leaving the diagnosis and treatments received by the applicant. One document, captioned “Feedback on Complaint...” contained a redacted sentence (“Sentence”) which expressed an opinion by the maker about his professional conduct regarding the applicant’s treatment. The applicant complained to the Commissioner that by redacting the documents the Department had not fully complied with the request. The Commissioner found that the redaction was justified under s.20(1)(b) and 20(2) of the Ordinance because the redacted words were not the applicant’s personal data, but that of other individuals. This was confirmed by the AAB. The applicant applied for judicial review.

324

13_Data Protection_appendix_03A.indd 324

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

Issues (1) What is the proper interpretation of “personal data” in the Ordinance? (2) Whether the proper interpretation has been applied in determining the lawfulness of redaction by the Department?

Held With the exception of the Sentence which the Court decided that the applicant was entitled to have access to, the decision of the AAB was upheld. (1) The purpose of the Ordinance was not to enable an individual to obtain a copy of every document upon which there was a reference to the individual subject. It was not the purpose of the Ordinance to supplement rights of discovery in legal proceedings; or to add any wider action for discovery of the identity of a wrongdoer under the principles set out in Norwich Pharmacal & Others v Commissioners of Customs & Excise [1974] AC 133. (2) In this case, the extent to which a data subject was entitled to access personal data would not include the identities of a maker or recipient of a document as they did not relate “directly” or “indirectly” to the data subject under section 2 of the Ordinance. As such, redaction of this information was lawful. The redaction enabled the applicant to examine the documents for correctness and to rectify her own personal data, without compromising the privacy of personal data to which the maker/recipient was entitled under the Ordinance. Unless the names or other details explicitly identified the persons, the fact that their identities might be determined by deduction or inference was no barrier to disclosure of the data. Besides, the redaction of the pronouns (that means it could not be determined whether there was more than one person), whilst being unnecessary, was equally lawful. (3) However, where a document expresses an opinion about a data subject, it constitutes the data subject’s personal data to which he is entitled access. In this case, the Sentence related directly to the treatment of the applicant. Therefore, the redaction of the Sentence could not be justified and the Department was required to supply the applicant with the relevant data.

325

13_Data Protection_appendix_03A.indd 325

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

11. Tso Yuen Shui v Administrative Appeals Board

(HCAL 1050/2000, decision dated 16 November 2000) Court of First Instance

Summary Data access request made by a former employee of a hospital in relation to minutes of a meeting on a boiler accident — hospital did not possess the minutes at the time of data access request being made — minutes concerned the incident rather than the applicant’s personal data — whether minutes of meeting on a boiler accident constituted personal data under section 2 — applicant alleged that the hospital deliberately concealed material facts from the Commissioner — DPP6 and section 18 of the Ordinance.

Facts The applicant alleged that the hospital had contravened the Ordinance by failing to provide him with, in response to his data access request, a copy of the minutes of a meeting which he had attended. The applicant claimed that the hospital should have the minutes in its possession and should provide him with a copy. The hospital argued that it had exhausted all practicable means to locate the minutes but in vain. The Commissioner held that the hospital did not deliberately conceal the minutes and hence it had not contravened any requirements under the Ordinance. In any event, the minutes did not constitute the applicant’s personal data. The applicant lodged his appeal against the Commissioner’s decision with the AAB, which accepted that the minutes did not constitute the personal data of the applicant, and thus dismissed the appeal. The applicant applied for judicial review against the AAB’s decision.

326

13_Data Protection_appendix_03A.indd 326

2016/6/27 2:00:29 PM

Appendix IIIA — Case Notes on Significant Court Judgments

Issues (1) Whether mere impracticability in locating the personal data rendered it “in a form in which access to or processing of the data is not practicable” and hence satisfies the definition of “personal data” under section 2? (2) Whether the minutes of a meeting on a boiler accident constituted “personal data” of the applicant?

Held The judicial review application was dismissed. (1) It was held that mere impracticability of locating certain data (which impracticability, however, has nothing to do with the form of the data in the sense of its physical shape, structure, type, etc.) does not prevent such data from being “personal data” under the Ordinance and does not render the access to or processing of the data impracticable. (2) The Court considered that the evidence adduced by the applicant was not sufficient to draw an inference that the hospital had concealed the minutes and confirmed the finding of facts by the Commissioner and the AAB that the hospital did not possess the minutes at the time when the applicant made his data access request. The Court pointed out that pursuant to section 18 of the Ordinance, an individual would only be entitled to have a copy of his personal data if the relevant data user possessed the data at the time when the data access request was made. (3) The Court considered the Court of Appeal’s ruling in the Eastweek case on the collection of personal data and ruled that the contents of the minutes in question did not constitute the personal data of the applicant. The minutes only concerned the maintenance and fixing of a boiler in the hospital and the hospital did not collect the applicant’s personal data. (4) The Court would not interfere with any administrative decisions unless such decisions are illegal or ultra vires; or tainted with any procedural irregularities such as failure to take relevant considerations into account or taking irrelevant

327

13_Data Protection_appendix_03A.indd 327

2016/6/27 2:00:29 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

considerations into account when making decisions; or the decision is so unreasonable that no reasonable decision maker could make it. In this case, the Court found that the decisions made by the Commissioner and the AAB were reasonable and proper and that no procedural irregularities were seen in the course of making the decisions.

Appeal The applicant further appealed to the Court of Appeal, which confirmed the ruling made by the Court of First Instance (under CACV 960/2000).

328

13_Data Protection_appendix_03A.indd 328

2016/6/27 2:00:29 PM

Appendix IIIB Case Notes on Significant Administrative Appeals Board Decisions

  1. AAB No. 24/1999   2. AAB No. 16/2000   3. AAB No. 22/2000   4. AAB No. 24/2001   5. AAB No. 35/2003   6. AAB No. 17/2004   7. AAB No. 5/2006   8. AAB No. 27/2006   9. AAB No. 46/2006 10. AAB No. 7/2007 11. AAB No. 16/2007 12. AAB No. 12/2008 13. AAB No. 25/2009 14. AAB No. 37/2009 15. AAB Nos. 5 & 6/2012 16. AAB No. 54/2014

13_Data Protection_appendix_03B.indd 329

2016/6/27 2:00:36 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1. AAB No. 24/1999 Complainant — former employee of hospital — data access request made in relation to a minutes of meeting on a boiler accident — minutes concerned the incident rather than complainant’s personal data — minutes already possessed by complainant — data access request refused — DPP6 and section 18 of the Ordinance

The Complaint The complainant alleged that the hospital in which he had worked had contravened the Ordinance by failing to provide him with, in response to his data access request, a copy of the minutes of a meeting which he had attended. To substantiate his claim, he provided the Commissioner with a copy of the minutes in his possession, which showed what he had said in the meeting. The complainant insisted that the hospital should still have a copy of the minutes and should provide such a copy to him.

Findings of the Commissioner The Commissioner investigated the matter including carrying out a site inspection of the hospital. The result indicated that the hospital had exhausted all practicable means to locate the minutes but such attempts had been unsuccessful. Given that the contents of the minutes were not sensitive in nature, that the complainant already had a copy of the said minutes and that there was no evidence to show that the minutes were being concealed by the hospital, the Commissioner formed the opinion that there was no contravention of the data access provisions of the Ordinance. The complainant appealed.

The Appeal Upon hearing the appeal, the AAB unanimously upheld the Commissioner’s decision that there had been no contravention of the data access provisions by the hospital. The AAB went further to rule that the contents of the minutes in

330

13_Data Protection_appendix_03B.indd 330

2016/6/27 2:00:36 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

question did not in fact amount to the personal data of the complainant, in that it was primarily about a certain piece of equipment in the hospital rather than about the complainant himself, even though it had recorded some of the complainant’s remarks on the incident.

AAB’s Decision The appeal was dismissed. (Postscript: Dissatisfied with the AAB’s decision, the complainant applied for judicial review in HCAL 1050/2000. The Court of First Instance confirmed the decisions made by the Commissioner and the AAB respectively and dismissed the complainant’s application. The complainant appealed against the court’s decision to the Court of Appeal in CACV 960/2000 which was dismissed and the decision of the Court of First Instance upheld.)

331

13_Data Protection_appendix_03B.indd 331

2016/6/27 2:00:36 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2. AAB No. 16/2000 Complainant over 65 years  of age— entitled to concessionary traffic fare — light and sound emitted when entering toll gates using concessionary payment card — disclosing his age which was his personal data — the definition of “personal data”

The Complaint The complainant complained that whenever he used his “senior citizen concessionary ticket card” to pass through a railway toll gate, an indicating light flashed and a “beep” sound was produced. The complainant alleged that his age was thereby disclosed to any nearby passengers.

Findings of the Commissioner The Commissioner notified the complainant that no investigation would ensue as the complaint involved no personal data within the meaning of the Ordinance. There was no information relating to the complainant recorded in the senior citizen concessionary ticket card or in the information system of the railway operator which would make it reasonably practicable for his identity to be directly or indirectly ascertained. Furthermore, the sound and light being emitted did not amount to the personal data of the complainant since it was not in a recorded form as required under the definition of “personal data”.

The Appeal The complainant appealed to the AAB concerning the Commissioner’s findings. After hearing the appeal, the AAB decided that neither the senior citizen concessionary ticket card, nor its activation of the light and sound at the toll gates, disclosed any personal data of the user. There was no evidence to show that identification of the purchaser was required or recorded at the time of purchase of the ticket card. As for the signals, they identified only the type of card being used, not the user using it. The same signals would be activated whether the user was in fact 30 or 65 years of age. It would be up to the visual judgment of staff on duty

332

13_Data Protection_appendix_03B.indd 332

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

whether to ask the user about his eligibility to use the senior citizen concessionary ticket card.

AAB’s Decision The appeal was dismissed.

333

13_Data Protection_appendix_03B.indd 333

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3. AAB No. 22/2000 Complainant was dismissed by employer — letter of termination containing reasons for dismissal — data correction request made — reasons for termination inherently contentious — role of Commissioner confined to considering whether personal data was inaccurate — DPP6, sections 22 and 24(3)(b) of the Ordinance

The Complaint The complainant was once an employee of a social welfare organisation. He was also a shareholder of a private profit-making retirement home. In the letter of termination issued by the employer, conflict of interest, non-compliance with organisation rules and loss of mutual trust and confidence were the reasons given for the dismissal. Through a data correction request, the complainant demanded his former employer correct his personal data as contained in the letter of termination. The former employer refused on the grounds that the contents of said letter were not considered to be inaccurate. The complainant therefore made a complaint to the Commissioner.

Findings of the Commissioner During the investigation, the former employer provided evidence to support his opinion that the personal data contained in the letter of termination was not inaccurate. The Commissioner was of the view that the former employer, in accordance with section 24(3)(b) of the Ordinance, was entitled to refuse the complainant’s data correction request on the grounds that it was not satisfied that the relevant personal data was inaccurate. No contravention of the provisions of the Ordinance was found.

The Appeal The complainant appealed to the AAB on the decision. The AAB took the view that in a letter of termination the personal data dealing with the employee’s job performance was inherently contentious and it was unlikely that the dismissed employee would share the employer’s point of view. The proper avenue to resolve

334

13_Data Protection_appendix_03B.indd 334

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

these differences was by way of proceedings in the Labour Tribunal, not by way of a data correction request. In facing a dispute on facts, the role of the Commissioner was confined to considering whether the data user was indeed not satisfied that the relevant personal data was inaccurate.

AAB’s Decision The AAB upheld the Commissioner’s decision and dismissed the appeal.

335

13_Data Protection_appendix_03B.indd 335

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

4. AAB No. 24/2001 Two data access requests made by a staff member of the University — alleged contravention of section 19(1) for non-compliance with her data access requests — enforcement notice issued for supply of “Consolidated Document List” — section 20(3)(b) gives data users grounds to refuse compliance when it is not supplied with information reasonably required to locate the personal data — enforcement notice amended by AAB — section 18 and DPP6 of the Ordinance

The Complaint A staff member of a University made two data access requests to the University. The first request was in relation to her personal data held by the Personnel Office and a department of the University. The second request was for all data including data that came into the possession of the University since her first request. In response to her two requests, the University provided her with the requested data (totaling 550 pages of documents). The staff member was not satisfied with what she obtained. She lodged a complaint with the Commissioner alleging that the University had not provided her with all her personal data as requested in her data access requests.

Findings of the Commissioner Having completed the investigation, the Commissioner found that the University had failed to provide the complainant with a copy of certain documents which, being the complainant’s personal data, should have been given to her in accordance with section 19(1) of the Ordinance. To remedy the contravention, the Commissioner served an enforcement notice on the University directing it, amongst others, to: (1) conduct a thorough search of the complainant’s personal data that was in the possession and control of the University; and (2) compile and provide to the complainant a “Consolidated Document List”.

336

13_Data Protection_appendix_03B.indd 336

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

The Appeal The University appealed to the AAB on the grounds that it was not obliged to provide the complainant with a “Consolidated Document List” of her personal data that it held for compliance with data access requests made under section 18 of the Ordinance. The AAB decided that by imposing the requirement of conducting a “thorough search”, the Commissioner had in effect placed a higher burden on the data user than the statutory duty to exercise all due diligence as required under section 64(8) of the Ordinance.1 As regards the “Consolidated Document List”, the AAB held that the complainant had no right to such a list and the imposition of this requirement was contrary to section 20(3)(b) of the Ordinance. It was the data requestor’s responsibility to identify the data he required but not for the data user to prepare a full or consolidated list for the data requestor to pick and choose.

AAB’s Decision For the aforesaid reasons, the AAB decided to strike off the relevant requirements to conduct a “thorough search” and provide a “Consolidated Document List” as contained in the enforcement notice issued by the Commissioner and substituted a new one.

1. Section 64(8) was repealed by the Amendment Ordinance and is now replaced by section 50A(2) of the Ordinance

337

13_Data Protection_appendix_03B.indd 337

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

5. AAB No. 35/2003 Collection of library users’ personal data in prescribed forms — library staff unable to furnish privacy policy statement upon request — alleged lack of personal data policies and practices — decision not to investigate made after 45day time limit does not render the decision void — DPP1(3), DPP5 and section 39(3) of the Ordinance

The Complaint The complainant complained that a library collected his personal data when he applied to use certain library facilities. Prescribed forms were required to be completed upon his application. The complainant alleged that the library did not treat his data as personal data and suspected that there were no policies in place because its staff members were unable to provide him with any PPS upon request.

Findings of the Commissioner The Commissioner found that personal data was collected by the library in prescribed forms which contained the PICS setting out the purposes of collection. In addition, a notice containing the PICS was posted on a public notice board inside the library. A PPS was also found on the website of library services. The Commissioner was satisfied that reasonably practicable steps had been taken by the library to comply with the requirements under DPP1(3) and DPP5 of the Ordinance. Dissatisfied with the Commissioner’s decision not to investigate his complaint, the complainant appealed to the AAB.

The Appeal The complainant raised new grounds for appeal concerning (i) excessive retention of his personal data by the library; and (ii) use of his personal data for statistical

338

13_Data Protection_appendix_03B.indd 338

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

purposes without his consent. He also appealed against the Commissioner’s failure to observe the requirement to notify him of the decision not to investigate his complaint within 45 days of receiving the same pursuant to section 39(3) of the Ordinance, thus rendering the decision void. The AAB upheld the Commissioner’s findings that all reasonably practicable steps had been taken by the library in that it had issued a PICS and PPS in compliance with the requirements of DPP1(3) and DPP5 of the Ordinance. As for the alleged excessive retention and misuse of his personal data by the library, the AAB found that there was insufficient evidence to support the allegations. Even if a prima facie case of contravention were established, the allegation was never the subject of complaint before the Commissioner. Consequently, the AAB could not conclude that the decision made by the Commissioner was wrong. As for the 45-day statutory period laid down in section 39(3), the AAB found that nothing in the section indicated non-observance of the time limit would prevent a complainant from asserting his legal rights. The complainant’s right to appeal to the AAB or his right to apply for judicial review of the decision was unaffected by the decision being made after the 45-day period. The AAB noted that the complainant did not provide proof of his identity to the Commissioner until the 45-day period had expired, making it impossible for the Commissioner to consider his complaint within the prescribed time. The AAB went on to say that if the requirement under section 39(3) were meant to be mandatory, the Commissioner would be obliged to investigate a complaint despite the fact that if might later turn out to be unsubstantiated, and the investigation of which is justified to be terminated under section 39(2) of the Ordinance. The AAB opined that this anomaly was not the intention of the legislature. In the AAB’s opinion, the intention of the legislature could not be that non-compliance would render the Commissioner’s decision void.

The AAB’s Decision The AAB upheld the Commissioner’s decision and dismissed the appeal.

339

13_Data Protection_appendix_03B.indd 339

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

6.

AAB No. 17/2004

Data access request for medical records — hospital requested an initial processing fee — final processing fee was charged after expiry of the forty days from receipt of the data access request — requested documents were eventually supplied some sixty days from receipt of the data access request — section 19(1) of the Ordinance

The Complaint The complainant made a data access request to a hospital regarding her medical records on 13 November 2003. The hospital acknowledged the data access request on 24 November 2003 and asked the complainant to pay an initial processing fee and clarify the type of data she requested. Three days later, the complainant paid the fee and clarified her request. As the complainant received no reply from the hospital on the fortieth day after the data access request, she lodged a complaint with the Commissioner. On 2 January 2004, the hospital informed the complainant of the amount of the required fee for compliance with her data access request. The complainant paid the fee on 7 January 2004 and received some medical notes and X-ray films on 15 January 2004.

Findings of the Commissioner The hospital was found to have complied with the data access request by sending the requested medical records to the complainant within a reasonable time after receipt of the requisite fee. The Commissioner was of the view that there was no evidence of contravention of section 19 and informed the complainant that no investigation would be carried out. Despite the fact that she had obtained the personal data requested, the complainant sought to argue that the hospital was in breach of the relevant provisions of the Ordinance. She appealed to the AAB against the Commissioner’s findings.

340

13_Data Protection_appendix_03B.indd 340

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

The Appeal The complainant argued that in order to comply with the requirements of section 19(1) of the Ordinance, the hospital should have sent the requested data to her, and not simply demanded payment of an initial processing fee, within the prescribed forty-day period. The AAB ruled that “to comply with the request” must mean to supply the requested data in the data access request. An acknowledgement of receipt of the data access request or the issue of a notice of demand for payment of a fee, without more, is insufficient to discharge that obligation. After all, the purpose of prescribing the 40 day period is to enable the requested data to be supplied to the requestor without delay. The AAB however acknowledged that it served no useful purpose to order an investigation of the matter given that the complainant had already obtained her medical reports and X-ray films requested for in her data access request. The AAB further asked the Commissioner to consider giving advice to the hospital as to its future handling of data access requests.

AAB’s Decision The appeal was allowed.

341

13_Data Protection_appendix_03B.indd 341

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

7. AAB No. 5/2006 Request for disclosure of personal data by law enforcement agency — internal investigation — crime — seriously improper conduct — importance of inquiry before releasing personal data to requestor — adequacy of data user’s inquiry — sections 58(1) and 58(2) of the Ordinance

The Complaint The complainant was employed by a law enforcement agency and was a member of a club. He was suspected of seriously improper conduct and was under his employer’s internal investigation. For the internal investigation, the employer wrote to the club for the complainant’s personal data. Six days later, the club supplied the requested data to the employer without the complainant’s consent. The complainant complained that the club was in breach of DPP3 of the Ordinance.

Findings of the Commissioner The club claimed that DPP3 of the Ordinance did not apply because it was entitled to invoke the exemption under section 58(2) of the Ordinance on the grounds that it released the complainant’s personal data to the employer for (i) the prevention or detection of crime; and (ii) the prevention, preclusion of unlawful or seriously improper conduct, dishonesty or malpractice by the complainant. In support, the club claimed that, before it released the personal data to the employer, it had made oral inquiry with the employer over the telephone about the nature of the internal investigation. Having considered all the evidence, the Commissioner decided that the complainant’s conduct could be crime-related and amounted to seriously improper conduct, and since the club had inquired with the employer about the nature of the internal investigation, the exemption under section 58(2) was applicable in the circumstances. The complainant appealed.

342

13_Data Protection_appendix_03B.indd 342

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

The Appeal The AAB stated that pursuant to section 58(2), an exemption to DPP3 is available to a data user if the requirements that (i) the use of the personal data is for any of the purposes under section 58(1), i.e. prevention of crime, seriously improper conduct, etc. and (ii) the application of DPP3 would be likely to prejudice such purposes, are both satisfied. The AAB decided that the complainant’s relevant conduct was not crime-related, but since it amounted to seriously improper conduct under section 58(1)(d), requirement (i) was therefore satisfied. However, the AAB decided that the club did not satisfy requirement (ii), which was determined by applying an objective test, because there was no cogent evidence to prove that the club had sufficient knowledge of the internal investigation in showing it had reasonable grounds for believing that the application of DPP3 would be likely to prejudice the purpose of preventing or precluding the complainant’s seriously improper conduct. The AAB’s decision was based on the following: 1.

the employer’s written request to the club for the personal data did not contain anything about the nature of the internal investigation; and

2.

there was no written record or statement to show that the club had enquired with the employer about the nature of the internal investigation.

In the circumstances, the AAB ruled that the section 58(2) exemption was not applicable.

AAB’s Decision The appeal was allowed.

343

13_Data Protection_appendix_03B.indd 343

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

8. AAB No. 27/2006 Data access request for “explanation/report/statement” made by various doctors — names of senders and recipients and part of contents redacted — noncompliance with the data access request — sections 18(1), 19(1) and 20(1)(b) of the Ordinance

The Complaint The complainant was a patient of the hospital in question who complained against the hospital for incorrect diagnosis. On 10 December 2005, she made a data access request to the hospital for “explanation/report/statement” by various doctors on consultations concerning her. On 10 February 2006, the hospital sent to the complainant copies of four statements with part of the contents redacted. Dissatisfied, the complainant lodged a complaint with the Commissioner for failure of the hospital to comply with her data access request.

Findings of the Commissioner Having looked at the unedited versions of the four statements during the investigation, the Commissioner was satisfied that the redactions were properly made and decided that since there was no prima facie case of contravention, he would not carry out an investigation of the complaint. The complainant appealed against the decision made by the Commissioner as to whether the supply of the redacted documents amounted to proper compliance with the data access request.

The Appeal The AAB ruled that the duty to comply with a data access request under section 19 of the Ordinance extended only to supplying a copy of the personal data of the data subject and not a copy of the document in which the data was contained. In determining what amounted to “personal data” of the complainant in the four statements, the AAB found the first limb of the definition of “personal data” under the Ordinance particularly relevant for consideration in the present case, i.e. whether the redacted information should be considered as “relating to” the

344

13_Data Protection_appendix_03B.indd 344

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

complainant directly or indirectly. The AAB emphasised that it was the “data” as distinct from the document or its contents, that had to “relate to” the data subject. Upon examination of the unedited versions of the four statements, the AAB was satisfied that none of the redacted information that identified or pertained to the makers and the recipients of those statements was “personal data” of the complainant. Also, the redaction of such identity had not in any way affected the integrity of the information or data that related to the complainant. As for the redaction of parts of the contents of one of the statements, the AAB was also satisfied that the information set out in the redacted parts could not properly be regarded as “relating to” the complainant as intended under the Ordinance. The AAB ruled that the redacted information did not form part of the complainant’s personal data and was therefore not subject to disclosure under the data access request.

AAB’s Decision The appeal was dismissed. (Postscript: Dissatisfied with the AAB’s decision, the complainant applied for judicial review in HCAL 60/2007. The Court of First Instance held that save and except for the unjustified redaction of a sentence referring to the treatment of the complainant which formed an opinion relating directly to the complainant, all other redactions were lawful.)

 

345

13_Data Protection_appendix_03B.indd 345

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

9. AAB No. 46/2006 Unfair collection of personal data — secret recording of conversation between a lecturer and his supervisor — recorded conversation disclosed to public through websites and internet forums — DPP1(2), DPP3, sections 52 and 58 of the Ordinance

The Complaint This case concerned the secret recording of a conversation between a lecturer at an educational institution and his supervisor, the complainant, during a lunch meeting and its subsequent disclosure. The purpose of the lunch meeting was to discuss the lecturer’s work performance. The complainant was alleged to have said that he had completed students’ assignments for them and that the lecturer should do the same. The lecturer audio-recorded the conversation without informing the complainant. The lecturer then uploaded the recorded conversation onto the internet in two versions of different lengths. He informed the media of the conversation and some newspapers carried reports about it. He also wrote an article about the matter (“the Article”) and posted it on two websites. The complainant’s name, job title and employer appeared in the preamble of the Article and it also contained hyperlinks to the recorded conversation. The lecturer also posted messages on internet forums with hyperlinks to the Article. The complainant lodged a complaint with the Commissioner that the lecturer had collected his personal data and disclosed it on the websites and internet forums without his consent. As a result of the newspaper reports, an independent investigation panel was set up by the educational institution to investigate the allegation made against the complainant which was subsequently found to be unsubstantiated.

Findings of the Commissioner The Commissioner considered that even if it could be argued that the purpose of collecting the complainant’s personal data by the lecturer was to report the impropriety of the complainant’s teaching method, there was no evidence that the lecturer had reported the matter to the institution. Instead, the lecturer chose

346

13_Data Protection_appendix_03B.indd 346

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

to expose it through the media and to the public via the websites and internet forums and it remained so exposed even after the institution’s investigation into the complainant. The lecturer had failed to provide valid justification or explanation for his actions. The Commissioner found that the lecturer had contravened DPP3 in disclosing the complainant’s personal data for use unrelated to its original collection purpose. The Commissioner was not satisfied that there was seriously improper conduct on the part of the complainant, especially when the institution’s investigation had been concluded with the allegation of misconduct unsubstantiated. There was also no evidence to show how, if the provisions of DPP3 were to apply to the lecturer’s use of the complainant’s personal data, the alleged purpose of remedying the seriously improper conduct or malpractice by any person would likely be prejudiced. The exemption under section 58(2) of the Ordinance was therefore not applicable. The Commissioner issued an enforcement notice against the lecturer requiring him to take steps to remedy the wrongful act. Dissatisfied with the Commissioner’s decision, the lecturer appealed to the AAB.

The Appeal The AAB opined that the subsequent use of the recorded conversation by the lecturer indicated that his recording was not made with the bona fide intention of simply keeping a record of the meeting for his own use. It was found that the collection of the complainant’s personal data in the circumstances was unfair, contrary to DPP1(2) of the Ordinance. The AAB further considered that in view of the wording of section 52, the exemption under section 52 should only apply to personal data already held by an individual but not to cases concerning collection of personal data. By uploading the complainant’s personal data on the internet for disclosure to the public, the lecturer had extended the use beyond the original purpose of collection. This was done without the prior consent of the complainant, contrary to DPP3. The AAB further upheld the Commissioner’s finding that the exemption under section 58(2) of the Ordinance was not applicable as there was no evidence of misconduct in the circumstances.

347

13_Data Protection_appendix_03B.indd 347

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

AAB’s decision The appeal was dismissed.

 

348

13_Data Protection_appendix_03B.indd 348

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

10. AAB No. 7/2007 Data access request made by a university student for examination script and external examiner’s correspondence — university no longer held the examination scripts after one year — no evidence to the contrary found — external examiner’s correspondence did not contain the complainant’s personal data — no contravention of section 19(1) — section 26, DPP2(2), DPP4 of the Ordinance

The Complaint The complainant was a university student. She made a data access request to a university for copies of her examination script (“Script”) and the related external examiner’s correspondence (“the Correspondence”) one year after sitting the examination. The university replied they were unable to comply with her data access request because (1) it was the normal policy of the university department in question to destroy examination scripts after one year; (2) the Script did not contain her personal data; and (3) the Correspondence merely contained comments on the examination arrangements but no specific comments on individual scripts. Dissatisfied with the reply, the complainant lodged a complaint with the Commissioner for the failure of the university to comply with her data access request.

Findings of the Commissioner Generally speaking, an answer in an examination does not amount to personal data of the candidate unless the answer contains information about the candidate personally. There is no provision in the Ordinance that requires a data user to retain personal data. Having examined the code of practice of the university, the Commissioner accepted that the code of practice of the university did not impose any specific time limit for the retention of the marking sheets and examination scripts and there was no contrary evidence to show that the university did hold the Script at the time of receipt of the data access request. The Commissioner also examined the Correspondence and agreed that it did not contain personal data of the complainant. Since there was no prima facie evidence of contravention of section 19(1), the Commissioner refused to carry out an investigation of

349

13_Data Protection_appendix_03B.indd 349

2016/6/27 2:00:37 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the complaint under section 39(2)(d). The complainant appealed against the Commissioner’s decision.

The Appeal The complainant contested that the Commissioner was wrong in accepting the explanation of the university that the department’s practice was to destroy examination scripts after one year and they no longer held the Script. She argued that the university had a duty to retain the Script in order to comply with DPP4 in protecting the personal data against “unauthorized or accidental access, processing, erasure or other use...”. She also argued that the Script and the Correspondence contained her personal data. The complainant, however, could not supply any evidence to support her claims. The AAB was satisfied that the Commissioner did not act unreasonably in reaching his decision. The AAB remarked that if the examination script was marked with the examiner’s comments or evaluation of the complainant’s answers, these evaluation or comments could be the personal data of the complainant. In the present case, the Script contained only the material written by the student because the examiners were not allowed to write any remarks on the scripts. The Commissioner did not err in stating that the complainant’s answers in the Script did not amount to her personal data. In relation to the duty to retain personal data, the AAB rejected the complainant’s arguments and ruled that the provisions of the Ordinance did not impose any positive duty on a data user to keep or retain one’s personal data until the original collection purpose was fulfilled.

AAB’s Decision The appeal was dismissed.

350

13_Data Protection_appendix_03B.indd 350

2016/6/27 2:00:37 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

11. AAB No. 16/2007 Complainant was an email account subscriber in PRC — webmail service provider in PRC provided certain user registration information, IP login information and email contents to PRC authorities in compliance with Disclosure Order issued — data user — question of control — extra-territorial application — exemption of “crime” under section 58(1) and section 65(2) of the Ordinance

The Complaint The complainant was a PRC resident and subscriber of a webmail service provided by an operation in the PRC. The complainant was suspected to have leaked state secrets to a foreign entity through email, violating the PRC State Secrets law. In compliance with the Disclosure Order issued by the PRC authorities to the webmail service provider’s operation in the PRC, information on certain user registration, IP log-in information and email contents were disclosed. The complainant was subsequently convicted in the PRC. The complainant lodged a complaint with the Commissioner on suspected breach of DPP3.

Findings of the Commissioner The corporate structure of the webmail service provider’s business operation was studied. Although the webmail service provider, a Hong Kong registered company, owned both of the websites in the PRC and Hong Kong, these websites were operated and managed independently. The webmail service provider was found to be responsible in its capacity as principal for the acts and practice of its agent under section 65(2) insofar as such act or practice fell under the purview of the Ordinance. There was, however, no evidence to show that any of the acts of collection, holding, processing and use of the personal data of the complainant took place in Hong Kong; nor was there any evidence to suggest that the Disclosure Order was issued to the webmail service provider in Hong Kong. On the question of whether personal data of the complainant was disclosed, the Commissioner formed the view that an IP address, being a specific address assigned to an inanimate computer, does not by itself satisfy the definition of “personal data”

351

13_Data Protection_appendix_03B.indd 351

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

under the Ordinance. It is a question of whether an IP address together with other identifying particulars constitutes “personal data”. Apart from the verdict given by the court in the PRC confirming that the account holder information pertaining to the IP address was furnished by the webmail service provider, there was no other evidence available to show that personal data of the complainant was indeed disclosed. Since the email in question was sent under an alias, the email address itself did not reveal the identity of the complainant and as the complainant did not register his email account under his real name, it was unsafe to conclude that personal data of the complainant was disclosed by the webmail service provider. Hence, the Commissioner opined there was insufficient evidence of contravention of DPP3. The Commissioner also found that the disclosure was compelled under a lawful order issued by the PRC authorities which carried consequences of sanction on non-compliance. The Commissioner formed the view that the provider’s control, if any, was lost and vitiated under the compulsion of law. As such, the webmail service provider no longer “controls the collection, holding, processing or use of the data” as required in the definition of “data user” under section 2(1) of the Ordinance. Furthermore, the Ordinance does not confer extra-territorial application. Since none of the factors to attract jurisdiction existed, the Commissioner found that the act or practice in question fell outside the purview of the Ordinance. Since the webmail service provider’s operation in the PRC was obliged to comply with the PRC law, the disclosure of the information in question was consistent with DPP3. Lastly, the Commissioner also formed the view that the words “crime” and “offenders” in section 58(1) of the Ordinance should be construed to mean Hong Kong crime and those crimes to which the Mutual Legal Assistance in Criminal Matters Ordinance, Cap 525 applies. Dissatisfied with the Commissioner’s findings, the complainant appealed to the AAB.

The Appeal The AAB addressed the four grounds of appeal raised by the complainant as follows: Whether IP address together with other information disclosed constituted “personal data” of the complainant There was insufficient evidence to conclude that “personal data” of the complainant

352

13_Data Protection_appendix_03B.indd 352

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

was disclosed regarding the facts that (i) the verdict convicting the complainant of illegally providing state secrets to foreign entities did not indicate that the corresponding user information of the IP address belonged to the complainant or revealed his identity and the address of a business rather than an individual was provided to the PRC authorities; (ii) there was no guarantee that the information provided by email service subscribers was genuine; (iii) the user name of the email account was not in the name of the complainant; and (iv) the email was sent under an alias, not revealing the true identity of the complainant. The complainant failed to discharge the burden of proof to put forward credible evidence that the registration information held in the hands of the PRC authorities disclosed his personal data. Whether the webmail service provider was a “data user” at the time The business operator in the PRC was the agent of the webmail service provider who had control over the relevant information. The AAB took the view that even if the disclosure was compelled by the law, it did not and could not “vitiate” the webmail service operator’s control given that it had chosen to disclose the information. The AAB ruled that the webmail service provider was a “data user” as defined under the Ordinance. Whether the Ordinance has extra-territorial application Given the fact that the webmail service provider was found to be a “data user”, the AAB considered it unnecessary to come to any view on whether the Ordinance has any extra-territorial application. Whether there was a breach of DPP3 The AAB took the view that “prescribed consent” was given by the complainant authorising the disclosure by the webmail service provider “in accordance with legal procedure” as contained in the Terms of Service for the webmail service. The AAB did not agree with the Commissioner’s view that compliance with the statutory requirement on disclosure of personal data could be regarded as a use consistent with the collection purpose pursuant to DPP3. The AAB was of the view that disclosure of personal information to public prosecution authorities could not be considered to be a “use” of the information as originally intended by the parties at the time of collection.

353

13_Data Protection_appendix_03B.indd 353

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

On the question of applicability of section 58 and the interpretation of the word “crime”, the AAB agreed that the crime committed by the complainant in the PRC did not amount to a crime under the laws of Hong Kong.2

AAB’s Decision The appeal was dismissed.

2. Section 58(6) of the Ordinance now contains a specific definition of "crime".

354

13_Data Protection_appendix_03B.indd 354

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

12. AAB No. 12/2008 Alleged incorrect employee’s personal records — data correction request could not be made verbally — no breach for failure to correct personal data in the absence of a data correction request — DPP2(1), section 22 of the Ordinance

The Complaint The complainant was an employee of a government department (“the Department”). The complainant complained to the Department alleging that she had been treated unfairly by her supervisor. Upon investigating, the Department found that the complaint was unsubstantiated. The complainant subsequently made a data access request to the Department for copies of all her personal records and the Department complied with the data access request. After receiving the requested documents, the complainant complained to the Commissioner against the Department concerning a list of sixteen “incorrect facts” she found in the documents and her concern that the investigation carried out by the Department was incomplete and incorrect. During the course of the Commissioner’s enquiries, the Department corrected two “incorrect facts” but refused to amend the others as they were not inaccurate.

Findings of the Commissioner The Commissioner found that the complainant did not make any data correction request to the Department pursuant to section 22 of the Ordinance. Therefore, the Department could not have been in breach of the Ordinance for failing to comply with a data correction request. Moreover, the “incorrect facts” were not the complainant’s personal data and there were factual disputes. The Commissioner considered that the complaint was essentially an employment dispute, and that there was no prima facie evidence that the Department had contravened the Ordinance. In the circumstances, the Commissioner decided that an investigation was unnecessary. The complainant appealed against the Commissioner’s decision.

355

13_Data Protection_appendix_03B.indd 355

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The Appeal The complaint was about (i) the alleged inaccuracy in her personal records and the Department’s refusal to correct them; and (ii) the alleged improper investigation by the Department. The AAB took the view that DPP2(1)(a) of the Ordinance does not impose an obligation on data users to ensure that personal data held by them must be accurate in all respects. The mere fact that the data is found to be inaccurate does not constitute a contravention of the Ordinance provided the data user has taken all reasonably practicable steps to ensure its accuracy. The keeping of inaccurate personal data would become a contravention if, upon receiving a data correction request, the data user still refused to correct them. Regarding the complainant’s argument that she had made a data correction request verbally, the AAB considered that a data correction request could not be made verbally, otherwise, it would be difficult to verify whether such request was actually made and what the requested correction was. In the absence of a data correction request, the Commissioner did not have the power to resolve whether or not the data was inaccurate, and there was no prima face evidence that the Department was in breach of the Ordinance. Moreover, it was not within the power of the Commissioner to reopen the investigation by the Department on the complainant’s unfair treatment which she considered to be improper. The AAB decided that the Commissioner’s decision not to investigate the complaint was correct.

AAB’s Decision The appeal was dismissed.

356

13_Data Protection_appendix_03B.indd 356

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

13. AAB No. 25/2009 Representatives of an insurance company made cold calls using names and office telephone numbers from the website of the telephone directory of the Hong Kong Government — whether the act constituted a contravention of DPP3 in (i) ignoring the opt-out list, or (ii) ignoring the use restriction clause — whether the insurance company is vicariously liable for such contravention — whether the remedial action taken by the insurance company was sufficient — section 50(1)(a) & (b),3 65(2) and DPP3 of the Ordinance

The Complaint The complainant was a civil servant. Notwithstanding the fact that the complainant had previously requested the insurance company to put her name on an optout list, two career representatives of the insurance company still contacted the complainant and offered her the company’s insurance restructuring services. After the Commissioner commenced investigation, the insurance company took certain remedial measures to prevent recurrence of such acts. However, another career representative still made direct a marketing call to the complainant. The three career representatives obtained the complainant’s name and office telephone number from the website, “Telephone Directory of the Government of the HKSAR and Related Organisations”. The website contains a use restriction clause that states (i) the information is not intended for direct marketing activities or dissemination or circulation of unsolicited publicity or advertising materials, (ii) the advertisers should not use the information to promote their products or services, and (iii) the information contained therein should not be transferred for commercial gain (the “Restriction Clause”). The complainant was discontent with such use of her personal data for direct marketing purpose despite the Restriction Clause, and hence, lodged a complaint with the Commissioner.

3. Section 50(1)(a) & (b) was amended by the Amendment Ordinance and is now replaced by section 50(1) removing the criterion that the contravention is likely to continue or be repeated.

357

13_Data Protection_appendix_03B.indd 357

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Findings of the Commissioner The Commissioner was of the view that given the Restriction Clause, it was clear to the three career representatives at the time of searching for and obtaining the complainant’s personal data from the website, that the data might only be used for facilitation of official communication with the complainant but not for direct marketing purposes. Since the three career representatives had used the data for a purpose unrelated to the original collection purpose and they did not obtain the complainant’s express consent, the Commissioner was of the opinion that the three career representatives had contravened the requirements under DPP3. Furthermore, the three career representatives had failed to consult the opt-out list maintained by the insurance company. The complainant’s name had appeared in the opt-out list of the insurance company since 2005. Section 65(2) of the Ordinance states that any act done or practice engaged in by a person as agent for another person with the authority (whether express or implied and whether precedent or subsequent) of that other person shall be treated as done or engaged in by that other person as well as by him. According to the contracts of the three career representatives, they were the agents of the insurance company. The Commissioner was of the view that the cold calling practice of the three career representatives fell within the sphere of acts authorised by the insurance company. Even though the contracts provided that the three representatives should observe and comply with all laws, regulations and statutory requirements, it did not mean that the insurance company might evade liability. The Commissioner was of the view that the insurance company was liable for the contravention of the three career representatives under section 65(2) of the Ordinance. It was discovered that the insurance company had adopted some measures in an attempt to prevent similar incidents from happening. However, the Commissioner considered that the measures adopted were insufficient in that even though there was no express prohibition in the public domain for the use of personal data for direct marketing, it did not mean that the personal data so obtained could be so used, and the purpose of disclosure of the data in the public domain must be considered as well. Therefore, an enforcement notice was issued to the insurance company. Dissatisfied with the decision, the insurance company appealed to the AAB.

358

13_Data Protection_appendix_03B.indd 358

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

The Appeal During appeal, the insurance company conceded that the three career representatives were its agents and they were in breach of DPP3. The AAB was of the view that section 65(2) had a strong overtones of strict liability and to ensure that the principal would find some ways to procure observance of the DPPs. Therefore, the AAB found that the insurance company was vicariously liable as provided under section 65(2) of the Ordinance. After considering the measures adopted by the insurance company, the AAB also agreed that the measures taken were insufficient because the staff did not accidentally commit the act once, but three times. The AAB was of the view that a clear strong warning should be inserted in a manual or a code of practice for all members of the staff to make them realise that any breach would lead to serious consequences e.g. a threat for summary dismissal. However, the AAB considered that the enforcement notice went far beyond rectification of the contravention in question. The AAB did not agree that the breach in the present case arose from the situation where there was no prohibition clause for use of the personal data in the public domain.

AAB’s Decision The AAB set aside the enforcement notice and allowed the appeal.

359

13_Data Protection_appendix_03B.indd 359

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

14. AAB No. 37/2009 Data access requests made for extensive personal data — s.28(3) requires that an excessive fee shall not be imposed for complying with a data access request — whether the government department was in breach of s.28(3) — proper interpretation of s.28 — proper test for calculation of fee imposed when complying with data access request — whether enforcement notice should be issued — sections 18(1), 28(2), 28(3) and 50 of the Ordinance

The Complaint The complainant made three extensive data access requests to a government department for his personal data covering over ten years. Having noticed the complainant’s objection to excessive fees, the government department lowered the estimated fee to a total sum of HK$14,599.92 charged for complying with the three data access requests by reducing the hourly rate of the staff to be deployed to handle the requests. The complainant complained to the Commissioner that the fee imposed was excessive and thus in breach of section 28(3) of the Ordinance.

Findings of the Commissioner The Commissioner carried out an investigation against the government department. The government department explained to the Commissioner how it had calculated the fees charged for compliance with the three data access requests. The personal data requested by the complainant were all in English and kept in files/records under different subjects. An assistant clerical officer being the lowest grade of clerical staff and competent in terms of English proficiency would have to be assigned to handle the three data access requests. The government department estimated they would need to charge sixty-six hours in order to comply with the data access requests and provided a breakdown of the working hours required for retrieving the requested data in different locations. The government department also explained how it had calculated the hourly rate of the staff. Having considered the circumstances of the case, the Commissioner took the view that the government department might be allowed to recover the labour costs and actual out-of-pocket expenses involved in complying with the data access requests

360

13_Data Protection_appendix_03B.indd 360

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

insofar as they related to the location, retrieval and reproduction of the requested data (“the Tasks”). The amount of the labour costs should only reflect the necessary skills and labour for performing the Tasks. A clerical or administrative staff member of the government department should be able to perform the Tasks and the labour costs should therefore only refer to the reasonable salary of such an employee in performing the Tasks. The Commissioner did not find the photocopying charges (at HK$1 per page) for about 6000 pages and the registered postage imposed excessive. The Commissioner also accepted that the sixty-six man-hours estimated for retrieving the requested data was not extensive, given the considerable scope and extent of the data requested. It was also not unreasonable for a clerical or administrative staff member of that rank to be assigned to perform the Tasks. In calculating the rate of the clerical/administrative staff member, it was noted that the government department adopted the Staff Cost Ready Reckoner No.2007/1 promulgated by the Government Treasury (“the Reckoner”) and the Financial and Accounting Regulation 440 of the Government (“the Regulation”). The Reckoner provided both the monthly and annual average staff costs for 200708 in respect of all ranks of civil service who were paid through the Treasury Payroll System. The following formula was relied on by the government department:  [Annual Staff Cost of an Assistant Clerical Officer provided in the Cost Table of the Reckoner / Net Annual Working Hours provided in the Reckoner] + 20% Overhead Charge based on the principles in the Regulations. The Commissioner did not accept the use of the annual salary in computing the labour costs, as it would average out to give a monthly salary of HK$19,649, closest to a higher salary level for an assistant clerical officer. It was considered that the inclusion of the fringe benefits as part of the labour costs was unjust. The Commissioner also did not accept the inclusion of the annual and other leave entitlements which reflect the long-term cost considerations when hiring an officer. The Commissioner further disagreed that the government department was entitled to include overhead charges because the obligation to comply with the three data access requests was a statutory obligation. On the basis of the aforesaid, the Commissioner found the government department had acted in breach of section 28(3) and issued an enforcement notice giving directions for a lower fee to be imposed. Being dissatisfied, the government department lodged an appeal to the AAB.

361

13_Data Protection_appendix_03B.indd 361

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

The Appeal The AAB considered the relevant provisions under the Ordinance and the legislative history. Section 28(1) of the Ordinance prohibits a data user from imposing a fee for complying with a data access request unless the imposition of the fee is expressly permitted by section 28. Section 28(2) expressly allows a data user to impose a fee for complying with a data access request subject to section 28(3) which specifically requires that no fee imposed for complying with a data access request shall be excessive. However, section 28 does not go further to define the fee that is permitted and there is also no definition of what is “excessive”. The AAB rejected the Commissioner’s argument to rely on the recommendations made in the LRC’s Report for “nominal and non-cost-related” data access fees. The AAB considered that the legislature had not adopted the LRC’s recommendation when enacting the Ordinance. The AAB took a purposive approach in construing section 28 and came to the view that the word “excessive” in section 28(3) should be construed as confining “the fee only to recover those costs which are directly related to and necessary for complying with a data access request”. A fee that exceeded such direct and necessary costs was, in the AAB’s view, excessive. This only applied to first-time data access requests, and not to situations specially provided for under section 28(6) (which required the adoption of a different statutory formula). The AAB further pointed out that the onus rested with the data user and he had the burden of proof to show that the fee represented no more than the direct and necessary costs incurred in complying with the data access request. “Direct and necessary” was not the same as “reasonable”. A cost that a reasonable data user might see fit to incur may not be strictly necessary as it was still possible to comply with a data access request without incurring that cost. In addition, the AAB stated that section 28(3) did not prevent a data user from imposing a fee that was less, or to waive a fee that he might otherwise be entitled to charge. Data users might consider imposing flat-rate fees for complying with data access requests due to administrative convenience so long as the fee imposed is lower than the direct and necessary costs for complying with a data access request in question. Having considered the circumstances, the AAB found that it was artificial to reject the calculation of the hourly rate of the clerical staff with reference to the Reckoner,

362

13_Data Protection_appendix_03B.indd 362

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

based on the reason that the annual salary level averaged out to a higher salary level within the same rank, and to exclude clerical staff’s fringe benefits, the annual and other leave entitlements from the calculation. However, the AAB accepted that the inclusion of overhead charges was inappropriate. For these reasons, the AAB reduced the fee imposed and the government department was entitled to charge a sum of HK$12,161.55. With regard to the enforcement notice, the AAB took the view that based on the facts of the case, there was no evidence to suggest that the government department would insist on imposing a fee that the Commissioner had found to be excessive and there was also no evidence to suggest that the government department was one which flagrantly disregarded the law or acted in bad faith.4 The AAB considered that the case was the first case that was brought for the proper construction of section 28. In the circumstances, the AAB allowed the appeal and set aside the enforcement notice. The government department was ordered to charge a fee not more than the sum allowed by the AAB for compliance with the three data access requests.

AAB’s Decision The appeal was allowed.

4. Please note the subsequent amendment to section 50 of the Ordinance.

363

13_Data Protection_appendix_03B.indd 363

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

15. AAB Nos. 5 & 6/2012 Photographs of artistes’ daily lives and intimate acts at a private residence taken from outside premises and published in magazine without consent — whether the taking of photographs constituted unfair collection of personal data — whether private lives of artistes a matter of public interest — whether contents and descriptions of photographs consistent with the asserted purpose for taking the photographs — whether the exemption under section 61 of the Ordinance applied

The Complaint These two cases arose out of the complaints made by three television artistes to the Commissioner against the appellants. The facts of the cases were similar. (a) AAB Appeal No. 5 of 2012

The complainants complained that photographs of their daily lives and intimate acts at their private residence were taken from a place outside their premises and published in the appellant’s magazine without their consent.

(b) AAB Appeal No. 6 of 2012

The complainant was a male artiste and he complained that nude photographs were taken of him inside his private residence and published in the appellant’s magazine without his consent. The photographs also showed the presence of a female artiste inside his residence. The complainant took the view that but for the deliberate clandestine photography, other people would not be able to see his activities inside his residence which was located at a high rise building.

Findings of the Commissioner Having conducted investigations into these two cases, the Commissioner found that: (a) the taking of the photographs in both cases amounted to collection of personal data of the complainants; (b) given the long distance between the shooting locations and the artistes’ residential premises, the taking of the photographs in question would require

364

13_Data Protection_appendix_03B.indd 364

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

the use of devices such as tele-focus lenses and magnifiers. A person inside his own residence would not reasonably expect that he would be photographed from a location far away from his home using such devices, and the three complainants should not be deprived of their rights to privacy protection simply because they were artistes; (c) the appellants’ acts of prolonged and systematic surveillance of the complainants’ activities inside their residences and taking photographs of them from a long distance with special photographic equipment seriously invaded the privacy of the complainants; (d) the publication of the photographs in question did not involve public interest as alleged by the appellants; and (e) specific guidelines on data collection should be provided by the appellants instead of relying on their employees to interpret the requirements of the Ordinance. As a result of the above findings, the Commissioner concluded that the appellants had contravened DPP1(2) and issued enforcement notices to the appellants under section 50 of the Ordinance. The appellants were dissatisfied with the Commissioner’s findings and appealed to the AAB.

The Appeal The AAB’s findings were as follows: (a) Referring to the Court of Appeal judgment in the Eastweek case, there was no dispute that photographic images constituted “personal data” for the purpose of the Ordinance. (b) Public interest is one of the factors to be considered in deciding whether or not the collection of personal data in an individual case is fair. Where there are competing considerations, it is a question of balancing the fairness in collecting personal data against the public interest in knowing the truth. (c) The two English authorities5 relied on by the appellants did not advance their cases. In the instant appeal cases, there was nothing to suggest that either of

5. Woodward v Hutchins [1977] 1 WLR 760 and Campbell v MGN Ltd [2004] 2 AC 457

365

13_Data Protection_appendix_03B.indd 365

2016/6/27 2:00:38 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the artistes, unlike the celebrities in the two English cases, actively sought publicity of their personal relationships at any time. (d) Agreeing with the observation made by the LRC in its Report on Civil Liability for Invasion of Privacy (at paragraph 7.72) that the “mere fact that a person is an artiste or is engaged in some occupation which brings him into public notice is not of itself enough to make his private life a matter of public interest”, the AAB considered that it was not in the public interest for the appellants to take and publish photographs showing the artistes’ daily lives and intimate acts at their private premises. (e) The contents and captions of some of the published photographs in question were inconsistent with the appellants’ asserted purpose for taking the photographs (i.e. to expose the falsity of the complainants’ public images, in that they were idols of young people who would be influenced by their words and deeds). (f) Section 61 did not offer any exemption to news organisations from DPP1(2).

AAB’s Decision The AAB confirmed the decisions of the Commissioner in both cases and dismissed the appeals accordingly.

366

13_Data Protection_appendix_03B.indd 366

2016/6/27 2:00:38 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions

16. AAB No. 54/2014 Complainant’s identity in Judiciary’s anonymised judgments was ascertained on a website through the hyperlinks provided — whether original purpose in DPP3 refers to purpose of the Judiciary who first collected the data or to the purpose of the website operator — whether DPP3 is applicable to personal data available in public domain

The Complaint The complainant was a member of several statutory panels. Three judgments were handed down in 2000, 2001 and 2002 concerning her divorce proceedings heard in open court, and these judgments, which originally contained the names of the complainant, her ex-husband and her children, were made available by the Judiciary in the Legal Reference System (“LRS”). In 2010 and 2012, the Judiciary replaced the judgments in the LRS with their names anonymised at the request of the complainant. In early 2013, the complainant found her name revealed on three hyperlinks in the “Who’s Who” section of a website operated by the appellant which are respectively connected to the three anonymised judgments in the LRS. If a user entered the complainant’s name in the “search people” box of the appellant’s website, the user would be brought to the “Who’s Who” page of the same website where information about the complainant was shown. However, on this “Who’s Who” page, the three hyperlinks were embedded under the item “Articles”, and by clicking on “Articles”, the three hyperlinks with the judgments’ titles (referring to the names of the complainant and her former husband) would appear. This search process effectively identified the complainant’s name in those three judgments, despite the anonymisation in them. In March 2013, the complainant wrote to the appellant for deletion of the hyperlinks but her request was declined. She then lodged a complaint with the Commissioner against the appellant in disclosing her personal data on the said website.

367

13_Data Protection_appendix_03B.indd 367

2016/6/27 2:00:39 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Findings of the Commissioner Upon completion of the investigation of the complaint, the Commissioner concluded that the appellant had contravened the requirement of DPP3. In August 2014, the Commissioner served the appellant with the result of investigation and an enforcement notice directing him to remove the three hyperlinks from the website. Dissatisfied with the Commissioner’s decision, the appellant lodged an appeal with the AAB.

The Appeal (1) The appellant argued that the “purpose” in DPP3 refers to the purpose of the data collector. As the appellant regarded himself as the “data collector”, his purpose in collecting personal data from the three judgments included publication of the data on his website. This purpose did not change at any time. The appellant cited AAB No.36/2007 as grounds for this.

The AAB considered that in subsection (4) of DPP3, the phrase “the purpose for which the data was to be used at the time of the collection of the data” refers to the purpose for which the data was originally collected. In this case, the original purpose referred to the purpose of the Judiciary being the person who first collected the relevant data.



The AAB did not agree that the appellant’s purpose for using the complainant’s personal data (i.e. reporting and publication for general use) could be said to be consistent with the Judiciary’s purpose of publishing the judgments (i.e. to enable their judgments to be utilised as “legal precedents on points of laws, practice and procedure of the courts and of public interests”). There was nothing to suggest that the appellant’s purpose was in any way related to the law. As the appellant used the relevant personal data for a new purpose, the Commissioner was correct in concluding that the appellant had contravened DPP3.

(2) Relying on paragraphs 30 and 32 of the Court of Appeal’s judgment in TCWF v LKKS (CACV 154 & 166/2012), the appellant contended that unless the court grants a specific injunction, it would not be against the law to publish the name of the parties in an action if their identities are known.

368

13_Data Protection_appendix_03B.indd 368

2016/6/27 2:00:39 PM

Appendix IIIB — Cases Notes on Significant Administrative Appeals Board Decisions



The AAB noted that there was no reference to the Ordinance or DPP3 in TCWF v LKKS, which suggested that there was no issue of personal data protection and the Court of Appeal was not concerned with the application of any provisions of the Ordinance in that case. The AAB did not consider the relevant paragraphs in the judgment as providing any defence or exemption to a contravention of DPP3.

(3) The appellant argued that if DPP3 restricts the repeated use of public domain personal data, such restriction would be unconstitutional because it violates Article 27 of the Basic Law and Article 16(2) of the Hong Kong Bill of Rights.

The AAB believed that the Commissioner had carried out the exercise of balancing the press’ freedom of expression against the personal data privacy of the complainant. The AAB was of the view that the Commissioner’s conclusion, after performing the relevant balancing exercise, of tipping in favour of protecting the personal data of the complainant in the three anonymised judgments was not unreasonable.

(4) The appellant submitted that the Commissioner had erroneously interpreted the term “data user” to embrace persons who merely read or collect and aggregate personal information in and from the public domain.

Noting what the majority of the Court of Appeal said in the Eastweek case, the AAB agreed with the Commissioner that in order to amount to collection of personal data within the meaning of the Ordinance, the collecting party must be compiling information about an individual, and that a person who carries out the activities described by the appellant is prima facie not considered as compiling information about another individual, and the provisions of the Ordinance do not come into play.



Further, the AAB held that DPP3 is directed against misuse of personal data regardless of whether the relevant personal data has been published elsewhere or is in the public domain, quoting the Court of Appeal decision in Re Hui Kee Chun (CACV 4/2012) in support.

AAB’s decision The appeal was dismissed.

369

13_Data Protection_appendix_03B.indd 369

2016/6/27 2:00:39 PM

13_Data Protection_appendix_03B.indd 370

2016/6/27 2:00:39 PM

Appendix IV The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Code of Practice on Identity Card Number and Other Personal Identifiers HKID numbers are commonly collected and used by a data user to identify individuals and manage records relating to them. Copies of HKID are often collected by a data user for use as evidence of its dealings with the individuals concerned. Indiscriminate collection and improper handling of HKID numbers and copies may unduly infringe on the privacy of the individual, besides creating opportunities for fraud. The Code provides guidance on the appropriate handling of personal identifiers in general and HKID numbers and copies in particular. A “personal identifier” is usually a series of numbers or letters, such as a passport number or staff card number, that uniquely identifies an individual and the most commonly used personal identifier in Hong Kong is by far HKID number. The latest version of the Code took effect in April 2016.

Introduction This Code of Practice has been issued by the Privacy Commissioner for Personal Data (the “Commissioner”) in the exercise of the powers conferred on him by section 12(1) of the Personal Data (Privacy) Ordinance (Cap 486) (the “Ordinance”), which empowers him to issue codes of practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users”, and pursuant to section 12(8) of the Ordinance, which provides that the

13_Data Protection_appendix_04A.indd 371

2016/6/27 2:00:45 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Commissioner shall approve a code of practice in respect of all or any requirements of the Ordinance in so far as they relate to personal data which is personal identifiers. This Code was first notified by Gazette on 19 December 1997. The relevant Gazette Notice, as required by section 12(2) of the Ordinance, specified that the Code was approved with effect from 19 December 1997 in relation to the following requirements of the Ordinance: section 26, Data Protection Principles 1, 2, 3 and 4 in Schedule 1. This Code was revised in April 2016. The revision was necessitated by the amendments of the Ordinance and a relevant decision of the Administrative Appeals Board which would be shown by way of a footnote and to update the provisions of the Code that were spent of effect. The provisions of the Code are not legally binding. A breach of the Code by a data user, however, will give rise to a presumption against the data user in any legal proceedings under the Ordinance. Basically the Ordinance provides (in section 13) that: (a) where a code of practice has been issued in relation to any requirement of the Ordinance; (b) the proof of a particular matter is essential for proving a contravention of that requirement; (c) the specified body conducting the proceedings (a magistrate, a court, the Administrative Appeals Board or the chairman of the Administrative Appeals Board) considers that any particular provision of the code of practice is relevant to that essential matter; and if (d) it is proved that that provision of the code of practice has not been observed; then that essential matter shall be taken as proved unless there is evidence that the requirement of the Ordinance was actually complied with in a different way, notwithstanding the non-observance of the code of practice. Aside from legal proceedings, failure to observe a code of practice by a data user will weigh unfavourably against the data user in any case before the Commissioner.

372

13_Data Protection_appendix_04A.indd 372

2016/6/27 2:00:45 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Code of Practice on the Identity Card Number and Other Personal Identifiers The italicized parts in the text are guiding notes and are not themselves part of the Code.

I.

Definitions

Unless the context otherwise requires, the terms used in this Code have the following meanings. 1.1

“Personal identifier” means an identifier (a)

that is assigned to an individual by a data user for the purpose of the operations of the data user; and

(b) that uniquely identifies that individual in relation to the data user, but does not include an individual’s name used to identify that individual. (Section 2 of the Ordinance refers.)

For the avoidance of doubt, an email address is deemed not to be a personal identifier for the purposes of the Code.

1.2

“HKID Card” means a Hong Kong Identity Card issued under the Registration of Persons Ordinance (Cap 177).

1.3

“HKID Card number” means the personal identifier on a HKID Card whether in its original or an altered form.

1.4

“Furnishing” or “provision” of a copy of a HKID Card may include the furnishing or provision (as the case may be) of the HKID Card solely to enable the making of a copy thereof immediately, to the extent such furnishing or provision in the circumstances does not constitute an offence under the Registration of Persons Ordinance (Cap 177).



Note: It is an offence under section 7AA of the Registration of Persons Ordinance for any person to transfer a HKID Card to another person without lawful authority or reasonable excuse.

373

13_Data Protection_appendix_04A.indd 373

2016/6/27 2:00:45 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1.5

“Copy of a HKID Card” means a visual representation or a reproduction of a HKID Card in a permanent form.

1.6

Words and expressions importing the masculine gender include the feminine, and words and expressions in the singular include the plural, and vice versa.

II. The HKID Card Number The following paragraphs seek to give practical effect to the Personal Data Collection Limitation Principle (Data Protection Principle 1): 2.1

Unless authorised by law, no data user may compulsorily require an individual to furnish his HKID Card number.

2.2

Without prejudice to the generality of paragraphs 2.1 and 2.3, before a data user seeks to collect from an individual his HKID Card number, the data user should consider whether there may be any less privacy-intrusive alternatives to the collection of such number, and should wherever practicable give the individual the option to choose any such alternative in lieu of providing his HKID Card number. Such alternatives may include but are not limited to the following: 2.2.1 the identification of the individual by another personal identifier of his choice;

Note: A common example would be the furnishing of the individual’s passport number.

2.2.2 the furnishing of security by the individual to safeguard against potential loss by the data user;

Note: A common example would be the furnishing of a deposit for bicycle hire.



or

2.2.3 the identification of the individual by someone known to the data user.

374

13_Data Protection_appendix_04A.indd 374

2016/6/27 2:00:45 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance



2.3

Note: A common example would be the identification of a visitor to a building by the tenant in the building whom he visits.

A data user should not collect the HKID Card number of an individual except in the following situations: 2.3.1 pursuant to a statutory provision which confers on the data user the power or imposes on the data user the obligation to require the furnishing of or to collect the HKID Card number;

Note 1: For an example of a statutory power to require the furnishing of HKID Card number, section 5 of the Registration of Persons Ordinance (Cap 177) confers on a public officer the power to require any registered person in all dealings with the Government to furnish his HKID Card number and, so far as he is able, the HKID Card number of any other person whose particulars he is required by law to furnish.



Note 2: For an example of a statutory obligation to collect a HKID Card number, section 17K of the Immigration Ordinance (Cap 115) provides:



“(1) Every employer shall keep at the place of employment of each of his employees a record of:(a) the full name of the employee as shown in his identity card or other document by virtue of which he is lawfully employable; and (b) the type of document held by the employee by virtue of which he is lawfully employable, and the number of that document.”

2.3.2 where the use of the HKID Card number by the data user is necessary: 2.3.2.1 for any of the purposes mentioned in section 57(1) of the Ordinance (safeguarding security, defence or international relations in respect of Hong Kong);

375

13_Data Protection_appendix_04A.indd 375

2016/6/27 2:00:45 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.3.2.2 for any of the purposes mentioned in section 58(1) of the Ordinance (the prevention or detection of crime, the apprehension, prosecution or detention of offenders, the assessment or collection of any tax or duty, etc.); or 2.3.2.3 for the exercise of a judicial or quasi-judicial function by the data user;

Note: An example of the exercise of a quasi-judicial function would be the Administrative Appeals Board hearing an appeal brought to it by an individual under the Administrative Appeals Board Ordinance (Cap 442).

2.3.3 to enable the present or future correct identification of, or correct attribution of personal data to, the holder of the HKID Card, where such correct identification or attribution is or will be necessary:

2.3.3.1 for the advancement of the interest of the holder;



Note: For example, a doctor may require a patient’s HKID Card number to ensure that his past medical records are correctly attributed to him to enable better treatment. 2.3.3.2 for the prevention of detriment to any person other than the data user;



Note: The HKID Card number provided by a patient in the previous example may also prevent medication being given wrongly to that or some other patient as a result of misidentification. or 2.3.3.3 to safeguard against damage or loss on the part of the data user which is more than trivial in the circumstances;

Note: For example, a driver in a motor accident may collect the HKID Card number of the other party to facilitate a future claim.

2.3.4 without prejudice to the generality of paragraph 2.3.3, for the following purposes:

376

13_Data Protection_appendix_04A.indd 376

2016/6/27 2:00:45 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.3.4.1 to be inserted in a document executed or to be executed by the holder of the HKID Card, which document is intended to establish or to evidence any legal or equitable right or interest or any legal liability on the part of any person, other than any right, interest or liability of a transient nature or which is trivial in the circumstances;

Note: A common example would be the execution by an individual of a contract or an assignment of real property.



An individual who signs up in a signature campaign should not be asked to put down his HKID Card number, as the campaign or any signed document is not intended to establish any right, interest or liability on the part of the signatories. Moreover, a signature campaign does not require any identification of a signatory, and as such, any demand for the signatory’s HKID Card in the campaign may not be justified under this paragraph.

2.3.4.2 as the means for the future identification of the holder of the HKID Card where such holder is allowed access to premises or use of equipment which the holder is not otherwise entitled to, in circumstances where the monitoring of the activities of the holder after gaining such access or use is not practicable;

Note: A common example would be the entering of HKID Card numbers of visitors in a log book located at the entrance of a government, commercial or residential building, subject to other alternatives for visitors to identify themselves as given in paragraphs 2.2.1 and 2.2.3 above.



or

2.3.4.3 as a condition for giving the holder of the HKID Card custody or control of property belonging to another person, not being property of no value or of a value which is trivial in the circumstances.

377

13_Data Protection_appendix_04A.indd 377

2016/6/27 2:00:45 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



Note: A common example would be car-rental. A counterexample would be the renting of a beach umbrella, the value of which would obviously be too trivial to justify the collection of the HKID Card number of the customer.

The following paragraph seeks to give practical effect to the Personal Data Accuracy Principle (Data Protection Principle 2(1)): 2.4

A data user should not collect from an individual his HKID Card number except by: 2.4.1 means of the physical production of the HKID Card in person by the individual; 2.4.2 accepting the number as shown on a copy of the HKID Card which the individual chooses to provide rather than present his HKID Card in person;

Note: A data user is, however, not obliged to accept a HKID Card number so provided by an individual. Furthermore, where a data user has a general policy of accepting copies of HKID Cards provided by individuals pursuant to this paragraph, the requirements of paragraph 3.7 should be complied with.

or 2.4.3 first accepting the number as furnished, and later checking its accuracy and authenticity by means of the physical production of the HKID Card in person by the holder, or if that is not reasonably practicable, by means of a copy of the HKID Card provided by the holder, before the number is used for any purpose.

Note: For example, in the case of an application for a vacancy in the civil service, the HKID Card number of an applicant as shown on the application form should not be used for integrity checking until it has been verified by examination against the HKID Card produced by the applicant on a subsequent occasion.

378

13_Data Protection_appendix_04A.indd 378

2016/6/27 2:00:45 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

The following paragraph seeks to give practical effect to section 26 of the Ordinance and to the Personal Data Duration of Retention Principle (Data Protection Principle 2(2)): 2.5

Without prejudice to the general requirements of the Ordinance: 2.5.1 where paragraph 2.3.4.2 applies, the data user should take all reasonably practicable steps to erase the record of a HKID Card number upon the holder of the HKID Card leaving the premises or ceasing to have the use of the equipment concerned (as the case may be), or within a reasonable time thereafter; and 2.5.2 where paragraph 2.3.4.3 applies, the data user should take all reasonably practicable steps to erase the record of a HKID Card number upon the holder of the HKID Card ceasing to have custody or control of the property concerned, or within a reasonable time thereafter.

The following paragraph seeks to give practical effect to the Personal Data Use Limitation Principle (Data Protection Principle 3): 2.6

Subject to any applicable exemption from Data Protection Principle 3 in the Ordinance, a data user who has collected the HKID Card number of an individual should not use it for any purpose except: 2.6.1 for the purpose for which it was collected pursuant to paragraph 2.3;

Note: Where a data user has collected a HKID Card number for more than one purpose pursuant to paragraph 2.3, it may use the number for any of those purposes. For example, an employer who has collected the HKID Card number of an employee may use such number to show its compliance with the relevant statutory requirement. It may also use such number for providing medical insurance to the employee in advancement of his interest.

2.6.2 in carrying out a “matching procedure” permitted under section 30 of the Ordinance;

379

13_Data Protection_appendix_04A.indd 379

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.6.3 for linking, retrieving or otherwise processing records held by it relating to the individual; 2.6.4 for linking, retrieving or otherwise processing records relating to the individual held by it and another data user where the personal data comprised in those records has been collected by the respective data users for one particular purpose shared by both;

Note: For example, employees’ HKID Card numbers may be used for the linking of their records held by different data users under the Mandatory Provident Fund system. However, customers’ records held by two banks which comprise of personal data collected by each one of them for the purpose of marketing its own services should not be linked via HKID Card numbers contained in such records.

2.6.5 for a purpose required or permitted by any other code of practice from time to time in force under section 12 of the Ordinance; or 2.6.6 for a purpose to which the holder of the HKID Card has given his prescribed consent.

Note: Under section 2(3) of the Ordinance, “prescribed consent” means express consent given voluntarily which has not been withdrawn by notice in writing.

The following paragraphs seek to give practical effect to the Personal Data Security Safeguard Principle (Data Protection Principle 4): 2.7

Unless otherwise required or permitted by law, a data user should take all reasonably practicable steps to ensure that a HKID Card number and the name of the holder are not:

380

13_Data Protection_appendix_04A.indd 380

2016/6/27 2:00:46 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.7.11 displayed together publicly;

Note: For example, HKID Card numbers should not be displayed with the names of the holders in newspaper notices, unless required or permitted by law. On the other hand, the public display of HKID Card numbers for the purpose of identification, without the names or other identifying particulars of the individuals concerned, would not be affected by this paragraph.

or 2.7.2 made visible or otherwise accessible together to any person, other than a person who needs to carry out activities related to the permitted uses of the HKID Card number.

Note: For example, a visitor’s log book kept at the entrance counter of a building containing the names and HKID Card numbers of visitors should be kept under secure conditions at all times to prevent access by any persons other than the building management in the discharge of its duties.

2.8

A data user should not issue to an individual any card (not being a HKID Card or driving licence) bearing in a legible form the HKID Card number of that individual, including such number in its original or an altered form from which it is reasonably practicable to deduce the HKID Card number.



Note: For example, no staff card should be issued to an employee which bears on its face the staff number of the employee, being actually his HKID Card number in an altered form. To enable identification of the employee in legible

1. Paragraphs 2.7.1 and 2.8 of the Code concern the display of a HKID Card number by a data user intentionally. In the first edition of the Code issued in 1997, paragraph 2.7.1 and 2.8 sought to give practical effect to the Personal Data Security Safeguard Principle (Data Protection Principle 4). In 1999, the Administrative Appeals Board in the case AAB No. 5/1999 decided that as a matter of construction, Data Protection Principle 4 is applicable to the “storage (i.e. location); security measures in accessing (both in terms of the equipment and personnel) and transmission” of personal data and the activities, such as “access, process and erasure” which Data Protection Principle 4 seeks to avoid, must be “unauthorised and accidental” in nature. According to the decision of the Administrative Appeals Board, Data Protection Principle 4 is therefore not applicable in the circumstances in paragraphs 2.7.1 and 2.8 of the Code. In this revised edition, paragraphs 2.7.1 and 2.8 were amended accordingly to seek to give practical effect to the Personal Data Use Limitation Principle (Data Protection Principle 3).

381

13_Data Protection_appendix_04A.indd 381

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

form by an outsider, the presence of a photograph of that employee on the card which also bears a staff number (not related to his HKID Card number) will be sufficient. This paragraph does not affect the issuance of cards which have the HKID Card numbers of the holders printed on them in bar code or other forms that are not directly legible.

III. Copy of a HKID Card The following paragraphs seek to give practical effect to the Personal Data Collection Limitation Principle (Data Protection Principle 1): 3.1

Unless authorised by law, no data user may compulsorily require an individual to furnish a copy of his HKID Card.

3.2

A data user should not collect a copy of a HKID Card except: 3.2.1 where the use of the copy by the data user is necessary: 3.2.1.1 for any of the purposes mentioned in section 57(1) of the Ordinance (safeguarding security, defence or international relations in respect of Hong Kong); or 3.2.1.2 for any of the purposes mentioned in section 58(1) of the Ordinance (the prevention or detection of crime, the apprehension, prosecution or detention of offenders, the assessment or collection of any tax or duty, etc.);

Note: The above-mentioned purposes include the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons (section 58(1)(d) of the Ordinance refers). This paragraph would therefore include the collection from an individual of a copy of his HKID Card for the prevention or detection of any collusion between the individual and the staff member of the data user handling his case, in a transaction which offers a substantial opportunity for corruption to arise, for example, the processing of an application for public housing. It would also include the collection from an individual of a copy of his HKID Card for the prevention or

382

13_Data Protection_appendix_04A.indd 382

2016/6/27 2:00:46 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

detection of impersonation by such individual using a forged, lost or stolen HKID Card, in a transaction where such risk is not remote, for example, in the case of a solicitors’ firm acting for an individual in the sale and purchase of real property. or 3.2.2 where the collection of the HKID Card number of the individual by the data user is permissible under Part II of this Code, and the copy of the HKID Card is collected furthermore by the data user: 3.2.2.1 in order to provide proof of compliance with any statutory requirement on the part of the data user;

Note: For example, an employer may collect a copy of the HKID Card of an employee as proof of compliance on the part of the employer of section 17J of the Immigration Ordinance (Cap 115), which requires the employer to inspect the HKID Card of a prospective employee before employing him.

3.2.2.2 in order to comply with a requirement to collect such copy as contained in any codes, rules, regulations or guidelines applicable to the data user issued by a regulatory or professional body, which requirement has been endorsed in writing by the Commissioner as being in accordance with Data Protection Principle 1 of the Ordinance;

Note: For example, banks are permitted under this paragraph to collect copies of the HKID Card of their customers in compliance with the relevant requirement contained in the Money Laundering Guidelines issued by the Hong Kong Monetary Authority, which requirement has been endorsed in writing by the Commissioner.2

2. The Office of the Privacy Commissioner for Personal Data has not been asked to give written endorsement of the current Money Laundering Guidelines, probably because Schedule 2 to the Anti-Money Laundering and CounterTerrorist Financing (Financial Institutions) Ordinance (Cap 615) now specifies that a financial institution shall identify and verify a customer’s identity on the basis of documents provided by a governmental body. Be that as it may, the Commissioner will assess the collection of HKID Card numbers on a case-by-case basis.

383

13_Data Protection_appendix_04A.indd 383

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.2.2.3 as the means to collect or check the HKID Card number of the individual, who has been given the alternative of physical production of his HKID Card in lieu of collection of such copy by the data user but has chosen not to do so;

Note: For example, in applying for a driving licence, an applicant may choose to apply either in person, where he can produce his HKID Card for the Transport Department to check the HKID Card number, or by post where he has to enclose a copy of his HKID Card for the same purpose.



Although a data subject’s HKID Card number is predominantly collected by a data user through mail or fax of a copy of the HKID Card sent by the data subject, an option should still be given, if appropriate, to the data subject to provide his HKID Card number by producing his HKID Card in person. In the case of a service provider without any retail outlets, a data subject who may choose to present his HKID Card in person, instead of providing a copy of his HKID Card to the service provider, may be allowed to attend the office of the service provider to present his HKID Card.

3.2.2.4 to enable the issuance of an officially recognised travel document; or 3.2.2.5 for the exercise of a judicial or quasi-judicial function by the data user. 3.3

For the avoidance of doubt, nothing in paragraph 3.2.2 permits a data user to collect a copy of the HKID Card of an individual: 3.3.1 merely to safeguard against any clerical error in recording the name or HKID Card number of the individual;

Note: For example, while the HKID Card number of an individual may be recorded upon his admission to a building, his HKID Card copy should not be taken.

or

384

13_Data Protection_appendix_04A.indd 384

2016/6/27 2:00:46 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.3.2 merely in anticipation of a prospective relationship between the data user and the individual.

3.4

Note: For example, while it may be justifiable for an employer to obtain the HKID Card number of a job applicant, say for checking it against those of previous unsuccessful applicants, no HKID Card copy should be collected until the individual is successfully recruited.

Notwithstanding paragraph 3.2, the Immigration Department may collect a copy of the HKID Card for a purpose directly related to its operations where this is necessary to carry out the purpose concerned.

The following paragraphs seek to give practical effect to the Personal Data Accuracy Principle (Data Protection Principle 2(1)): 3.5

Where a data user collects a copy of a HKID Card from the holder in person, the data user should always check it against the HKID Card produced by the holder.



Note: For example, a solicitor’s clerk collecting a HKID Card copy from a new client should always check it against the original HKID Card produced by the client.

3.6

Where a data user has a general policy of accepting copies of HKID Cards collected from the holders in person by a third party, the data user should take all reasonably practicable steps to ensure that such copies have been checked against the HKID Cards produced by the holders upon collection by the third party.



Note: For example, in the case of the hire-purchase of a car, the finance company which accepts from the car dealer the HKID Card copy of a buyer should require that the car dealer has checked the original HKID Card of the buyer before collecting the copy.

3.7

A data user who has a general policy of accepting copies of HKID Cards provided by individuals as the means to collecting or checking the HKID Card numbers should: 3.7.1 provide adequate training to any member of its staff responsible for collecting such copies to reasonably enable him to detect any

385

13_Data Protection_appendix_04A.indd 385

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

irregularity which may appear on the face of a copy of a HKID Card; 3.7.2 set up a system of control whereby no copy so provided is accepted unless it has been carefully examined and no irregularity is found upon such examination; and 3.7.3 ensure that for any copy so accepted and subsequently retained, there is some indication on record that it has been collected without being checked against the original HKID Card. The following paragraph seeks to give practical effect to the Personal Data Use Limitation Principle (Data Protection Principle 3): 3.8

Subject to any applicable exemption from Data Protection Principle 3 provided by the Ordinance, a data user who has collected a copy of the HKID Card of an individual should not: 3.8.1 use the HKID Card number contained in the copy for any purpose except for a purpose which is permissible under paragraph 2.3 of this Code; or 3.8.2 use the copy or any item of personal data contained in such copy other than the name and HKID Card number for any purpose, except for the purpose for which it was collected pursuant to paragraph 3.2 or 3.4 or for a purpose to which the holder of the HKID Card has given his prescribed consent.

Note: For example, where a securities dealer has collected a copy of the HKID Card of a client in compliance with the relevant regulations of the stock exchange, information shown on the copy of the HKID Card, such as sex, date of birth etc. should not be used for direct marketing purposes. The meaning of the term “prescribed consent” is given in the note to paragraph 2.6.6.

The following paragraphs seek to give practical effect to the Personal Data Security Safeguard Principle (Data Protection Principle 4): 3.9

Save where it is required or permitted by law to do the contrary and subject to paragraph 3.10, a data user should not keep a copy of a HKID Card in

386

13_Data Protection_appendix_04A.indd 386

2016/6/27 2:00:46 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

paper form unless it is marked clearly and permanently on such copy, across the entire image of the HKID Card, the word “copy”, or “副本” in Chinese, or other words in English or Chinese to the same effect. Where the copy is collected by the data user in the presence of the holder of the HKID Card, such marking should be made at the time of collection in the presence of the holder.

Note: A corollary of this is that an individual who in person provides a copy of his HKID Card to a data user has the right to (and in fact should) insist on the marking of the copy being done before him.

3.10 Paragraph 3.9 does not apply to a copy of a HKID Card: 3.10.1 existing in a form other than paper form or pending conversion into such a form within a reasonable period;

Note: Common examples of different forms in which copies of HKID Cards are kept are imaged and microfilmed forms.

or 3.10.2 collected by a data user before the date on which paragraph 3.9 commences operation3 until such copy is used by the data user after such date. 3.11 A data user who collects a copy of a HKID Card should ensure that such copy is treated by all staff members concerned as a confidential document, and is kept under reasonably secure conditions with access restricted to individuals who need to carry out activities related to permitted uses of the copy. 3.12 Without prejudice to the generality of paragraph 3.11, a data user should not transmit a copy or image of a HKID Card, nor invite the transmission to itself of such copy or image, unless it has taken all reasonably practicable steps to ensure that no individual will have access to the image or copy so transmitted except the intended individual recipient or someone acting on the instructions of such intended recipient. Such steps should include:

3. 19 June 1998

387

13_Data Protection_appendix_04A.indd 387

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.12.1 in the case of fax or Internet transmission through a public network: 3.12.1.1 wherever practicable, the employment of technological safeguards to ensure secure transmission of the data and to prevent unauthorised access to the data transmitted;

Note: Some examples of such technological safeguards include access control, encryption, and techniques such as converting physical fax machines to fax-to-email systems, and applying security patches and the latest anti-virus signature to systems etc.

and 3.12.1.2 the employment of other safeguard of a non-technological nature, such as the using of a dedicated fax machine for such transmission and advance notification of an incoming fax; or 3.12.2 in the case of sending a copy of a HKID Card by mail, making sure that the copy is contained in a sealed envelope and the image of the HKID Card is not visible from the outside.

IV. Personal Identifiers Other than the HKID Card Number The following paragraphs seek to give practical effect to the Personal Data Collection Limitation Principle (Data Protection Principle 1): 4.1

Subject to paragraph 4.2, paragraphs 2.1, 2.2 and 2.3 apply with the modifications set out in paragraph 4.3 to personal identifiers other than the HKID Card number in the same way as they apply to the HKID Card number.

4.2

Where a data user has assigned a personal identifier other than the HKID Card number to an individual in relation to its function or activity, such personal identifier may subsequently be collected when such collection is necessary for a purpose that is directly related to that function or activity.

388

13_Data Protection_appendix_04A.indd 388

2016/6/27 2:00:46 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance



Note 1: This allows a data user that has assigned a personal identifier to an individual to collect that personal identifier for a purpose that is directly related to its operations. For example, a company may assign an employee number to its employees, which it may record for security purposes each time an employee enters or leaves a restricted area within the company premises.



Note 2: The paragraph also allows other persons to collect the personal identifier for purposes that are directly related to the operations of the assigning data user. For example, where a company dispatches an employee to a private household to carry out a service, the householder may record the employee number of the service engineer in order to identify the employee in, say, subsequent communication with the company.

4.3

The modifications referred to in paragraphs 4.1, 4.4, 4.6 and 4.7 are as follows:4.3.1 references to “HKID Card number” are to be construed as references to “personal identifiers other than the HKID Card number”; 4.3.2 references to the “holder” of a HKID Card are to be construed as references to “the individual to whom the personal identifiers relate”; and 4.3.3 references to “HKID Card” are to be construed as references to “the original of the identification document, if any, to which the personal identifier in question relates”.

Note: The identification document to which a personal identifier relates is the document issued to the individual for identification purposes containing the personal identifier concerned, for example, a passport in relation to a passport number.

The following paragraphs seek to give practical effect to the Personal Data Accuracy Principle (Data Protection Principle 2(1)): 4.4

Subject to paragraph 4.5, paragraph 2.4 applies with the modifications set out in paragraph 4.3 to personal identifiers other than the HKID Card number in the same way it applies to the HKID Card number.

389

13_Data Protection_appendix_04A.indd 389

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

4.5

Paragraph 2.4 as modified by paragraph 4.3 does not apply to the collection of a personal identifier pursuant to paragraph 4.2.

The following paragraph seeks to give practical effect to section 26 of the Ordinance and to the Personal Data Duration of Retention Principle (Data Protection Principle 2(2)): 4.6

Paragraph 2.5 applies with the modifications set out in paragraph 4.3 to personal identifiers other than the HKID Card number in the same way as they apply to the HKID Card number.

The following paragraphs seek to give effect to the Personal Data Use Limitation Principle (Data Protection Principle 3): 4.7

Subject to paragraph 4.8, paragraph 2.6 applies with the modifications set out in paragraph 4.3 to personal identifiers other than the HKID Card number in the same way as it applies to the HKID Card number.

4.8

A personal identifier other than the HKID Card number may be used for the purpose for which it was collected pursuant to paragraph 4.2.

V. All Personal Identifiers (Including the HKID Card Number) The following paragraph seeks to give practical effect to the Personal Data Security Safeguard Principle (Data Protection Principle 4): 5.1

A data user shall take all reasonably practicable steps to ensure the security of any system it controls for assigning a personal identifier to an individual. Such steps shall include all reasonably practicable measures to safeguard against the unauthorised assignment of the personal identifier to an individual and to prevent the unauthorised production of the identification documents, if any, it issues bearing the personal identifier that it assigns to the individual.

390

13_Data Protection_appendix_04A.indd 390

2016/6/27 2:00:46 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

VI. Exclusions For the avoidance of doubt, the following paragraph expressly excludes from the coverage of the Code personal identifiers (including the HKID Card number) in certain situations. 6.1

The following are not subject to the foregoing sections of the Code:6.1.1 any record of a personal identifier or a copy of a HKID Card held by an individual for purposes directly related to the management of the individual's personal, family or household affairs or for the individual's recreational purposes; 6.1.2 a personal identifier assigned to an individual who is deceased; and 6.1.3 a personal identifier being furnished without being recorded.

391

13_Data Protection_appendix_04A.indd 391

2016/6/27 2:00:46 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Code of Practice on Consumer Credit Data In the ordinary course of business, a credit provider, who subscribes to the services of a credit reference agency, may provide consumer credit data to the credit reference agency and in return obtain a credit report of the individual for credit checking and assessment. The Code gives practical guidance to data users on the handling of consumer credit data in compliance with the requirements of the Ordinance. It deals with collection, accuracy, retention, use, security, access and correction issues as they relate to personal data of individuals who are, or have been, applicants for consumer credit. The Code covers, on the one hand, credit reference agencies, and on the other hand, credit providers in their dealings with credit reference agencies and debt collection agents. The latest version of the Code took effect in January 2013.

Introduction This Code of Practice (“the Code”) has been issued by the Privacy Commissioner for Personal Data (“the Commissioner”) in the exercise of the powers conferred on him by PART III of the Personal Data (Privacy) Ordinance (Cap 486) (“the Ordinance”). Section 12 of the Ordinance empowers the Commissioner to issue such codes of practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users”. The Code was first notified in the Gazette on 27 February 1998. The related Gazette Notice, as required by section 12, specified that: (a)

the Code was to take effect on 27 November 1998; and

(b)

the Code was approved in relation to the following requirements under the Ordinance: sections 19(1), 23(1), 26 and Data Protection Principles 1, 2, 3, 4 and 6 of Schedule 1.

The first revision of the Code was notified in the Gazette on 8 February 2002. The related Gazette Notice specified that such revision shall take effect on 1 March 2002. The second revision of the Code was notified in the Gazette on 23 May 2003. The related Gazette Notice specified that such revision shall take effect on 2 June 2003.

392

13_Data Protection_appendix_04B.indd 392

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

The third revision of the Code was notified in the Gazette on 1 April 2011. The related Gazette Notice specified that such revision (save as such clauses as specified therein) shall take effect on 1 April 2011. Clauses 2.4.1A, 2.7B and 3.1.1A of the Code took effect on 1 July 2011. The fourth revision of the Code was notified in the Gazette on 28 December 2012. The related Gazette Notice specified that such revision shall take effect on 1 January 2013. The Code is designed to provide practical guidance to data users in Hong Kong in the handling of consumer credit data. It deals with collection, accuracy, use, security and access and correction issues as they relate to personal data of individuals who are, or have been, applicants for consumer credit. The Code covers, on one hand, credit reference agencies, and on the other hand, credit providers in their dealing with credit reference agencies and debt collection agencies. A breach of the Code by a data user will give rise to a presumption against the data user in any legal proceedings under the Ordinance. Basically the Ordinance provides (in section 13) that: (a)

where a code of practice has been issued in relation to any requirement under the Ordinance;

(b)

the proof of a particular matter is essential for proving a contravention of that requirement;

(c)

the specified body conducting the proceedings (a magistrate, a court, the Administrative Appeals Board or the Chairman of the Administrative Appeals Board) considers that any particular provision of the code of practice is relevant to that essential matter; and if

(d)

it is proved that that provision of the code of practice has not been observed;

then that essential matter shall be taken as proved unless there is evidence that the requirement under the Ordinance was actually complied with in a different way, notwithstanding the non-observance of the code of practice. Aside from legal proceedings, a failure to observe a code of practice by a data user will weigh unfavourably against the data user in any case brought before the Commissioner.

393

13_Data Protection_appendix_04B.indd 393

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Personal Data (Privacy) Ordinance Code of Practice on Consumer Credit Data

I

Interpretation

Unless the context otherwise requires, the terms used in this Code have the following meanings: 1.1

“Account” means any account between a credit provider and an individual that involves the provision of consumer credit, and includes any new account created as the result of any scheme of arrangement involving one or more previous accounts;

1.2

“Account data” means the account data referred to in Schedule 2. For account involving the provision of consumer credit to another person for whom an individual acts as mortgagor or guarantor, the account data of such account is, in addition to being account data relating to that other person as the borrower, deemed to be also account data relating to the individual to such extent as to reveal the contingent liability of the individual as mortgagor or guarantor;

1.3

“Account general data” means the account general data referred to in Schedule 2;

1.4

“Account repayment data” means the account repayment data referred to in Schedule 2;

1.5

“Banking Code” means the Code of Banking Practice issued jointly by the Hong Kong Association of Banks and the DTC Association and endorsed by the Hong Kong Monetary Authority, including any revision from time to time in force;

1.6

“Commissioner” means the Privacy Commissioner for Personal Data;

1.7

“Consumer credit” means any loan, overdraft facility or other kind of credit provided by a credit provider to and for the use of an individual, or to and for the use of another person for whom an individual acts as mortgagor or guarantor. For credit involving leasing or hire-purchase, an individual

394

13_Data Protection_appendix_04B.indd 394

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

acquiring motor vehicles, equipment or vessels financed by a credit provider by way of leasing or hire-purchase is deemed to be provided with credit by the credit provider to the extent of the value of those goods, any amount overdue under the lease or hire-purchase agreement is deemed to be an amount in default under the individual’s account with the credit provider, and all related terms and expressions are to be construed accordingly; 1.8

“Consumer credit data” means any personal data concerning an individual collected by a credit provider in the course of or in connection with the provision of consumer credit, or any personal data collected by or generated in the database of a CRA (including the mortgage count) in the course of or in connection with the providing of consumer credit reference service;

1.9

“Consumer credit reference service” means the service of compiling and/or processing personal data (including consumer credit scoring), for disseminating such data and any data derived therefrom to a credit provider for consumer credit purposes and, for performing any other functions directly related to consumer credit transactions;

1.10 “Consumer credit scoring” means the process whereby personal data relating to an individual held in the database of a CRA is used, either separately or in conjunction with other information held in the system, for the purpose of generating a score (being information statistically validated to be predictive of future behaviour or the degree of risk of delinquency or default associated with the provision or continued provision of consumer credit) to be included in a credit report on the individual; 1.11 “CRA” means credit reference agency, which in turn means any data user who carries on a business of providing a consumer credit reference service, whether or not that business is the sole or principal activity of that data user; 1.12 “Creation”, in relation to consumer credit data held by a CRA, means the entering of such data into the database of the CRA; 1.13 “Credit provider” means any person described in Schedule 1; 1.14 “Credit report” provided by a CRA on an individual means a disclosure made by the CRA, in whatever form, of consumer credit data relating to such individual held in its database;

395

13_Data Protection_appendix_04B.indd 395

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1.15 “DCA” means debt collection agency; 1.16 “DPP” means data protection principle; 1.17

[Omitted as spent on 1 April 2011];

1.18 “Hire-purchase, leasing or charge account” means an account involving the hire-purchase or leasing of, or the creation of a charge over, motor vehicles, equipment, vessels or other assets excluding real estate property; 1.19 “Loan restructuring arrangement” means any scheme of arrangement in relation to debts owed by an individual consequent upon a default in the repayment of those debts; 1.20 “Material default” means a default in payment for a period in excess of 60 days; 1.21 “Mortgage loan” means a loan secured or to be secured by residential (including uncompleted units and properties under the Home Ownership Scheme, Private Sector Participation Scheme, Tenants Purchase Scheme, and any other subsidised home purchase scheme offered by the Government of the Hong Kong Special Administrative Region from time to time), retail, commercial or industrial properties, unless otherwise specified and reference to “mortgage” shall be construed accordingly; 1.22 “Mortgage count” means the number of mortgage loans under which an individual is a borrower, mortgagor and/or guarantor; 1.23 “Ordinance” means the Personal Data (Privacy) Ordinance (Cap 486); 1.24 “Prescribed consent” means the express consent of an individual given voluntarily but does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served); 1.25 “Reporting period”, in relation to an account, means the period between 1 April 2011 and the date on which account data is provided by the credit provider to the CRA for the first time, and, thereafter, the period (not exceeding 31 days) between each successive instance of providing such data;

396

13_Data Protection_appendix_04B.indd 396

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

1.26 “Scheme of arrangement” means any restructuring, rescheduling or other modification of terms of whatsoever nature in relation to debts owed by an individual, whether as borrower, as mortgagor or as guarantor, towards a single creditor or more than one creditor; 1.27 “Suspected abnormal access” means the occurrence of access on five or more occasions within a period of 31 days made by the same credit provider seeking access to the consumer credit data of a particular individual held by a CRA, in connection with the review of existing consumer credit facilities pursuant to clause 2.9.1.2, 2.9A.2, 2.9A.4, 2.9A.5, 2.10A.2 , 2.10A.3 or 2.10A.4 of the Code; 1.28 “Transitional period” means the period of 24 months beginning on 1 April 2011 and ending on 31 March 2013. 1.29 “Termination of the account”, “account termination” or other word that connotes an account being terminated means closure for any further business between the credit provider and the borrower of the account after being fully repaid subject to the agreed terms and conditions then in force. For avoidance of doubt, any amount being written off in full or in part is not considered as repayment. Words and expressions importing the masculine gender include the feminine, and words and expressions in the singular include the plural, and vice versa.

II

The Handling of Consumer Credit Data by Credit Providers

Notification to Customer by Credit Provider Notification upon Application for Consumer Credit 2.1

A credit provider who provides consumer credit data (excluding the data relating to mortgage loan) to a CRA or, in the event of default, to a DCA, shall, on or before collecting the personal data of an individual applicant for consumer credit, take all reasonably practicable steps to provide to such individual a written statement setting out clearly the following information:1

1. If a credit provider fails to take all reasonably practicable steps to give to the individual applicant a written statement as described in clause 2.1, this will give rise to a presumption of contravention of DPP1(3) under section 13(2) of the Ordinance.

397

13_Data Protection_appendix_04B.indd 397

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.1.1 that the data may be so supplied to a CRA and/or, in the event of default to a DCA; 2.1.2 that the individual has the right to be informed, upon request, about which items of data are routinely so disclosed, and his right to be provided with further information to enable the making of a data access and correction request to the relevant CRA or DCA, as the case may be; 2.1.3 [Omitted as spent on 1 January 2013] 2.1.3A

that, in the event of any default in repayment, unless the amount in default is fully repaid or written off (otherwise than due to a bankruptcy order) before the expiry of 60 days from the date such default occurred, the individual shall be liable to have his account repayment data retained by the CRA until the expiry of 5 years from the date of final settlement of the amount in default;

2.1.3B

that, in the event of any amount being written off due to a bankruptcy order being made against the individual, the individual shall be liable to have his account repayment data retained by the CRA, regardless of whether the account repayment data reveal any material default, until the earlier of the expiry of 5 years from the date of final settlement of the amount in default or the expiry of 5 years from the date of the individual’s discharge from bankruptcy as notified to the CRA by such individual with evidence; and

2.1.4 that the individual, upon termination of the account by full repayment and on condition that there has not been, within 5 years immediately before account termination, any material default on the account, will have the right to instruct the credit provider to make a request to the CRA to delete from its database any account data relating to the terminated account.2

2. See clause 2.15 for the duty of the credit provider to make such a request to the CRA upon the individual’s instructions.

398

13_Data Protection_appendix_04B.indd 398

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.1A [Omitted as spent on 1 January 2013] 2.1B A credit provider who provides consumer credit data relating to mortgage loan to a CRA or, in the event of default, to a DCA, shall, on or before collecting the personal data of an individual applicant for mortgage loan, take all reasonably practicable steps to provide to such individual a written statement setting out clearly the information in clauses 2.1.1, 2.1.2, 2.1.3A, 2.1.3B and 2.1.4 above with respect to data relating to mortgage loan and in addition thereof, the credit provider shall state explicitly that the mortgage account general data (as defined in clause 2.4.4A) will be so supplied to the CRA for generating the mortgage count for sharing in the consumer credit database of CRA by credit providers.3 Notification upon Default 2.2

[Omitted as spent on 1 January 2013]

2.2A Where the credit provider has provided consumer credit to an individual and the account is subsequently in default, the credit provider shall, as a recommended practice, give to such individual within 30 days from the date of default a written reminder stating that unless the amount in default is fully repaid or written off (otherwise than due to a bankruptcy order) before the expiry of 60 days from the date of the default, the individual shall be liable to have his account repayment data retained by the CRA until the expiry of 5 years from the date of final settlement of the amount in default or 5 years from the date of the individual’s discharge from bankruptcy as notified to the CRA, whichever is earlier. Notification upon Account Termination 2.3

Upon the termination of the account by full repayment (excluding payment by refinancing of the debit balance on the account by the credit provider), the credit provider shall, as a recommended practice, give to the individual a written reminder of his right (on condition that there has not been, within 5 years immediately before account termination, any material default on

3. If a credit provider fails to take all reasonably practicable steps to give to the individual applicant a written statement as described in clause 2.1B, this will give rise to a presumption of contravention of DPP1(3) under section 13(2) of the Ordinance.

399

13_Data Protection_appendix_04B.indd 399

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the account) to instruct the credit provider to make a request to the CRA to delete from its database any account data or mortgage account general data relating to the terminated account.4

Providing of Consumer Credit Data by Credit Provider to CRA Scope of Data to be Provided 2.4

Where a credit provider has collected any consumer credit data in relation to an individual, subject to compliance with clauses 2.5 and 2.6, it may thereafter provide to a CRA any of following items of consumer credit data:5



Where the consumer credit data are not collected in relation to a mortgage loan 2.4.1 [Omitted as spent on 1 July 2011] 2.4.1A general particulars of the individual, being: name, address, contact information, date of birth, Hong Kong Identity Card Number or travel document number; 2.4.2 credit application data (being the fact that the individual has made an application for consumer credit, the type and the amount of credit sought) that do not relate to a mortgage loan; 2.4.3 account data as described in Schedule 2, provided that the credit provider shall not provide to the CRA: 2.4.3.1

account data of any account which has been terminated by full repayment (excluding payment by refinancing of the debit balance on the account by the credit provider) prior to 2 June 2003; or

4. See clause 2.15 for the duty of the credit provider to make such a request to the CRA upon the individual’s instructions. 5. If, in the absence of any applicable exemption, a credit provider provides to a CRA any consumer credit data other than those permitted under this clause, this will give rise to a presumption of contravention of DPP3(1) under section 13(2) of the Ordinance.

400

13_Data Protection_appendix_04B.indd 400

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.4.3.2

account repayment data held by it prior to 2 June 2003 of any account which already existed prior to 2 June 2003 and continues to exist after that date, unless such account repayment data reveal an outstanding default on 2 June 2003, in which case, the credit provider may provide to the CRA the default data relating to such default;

2.4.3.3

[Omitted as spent on 1 April 2011]

2.4.3A credit card loss data, being: 2.4.3A.1 notice that the credit provider, as card issuer, has suffered financial loss as the result of an unauthorized transaction carried out through the use of a credit card that has been reported lost, for an amount in excess of the maximum liability of the individual before notification to the card issuer of the loss of the card; 2.4.3A.2 the amount of such maximum liability and the amount of financial loss suffered by the card issuer; 2.4.3A.3 the reported date of the loss of the credit card, and the date of such report; and 2.4.3A.4 a description of the event (misplacement of wallet, theft, robbery, etc.) reported to have given rise to the loss of the credit card and any follow-up action including, where applicable, any report to the police, subsequent investigation or prosecution and result, finding of the lost card, etc. 2.4.4 [Omitted as spent on 1 April 2011]

Where the consumer credit data is collected in relation to a mortgage loan 2.4.4A

mortgage account general data, being: (i) name of the individual;

401

13_Data Protection_appendix_04B.indd 401

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(ii) capacity of the individual (i.e. whether as borrower, mortgagor or guarantor); (iii) Hong Kong Identity Card Number or travel document number; (iv) date of birth; (v) address; (vi) account number; (vii) type of the facility; (viii) account status (active, closed, write-off, etc.); (ix) account closed date, provided that the credit provider shall not provide to the CRA:2.4.4A.1 the mortgage account general data of any account relating to a mortgage loan which has been terminated by full repayment prior to 1 April 2011; or 2.4.4A.2 the mortgage account general data of any account relating to a mortgage loan which already existed prior to 1 April 2011 and continues to exist after that date unless:(i) the credit provider has obtained the prescribed consent of the individual to whom the data relates for disclosure of the mortgage account general data to the CRA; or (ii) the repayment data of such account reveals a currently outstanding material default, in which case, the credit provider may provide to the CRA the account general data together with the default data relating to such material default; 2.4.4B mortgage application data (being the fact that the individual has

402

13_Data Protection_appendix_04B.indd 402

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

made an application for mortgage loan) provided that the credit provider has obtained the prescribed consent of the individual; and 2.4.4C where there is any outstanding material default of a mortgage loan which is granted on or after 1 April 2011, the credit provider may provide to the CRA the account general data together with the default data relating to such material default. Accuracy of Data Provided 2.5

Before a credit provider provides any consumer credit data to a CRA, it shall have taken reasonably practicable steps to check such data for accuracy. If subsequently the credit provider discovers any inaccuracy in the data which has been provided to the CRA, it shall update such data held in the database of the CRA as soon as reasonably practicable.6

Providing of Disputed Data 2.6

Whenever a credit provider provides to a CRA any consumer credit data disputed by the individual to whom such data relates, this shall be accompanied by an indication of the existence of the dispute. If at any subsequent time the dispute has ended, the credit provider shall as soon as reasonably practicable update the data held by the CRA accordingly.7

Updating of Account Data 2.7

[Omitted as spent on 1 July 2011]

2.7A Without prejudice to the generality of clauses 2.4, 2.5 and 2.6, but subject to clause 2.7B, where a credit provider has provided any account data or mortgage account general data to a CRA:

6. If a credit provider fails to have taken reasonably practicable steps to check the accuracy of the data before providing such data to a CRA, or if it fails to update the data held in the database of the CRA after discovering such accuracy, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance. 7. If a credit provider provides to a CRA any consumer credit data disputed by the individual to whom such data relates without accompanying the data with an indication of the existence of such dispute, or if the credit provider, having accompanied the data with such an indication, fails to update the data held by the CRA as soon as reasonably practicable after the dispute has ended, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance.

403

13_Data Protection_appendix_04B.indd 403

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.7A.1 the credit provider shall thereafter continue to update such account data or mortgage account general data promptly or, in any event, by the end of each reporting period not exceeding 31 days, until the account is terminated or written-off, whereupon the credit provider shall promptly update the account data to indicate such termination or write-off; and 2.7A.2 in addition, the credit provider shall update as soon as reasonably practicable the account data or mortgage account general data held in the database of the CRA upon the occurring of any of the following events:8 2.7A.2.1 the repayment in full or in part of any amount in default; 2.7A.2.2 a scheme of arrangement being entered into with the individual; 2.7A.2.3 the final settlement of the amount payable pursuant to such a scheme of arrangement; or 2.7A.2.4 the write-off of any amount whether or not the amount has been in default or the subsequent repayment in full or in part of the written off amount. 2.7B In the event that the individual makes a request to the credit provider for updating under the circumstances in clauses 2.7A.2.1 to 2.7A.2.4 above, the credit provider shall update the account data or mortgage account general data of the individual held in the database of the CRA promptly but in any event not later than 14 days from the date of receiving the request.9

8. If a credit provider fails to update any account data provided to a CRA in accordance with clause 2.7A, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance. 9. If a credit provider fails to update any account data provided to a CRA in accordance with clause 2.7B, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance.

404

13_Data Protection_appendix_04B.indd 404

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Access by Credit Provider to Consumer Credit Data Held by CRA Access for Updating 2.8

A credit provider may at any time, for the purpose of providing or updating consumer credit data on an individual, access from a CRA such consumer credit data on the individual as was previously provided by it to the CRA.10

Access through Credit Report 2.9

Without prejudice to the generality of clause 2.8 but subject to clauses 2.9A and 2.10A, a credit provider may, through a credit report provided by a CRA, access consumer credit data (except mortgage count) held by the CRA on an individual:11 2.9.1 in the course of:



2.9.1.1

the consideration of any application for grant of consumer credit;

2.9.1.2

the review of existing consumer credit facilities granted; or

2.9.1.3

the renewal of existing consumer credit facilities granted,

to the individual as borrower or to another person for whom the individual proposes to act or acts as mortgagor or guarantor; or

2.9.2 for the purpose of the reasonable monitoring of the indebtedness of the individual while there is currently a default by the individual as borrower, mortgagor or guarantor,

and for the purpose of clauses 2.9.1.2, 2.9A.2, 2.9A.4, 2.9A.5, 2.10A.2, 2.10A.3, 2.10A.4 and other related clauses, the word “review” means

10. If the credit provider accesses any of the consumer credit data held by a CRA in situations other than those provided for in clauses 2.8, 2.9, 2.9A or 2.10A, this will give rise to a presumption of contravention of DPP1(1) and/or DPP1(2) under section 13(2) of the Ordinance. 11. For the consequence of a credit provider accessing the consumer credit data held by a CRA in situations other than those provided for in clauses 2.9 and 2.9A, see Note 10 to clause 2.8 above.

405

13_Data Protection_appendix_04B.indd 405

2016/6/27 2:00:53 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

consideration by the credit provider of any of the following matters (and those matters only) in relation to the existing credit facilities, namely: 2.9.3 an increase in the credit amount; 2.9.4 the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); or 2.9.5 the putting in place or the implementation of a scheme of arrangement with the individual. 2.9A Without prejudice to the generality of clause 2.8 but subject to clause 2.10A, a credit provider may, with the written consent from the individual and through a credit report provided by a CRA, access the mortgage count held by the CRA on an individual12 in the course of: 2.9A.1 the consideration of any application for grant of a mortgage loan; 2.9A.2 the review of existing mortgage loans granted; 2.9A.3 the consideration of any application for grant of consumer credit facilities (other than mortgage loan); 2.9A.4 the review of existing consumer credit facilities granted (other than mortgage loan); 2.9A.5 the review under the circumstances in clauses 2.10A.2, 2.10A.3 and 2.10A.4 for any existing consumer credit facilities granted; 2.9A.6 the renewal of existing mortgage loans granted; or 2.9A.7 the renewal of existing consumer credit facilities granted (other than mortgage loan),

to the individual as borrower or to another person for whom the individual

12. If the credit provider accesses the mortgage count held by a CRA in situations other than those provided for in clause 2.9A, this will give rise to a presumption of contravention of DPP1(1) and/or DPP1(2) under section 13(2) of the Ordinance.

406

13_Data Protection_appendix_04B.indd 406

2016/6/27 2:00:53 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

proposes to act or acts as mortgagor or guarantor and for the purposes of clauses 2.9A.3, 2.9A.4 and 2.9A.7, the consumer credit facilities granted or to be granted shall be of an amount not less than such level or be determined by a mechanism as prescribed or approved by the Commissioner from time to time. Access to Mortgage Count during Transitional Period 2.10 [Omitted as spent on 1 April 2011] 2.10A Notwithstanding clause 2.9A, a credit provider shall not, during the transitional period, be entitled to access the mortgage count of an individual through a credit report, unless the access is made with the written consent of the individual and under any of the following circumstances:13 2.10A.1 in the course of considering any application for grant of a mortgage loan to the individual, or to another person for whom the individual proposes to act as mortgagor or guarantor; 2.10A.2 in the course of the review of existing credit facilities currently in material default, with a view to putting in place a loan restructuring arrangement by the credit provider; 2.10A.3 in the course of the review of existing credit facilities, where there is in place a loan restructuring arrangement between the individual and the credit provider (whether or not other parties are also involved), for the implementation of the said arrangement by the credit provider; or 2.10A.4 in the course of the review of existing credit facilities, with a view to putting in place a scheme of arrangement with the individual initiated by a request from the individual.

13. If the credit provider accesses the mortgage count during the transitional period in circumstances other than those provided for in clause 2.10A, this will give rise to a presumption of contravention of DPP1(1) and/or DPP1(2) under section 13(2) of the Ordinance.

407

13_Data Protection_appendix_04B.indd 407

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Confirmation to CRA upon Access 2.11 On each occasion of accessing any consumer credit data held by a CRA, the credit provider shall confirm to the CRA for its record:14 2.11.1 the circumstances provided for in clause 2.8, 2.9, 2.9A or 2.10A under which the access has been made; and 2.11.2 in the case where the access has been made in the course of the review of existing consumer credit facilities under clause 2.9.1.2, 2.9A.2, 2.9A.4, 2.9A.5, 2.10A.2, 2.10A.3 or 2.10A.4 above, the specific matter or matters provided for in clause 2.9.3, 2.9.4 or 2.9.5 above that has been considered upon such a review. No Access for Direct Marketing 2.12 A credit provider is prohibited from accessing the consumer credit data of an individual held by a CRA for the purpose of offering or advertising the availability of goods, facilities or services to such individual.15 For the avoidance of doubt, this clause does not prohibit a credit provider from accessing the consumer credit data of its existing customers in the course of the review or renewal of existing consumer credit facilities under the circumstances as provided under clauses 2.9.1.2, 2.9.1.3, 2.9A.2, 2.9A.4, 2.9A.5, 2.9A.6, 2.9A.7, 2.10A.2, 2.10A.3 and 2.10A.4.

Notification to Individual of Access to Consumer Credit Data Notification of Access for Considering Credit Application 2.13 Where a credit provider has been provided by a CRA with a credit report on an individual and has considered such credit report in connection with

14. If the credit provider, on accessing any consumer credit data held by the CRA, fails to give to the CRA the confirmation referred to in this clause 2.11, or gives a confirmation that is not truthful, this will give rise to a presumption of contravention of DPP1(2) under section 13(2) of the Ordinance. 15. If the credit provider accesses the consumer credit data of an individual held by a CRA for the purpose of offering or advertising the availability of goods, facilities or services to such individual , this will give rise to a presumption of contravention of DPP1(2) and/ or DPP3(1) under section 13(2) of the Ordinance.

408

13_Data Protection_appendix_04B.indd 408

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

an application for consumer credit by that individual, the credit provider shall, in its notification to the individual of its decision on the application, give notice of the fact that a credit report has been so considered. The credit provider shall also inform the individual how to contact the CRA who provided the credit report, for the purpose of making access to a copy of the credit report for free under clause 3.18 and, where appropriate, to make a data correction request under the Ordinance.16 If a correction request made by the individual is subsequently complied with by the CRA, the credit provider shall, at the request of the individual, use a new credit report obtained from the CRA as a basis for its reconsideration of the credit application.17 Notification of Access for Review 2.14 Where a credit provider accesses the consumer credit data of an individual held by a CRA for the purpose of the review of existing consumer credit facilities (whether within or outside the transitional period): 2.14.1 the credit provider shall, before making such access, take such steps as may be reasonably practicable in the circumstances to notify the individual of:18 2.14.1.1 the fact that his data is being so accessed upon the review of his existing consumer credit facilities; and 2.14.1.2 the specific matter or matters, as provided for in clause 2.9.3, 2.9.4 or 2.9.5, to be considered by the credit provider upon such a review,

16. If the credit provider fails to notify the individual of the fact that a credit report has been considered, or fails to inform such individual how to contact the CRA who provided the credit report, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance. 17. If, despite the request of the individual whose consumer credit data held by the CRA has been corrected, the credit provider fails to use a new credit report obtained from the CRA as a basis for its reconsideration of the credit application, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance. 18. If the credit provider, in situations other than those mentioned in clause 2.14.1.3 or 2.14.1.4, fails to take such steps as may be reasonably practicable in the circumstances to give prior notification to the individual of the matters provided for in clauses 2.14.1.1 and 2.14.1.2, this will give rise to a presumption of contravention of DPP1(2) under section 13(2) of the Ordinance.

409

13_Data Protection_appendix_04B.indd 409

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



except that no such notification by the credit provider shall be necessary: 2.14.1.3 where the review of existing consumer credit facilities has been initiated by a request from the individual; or 2.14.1.4 where there is in place, at the time of the access, a loan restructuring arrangement in relation to debts owed by the individual to the credit provider; and

2.14.2 the credit provider shall, upon making such access, create, and thereafter keep for a period of 2 years, an internal record of the notification given to the individual pursuant to clause 2.14.1 or, where applicable, the specific matter as provided for in clause 2.14.1.3 or 2.14.1.4 which made such a notification unnecessary.19

Request to CRA for Deletion of Data after Account Termination Request on Instructions from Individual 2.15 Where a credit provider has provided to a CRA any account data or mortgage account general data relating to an account, if within 5 years after account termination, the credit provider receives instructions from the individual to whom such account relates (or, if the account relates to more than one individuals, their joint instructions) to make a request to the CRA to delete such account data or mortgage account general data from its database, the credit provider shall, as soon as reasonably practicable upon the receiving of the instructions, check from its own records whether both of the following conditions are satisfied, namely: 2.15.1 that the account has been settled by full payment (other than payment by refinancing of the debit balance on the account by the credit provider); and

19. If the credit provider, upon accessing the consumer credit data of an individual held by a CRA for the purpose of the review of existing consumer credit facilities, fails to create, or thereafter fails to keep for a period of 2 years, the internal record referred to in clause 2.14.2, this will give rise to a presumption of contravention of DPP1(2) under section 13(2) of the Ordinance.

410

13_Data Protection_appendix_04B.indd 410

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.15.2 that there has not been, within 5 years immediately before account termination, any material default on the account (whether or not such default period fell entirely within those 5 years),

and shall, upon verifying that both conditions are satisfied, make the request to the CRA as soon as reasonably practicable, or alternatively, upon verifying that one of the said conditions is not satisfied, notify the individual as soon as reasonably practicable its rejection of the instructions, and the reason for such rejection.20

Providing of Consumer Credit Data by Credit Provider to DCA Matters To Be Satisfied with before Providing Data 2.16 On or before providing any consumer credit data to a DCA for debt collection against an individual, a credit provider shall ensure that:21 2.16.1 a formal contract has been executed to require, or written instructions have been issued under such a contract to require, the DCA to (i) follow such conduct as stipulated by the Banking Code or similar industry codes (if any) in relation to debt collection activities; (ii) prevent any consumer credit data transferred to it from being kept longer than necessary for debt collection; and (iii) prevent authorized or accidental access, processing, erasure, loss or use of the data transferred to it for debt collection; and 2.16.2 the credit provider is satisfied with the reputation of such DCA, on the basis of previous dealings with the DCA or other reasonable grounds, that the agency will fully comply with the requirement as aforesaid.

20. If the credit provider fails to handle the instructions from the individual for the deletion of the account data in accordance with this clause 2.15, this will give rise to a presumption of contravention of DPP2(2) under section 13(2) of the Ordinance. 21. If the credit provider fails to ensure the matters set out in this clause before providing any consumer credit data to a DCA, this will give rise to a presumption of contravention of DPP2(3),DPP3(1)and/or DPP4(2)under section 13(2) of the Ordinance.

411

13_Data Protection_appendix_04B.indd 411

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Data To Be Provided 2.17 Subject to clause 2.16, if a credit provider engages a DCA for collection against an individual in default, it may provide to the agency only information relating directly to the individual consisting of the following:22 2.17.1 particulars to enable identification and location of the individual, including address and contact information; 2.17.2 the nature of the credit; 2.17.3 amount to be recovered and details of any goods subject to repossession. Accuracy of Data Provided 2.18 A credit provider shall only provide consumer credit data to a DCA after checking the data for accuracy. If the amount in default is subsequently repaid in full or in part, or if any scheme of arrangement is entered into with the individual, or if the credit provider discovers any inaccuracy in the data which has been provided to and which the credit provider reasonably believes is being retained by the DCA, the credit provider shall notify the DCA as soon as reasonably practicable of such fact.23

Data Security and System Integrity Safeguards by Credit Provider Engagement of CRA 2.19 In deciding on the engagement of a CRA for the provision of consumer credit reference service, and in considering, from time to time, the continued engagement of such CRA, a credit provider shall treat as an

22. If the credit provider provides to a DCA any consumer credit data relating to an individual other than those permitted under this clause 2.17, this will give rise to a presumption of contravention of DPP3(1) under section 13(2) of the Ordinance. 23. If the credit provider fails to check the accuracy of the data before providing such data to a DCA, or if it fails to notify the DCA of any inaccuracy of the data that it has provided to the DCA after discovering such inaccuracy, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance.

412

13_Data Protection_appendix_04B.indd 412

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

important criterion the demonstration by the CRA of its compliance with the requirements under the Ordinance and the Code, including compliance with the recommended good practice laid down in clauses 3.14 to 3.17 below, regarding the security of consumer credit data.24 Measures To Take in Preparation for Subscription to Consumer Credit Reference Service 2.20 On or before a credit provider’s subscription to the consumer credit reference service of a CRA, the credit provider shall take appropriate measures, including the following, to safeguard against any improper access to or mishandling of consumer credit data:25 2.20.1 develop written guidelines and disciplinary procedures specifying the controls and procedures to be followed by its staff in relation to the access to and the use of a CRA’s database; 2.20.2 establish controls, including but not limited to password controls, to ensure that only authorized staff are allowed access to a CRA’s database; and 2.20.3 enter into a formal written agreement with the CRA whose consumer credit reference service is being subscribed for, which shall specify: 2.20.3.1 the duty of both parties to comply with the Code in providing and in utilizing the consumer credit reference service; 2.20.3.2 the conditions under which the credit provider may access consumer credit data held by the CRA; and

24. If the credit provider, in deciding on the engagement of the CRA and in considering, from time to time, the continued engagement of such CRA, fails to treat as an important criterion the demonstration by the CRA of its compliance with the requirements under the Ordinance and the Code regarding the security of consumer credit data, this will give rise to a presumption of contravention of DPP4(1) under section 13(2) of the Ordinance. 25. If a credit provider, in preparation for subscription to a consumer credit reference service, fails to take any of the measures required under clause 2.20 to safeguard against any improper access to or mishandling of consumer credit data held by it, this will give rise to a presumption of contravention of DPP4(1) under section 13(2) of the Ordinance.

413

13_Data Protection_appendix_04B.indd 413

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.20.3.3 the controls and procedures to be applied when the credit provider seeks access to the CRA’s database. Measures To Take in Daily Operations 2.21 A credit provider shall take appropriate measures, including the following, to safeguard against any improper access to or mishandling of consumer credit data in its daily operations:26 2.21.1 the credit provider shall maintain a system whereby its senior management is provided with regular reports regarding instances of access to a CRA’s database made during the period since the last report, to facilitate overall monitoring and to enable the detection of anomalous trends in access, if any; 2.21.2 in case any anomalous trends in access have been identified, or upon receiving from a CRA a report of suspected abnormal access pursuant to clause 3.13.1, the credit provider shall as soon as reasonably practicable conduct an internal investigation to ascertain whether such anomalous trends in access or suspected abnormal access (as the case may be) has been the result of: 2.21.2.1 improper access or other mishandling of data by any person (including but not limited to its staff), in contravention of the requirements under the Ordinance or of the Code; or 2.21.2.2 any defect in its system of handling consumer credit data which may have enabled or facilitated such improper access or mishandling; 2.21.3 if as the result of the investigation, the credit provider discovers any improper access, mishandling or defect as aforesaid, the credit provider shall, as soon as reasonably practicable, take appropriate action to prevent any further improper access or mishandling or to rectify the defect, as the case may be (including but not limited to disciplinary action against its staff, or reporting any case of suspected

26. If a credit provider, in its daily operations, fails to take any of the measures required under clause 2.21 to safeguard against any improper access to or mishandling of consumer credit data held by it, this will give rise to a presumption of contravention of DPP4(1) under section 13(2) of the Ordinance.

414

13_Data Protection_appendix_04B.indd 414

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

contravention of the Ordinance or other laws to the Commissioner or other relevant authorities, as the case may be); 2.21.4 the credit provider shall maintain a log of: 2.21.4.1 all instances of anomalous trends in access identified by it, and all reports of suspected abnormal access made to it by a CRA; 2.21.4.2 the actions taken by it as a result of the above, including a description of the investigation undertaken, the result and any action taken consequent thereon; and 2.21.4.3 attempts made by it to access account data or mortgage count held by a CRA for the purpose of the review of existing consumer credit facilities, including the specific matter or matters provided for in clause 2.9.3, 2.9.4 or 2.9.5 that has been considered upon such a review;

and shall keep such log for not less than two years for examination by the Commissioner if and when required; and

2.21.5 the credit provider shall review on a regular and frequent basis its password controls which help to ensure that only authorized staff are allowed access to a CRA’s database.

III The Handling of Consumer Credit Data by Credit Reference Agencies Collection of Consumer Credit Data by CRA Scope of Data to be Collected 3.1

A CRA may, for the consumer credit reference service which it provides, collect the following items of personal data:27 3.1.1 [Omitted as spent on 1 July 2011]

27. If a CRA, for the consumer credit reference service which it provides, collects personal data other than those permitted under clause 3.1, this will give rise to a presumption of contravention of DPP1(1) under section 13(2) of the Ordinance.

415

13_Data Protection_appendix_04B.indd 415

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.1.1A general particulars of an individual as follows: name, address, contact information, date of birth, Hong Kong Identity Card Number or travel document number; 3.1.2 consumer credit data as permitted to be provided by a credit provider to the CRA under clause 2.4, including the identity of the credit provider and the date of the providing of such data; 3.1.3 [Omitted as spent on 1 January 2013] 3.1.3A public record and related data, being data in official records that are publicly available relating to any action for the recovery of a debt or judgements for monies owed entered against the individual, and any declaration or discharge of bankruptcy appearing on official records or as notified to the CRA by the individual pursuant to clauses 3.3.2 and 3.4B.2; 3.1.4 watch list data, being a list of credit providers who wish to be notified and provided information to assist in debt collection if an individual in default has reappeared in the system; 3.1.5 file activity data, being record of a credit provider accessing an individual’s personal data held by the CRA under the consumer credit reference service provided; 3.1.6 credit score data, being the score that results or resulted from applying consumer credit scoring to an individual; 3.1.7 notification by the Transport Department under clause 3.10.2; and 3.1.8 any other type of personal data as described in Schedule 3 subject to the conditions therein mentioned, as may from time to time be amended by the Commissioner.

Retention of Consumer Credit Data by CRA Retention of Account General Data or Mortgage Account General Data 3.2

Where a CRA has collected from a credit provider any account general data or mortgage account general data, the CRA may thereafter retain the same

416

13_Data Protection_appendix_04B.indd 416

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

in its database for so long as there remain in such database any account repayment data relating to the same account or until the termination of the account, whichever is later.28 Retention of Account Repayment Data Revealing Material Default 3.3



Where a CRA has collected from a credit provider any account repayment data relating to an individual that reveals a material default, the CRA may thereafter retain the account repayment data in its database until the earlier of:29 3.3.1

the expiry of 5 years from the date of final settlement of the amount in default (or final settlement of the amounts payable pursuant to a scheme of arrangement with the credit provider); or

3.3.2

the expiry of 5 years from the date of the individual’s discharge from bankruptcy, as notified to the CRA by such individual and evidenced by the relevant certificate of discharge issued by the Court of First Instance or by a written notice from the Official Receiver stating that the Official Receiver has no objection to a certificate of discharge being issued to the individual,

irrespective of any write-off by the credit provider of the amount in default in full or in part at any time after such default occurred (if such be the case).

Retention of Account Repayment Data not Revealing Material Default 3.4

[Omitted as spent on 1 January 2013].

3.4A Subject to Clause 3.4B, where a CRA has collected from a credit provider any account repayment data that does not reveal a material default, the CRA

28. If a CRA retains in its database any account general data or mortgage account general data beyond the period permitted under this clause 3.2, subject to clause 3.7, this will give rise to a presumption of contravention of DPP2(2) under section 13(2) of the Ordinance. 29. If a CRA retains in its database any account repayment data described in this clause 3.3 beyond the period permitted for the retention of such data under this clause, subject to clause 3.7, this will give rise to a presumption of contravention of DPP2(2) under section 13(2) of the Ordinance.

417

13_Data Protection_appendix_04B.indd 417

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

may thereafter, in respect of each individual item of data collected, retain the same in its database for a period of 5 years from the date of creation of such data, provided that if the account is in the meantime terminated, then subject to clause 3.5.2, the CRA may continue to retain the account repayment data in its database until the expiry of 5 years after account termination.30 3.4B Where the account general data or mortgage account general data relating to an individual reveals a status of write-off due to a bankruptcy order being made against the individual, the CRA may retain in its database the account repayment data at the time of write-off until the earlier of:31 3.4B.1

the expiry of 5 years from the date of final settlement of the outstanding amount at the time of write-off (or final settlement of the amount payable pursuant to a scheme of arrangement made through the Official Receiver with the credit provider); or

3.4B.2

the expiry of 5 years from the date of the individual’s discharge from bankruptcy, as notified to the CRA by such individual and evidenced by the relevant certificate of discharge issued by the Court of First Instance or by a written notice from the Official Receiver stating that the Official Receiver has no objection to a certificate of discharge being issued to the individual.

Deletion of Data after Account Termination Pursuant to Individual’s Request 3.5

[Omitted as spent on 1 January 2013]

3.5A Notwithstanding clause 3.4A, if a CRA has collected any account data or mortgage account general data from a credit provider and within 5 years

30. If a CRA retains in its database any account repayment data described in this clause 3.4A beyond the period permitted for the retention of such data under this clause, subject to clause 3.7, this will give rise to a presumption of contravention of DPP2(2) under section 13(2) of the Ordinance. 31. If a CRA retains in its database any account repayment data described in this clause 3.4B beyond the period permitted for the retention of such data under this clause, subject to clause 3.7, this will give rise to a presumption of contravention of DPP2(2) under section 13(2) of the Ordinance.

418

13_Data Protection_appendix_04B.indd 418

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

after the termination of the account the CRA receives from the credit provider a request under clause 2.15 for the deletion of the account data or mortgage account general data from its database, the CRA shall: 3.5A.1 verify from its database as soon as reasonably practicable that there has not been, within 5 years immediately before account termination, any material default (whether or not such default period fell entirely within those 5 years); and 3.5A.2 having thus verified from its database, delete as soon as reasonably practicable from its database any account data or mortgage account general data relating to such terminated account,32

provided that if the CRA discovers from its database that there has apparently been a material default within 5 years immediately before account termination, the CRA shall then clarify the matter with the credit provider as soon as reasonably practicable. The CRA shall, in the meantime, be under no obligation to delete the account data or mortgage account general data until it shall have clarified the matter with the credit provider.33

Retention of Other Consumer Credit Data 3.6

Where a CRA has collected any consumer credit data other than account data or mortgage account general data, it may thereafter retain such data in its database for the following periods:34 3.6.1 public record and related data under clause 3.1.3A, except data

32. If the CRA, having received instructions from the credit provider, fails to verify from its database as soon as reasonably practicable that there has not been, within 5 years immediately before account termination, any material default on the account, or, having so verified, fails to delete the account data or mortgage account general data as soon as reasonably practicable from its database, this will give rise to a presumption of contravention of DPP2(1) and/or DPP2(2) under section 13(2) of the Ordinance. 33. If the CRA, having discovered from its database that there has apparently been a material default on the account within 5 years immediately before account termination, fails to clarify the matter with the credit provider as soon as reasonably practicable, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance. 34. If a CRA retains in its database any consumer credit data described in this clause 3.6 beyond the period permitted for the retention of such data under this clause, subject to clause 3.7, this will give rise to a presumption of contravention of DPP2(2) under section 13(2) of the Ordinance.

419

13_Data Protection_appendix_04B.indd 419

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

relating to a declaration or discharge of bankruptcy: the period of 7 years from the date of the event shown in the official record; 3.6.2 public record and related data under clause 3.1.3A relating to a declaration or discharge of bankruptcy: the period of 8 years from the relevant declaration of bankruptcy; 3.6.3 credit application data under clause 2.4.2 or mortgage application data under clause 2.4.4B: the period of 5 years from the date of the reporting of the application; 3.6.4 credit card loss data under clause 2.4.3A: the period of 5 years from the date of report of the loss of the credit card; 3.6.5 file activity data under clause 3.1.5: the period of 5 years from the date of creation of such data; 3.6.6 credit score data under clause 3.1.6: until the end of the next business day following the date of creation of such data; 3.6.7 general particulars of an individual: for as long as there are other consumer credit data related to the individual contained in the database of the CRA. Retention of Exempted Data 3.7

For the avoidance of doubt, notwithstanding any provision to the contrary in the Code, in a situation where exemption from DPP3 under section 62 of the Ordinance applies to certain consumer credit data held by the CRA (including, for example, such data used or to be used by the CRA for the development of a consumer credit scoring model intended to be of general application), the data may continue to be retained by the CRA for so long as such exemption applies.

Use of Consumer Credit Data by CRA Providing of Credit Report 3.8

In response to the seeking of access by a credit provider to consumer credit data relating to an individual pursuant to clause 2.9, 2.9A or 2.10A, a CRA

420

13_Data Protection_appendix_04B.indd 420

2016/6/27 2:00:54 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

may provide to the credit provider a credit report on the individual. The credit report may contain any of the consumer credit data relating to the individual permitted to be collected and retained by the CRA, subject to the following constraints which apply to particular categories of consumer credit data:35 3.8.1A in respect of consumer credit data relating to mortgage loans, only: 3.8.1A.1 the mortgage count; 3.8.1A.2 mortgage application data under clause 2.4.4B; and 3.8.1A.3 account general data and material default data under clauses 2.4.4A.2(ii) and 2.4.4C,

may be accessed by or provided to the credit provider;

3.8.1 credit application data under clause 2.4.2, credit card loss data under clause 2.4.3A and file activity data under clause 3.1.5: confined to such data created for not more than 2 years; 3.8.2 account data under clause 2.4.3 and the derivatives deriving directly from such account data: 3.8.2.1

the credit report shall not reveal the identity of the credit provider who provided such account data or the account number, unless the credit report is to be provided to that same credit provider;

3.8.2.2

[Omitted as spent on 1 January 2013]

3.8.2.2A the credit report shall not contain: 3.8.2.2A.1 in relation to a terminated account, any account repayment data created more than 2 years before the account termination date; or

35. If, in the absence of any applicable exemption, a CRA uses any consumer credit data otherwise than in a way permitted under clause 3.8 or 3.10, this will give rise to a presumption of contravention of DPP3(1) under section 13(2) of the Ordinance.

421

13_Data Protection_appendix_04B.indd 421

2016/6/27 2:00:54 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.8.2.2A.2 in relation to an account other than a terminated account, any account repayment data created more than 2 years before the date of providing the credit report;

unless there has been any material default or write-off due to a bankruptcy order being made against the individual within 5 years before the providing of the credit report, in which case, the credit report may contain, in addition to the account repayment data described in clause 3.8.2.2A.1 or 3.8.2.2A.2 (as the case may be), also the default data relating to such material default or material defaults and/or the outstanding balance at the time of such write-off; 3.8.2.3

[Omitted as spent on 1 April 2011]

3.8.2.4

[Omitted as spent on 1 April 2011]

3.8.2.4A the credit report, if provided at any time during the transitional period, shall not contain the mortgage count unless the credit report is provided to a credit provider who has confirmed to the CRA, pursuant to clause 2.11 above, that the access has been made under any of the circumstances set out in clauses 2.10A.1, 2.10A.2, 2.10A.3 or 2.10A.4 above; 3.8.2.4B the credit report, if provided at any time after the transitional period, shall not contain the mortgage count unless the credit report is provided to a credit provider who has confirmed to the CRA, pursuant to clause 2.11 above, that the access has been made under any of the circumstances set out in clause 2.9A above; and 3.8.2.4C [Omitted as spent on 1 January 2013] 3.8.2.4D without prejudice to the generality of clauses 3.8.1A, 3.8.1, 3.8.2.1, 3.8.2.2A, 3.8.2.4A and 3.8.2.4B above and for the avoidance of doubt, in the case of the individual being a mortgagor or guarantor to the repayment of a consumer

422

13_Data Protection_appendix_04B.indd 422

2016/6/27 2:00:55 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

credit provided to another person, the credit report of such individual may contain, in addition to the consumer credit data relating to the individual as borrower, also the account general data, mortgage count and the remaining available credit or outstanding balance of the guaranteed credit facility or the mortgage loan relating to that other person. Disclosure of Disputed Data 3.9

If any consumer credit data provided by a credit provider to a CRA is accompanied by an indication of the existence of a dispute over the data, then, in subsequently disclosing such data in a credit report, the CRA shall also reveal in the credit report the existence of the dispute.36

Other Uses of Consumer Credit Data 3.10 In addition to disclosure in a credit report pursuant to clause 3.8, a CRA may, in providing a consumer credit reference service, use any consumer credit data relating to an individual held in its database:37 3.10.1 to provide notice and information to a credit provider on a watch list, when new data of the individual in default has appeared in the system, to assist in debt collection action; 3.10.2 to provide notice to a relevant credit provider and to the Transport Department where an individual who has received credit in relation to a motor vehicle has been the subject of advice from the Department that it has received an application from the individual for a duplicate vehicle registration document; 3.10.3 to provide a report to insurers in relation to insurance cover for property related to a consumer credit transaction;

36. If a CRA, in disclosing in a credit report any consumer credit data known to be subject to a dispute, fails to reveal in the credit report the existence of such dispute, this will give rise to a presumption of contravention of DPP2(1) under section 13(2) of the Ordinance. 37. For the consequence of a CRA using any consumer credit data in its database otherwise than in a way permitted under clause 3.10, see Note 35 to clause 3.8 above.

423

13_Data Protection_appendix_04B.indd 423

2016/6/27 2:00:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.10.4 for reasonable internal management purposes, such as the defence of claims and the monitoring of the quality and efficiency of its service; or 3.10.5 to carry out consumer credit scoring, provided that the CRA shall not, in carrying out such scoring, take into account: 3.10.5.1 [Omitted as spent on 1 January 2013] 3.10.5.1A in relation to an account other than a terminated account, any account data created more than 5 years before the carrying out of the scoring; or 3.10.5.2 in relation to a terminated account, any account data created more than 5 years before account termination.

Data Security and System Integrity Safeguards by CRA Measures To Take in Preparation for Providing Consumer Credit Reference Service 3.11 On or before providing consumer credit reference service to a credit provider, a CRA shall take appropriate measures, including the following, to safeguard against any improper access to or mishandling of consumer credit data held by it:38 3.11.1 enter into a formal written agreement with the credit provider as subscriber for such service, which shall specify: 3.11.1.1 the duty of both parties to comply with the Code in providing and in utilizing the consumer credit reference service;

38. If a CRA, in preparation for providing a consumer credit reference service, fails to take any of the measures required under clause 3.11 to safeguard against any improper access to or mishandling of the consumer credit data held by it, this will give rise to a presumption of contravention of DPP4(1) and /or DPP4(2) under section 13(2) of the Ordinance.

424

13_Data Protection_appendix_04B.indd 424

2016/6/27 2:00:55 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.11.1.2 the conditions under which the credit provider may access consumer credit data held by the CRA; and 3.11.1.3 the controls and procedures to be applied when such credit provider seeks access to the CRA’s database; 3.11.2 establish controls to ensure that only data to which a subscriber is entitled is released; 3.11.3 train staff in relation to the Ordinance and the Code and, in particular, good security practice; 3.11.4 develop written guidelines, and disciplinary or contractual procedures in relation to the proper use of access authorities by staff, external contractors or subscribers; and 3.11.5 ensure that adequate protection exists to minimize, as far as possible, the risk of unauthorized entry into the database or interception of communications made to and from the database. Measures To Take in Daily Operations 3.12 A CRA shall take appropriate measures in its daily operations, including the following, to safeguard against any improper access to or mishandling of consumer credit data held by it:39 3.12.1 review on a regular and frequent basis its password controls which help to ensure that only authorized staff are allowed access to its database; 3.12.2 monitor and review on a regular and frequent basis usage of the database, with a view to detecting and investigating any unusual or irregular patterns of access or use;

39. If a CRA, in its daily operations, fails to take any of the measures required under clause 3.12 or 3.13 to safeguard against any improper access to or mishandling of the consumer credit data held by it, this will give rise to a presumption of contravention of DPP4(1) under section 13(2) of the Ordinance.

425

13_Data Protection_appendix_04B.indd 425

2016/6/27 2:00:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.12.3 ensure that practices in relation to the deletion and disposal of data are secure, especially where records or discs are to be disposed of offsite or by external contractors; and 3.12.4 maintain a log of all incidents involving a proven or suspected breach of security, which includes an indication of the records affected, an explanation of the circumstances and action taken. Log of Access etc. by Credit Provider 3.13 Without prejudice to the generality of clause 3.12 above, a CRA shall:40 3.13.1 in the case of there being any suspected abnormal access by a credit provider, report such suspected abnormal access as soon as reasonably practicable to the senior management of the credit provider and to the Commissioner; 3.13.2 maintain a log of all instances of access to its database by credit providers, which log shall include: 3.13.2.1 the identity of the credit provider seeking access; 3.13.2.2 the date and time of access; 3.13.2.3 the identity of the individual whose data was so accessed; 3.13.2.4 the circumstances provided for in clause 2.8, 2.9, 2.9A or 2.10A under which the access has been made (as confirmed by the credit provider pursuant to clause 2.11.1); 3.13.2.5 in the case where the access has been made in the course of the review of existing consumer credit facilities under clause 2.9.1.2, 2.9A.2, 2.9A.4, 2.9A.5, 2.10A.2, 2.10A.3 or 2.10A.4, the specific matter or matters provided for in clause 2.9.3, 2.9.4 or 2.9.5 (as confirmed by the credit provider pursuant to clause 2.11.2); and

40. For the consequence of a CRA failing to take any of the measures described in this clause 3.13, see Note 39 to clause 3.12.

426

13_Data Protection_appendix_04B.indd 426

2016/6/27 2:00:55 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.13.2.6 instances of reporting by the CRA of suspected abnormal access to the senior management of a credit provider and to the Commissioner,

and shall keep such a log for not less than 2 years for examination by its compliance auditor and/or by the Commissioner, as the case may be.

Compliance Audit of CRA Compliance audit 3.14 As a recommended practice, a CRA shall engage, at its expense, an independent compliance auditor as may be approved (or, at the election of the Commissioner, to be nominated) by the Commissioner, to conduct regular compliance audits on the way in which the CRA provides the consumer credit reference service, including the security of consumer credit data held by the CRA in its database, and the adequacy and efficiency of the measures taken by it to comply with the requirements under the Ordinance and the Code. 3.14A As a recommended practice, the compliance audit on the security of consumer credit data held by a CRA mentioned in clause 3.14 shall include an audit on the IT security arrangement of the CRA covering the control objectives of the ISO/IEC 27002 Best Practice on Information Security Management (or its equivalent as approved by the Commissioner). Regular Compliance Audit 3.14B The CRA shall continue to arrange for compliance audits as referred to in clause 3.14 to be conducted at intervals not exceeding 12 months and, in each instance, for audit reports to be provided to the Commissioner for his consideration and/or comments within 3 months from the commencement of the compliance audit. The First Compliance Audit on the Sharing of Consumer Credit Data Relating to Mortgage Loans 3.15 The first of such compliance audit on the sharing of consumer credit data relating to mortgage loans shall commence after 6 months (in any

427

13_Data Protection_appendix_04B.indd 427

2016/6/27 2:00:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

event no later than 7 months) from 1 April 2011, with a view to having the compliance auditor submit its audit report to the Commissioner for his consideration within 3 months from the commencement of the compliance audit. Such compliance audit shall address, in particular, the compliance with the provisions of the Code and the adequacy of the data handling system of the CRA as far as the sharing of consumer credit data relating to mortgage loans is concerned. Commissioner’s Approval of Report on the First Compliance Audit on the Sharing of Consumer Credit Data Relating to Mortgage Loans 3.16 If the Commissioner does not approve the first compliance audit report on the sharing of consumer credit data relating to mortgage loans provided to him, he may, by written notice to the CRA, direct the CRA to take such steps as may be considered necessary for ensuring better compliance with the requirement under the Code and/or the Ordinance, thereafter to arrange for a further compliance audit on the sharing of consumer credit data relating to mortgage loans to be carried out, and for such further audit report to be submitted to the Commissioner for his reconsideration within such period as the Commissioner may specify. Regular Audits after Commissioner’s Approval 3.17 Upon the receipt of a notice from the Commissioner under clause 3.16, the CRA shall duly comply with the Commissioner’s directions, and clause 3.16 shall continue to apply to the CRA until the Commissioner gives his approval to a compliance audit report submitted. From the date of such approval onwards, the compliance audits on the sharing of consumer credit data relating to mortgage loans shall be conducted together with the regular audits referred to in clause 3.14B above.

Data Access and Correction Request to CRA Compliance with Data Access Request 3.18 As a recommended practice, a CRA shall seek to respond promptly to a data access request without charge in respect of personal data held by it brought by an individual who advises that he has been refused credit by a credit provider to whom a credit report on him has been provided by the CRA.

428

13_Data Protection_appendix_04B.indd 428

2016/6/27 2:00:55 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Where such an access request is made at the office of the CRA, the copy of the data held shall, if practicable, be provided forthwith to the individual, or else be dispatched by mail to the individual not later than 3 working days from the date of the request. Verification with Credit Provider 3.19 Upon receiving a request for correction of consumer credit data provided by a credit provider, the CRA shall promptly consult the credit provider. If the CRA does not receive from the credit provider any written confirmation or correction of the disputed data within 40 days from the correction request, the relevant data shall upon expiry of the 40 days be deleted or otherwise amended as requested.41 Verification of Public Record Data 3.20 Upon receiving a request for correction of consumer credit data being public record data, the CRA shall wherever practicable verify the accuracy of such data by checking the relevant public records. If no such verification is obtained within 40 days from the date of the correction request, the public record data shall upon expiry of the 40 days be deleted or otherwise amended as requested, except where the individual alleges any inaccuracy in the data which is not apparent on the face of the public records, it shall in that case be incumbent on the individual to provide proof of such inaccuracy.42 No Transfer of Personal Data outside Hong Kong 3.21 A CRA shall not transfer consumer credit data held by it to a place outside Hong Kong unless the purpose of use of the data transferred is the same as or directly related to the original purpose of collection of the data.43

41. If a CRA fails to respond to a data correction request in accordance with clauses 3.19 or 3.20, this will give rise to a presumption of contravention of section 23 under section 13(2) of the Ordinance. 42. For the consequence of a CRA failing to respond to a data correction request in accordance with this clause, see Note 41 to clause 3.19. 43. If a CRA transfers consumer credit data held by it to a place outside Hong Kong for a purpose other than the original collection purpose or its directly related purpose, this will give rise to a presumption of contravention of DPP3(1) under section 13(2) of the Ordinance.

429

13_Data Protection_appendix_04B.indd 429

2016/6/27 2:00:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

IV General No Effect on Duty of Confidentiality 4.1

For the avoidance of doubt, nothing in Parts I to III of the Code affects the application of the law of confidentiality in relation to consumer credit data. In particular, in a situation where, under the general law, a credit provider or a CRA owes a duty of confidentiality to an individual in respect of the consumer credit data relating to such individual, none of the provisions in Parts I to III of the Code shall have, or purport to have, the effect of abrogating, limiting or otherwise modifying such duty under the general law.

Schedule 1 Credit Providers (1)

an authorized institution within the meaning of section 2 of the Banking Ordinance (Cap 155)

(2)

a subsidiary of an authorized institution within the meaning of section 2 of the Banking Ordinance (Cap 155) (the term “subsidiary” shall have the same meaning as in section 2 of the Companies Ordinance, Cap 32)

(3)

a money lender licensed under the Money Lenders Ordinance (Cap 163)

(4)

a person whose business (whether or not the person carries on any other business) is that of providing finance for the acquisition of goods by way of leasing or hire-purchase

Schedule 2 Account Data as Described in Clause 2.4.3 (A)

Account general data, being: • identity of the credit provider;

430

13_Data Protection_appendix_04B.indd 430

2016/6/27 2:00:55 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

• account number; • capacity of the individual (whether as borrower, mortgagor or guarantor); • account opened date; • account closed date; • type of the facility and currency denominated; • approved credit limit or loan amount (as appropriate); • repayment period or terms (if any); • account status (active, closed, write-off, etc.); • facility maturity date (if any); • details of any scheme of arrangement, including: − the date of the arrangement, the number and frequency of installments, the installment amount, etc.; and • in the case of a hire-purchase, leasing or charge account, including: − account expiry date, type of security, investigation date, installment amount, etc.; − particulars for the identification of the motor vehicles, equipment, vessels or the asset secured by the charge, and notification of termination of the charge. (B)

Account repayment data, being: • amount last due; • amount of payment made during the last reporting period; • remaining available credit or outstanding balance; • default data being: − amount past due (if any) and number of days past due; − date of settlement of amount past due (if any); − date of final settlement of amount in material default (if any).

431

13_Data Protection_appendix_04B.indd 431

2016/6/27 2:00:55 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Schedule 3 Types of Personal Data a Credit Reference Agency May Collect Under Clause 3.1.8 and the Conditions (if any) Subject to which Such Collection May Take Place

432

13_Data Protection_appendix_04B.indd 432

2016/6/27 2:00:55 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Code of Practice on Human Resource Management The primary objective of the Code is to provide practical guidance to employers and their staff on how to properly handle personal data that relate to each phase of the employment process. It is issued to assist human resources practitioners in complying with the requirements of the Ordinance in their performance of human resources management functions and activities and it deals with issues concerning collection, holding, accuracy, use, security, data subject access and correction requests in relation to the personal data of prospective, current and former employees. The latest version of the Code took effect in April 2016. (N.B. It is to be noted that these Codes of Practice, though not legally binding, breach of the Codes will give rise to a presumption against the data user in any proceedings under the Ordinance. Section 13 provides in essence that: (a)

where a Code of Practice has been issued in relation to any requirement of the Ordinance;

(b)

the proof of a particular matter is essential for proving a contravention of that requirement;

(c)

the specified body conducting the proceedings (a magistrate, a court or the Administrative Appeals Board) considers that any particular provision of the Code of Practice is relevant to that essential matter; and if

(d)

it is proved that that provision of the Code of Practice has not been observed;

then that essential matter shall be taken as proved unless there is evidence that the requirement of the Ordinance was actually complied with in a different way, notwithstanding the non-observance of the Code of Practice.)

Introduction This Code of Practice (“the Code”) has been issued by the Privacy Commissioner for Personal Data (“the Commissioner”) in the exercise of the powers conferred on him by Part III of the Personal Data (Privacy) Ordinance (Cap 486 “the Ordinance”). Section 12(1) of the Ordinance empowers the Commissioner to issue codes of practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users”.

433

13_Data Protection_appendix_04C.indd 433

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

This Code was first notified by Gazette of the Hong Kong SAR Government on 22 September 2000. The related Gazette Notice, as required by section 12(2) of the Ordinance, specified that the Code took effect on 1 April 2001 and was approved in relation to the following requirements of the Ordinance: Sections 18, 19, 20, 22, 23, 24, 25, 26 and the six Data Protection Principles in Schedule 1. This Code was revised and notified by Gazette in April 2016. The revision was necessitated by the amendments of the Ordinance and to update the provisions of the Code that were spent of effect. The primary purpose of this Code is to provide practical guidance to employers and their staff on how to properly handle personal data that relate to each phase of the employment process. Failure to abide by the mandatory provisions of this Code will weigh unfavorably against the data user concerned in any case that comes before the Commissioner. Where any data user fails to observe any of the mandatory provisions of this Code, a court, a magistrate, the Administrative Appeals Board or the chairman of the Administrative Appeals Board, is entitled to take that fact into account when deciding whether there has been a contravention of the Ordinance. ••••••••••••••••••••••••••••••••••••••••••••• This Code is designed to give practical guidance to data users who handle personal data in performing human resource management functions and activities. It deals with issues concerning collection, holding, accuracy, use and security, and data subject access and correction in relation to the personal data of prospective, current and former employees. The provisions of the Code apply to data users who are employers of individuals relating to their prospective, current or former employment with the employers concerned.

Interpretation Unless the context otherwise requires, the terms used in the Code have the following meanings: “DPP” means a data protection principle in Schedule 1 to the Ordinance.

434

13_Data Protection_appendix_04C.indd 434

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

“Employer” means any person who has entered into a contract of employment to employ any other person as an employee and the duly authorised agent of such first mentioned person. “Employment” is deemed to include the engagement of an individual whose service is procured through a contract with a third party which employs such individual, and the terms “employ”, “employer” and “employee” are to be construed accordingly. “Ordinance” means the Personal Data (Privacy) Ordinance. “Personal Information Collection Statement” (“PICS”) means a statement made to an individual in respect of whom personal data is collected by the person providing the statement in compliance with the requirements of DPP1(3). “Permitted purpose” in relation to personal data means a lawful purpose directly related to an employer’s functions or activities for which the data was to be used at the time of their collection; a directly-related purpose for which the data was or is used; the fulfillment of a relevant statutory requirement; or a purpose for which the data was or is used where the data subject has given express consent to that use. “Practicable” means reasonably practicable. “Prescribed consent” is the express consent of the person1 given voluntarily, which has not been withdrawn by notice in writing.

Using this Code It is recommended that readers begin by carefully reading the Code as a whole to understand all elements of its use as it applies to the personal data of job applicants, employees and former employees. Subsequently, when a specific question needs to be answered in relation to a matter covered by the Code, the reader should first refer to Section 1 which contains general requirements for handling employmentrelated personal data, and then the particular subsequent section dealing with the

1. Under DPP3(2), a relevant person may give prescribed consent on behalf of a data subject when certain conditions are fulfilled.

435

13_Data Protection_appendix_04C.indd 435

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

specific area of interest. If this approach is used, the reader should acquire a better understanding of the matter. In this document, the contents of the Code are arranged to indicate which parts of the text are mandatory, and which are illustrative or explanatory as follows: The mandatory provisions of the Code are printed in normal typeface. The sections in italics give general explanatory notes, examples and specify good practices. These sections amplify the Code to assist the reader in complying with the mandatory provisions of the Code. The footnotes provide specific references to the provisions of the Ordinance or other sources that provide the statutory basis e.g. other codes of practice, for the particular requirements of the Code.

Code of Practice on Human Resource Management 1

General Requirements

1.1

Introduction



Section 1 reviews a range of topics relating to the general practices and policies that an employer should give consideration to when collecting, processing and handling employment-related personal data. Other matters relating to specific aspects of human resource management, such as recruitment, current and former employees’ matters are dealt with in subsequent sections.



More specifically, this section details the following: 1.1.1 Notification requirements on collection of personal data — PICS. 1.1.2 Issues pertaining to the accuracy and retention of employmentrelated personal data. 1.1.3 Security measures for protection of employment-related personal data.

436

13_Data Protection_appendix_04C.indd 436

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

1.1.4 Data access and correction requests concerning recruitment-related or employment-related personal data. 1.1.5 Employer’s liability pertaining to the wrongful conduct of its staff or an appointed agent in handling personal data. 1.2

Notification Requirements on Collection of Personal Data



Statements to be Made on or before Collecting Employment-related Personal Data 1.2.1 When an employer collects personal data from a job applicant or employee, the employer should take all practicable steps to explicitly inform the individual on or before collecting the data of the following information:2



1.2.1.1

the purpose for which the data is to be used;

1.2.1.2

the classes of persons to whom the data may be transferred; and

1.2.1.3

whether it is obligatory or voluntary for the individual to supply the data unless this is obvious from the circumstances.

On or before using the data, an employer should explicitly provide the following information to the individual concerned: 1.2.1.4



the rights of the individual to request access to, and correction of, his personal data and the name or job title, and address, of the person to whom such requests should be made.

As a matter of good practice, an employer should comply with the above notification requirements by means of a written PICS. This statement may, for example, be attached to, or be printed as an

2. DPP1(3)

437

13_Data Protection_appendix_04C.indd 437

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

integral part of standard employment forms used to collect data e.g. a job application form.

The following list provides examples of occasions when it would be appropriate to make such statements. • In recruitment advertisements where an employer requests that résumés, or other personal data, be submitted by job applicants. • On an Internet page where an employer invites job applicants to complete a form and submit online. • On an employer’s printed job application form or any other data collection forms specified by the employer that requires the provision of personal data.



Purpose Statement: Purpose for which Personal Data is to be Used 1.2.2 An employer may state the purposes for which employment-related personal data is to be used in general or specific terms.3

Many of the purposes for which personal data is to be collected are common to most employers. Examples of common purposes for which personal data is collected from employees include information required: to pay employees and to make compensation, benefits and awards, to contact employees when absent from the office, to make tax returns, to assess employees’ training and development needs, to plan promotion and to administer a retirement or provident fund scheme to which employees contribute and from which they may benefit.



The accompanying examples may be used as a starting point from which employers may prepare more specific statements of purposes, adapted to their own needs, to be included in their PICS.



3. DPP1(3)(b)(i)(A)

438

13_Data Protection_appendix_04C.indd 438

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Purpose of Collection – Job Applicants To assess the suitability of candidates for a vacancy within the organisation, and to negotiate with and make offers of employment to selected applicants. Purpose of Collection – Employees For the supervision, management and payment of employees, to develop and maintain the employment relationship between the employer and the individual, and to support the organisation’s development. For any residual employment-related activities of an employer in respect of an employee, including the provision of job references, processing of applications for re-employment and any matter relating to pension or retirement scheme payments.



Transferee Statement: Classes of Transferees 1.2.3 An employer should explicitly inform job applicants or employees of the classes of third parties to which any of their personal data may be transferred. An employer must do this on or before collecting the data.4

Examples of common classes of transferees include the employer’s insurers, bankers, medical practitioners providing medical services for employees, staff unions and provident fund managers. Before collecting the relevant personal data it is necessary for an employer to inform staff of such possible transfers. Government departments to which an employer is required by law to transfer relevant personal data, for example the Inland Revenue Department, need not be included in a statement of such third parties.



It should be noted that an employer should state that any transfer of employment-related personal data to one of the named classes of possible transferees will be for one or other of the purposes stated in the

4. DPP1(3)(b)(i)(B)

439

13_Data Protection_appendix_04C.indd 439

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Classes of Transferee The data that you have supplied for the purpose of employment may be passed to the employer’s insurers, bankers, medical practitioners providing medical services to employees, any relevant staff union and provident fund managers.

Omission of Personal Data The provision of full and complete information in support of a job application is necessary for selection purposes. Failure to provide any of the data may affect the processing and outcome of the application.

Purpose Statement, or a directly related purpose. Because the transfer notification requirements only apply to transfers to third parties outside the employing organisation, there is no requirement for employers to name other internal departments or employees of the employer to whom personal data may be transferred for the purposes of employment.

Optional or Obligatory Provision of Data 1.2.4 Unless it is obvious from the circumstances, an employer should explicitly inform job applicants or employees, whether it is obligatory or voluntary to supply personal data.5 The consequences of not providing such data should also be stated explicitly unless this is obvious from the circumstances.6

An employer needs not provide a notice of whether it is compulsory to provide personal data if it is obvious from the circumstances that all the employment-related personal data sought in a form used by an employer must be provided and that if any item is not provided the matter concerned will not be processed further.

5. DPP1(3)(a)(i) 6. DPP1(3)(a)(ii)

440

13_Data Protection_appendix_04C.indd 440

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Data Access & Correction Rights You have a right under the Ordinance to make a data access or correction request concerning your personal data. You may make such requests by applying to the Privacy Compliance Officer in the Human Resources Department.





For example, on a staff leave application form, it is not necessary for an employer to state that it is compulsory to provide personal data such as the days of intended absence in order for the application to be processed and approved.

Data Access and Correction Rights 1.2.5 An employer, on or before the first use of the employment-related data, should explicitly provide information of an individual’s rights of access to, and correction of, his personal data and the contact details of the person to whom any such request may be made.7





The Ordinance confers upon an individual whose personal data is held by an employer a right to request a copy of such data. Subsequently, the individual concerned is entitled to request correction of any inaccurate data provided in compliance with such a request.



An employer should also include the name or job title and address of a person to whom the request may be made.

Employment-related Personal Data Collected before the Ordinance came into Effect 1.2.6 An employer may continue to use employment-related personal data collected before 20 December 19968 as long as the purposes for which the data is used come within the reasonable scope of the

7. DPP1(3)(b)(ii)(A) and DPP1(3)(b)(ii)(B) 8. The date the relevant provisions of the Ordinance first came into effect.

441

13_Data Protection_appendix_04C.indd 441

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

purposes for which the data was originally collected. Any use of such data outside the original scope of collection will require the prescribed consent of the individual concerned.9

Employment-related data collected prior to 20 December 1996 may be used for the implicit purpose for which it was collected, which may be inferred from the nature of the transaction involved e.g. recruitment or administering the employment of the individual who provided the data. As a matter of good practice, an employer should consider providing an employee with its PICS at the first opportunity where new data is collected from the employee.

1.3

Accuracy and Retention of Employment-related Personal Data



Accuracy of Employment-related Data 1.3.1 An employer should take all practicable steps to ensure that the employment-related data it holds about employees is: 1.3.1.1

accurate having regard to the purpose for which the data is used;10 or

1.3.1.2

not used for the purpose where there are reasonable grounds for believing that the data is inaccurate when used for that purpose, unless and until such inaccuracies are rectified.11

1.3.2 An employer who discloses or transfers employment-related data to a third party on or after 20 December 1996 should take all practicable steps to ensure that: 1.3.2.1

the data thereby disclosed or transferred is accurate having regard to the purpose for which the data is disclosed or transferred; and

9. DPP3 10. DPP2(1)(a) 11. DPP2(1)(b)

442

13_Data Protection_appendix_04C.indd 442

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

1.3.2.2

where it is practicable in all circumstances to know that the data was inaccurate at the time of such disclosure or transfer, the recipient is informed of the inaccuracy and is provided with such particulars as will enable the recipient to rectify the data.12

Retention of Employment-related Data 1.3.3 An employer should implement a written data retention policy that specifies a retention period of: 1.3.3.1

no longer than two years in respect of recruitment-related data held about a job applicant from the date of rejecting the applicant;

1.3.3.2

no longer than seven years in respect of employmentrelated data held about an employee from the date the employee leaves employment;

Unless



1.3.3.3

the individual concerned has given express consent for the data to be retained for a longer period; or

1.3.3.4

there is a subsisting reason that obliges the employer to retain the data for a longer period.

The provisions of the four anti-discrimination ordinances — the Disability Discrimination Ordinance, the Family Discrimination Ordinance, the Sex Discrimination Ordinance and the Race Discrimination Ordinance permit an individual to make a claim to the District Court against another person for an act of discrimination against him before the end of the period of two years beginning (a) when the act complained of was done; or (b) if there is a relevant report in relation to the act, the day on which the report is published or made available for inspection.

12. DPP2(1)(c)

443

13_Data Protection_appendix_04C.indd 443

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



Further guidance in respect of the above requirements is given in Section 2 on Recruitment and in Section 4 on Former Employees’ Matters.

1.4

Security Measures to Protect Employment-related Data



Measures to Ensure Integrity, Prudence and Competence of Employees 1.4.1 An employer should take reasonably practicable measures to ensure that staff handling employment-related personal data are trained to observe the employer’s personal data privacy policies, exercise due diligence in the application of those policies, and are subject to procedures designed to ensure their compliance with those policies.13

Employees play the principal role in implementing an employer’s policies on the security of personal data. Security practices are therefore a vital part of any human resources policy with regard to privacy of personal data.



In evaluating internal procedures pertaining to the security of employment-related personal data, employers should determine the extent to which their policies satisfy the following criteria: • Policy relating to the security of employment-related personal data is systematically and regularly communicated to staff authorised to access and process that data. • The employer commits to, and provides, on-going training to staff on matters relating to personal data protection. • New recruits to the organisation are provided with training on personal data protection as part of their induction into the organisation. • Employer’s policy manuals, training materials, and employee handbook are periodically reviewed to ensure that they are

13. DPP4(1)(d)

444

13_Data Protection_appendix_04C.indd 444

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

consistent with the requirements under the Ordinance and any codes of practice in force. • In-house policy is to restrict access to, and processing of, personal data on a “need-to-know” and “need-to-use” basis. • As a matter of protocol, staff involved in accessing and processing employment-related personal data are required to sign a secrecy or confidentiality statement that clearly specifies operational expectations in these respects. • Appropriate investigative procedures are engaged should such protocols be breached and action taken against staff found to have violated the terms and conditions of the confidentiality statement. • Random checks are made to ensure that there is compliance with established procedures.

Security through Controlled Access to Employment-related Personal Data 1.4.2 If an employer makes any employment-related data available internally, it should take appropriate measures to protect the data against unauthorised or accidental access, processing, erasure, loss or use of that data.14

As a matter of good practice, employers should ensure that access to personal data held on an automated system is regulated by security features. For example, such features may include the use of account names and passwords; dedicated terminals; an audit trail or installed warning feature that can detect unsuccessful attempts to access data; and automatic log-off after a timed period of inactivity. Further precautions may include prohibiting unauthorised copies of employment-related personal data from being established on distributed computers, such as stand alone PCs, that are not subject to the controls applied to authorised copies.

14. DPP4(1)

445

13_Data Protection_appendix_04C.indd 445

2016/6/27 2:01:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1.4.3 If an employer engages a third party to perform any of its human resource management functions, it must adopt contractual or other means to ensure that the third party applies appropriate security protection to the employment-related data.15

It should be noted that the Ordinance imposes legal liability on an employer in relation to any wrongful acts or practices done by a third party where the third party is engaged as an agent acting on behalf of the employer.16 For example, an employer without suitable storage or disposal facilities may arrange for large volumes of employment-related personal data to be stored or destroyed by a reputable storage or waste disposal company. The employer should include in its agreement with such a company appropriate precautions controlling the handling of the materials including, in particular, conditions that ensure security and confidentiality.

1.4.4 An employer should ensure that the physical destruction of documents containing employment-related data held on paper or other non-erasable media is undertaken with appropriate security precautions, to avoid their inadvertent disclosure to, or access by, unauthorised parties prior to destruction.



As a matter of good practice, an employer should note that the destruction of personal data that is no longer required will generally necessitate special arrangements to be put in place within the organisation for the collection and consolidation of such data prior to its disposal. For example, waste for secure disposal may be collected in special containers in a controlled area accessible only to staff authorised to handle personal data of the type being disposed of.

Precautions and Other Matters Regarding Internet Usage 1.4.5 An employer should take all practicable steps to implement appropriate data protection measures to ensure the secure

15. DPP4(2) 16. Section 65(2)

446

13_Data Protection_appendix_04C.indd 446

2016/6/27 2:01:01 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

transmission of employment-related data on a public network such as the Internet.17

Data travelling on the Internet is vulnerable to unauthorised interception or access. Depending on the sensitivity of the data to be transmitted, appropriate security protection software should be installed to enhance the integrity of data. For example, software encryption or digital signature used in email transmission would be an acceptable form of protection to safeguard data integrity and authentication. In addition, security protection measures should also be implemented on computers that are used for sending or receiving email containing personal data. Staff should be reminded to ensure all copies of email are held securely to prevent accidental or unauthorised access.

1.4.6 If an employer provides Internet access facilities, including email, for the use of its employees, it should inform the employees of its written policy on the use of the system.

As a matter of good practice, the policy referred to above should include matters such as: • Whether the use of the email system by employees for sending and receiving personal email is permitted and any special arrangements that employees should adopt for segregating personal email from work-related email. • Whether the employer reserves the right to access and read email sent and received by employees using the email system. • Specific rules that apply to the distribution of incoming or outgoing email and the erasure of unnecessary email that contain personal data or have an attachment that includes such data.

17. DPP4(1)(e)

447

13_Data Protection_appendix_04C.indd 447

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1.5

Complying with Data Access and Correction Requests



Data Access Requests of Employment-related Data 1.5.1 An individual whose personal data is held by his employer is entitled to request to be given a copy of such data.18 Unless exempted from doing so under the Ordinance, the employer is required to provide a copy of the requested data within 40 days after receiving a data access request.19 In the event of an employer being unable to provide the copy within the 40-day limit, the employer must communicate that fact in writing to the person making the request before the expiry of that period and must provide the copy as soon as practicable thereafter.20 1.5.2 An employer responding to a data access request from a job applicant, current or former employee must not disclose to the individual seeking access any data identifying any other individual unless that other individual consents.21 1.5.3 Where one document contains the personal data of two or more individuals, an employer may not refuse to comply with a data access request from one or more individuals where it is possible not to disclose the identities of the others by the omission of names or other identifying particulars.22

For example, an employee who is the subject of a disciplinary proceeding has a right to request a copy of the disciplinary records such as a disciplinary board’s minutes of a meeting that is conducted for the purpose of the disciplinary investigation. The employer cannot rely on the fact that the document contains personal data of a third party, other than the employee, to refuse to provide a copy of the minutes.

18. Section 18 19. Section 19(1) 20. Section 19(2) 21. Section 20(1)(b) and 20(2)(a) 22. Section 20(1)(b) and 20(2)

448

13_Data Protection_appendix_04C.indd 448

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

In this circumstance, the employer should edit out the information relating to the third party before providing a copy to the employee if no consent is given by the third party concerned of its disclosure. Similarly, it is not a valid reason for the employer to refuse access to a promotion board report merely because the document contains a comparison of two or more employees where it is possible to conceal the identities of the others by the omission of names or other identifying particulars.

As a matter of good practice employers should implement measures to ensure that they can comply with a data access request made by a job applicant, current or former employee. Those measures should seek to satisfy the following criteria: • The employer has established tracking procedures to monitor the progress of compliance with data access requests. • In complying with a data access request the employer should: – not withhold any personal data of the requestor unless a lawful exemption applies to the circumstances of the case; – reply to the data access request in writing within 40 days of receipt of the request; – clearly specify what fees, if any, will be charged for providing the requestor with a copy of his/her record of personal data; – provide the relevant data in a form that is intelligible to the data subject; – erase from the copy any reference of personal data of a third party individual unless that third party has consented to its disclosure; – erase from the copy all names or other identifying particulars that explicitly identify a third party individual as the source of the personal data relating to the requestor.

449

13_Data Protection_appendix_04C.indd 449

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

• Where the employer is unable to comply with the data access request within 40 days he should, before that time has elapsed: – comply with the data access request in part, so far as it is practicable to do so; – inform the requestor in writing, explaining why he is unable to comply fully with the request; – fully comply with the request as soon as practicable thereafter. Data Correction Requests of Employment-related Data 1.5.4 An employee who has been provided with a copy of personal data held by his employer in compliance with a data access request is entitled to request the employer to make the necessary correction in respect of any data that the employee considers to be inaccurate.23 If satisfied that the data is indeed inaccurate, the employer is required to make the necessary correction and provide the employee with a copy of the corrected data within 40 days of receiving the request.24 1.5.5 An employer who, pursuant to a permitted circumstance under the Ordinance, refuses to make the necessary correction in relation to a data correction request, should inform the requestor in writing of the refusal and the reasons for such refusal.25

For example, if the correction requested relates to data, whether a fact or an expression of opinion and the employer is not satisfied that the data is inaccurate, it may refuse to make the correction. An "expression of opinion" includes an assertion of fact that is unverifiable or, in all circumstances of the case, is not practicable to verify. However, the employer should inform the requestor in writing of the refusal and the reasons for such refusal. In the case of the data being an expression

23. Section 22(1) 24. Section 23(1) 25. Sections 24(3) and 25(1)(a)

450

13_Data Protection_appendix_04C.indd 450

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

of opinion, the written refusal should be accompanied by a copy of a note containing matters referred to in the correction request. This note should be annexed to the file of the individual concerned so that anyone having access to it may have the contents of the note brought to their attention. 1.6

Employer’s Liability for Wrongful Acts or Practices by its Employees or Agents 1.6.1 An employer is liable in civil proceedings for any act or practice relating to personal data that is undertaken by its employees in the course of their employment that is contrary to the provisions of the Ordinance, even if the employees undertook the act or engaged in the practice without the employer’s knowledge or approval.26 1.6.2 An employer is liable in civil proceedings for any wrongful acts or practices done by a third party where the third party is engaged as an agent acting with authority (whether express or implied, and whether precedent or subsequent) on behalf of the employer.27 1.6.3 The employer may avoid liability only if the employer is able to prove that it took such steps as were reasonably practicable to prevent the wrongful acts undertaken or practices engaged in by its employee who acted on its behalf.28

For example, if an employee disclosed employment-related personal data to a third party contrary to DPP3, the employer may be able to avoid liability for the wrongful disclosure if it can prove that the employee had ignored a departmental policy that prohibited disclosure to a third party.

26. Section 65(1) 27. Section 65(2) 28. Section 65(3)

451

13_Data Protection_appendix_04C.indd 451

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

1.7

Other Matters



Statutory Requirements in Relation to Employment-related Data 1.7.1 Where ordinances other than the Ordinance impose upon an employer obligations to keep certain employment-related information, and to disclose such information to the relevant authorities when required, the employer should comply with the obligation as stated.



For example, under the Immigration Ordinance an employer is required to keep a record of the type of identification document held by an employee by virtue of which the employee is lawfully employable, and the number of that identification document. The employer is also required to disclose such information when requested by a labour inspector.

Information about Policies and Practices to be Made Available 1.7.2 An employer should take all practicable steps to ensure that the public at large and its employees can be provided with a copy of its policies and practices in relation to personal data.29



As a matter of good practice, an employer should comply with the above requirement by means of a written Privacy Policy Statement (“PPS”) that details its personal data management policies and practices. The PPS should include a list of the kinds of personal data held by the employer as well as the main purposes for which such data is used. The employer should also consider including other data protection policies and practices such as its data retention policy and security protection policy.

Matters Concerning the Hong Kong Identity Card Number in Employee Records 1.7.3 The Code of Practice on the Identity Card Number and Other

29. DPP5

452

13_Data Protection_appendix_04C.indd 452

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Personal Identifiers (“the PI code”) makes provisions whereby an employer may: 1.7.3.1

collect the Hong Kong Identity Card number of a job applicant when certain criteria are met;30

1.7.3.2

collect a copy of the Hong Kong Identity Card of a selected candidate at the time the candidate accepts an offer of employment;

1.7.3.3

collect the Hong Kong Identity Card number and copy of the Hong Kong Identity Card of an employee;31 or

1.7.3.4

use Hong Kong Identity Card numbers in a computer or manual system to link, retrieve or otherwise process records of employment-related data within the organisation.32

1.7.4 An employer must check any copy of the Hong Kong Identity Card against the original card33 and mark it with the word “COPY” across the entire image of the Hong Kong Identity Card.34 Such a copy collected before 19 June 1998 needs not be so marked until it is first used after that date. 1.7.5 An employer issuing staff cards, pensioner’s cards, employee club cards etc. to its employees or former employees, should not issue any such cards bearing the holder’s Hong Kong Identity Card number.35

30. Paragraph 2.3.1 of the PI code 31. Paragraphs 2.3.1 and 3.2.2.1 of the PI code 32. Paragraph 2.6.3 of the PI code 33. Paragraph 3.5 of the PI code 34. Paragraph 3.9 of the PI code 35. Paragraph 2.8 of the PI code

453

13_Data Protection_appendix_04C.indd 453

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2 2.1

Recruitment Introduction 2.1.1 Employers often commence the recruitment process by specifying a job description or candidate specification. Various means may be employed in the collection of personal data from job applicants. These may include: 2.1.1.1

Requiring job applicants to fill in a job application form.

2.1.1.2

Inviting job applicants to submit an application in response to a job advertisement.

2.1.1.3

Obtaining job applicants’ personal data via employment agencies or an executive search company.

2.1.1.4

Relying on job applications that are collected in the course of a previous recruitment exercise.

2.1.2 An employer may have a practice of inviting job applicants to submit applications in response to a job advertisement posted on the employer’s website by filling in an online data collection form or by email. In these circumstances, the employer also engages in a practice that amounts to the collection of personal data from applicants. 2.1.3 In addition to the data collected through the original application, an employer may, in the course of the recruitment selection process, compile additional information about job applicants to assess the suitability of candidates for the job. Such information may include: 2.1.3.1

A written assessment of the candidate recorded in a selection interview.

2.1.3.2

An assessment report of any tests that the candidate is required to undertake, such as psychological tests.

2.1.3.3

Personal references obtained from the candidate’s current or former employers or other sources.

454

13_Data Protection_appendix_04C.indd 454

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.1.4 The Ordinance requires an employer to take all practicable steps to ensure that job applicants are informed, on or before collection, of certain matters relating to the collection of their personal data.36 This requirement applies to paragraphs 2.1.1.1, 2.1.1.2, 2.1.2 and 2.1.3. The notification requirement can be made in the form of a written PICS, either as a separate statement for recruitment, or as an integral part of a more detailed PICS pertaining to employment.

Practical Guidance on Recruitment-related Practices 2.2

Collection of Personal Data from Job Applicants 2.2.1 An employer should not collect personal data from job applicants unless the purpose for which the data is to be used is lawful.37

For example, an employer should not use a vacancy notice to solicit the submission of personal data by candidates for the purpose of unlawfully discriminating against them on grounds of gender or marital status with the intention of excluding female employees from supervisory positions.

2.2.2 An employer should not collect personal data from job applicants unless the data is adequate but not excessive in relation to the purpose of recruitment.38

In determining which data is regarded as relevant, an employer should be mindful of the need to demonstrate that the prescribed personal data is indeed directly related to the purpose of identifying suitable candidates. Careful selection of relevant data in the job description or candidate specification will minimise the likelihood of personal data being collected from job applicants that is excessive for the recruitment purpose.

36. DPP1(3) 37. DPP1(1)(a) 38. DPP1(1)(c)

455

13_Data Protection_appendix_04C.indd 455

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



For example, the job description or specification should be restricted to the collection of personal data relevant to the recruitment exercise, and for the purpose of identifying suitable candidates for the job. Generally, these may include work experience, job skills, competencies, academic/professional qualifications, good character and other attributes required for the job.

2.2.3 An employer may collect the Hong Kong Identity Card number of a job applicant only if all of the following requirements are satisfied:39 2.2.3.1

the employer has a general policy to retain the Hong Kong Identity Card numbers of former employees and unsuccessful job applicants for a certain period;

2.2.3.2

the employer collects Hong Kong Identity Card numbers because it is necessary for the correct identification of individuals or for the correct attribution of records it holds relating to the applicants;

2.2.3.3

the employer conducts checks of whether any particular job applicant has applied for a position with it before, or is a former employee, and a large number of applicants or former employees may be involved; and

2.2.3.4

there is no less privacy-intrusive and practicable alternative of correctly identifying or attributing records to such individuals.

2.2.4 An employer should not collect a copy of the Hong Kong Identity Card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment.40

Paragraph 3.3.2 of the PI Code prohibits a data user from collecting a copy of the Hong Kong Identity Card of an individual merely in anticipation of a prospective relationship between the data user and the individual.

39. PI Code 40. Paragraph 3.3.2 of the PI Code

456

13_Data Protection_appendix_04C.indd 456

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.2.5 An employer may collect personal data concerning a job applicant’s family members, if the personal data:



2.2.5.1

relate to employment circumstances of the applicant’s family members only to the extent necessary for assessing whether any conflict of interest might arise should the applicant be offered the job; and

2.2.5.2

are adequate but not excessive in relation to this purpose.

For example, if an employer wishes to know whether a job applicant’s family members are currently employed by a competitor, it should confine itself to asking whether this is the case and making further enquiries only in relation to any family members that are so employed. As a matter of good practice, an employer should consider collecting the data no earlier than at the time when the applicant is considered as a potential candidate for appointment.

2.2.6 Where an employer requires job applicants to fill in a job application form, either in a paper format or online on a web page of the employer’s website, it should ensure that the PICS notification requirement mentioned in paragraph 2.1.4 is complied with.41

2.3

A practical way to comply with the notification requirement is to print the PICS as an integral part of the paper application form or display it as part of the text of the online form. Alternatively, the PICS may be attached as a separate sheet to the paper application form. In the case of the online form, this can be done by displaying the PICS as a linked page to the online form or as a “pop-up” screen when a “confirm” button is pressed prior to the transmission of the online form.

Advertising of Job Vacancies 2.3.1 An employer who advertises an employment vacancy in a vacancy notice that directly solicits the submission of personal data by interested individuals thereby starts the process of collecting personal data of those individuals. Accordingly, the requirements mentioned

41. DPP1(3)

457

13_Data Protection_appendix_04C.indd 457

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

in paragraphs 2.2.1 to 2.2.5 would apply for the purpose of this section.

It should be noted that if the vacancy notice merely invites interested individuals to contact an employer, there is no direct solicitation of personal data. An example would be where an employer advertises the job vacancy requirements and invites interested individuals to write in to obtain an application form in relation to the vacancy.

2.3.2 Where an employer advertises a vacancy in a vacancy notice that directly solicits the submission of personal data by job applicants, it should ensure that the PICS notification requirement, mentioned in paragraph 2.1.4, is complied with in the advertisement42 unless:



2.3.2.1

the advertisement invites job applicants to respond by filling in a job application form specified by the employer that prescribes the PICS notification; or

2.3.2.2

the advertisement expressly identifies the contact person from whom applicants may obtain a copy of the PICS.

For example, an employer may state in the vacancy notice the telephone number, name or title of the employer’s nominated person from whom a copy of the PICS pertaining to recruitment may be obtained. A statement to the following effect should be included —  “Personal data provided by job applicants will be used strictly in accordance with the employer’s personal data policies, a copy of which will be provided immediately upon request.”

2.3.3 An employer who directly, or through its agent, advertises a vacancy that solicits the submission of personal data by job applicants should provide a means for the applicant to identify either the employer or its agent.43

42. DPP1(3) 43. DPP1(2)

458

13_Data Protection_appendix_04C.indd 458

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance



A blind advertisement is one that provides no means of identifying either the employer or the employment agency acting on its behalf. However, the advertisement may or may not directly solicit personal data from job applicants. A blind advertisement is permitted provided that there is no direct solicitation of personal data from job applicants.



For example, an employer should not use a vacancy notice to solicit the submission of personal data by applicants that gives only a Post Office Box Number. However, should an employer not wish to disclose its identity in a vacancy notice, it may request interested individuals to submit a written request to a Post Office Box Number for an application form for the vacancy that identifies the employer. Alternatively, the employer may use a recruitment agency identified in the vacancy notice to receive the personal data solicited from the applicants. In this case, the advertisement is required to identify the agency.

2.3.4 An employer should not solicit the submission of personal data of individuals by means of a job advertisement unless there are one or more positions of employment which are presently, or may become, unfilled.44

For example, an employer should not place an advertisement just to test the job market situation or to put pressure on existing staff members and, in that process, solicit the submission of personal data. Obtaining personal data by misrepresenting the purpose of collection may amount to an act of collection by means that are unfair in the circumstances.

2.4

Employment Agencies/Executive Search Company 2.4.1 An employer who engages an employment agency to solicit the provision of personal data by job applicants thereby collects personal data of those applicants. Accordingly, the requirements mentioned in paragraphs 2.2.1 to 2.2.5 would apply for the purpose of this section.

44. DPP1(2)

459

13_Data Protection_appendix_04C.indd 459

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.4.2 Where an employer receives unsolicited personal data of an individual, whether directly from the individual seeking a job opportunity with the employer or offered by an employment agency about its job-seekers, the employer should:



2.4.2.1

use only such data as may be necessary for, or directly related to, its purpose of assessing the suitability of the individual for employment45; and

2.4.2.2

not use the data for a new purpose unless the prescribed consent from the individual is obtained.46

It is very common for an employer to receive personal data from an individual who is searching for a job opportunity. An employment agency may also refer its job-seeker’s information to an employer. Information received in this manner is often excessive for recruitment purposes by the employer. The employer should disregard any personal data provided which is irrelevant to the recruitment process.

2.4.3 An employer who engages a third party as an agent with express authority to perform specified recruitment functions for, and on behalf of, the employer should take all practicable steps to ensure that the third party will not act in contravention of the requirements under the Ordinance.47

The Ordinance imposes legal liability on an employer in relation to any wrongful acts or practices done by a third party where the third party is engaged as an agent on behalf of the employer. For example, an employer could request details of the third party’s personal data privacy policies and practices to verify that the appropriate standards have been adopted. Alternatively, an employer may consider having in place an agreement between the parties that incorporates clauses requiring certain procedures to be complied with. For example, the employer should

45. DPP1(1)(b) 46. DPP3(1) and DPP3(4) 47. Section 65, DPP2(3) and DPP2(4), DPP4(2) and DPP4(3)

460

13_Data Protection_appendix_04C.indd 460

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

clearly identify the sets of personal data needed to facilitate the selection process undertaken by the agent, and the agent should agree to restrict the collection of personal data to the sets specified. 2.5

Internal Records about Job Applicants 2.5.1 An employer may use personal data of a job applicant whose data is collected during the course of a recruitment exercise for use in a later exercise of this nature, provided that:



2.5.1.1

the employer has a general policy to retain the data for such a purpose;

2.5.1.2

the employer has a stipulated retention period of keeping such data; and

2.5.1.3

the applicant has not otherwise objected to the use of his data for such a purpose.

As a matter of good practice an employer should take steps to inform job applicants about its retention policy of personal data collected in the course of a recruitment exercise. It should also provide an opportunity for unsuccessful applicants to request the destruction of the data if the applicant does not wish it to be used for a subsequent recruitment exercise.

2.5.2 An employer who, pursuant to paragraph 2.5.1, uses personal data collected on a previous occasion for the purpose of identifying suitable candidates should refrain from using the data until such time as the data has been updated should there be reasonable grounds to believe that such data has become inaccurate since it was collected.48 2.5.3 An employer who has retained personal data of job applicants that has been collected during the course of a recruitment exercise for use in a later exercise should:

48. DPP2(1)(b)

461

13_Data Protection_appendix_04C.indd 461

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



2.6

2.5.3.1

only use the data for such purpose or a directly related purpose unless the applicant has given his prescribed consent to the use in some other purposes;49 and

2.5.3.2

take all practicable steps to ensure that the data is retained securely and is accessible to authorised personnel on a “need-to-know” basis.50

It should be noted that the requirements mentioned in paragraphs 2.5.1 to 2.5.3 also apply to an employment agency that holds personal data provided by individuals searching for jobs.

Receiving and Processing Applications for Employment 2.6.1 An employer should take all practicable steps to ensure that, having regard to their confidential nature, the personal data of job applicants is collected, processed and stored securely, irrespective of whether the data is stored in electronic, photographic or hard copy format.51

For example, an employer that asks candidates to supply data in hard copy format should request that candidates place their applications in a sealed envelope marked in some way such as “Confidential. For the attention of the Human Resources Department (or of the relevant employee)”. Mailroom and reception staff should be instructed to deliver such letters unopened.



As a matter of good practice, databases comprising personal data of job applicants should be accessible only to authorised staff using secure passwords on a “need-to-know” basis. Hard copy data should be located in secure areas. Personal data relating to job applicants stored on physical media such as paper or microfilm should be stored in locked cabinets in a secure room. In the event of such information being analysed or reviewed, the contents of that data should not be left unattended by, or out of the control of, the authorised persons.

49. DPP3(1) and DPP3(4) 50. DPP4(1) 51. DPP4(1)

462

13_Data Protection_appendix_04C.indd 462

2016/6/27 2:01:02 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.6.2 An employer should take all practicable steps to ensure that staff authorised to access personal data have the appropriate qualities of integrity, prudence and competence.52

2.7

For example, an employer may implement training programmes to ensure that staff members who have responsibility for recruitmentrelated matters are made aware of the employer’s personal data handling policy and practices, and carry out supervisory checks to ensure compliance with policy requirements.

Seeking Information for Selection Assessment 2.7.1 An employer may compile information about a job applicant, to supplement other data collected at the time of the original application, to assess the suitability of potential candidates for the job provided that it does not in the process collect personal data that are excessive in relation to the purpose.53

Generally, it would not be excessive to collect data to increase an employer’s knowledge of a candidate’s skills, good character, competencies or abilities, provided this knowledge was relevant in relation to the nature of the job. A common selection technique is by means of a selection interview or by requiring applicants to undertake a written skill test. Depending on the nature of the job, other selection techniques may involve an applicant in psychological tests, security vetting or integrity checking procedures. These selection techniques often entail collection of additional personal data from applicants.



For example, an employer may use a security vetting procedure to establish the security credentials of a potential candidate for a security guard’s position if such knowledge is crucial prior to the employer’s consideration to offer the job to the candidate. However, recording the details of a candidate’s outside activities and interests might be excessive unless the employer can demonstrate that such detail is relevant to the inherent requirements of the job.

52. DPP4(1)(d) 53. DPP1(1)(c)

463

13_Data Protection_appendix_04C.indd 463

2016/6/27 2:01:02 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



To ensure the impartiality of the post holder and to avoid any conflict of interest that may arise in respect of the capacity to which the potential candidate is appointed, integrity checking may be necessary. However, the employer must be able to demonstrate that the collection of personal data, such as the candidate’s investments or other financial matters, are relevant items essential for assessing the integrity of the individual concerned.

2.7.2 An employer who compiles information about a job applicant pursuant to paragraph 2.7.1 should ensure that the selection method so employed does not involve the collection of personal data by means that are unfair.54

2.8

As a matter of good practice, an employer should inform a job applicant before the selection method is used of its relevance to the selection process and the personal data to be collected by the chosen method.

Seeking Personal References of Job Applicants 2.8.1 An employer who wishes to obtain references from a potential candidate’s current or former employers or other sources should ensure that such references are provided with the consent of the candidate concerned.

The Ordinance requires the candidate’s current or former employers to have the candidate’s consent in providing references. Such consent may be given orally or in writing. As a matter of good practice, the prospective employer should consider seeking consent from the candidate prior to approaching the candidate’s current or past employers or other sources for a reference. If this is the case, the prospective employer should, when requesting for the reference, notify the source that provides the reference that consent of the candidate has been given. If in doubt, the current or past employer should seek evidence of such consent from the requesting party, or verify this with the candidate.

54. DPP1(2)

464

13_Data Protection_appendix_04C.indd 464

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

2.9

Acceptance by Candidates 2.9.1 An employer may, no earlier than at the time of making a conditional offer of employment to a selected candidate, collect personal data concerning the health condition of the candidate by means of a preemployment medical examination, provided that:



2.9.1.1

the personal data directly relates to the inherent requirements of the job;

2.9.1.2

the employment is conditional upon the fulfilment of the medical examination; and

2.9.1.3

the personal data is collected by means that are fair in the circumstances55 and are not excessive56 in relation to this purpose.

For example, an employer may have a policy requiring a suitable candidate to undertake a pre-employment medical check by a nominated medical board to confirm whether the candidate is fit for employment. In this circumstance, the employer needs only to be provided with the minimum information about the candidate’s health condition that supports the medical practitioner’s opinion that he or she is fit for employment. Details of the candidate’s medical history and treatment might be relevant for the medical board when conducting the medical check with the candidate, but these details need not be collected by the employer.

2.9.2 An employer may, at the time when a selected candidate accepts an offer of employment, collect additional personal data of the candidate and his family members, provided that the personal data is: 2.9.2.1

necessary for the purpose of employment in relation to the job57 for which the candidate is appointed; or

55. DPP1(2) 56. DPP1(1)(c) 57. DPP1(1)(b)

465

13_Data Protection_appendix_04C.indd 465

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

2.9.2.2



necessary for a purpose pursuant to a lawful requirement that regulates the affairs of the employer.

For example, after the acceptance of an offer of employment, it would be necessary for the employer to collect personal data relating to the new employee such as bank details for the payment of salary. Other examples are information concerning the candidate’s family members that are needed for the administration of any benefits an employer provides for such family members. However, it would be excessive to collect personal data such as the candidate’s outside interests unless such information is necessary for, or directly related to, the inherent requirements of the job for which the employee has been appointed.

2.9.3 An employer may, at the time when the selected candidate accepts an offer of employment, collect a copy of the Hong Kong Identity Card of the candidate.58 2.9.4 An employer should obtain the prescribed consent of an appointee before publicly disclosing any personal data of the appointee in relation to the appointment unless such public disclosure is required by law or by any statutory authorities.59 2.10 Unsuccessful Candidates 2.10.1 An employer who has a general policy of retaining personal data of an unsuccessful job applicant for future recruitment purposes should not retain such data for a period longer than two years from the date of rejecting the applicant unless: 2.10.1.1 there is a subsisting reason that obliges the employer to retain the data for a longer period; or 2.10.1.2 the applicant has given prescribed consent for the data to be retained beyond two years.

58. Paragraph 3.2.2.1 of the PI Code 59. DPP3(1), DPP3(4) and section 60B(a)

466

13_Data Protection_appendix_04C.indd 466

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance



As a matter of good practice, an employer wishing to retain personal data relating to an unsuccessful job applicant, for the purpose of future recruitment exercises, should inform the candidate of the period for which the employer will normally retain such data. It is also a good practice to provide unsuccessful job applicants with the opportunity to request the destruction of their data if they do not wish them to be used for this purpose. Generally speaking, actual or potential legal proceedings may constitute a subsisting reason for personal data of unsuccessful applicants being retained for longer than two years.

2.11 Data Access and Correction Requests by Job Applicants 2.11.1 Personal data collected from job applicants in respect of job recruitment and other data compiled about applicants in the course of a recruitment selection process mentioned in paragraphs 2.1.1 — 2.1.3 are subject to access and correction by the applicants. Accordingly, requirements mentioned in Section 1 — Complying with Data Access and Correction Requests, should be complied with for the purpose of this section unless there is an applicable exemption provided for under the Ordinance. 2.11.2 An employer may refuse to comply with a data access request made by a job applicant pursuant to paragraph 2.11.1 if: 2.11.2.1 the employer has received the request prior to it making a decision on filling the vacancy for which the job applicant has applied; and 2.11.2.2 the recruitment is a process whereby the applicant has a right to appeal against the appointment decision.60

It should be noted that a recruitment process falls outside the meaning of a “relevant process” under the Ordinance if it is a process where no appeal may be made against any such determination of the process (as most recruitment processes probably are). Furthermore, the exemption

60. Section 55

467

13_Data Protection_appendix_04C.indd 467

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

in relation to a relevant process is only applicable for the period until the completion of that process. Completion, in relation to a recruitment process that falls within the meaning of a relevant process, means the making of the determination on the suitability of job applicants for employment or appointment to office. The availability of an appeal governs whether the recruitment process amounts to a relevant process and does not mean that the appeal period is part of the recruitment process period. Hence, an employer who receives a data access request by a job applicant after the determination of the recruitment process is completed should comply with the request. 2.11.3 An employer, who holds personal data that consists of a personal reference given by a third party individual other than in the ordinary course of his occupation, may refuse to comply with a data access request made by a job applicant pursuant to paragraph 2.11.1 if: 2.11.3.1 in any case, unless that third party individual has given his consent in writing to the employer for the disclosure of the reference; or 2.11.3.2 in the case of a reference given on or after 20 December 1996, until the applicant concerned has been informed in writing that he has been accepted or rejected for employment in respect of the job he applies.61

3 3.1

If the third party gives consent for disclosure of the reference before the applicant is informed of the employer’s decision, the employer might consider granting access to the data concerned.

Current Employment Introduction 3.1.1 On appointment, an employer may retain personal data of the appointee for the purpose of the employment. Examples of these are

61. Section 56

468

13_Data Protection_appendix_04C.indd 468

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

the data provided by the appointee at the time of the job application and other data compiled about the appointee in the course of the recruitment process as mentioned in paragraph 2.1.3. 3.1.2 In addition, an employer may collect supplementary personal data from the employee for the purposes of employment and other related human resource management functions. Examples of these data would include, bank details for the payment of salary and information on family members of the employee that are needed for the administration of any benefits an employer provides for family members. A further example would be information that is required by the employer to fulfil certain legal obligations, such as personal data about the spouse of married employees for the purpose of filing returns under the Inland Revenue Ordinance. 3.1.3 In the course of employment of the employee, an employer may further compile information about the employee. Such information may include: 3.1.3.1

Records of remuneration and benefits paid to the employee.

3.1.3.2

Records of job postings, transfer and training.

3.1.3.3

Records of medical checks, sick leave and other medical claims.

3.1.3.4

Written records of disciplinary proceedings involving the employee.

3.1.3.5

Performance appraisal reports of the employee.

3.1.3.6

Written reports of staff planning exercises involving the employee.

3.1.3.7

Written reports of promotion exercises involving the employee.

3.1.4 The Ordinance requires an employer to take all practicable steps to ensure that employees are informed of certain matters in relation to

469

13_Data Protection_appendix_04C.indd 469

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

the collection of their personal data.62 This requirement applies to situations mentioned in paragraphs 3.1.2 to 3.1.3 where the personal data is collected directly from the employee. This notification requirement can be made in the form of a written PICS pertaining to employment. As a practical guidance, an employer should provide the PICS notification at the time when the employee accepts the offer of employment or during induction. Practical Guidance on Employment-related Practices 3.2

Personal Data in relation to the Terms and Conditions of Employment 3.2.1 An employer may, pursuant to paragraph 3.1.2, collect personal data from an employee and his family members provided that the collection of the data is:



3.2.1.1

necessary for or directly related to a human resource function of the employer;63 or

3.2.1.2

pursuant to a lawful requirement that regulates the affairs of the employer; and

3.2.1.3

by means that are fair in the circumstances64 and the data is not excessive in relation to the purpose.65

Compensation and Benefits 3.2.2 An employer may collect personal data of an employee and his family members in relation to its provision of compensation and benefits to the employee provided that: 3.2.2.1

the requirements mentioned in paragraph 3.2.1 are complied with; and

62. DPP1(3) 63. DPP1(1)(b) 64. DPP1(2) 65. DPP1(1)(c)

470

13_Data Protection_appendix_04C.indd 470

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.2.2.2





the data is necessary to ascertain the eligibility of the employee’s claim for compensation or benefits.

An employer may provide medical, housing or other benefits to its employees or their family members. In administering the provision of these benefits, the employer may have a policy that aims to prevent the provision of double benefits to employees or their family members. In this circumstance, the employer may require employees to provide evidential proof about claims made in relation to their family members. In processing statutory or contractual claims of compensation, an employer may also require an employee to provide evidential proof to substantiate payment of such claims.

Integrity Checking/Declaration of Conflict of Interest 3.2.3 An employer may collect personal data of an employee to facilitate integrity checking or to determine any conflict of interest by the employee, provided that:



3.2.3.1

the requirements mentioned in paragraph 3.2.1 are complied with;

3.2.3.2

the data is important to the employer in relation to the inherent nature of the job for which the employee is appointed; and

3.2.3.3

the employer has a policy covering such practices, prior notice of which has been brought to the attention of the employee concerned.

An employer may have a policy requiring its employees to disclose their private investments by means of a declaration submitted to the employer. The practice is usually concerned with ensuring the impartiality of the post holder and to avoid any conflict of interest that may arise in respect of the capacity to which the employee is appointed. However, the employer must be able to demonstrate that the personal data collected relating to the employee, his family members, or any third party individual acting on his behalf, are relevant items essential for the said purposes.

471

13_Data Protection_appendix_04C.indd 471

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



Medical Checking and Health Data 3.2.4 An employer may collect personal data relating to the health condition of an employee provided that the collection is for a purpose:



3.2.4.1

directly related to the assessment of the suitability of the employee’s continuance in employment; or

3.2.4.2

directly related to the employer’s administration of medical or other benefits or compensation provided to the employee.

For example, where the nature of a post requires the maintaining of a certain level of health, an employer may, by contract or statutory requirement, require an employee to undergo regular medical checking for consideration of his suitability for continuance in employment. In this circumstance, the employer needs only be provided with the minimum information necessary to determine whether the employee is fit for further employment. Similarly, an employer may only need the minimum information about a sick leave application of an employee to verify or calculate the entitlement to sick leave and other related benefits but not the details of the treatment prescribed for the medical condition afflicting the employee.

3.2.5 An employer who, pursuant to paragraph 3.2.4, collects personal data of an employee should ensure that:



3.2.5.1

the requirements mentioned in paragraph 3.2.1 are complied with; and

3.2.5.2

the employer has a policy covering medical checking, prior notice of which has been brought to the attention of the employee concerned.

In most cases, details of medical history are not necessary for the purposes concerned unless the collection of these details are required in order to fulfil certain legal requirements on the part of the employer, for

472

13_Data Protection_appendix_04C.indd 472

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

example, for the purpose of processing statutory or contractual medical claims. 3.2.6 An employer should take all practicable steps to ensure that personal data collected pursuant to paragraphs 3.2.1 to 3.2.4 is kept secure having regard to the generally sensitive nature of the data concerned.66

3.3

As a matter of good practice, personal data held in relation to employees on an automated system should be accessible only to authorised staff using appropriate security procedures. Such procedures might include secure terminals, access protocols, audit trail software, logging and compliance checks. If such data is in hard copy form, it should be held in a secure area accessible only to authorised personnel on a “need-to-know” basis.

Disciplinary Proceedings 3.3.1 An employer who conducts a disciplinary investigation against an employee for a breach of the terms and conditions of employment should take all practicable steps to ensure that the personal data compiled about the employee concerned is:



3.3.1.1

accurate for the purpose upon which disciplinary decisions are taken;67 and

3.3.1.2

held securely and accessible only by authorised personnel on a “need-to-know” basis.68

For example, an employer may, in the course of disciplinary proceedings, compile information about an employee who is the subject of allegations of improper behaviour that may be a cause for his removal from employment or office. In this circumstance, the sensitivity

66. DPP4(1) 67. DPP2(1) 68. DPP4(1)

473

13_Data Protection_appendix_04C.indd 473

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

of such information requires the employer to take effective measures to ensure that the information is accurate for decision making purposes. Correspondingly effective security measures should also be adopted to prevent the information from being accessed by unauthorised persons. 3.3.2 An employer who holds personal data about an employee obtained in the course of disciplinary proceedings, including information collected from third party sources about the employee concerned, should:



3.4

3.3.2.1

only use the data for a purpose directly related to the investigation of suspected wrongdoings; and

3.3.2.2

not disclose or transfer the data to a third party unless the third party has legitimate reasons for gaining access to the data.

Generally, an employer should not publicly disclose any disciplinary findings that lead to the disclosure of the identity of the employee concerned unless such disclosure is in compliance with DPP3. For example, if an employer wishes to make an internal announcement of a disciplinary finding to all staff members, it should take into account the possible harm that might be caused to the employee concerned and consider removing from the announcement any identifiable particulars that relate to the employee.

Performance Appraisal 3.4.1 An employer who has a policy of conducting performance appraisals may compile personal data about the employee provided that the data is to be used for the purpose of: 3.4.1.1

assessing the employee’s performance;

3.4.1.2

assessing the employee’s suitability for advancement;

3.4.1.3

determining the employee’s continuance in employment; or

474

13_Data Protection_appendix_04C.indd 474

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.4.1.4

determining the employee’s job posting or training needs.

3.4.2 An employer who compiles performance appraisal information about an employee should collect personal data that is not excessive in relation to the purpose and by means that are fair in the circumstances.69

For example, it would not be fair to record an employee’s work-related telephone conversations as part of a performance appraisal process unless there is no other reasonably practicable way of monitoring the employee’s performance, and prior notification is given of such a practice. It may not be fair to use electronic surveillance of employees at work, such as the use of a finger-scan system, to monitor staff attendance at work unless there is no other less privacy-intrusive means of doing so. As a matter of good practice, employees should be served notice in writing if specific techniques are to be deployed to monitor their performance.

3.4.3 An employer who holds personal data about an employee compiled in the course of performance appraisal, should:



3.4.3.1

only use the data for a purpose mentioned in paragraph 3.4.1; and

3.4.3.2

not disclose or transfer the data to a third party unless the third party has legitimate reasons for gaining access to the data.

For example, if the performance appraisal report compiled about an employee requires follow-up action by a third party, e.g. by a third party authority, then the report can be referred to the third party for the purpose of completing the appraisal. As a matter of good practice, an employer should invite employees to comment on all assessments that are made and record such comments on the appraisal form.

69. DPP1(1)(c) and DPP1(2)

475

13_Data Protection_appendix_04C.indd 475

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.5

Staff Planning 3.5.1 An employer, who holds personal data that consists of information relevant to any staff planning proposal may withhold such data from an employee requesting access.70 Staff planning proposals consist of plans to fill a series of employment positions, i.e. two or more such positions, or the cessation of the employment of a group of employees.

3.6



Examples of activities that would be considered to be staff planning would be restructuring, reorganising, redundancy or succession plans involving a group of employees. Normally, such planning would result in the addition or removal of positions in an organisation. It should be noted that a recruitment process does not fall within the meaning of staff planning. Similarly, a performance appraisal report prepared in the course of a normal human resource management function would not be covered.



Neither promotion planning nor career development planning of employees amount to staff planning under section 53 of the Ordinance as they do not result in the addition or removal of positions in an organisation.

Promotion Planning 3.6.1 An employer who compiles information about an employee for the purpose of determining an individual’s suitability for promotion should collect personal data that is not excessive in relation to the purpose71 and by means that are fair in the circumstances.72

Promotion planning refers to the process of assessing an individual’s readiness to assume the duties of a more senior position within the

70. Section 53 71. DPP1(1)(c) 72. DPP1(2)

476

13_Data Protection_appendix_04C.indd 476

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

organisation. As a matter of good practice, an employer should restrict the use of psychological tests, assessment role-plays, simulations and other related techniques so that only those skills, abilities and attitudes relevant to the advancement are assessed. 3.6.2 An employer who holds personal data about an employee compiled in the course of promotion planning, including information collected from third party sources about the employee concerned, should:



3.7

3.6.2.1

only use the data for a purpose directly related to its promotion planning process; and

3.6.2.2

not disclose or transfer the data to a third party unless the third party has legitimate reasons for gaining access to the data.

For example, an employer may have a policy that requires a third party authority to endorse or confirm recommendations made by a selection board in respect of a promotion planning exercise. In this circumstance, the transfer of the information to the third party concerned is permissible only if the use of the data by the other party directly relates to matters concerning the promotion planning.

Providing Job References for Employees 3.7.1 An employer should not provide a reference concerning an employee or former employee to a third party without the employee’s prescribed consent unless the employer is satisfied that the third party requesting the reference has obtained the prior consent of the employee concerned.73 Such consent means the express consent of the employee given voluntarily.74

The consent may be given by the employee directly to the employer or may be given to the third party seeking the reference. In the latter case, the third party seeking the reference should notify the employer that

73. DPP3(1) and DPP3(4) 74. Section 2(3)(a)

477

13_Data Protection_appendix_04C.indd 477

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

he has documentary evidence of the consent of the employee to request the reference and is prepared to furnish a copy of that evidence upon request. If in doubt, the employer may verify this with the employee concerned before releasing any reference to the requesting party. 3.8

Data Access and Correction Requests by Employees 3.8.1 Personal data collected from employees and other data compiled about employees in the course of their employment mentioned in paragraphs 3.2 to 3.7 are subject to access and correction by the employees.75 Accordingly, requirements mentioned in Section 1 — Complying with Data Access and Correction Requests, should be complied with for the purpose of this section unless there is an applicable exemption provided for under the Ordinance.



Relevant Process Exemption76 3.8.2 An employer who holds personal data that is the subject of a relevant process may withhold such data from an employee requesting access for as long as the process is in progress and until a determination has been made regarding the relevant process. A relevant process means an employment-related evaluative process whereby the employee concerned has a right to appeal against any such determination.

For example, disciplinary proceedings conducted against an employee for a breach of the terms and conditions of employment would fall within the meaning of a relevant process if the proceedings consist of a process whereby the employee may appeal against any determination of the disciplinary action taken. Other examples include promotion exercises or evaluative processes concerning an employee’s continuance in employment or removal from employment where the employee has a right of appeal against the decision made.

75. Sections 18 and 22 76. Section 55

478

13_Data Protection_appendix_04C.indd 478

2016/6/27 2:01:03 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance





It should be noted that the relevant process exemption is only applicable for the period until the completion of that process. Completion, in relation to a relevant process, means the making of the determination of action taken. The availability of an appeal governs whether a particular process amounts to a relevant process and does not mean that the appeal period is part of the process period. Hence, an employer who receives a data access request by an employee after the determination of the relevant process is completed should comply with the request.



As a matter of good practice, employers should have a written policy that documents the procedures and personal data collected for the purpose of conducting a relevant process. The policy should stipulate any right of appeal against the decision of the process and any conditions pertaining to that right.

Transitional Provision Exemption 3.8.3 [Omitted as spent on 3 August 2002] 3.8.4 An employee who has been provided with a copy of personal data by the employer in compliance with a data access request is entitled to request the employer to make the necessary correction in respect of any data that the employee considers to be inaccurate.77 If satisfied that the data is indeed inaccurate, the employer is required to comply with the request.78

An employer is required to make the necessary correction if it is satisfied that the personal data to which the request relates is inaccurate. This should be made within 40 days upon receiving the request from the employee and the employer should provide the employee with a copy of the corrected data within the same time limit. However, if the correction requested relates to data, whether a fact or an expression of opinion, and the employer is not satisfied that the data is inaccurate, it

77. Section 22(1) 78. Section 23(1)

479

13_Data Protection_appendix_04C.indd 479

2016/6/27 2:01:03 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

may refuse to make the correction. An “expression of opinion” includes an assertion of fact that is unverifiable or in all circumstances of the case, is not practicable to verify. Further guidance on handling data correction requests is given in Section 1 — Complying with Data Access and Correction Requests. 3.9

Accuracy and Retention of Employment-related Data 3.9.1 An employer should take all practicable steps to ensure that the employment-related data it holds about employees is accurate having regard to the purpose for which the data is used.79

An employer may implement a reminder system to ask employees to report changes of their personal data so that any changes in personal circumstances concerning the employees could be made. As a matter of good practice, an employer may consider providing employees with copies of employment-related data at regular intervals and invite them to report on any changes that need to be made. For example, medical benefit records may require updating to include information on an employee’s spouse, if the employee has married during the course of the employment, so that medical benefits may be extended to cover the spouse.

3.9.2 An employer should take all practicable steps to ensure that information about its policies and practices in relation to personal data can be made available to its employees.80

For example, an employer may comply with this requirement by preparing a written PPS concerning its personal data handling policies and practices. The PPS should include a list of the kinds of employment-related data held by the employer, and the main purposes for which the data is used. As a matter of good practice, the PPS should also include a retention policy covering employment-related data and be circulated to employees at regular intervals.

79. DPP2(1)(a) 80. DPP5

480

13_Data Protection_appendix_04C.indd 480

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.10 Use of Employment-related Data of Existing Employees 3.10.1 An employer should not use or disclose employment-related data of an employee for any purpose other than the purpose directly related to the employment of the employee unless: 3.10.1.1 the employee has given his prescribed consent to such other use or disclosure;81 3.10.1.2 the purpose is directly related to the purpose for which the data was collected;82 3.10.1.3 such use or disclosure is required by law or by statutory authorities;83 or 3.10.1.4 there is an applicable exemption provided for under the Ordinance.

For example, an employer may wish to enter into an agreement with a credit card company to offer a credit card with special terms and conditions for its employees. In such a case, the employer should not use the employees’ data and pass it to the credit card company for marketing of the card without first obtaining the prescribed consent of the employees. Alternatively, the employer may use the address data of employees, which was collected to facilitate communication with the employer, to notify the employees directly of the service.



However, an employer may transfer documents regarding an employee’s medical claim to its insurer who provides employee medical cover to effect the claim. This would be a purpose directly related to the original purpose for which the claim documents are collected. As a matter of good practice, an employer could remind the recipient to confine its use of the data to only those purposes that are directly related to the purpose of the disclosure. In the example of the insurer given above, the

81. DPP3(1) 82. DPP3(1) and DPP3(4) 83. Section 60B(a)

481

13_Data Protection_appendix_04C.indd 481

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

employer may include in its instruction to the insurer a statement to the effect that “The employment-related personal data attached should only be used to effect insurance cover under the terms and conditions of our Employee Medical Insurance policies with you”.

An example of statutory requirement for disclosure would be the disclosure of employment-related data to public authorities that are authorised by law to require the production of personal data. For example, the reporting of employment-related data of employees in the annual Employer’s Return of Remuneration and Pensions to the Inland Revenue Department.

3.10.2 An employer who, pursuant to paragraph 3.10.1, discloses employment-related data to a third party should take all practicable steps to ensure that: 3.10.2.1 the data thereby disclosed is accurate having regard to the purpose for which the data is disclosed;84 and 3.10.2.2 where it is practicable in all circumstances to know that the data was inaccurate at the time of such disclosure, the recipient is informed of the inaccuracy and is provided with such particulars as will enable the recipient to rectify the data.85

As a matter of good practice, an employer should also avoid disclosure of data in excess of that is necessary for the purpose of use by the recipient. For example, employment-related records held on a computer should not be printed in full and passed on to an insurer without consideration of the insurer’s needs. Only the information reasonably required to effect the type of insurance policy being written should be transferred to the underwriter or insurance agency.

3.10.3 An employer should take all practicable steps to ensure that the

84. DPP2(1)(a) 85. DPP2(1)(c)

482

13_Data Protection_appendix_04C.indd 482

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

means of transferring employment-related personal data to a third party are secure, having regard to the sensitivity of the data thereby disclosed and the harm that could result if unauthorised or accidental access should occur.86

For example, in mailing out documents containing employmentrelated data, an employer may consider putting the documents in a sealed envelope addressed to the recipient and marked “Private and Confidential” on the envelope. If a window envelope is used, care should be taken not to make visible through the window opening personal data other than that necessary for the purpose of postal delivery. It should be noted that email transmission is insecure unless security protection software is used. Depending on the level of sensitivity of data to be transmitted, an employer may consider implementing appropriate security protection software before employment-related data is allowed to be transferred via email.

3.10.4 An employer may, without the consent of the employee, disclose employment-related data of the employee to a third party provided that: 3.10.4.1 such disclosure concerns data that is necessary for a purpose that falls within the ambit of section 58(1) of the Ordinance; and 3.10.4.2 the employer has reasonable grounds for believing that non-disclosure would be likely to prejudice such purposes.87

The purposes referred to in section 58(1) of the Ordinance include, inter alia, purposes used for the prevention or detection of crime, the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, dishonesty or malpractice by individuals. The words “unlawful or seriously improper conduct”

86. DPP4(1)(e) 87. Section 58(2)

483

13_Data Protection_appendix_04C.indd 483

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

extend beyond criminal conduct to include civil wrongs.88 Hence, an employer may disclose employment-related data of an employee to a third party if it has reasonable grounds for believing that the data thereby disclosed will be used by the third party in civil proceedings and non-disclosure of the data would be likely to prejudice the prevention, preclusion or remedying of a civil wrong by the employee.

However, it should be noted that the requirement is for the employer to have reasonable grounds for holding the belief referred to above and the Ordinance does not oblige the employer to accede to such a request for disclosure by the third party. For example, if employment-related data of an employee is requested without a warrant by the Police in connection with a criminal investigation, the Police will need to satisfy the employer that investigation would be prejudiced by a failure to disclose the data being sought. If the data is sought pursuant to a warrant, the employer may rely on the warrant as providing sufficient grounds for providing the Police with such information even though such a disclosure was not one of the purposes for which the data was collected.

3.11 Disclosure or Transfer of Employment-related Data

Transfer to Outside Professional Services 3.11.1 An employer who seeks professional services of third parties on matters that involve the disclosure or transfer of employment-related data should ensure that the data is limited to that required for the specific services that they are to provide.

An employer may employ external professional services, such as legal representatives or consultants to advise on human resource management matters. In doing so, the employer should avoid disclosure of data in excess of that is necessary for the purpose of use by the recipient in providing the service. For example, data such as home address or detailed salary payment of individual employees would

88. Court of First Instance in case HCPI 828/97

484

13_Data Protection_appendix_04C.indd 484

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

generally be unnecessary for use by a management consultant who is engaged to devise a career development plan for employees.



An employer may use the services of an external auditor for the purpose of carrying out a financial audit. Such access to employment-related data by the auditor is in accordance with section 412 of the Companies Ordinance (Cap 622). External auditors’ requirements for access will generally be limited to information such as emoluments, taxation and personal expenses, sight or copies of any contract between employer and employee, or employer and contractor, and documents relating to termination of employment where these are required to substantiate the terms of relevant transactions.

Outsourcing of Human Resource Data Processing 3.11.2 An employer who out-sources or contracts out its human resource processing to an external agency should take all practicable steps to ensure that the processing agency protects the employment-related data against unauthorised or accidental access or disclosure.



It should be noted that the Ordinance imposes legal liability on an employer in relation to any wrongful acts or practices done by a third party89 where the third party is engaged as an agent on behalf of the employer. For example, an agreement may be drawn up controlling how the data are transmitted or processed and requiring the processing agency to take steps to ensure the integrity, prudence and competence of its staff having access to the data.90

Sub-contracting out Employees’ Service to Other Organisations 3.11.3 An employer may disclose or transfer employment-related data of an employee for a purpose of sub-contracting the service of the employee to a third party organisation provided that:

89. Section 65(2) 90. Reference can be made to the Information Leaflet: Outsourcing the Processing of Personal Data to Data Processors issued by the Commissioner.

485

13_Data Protection_appendix_04C.indd 485

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.11.3.1 such sub-contracting arrangement relates to a function or activity that the employer engages in; or 3.11.3.2 the use of the employee’s data for such a purpose is one of the purposes for which the employee is so employed.

Most sub-contracting arrangements are governed by an agreement between the employer and the third party organisation. The employer is the prime contractor as a party to the agreement and the employees concerned are assigned to work on the job contracted for. For example, the employer has successfully won a project in a tender with the third party and the employee is assigned as one of the project members. In this situation, the employment relationship remains between the employee and his employer although the third party might have supervisory responsibility over the employee in terms of the job.

3.11.4 An employer who, pursuant to paragraph 3.11.3, discloses or transfers employment-related data to a third party organisation should ensure that the personal data disclosed is: 3.11.4.1 relevant to the inherent requirements of the job as specified in the third party’s job description; 3.11.4.2 adequate but not excessive in relation to the purpose of the sub-contracting service; and 3.11.4.3 limited to employment-related data of the employee concerned.

In a sub-contracting arrangement, the employer may be required by the other party to provide personal data of its employees for selection purposes. For example, it may be necessary to include in a project proposal information about the employee to demonstrate his qualifications and suitability for the project tendered for. The employee’s data, such as his curriculum vitae, is collected primarily for the purpose of employment with the employer. In so far as the data is disclosed for a purpose of inclusion in a project proposal that the employer engages in, the disclosure of such data could be regarded as a purpose directly related to the purpose for which the data is collected.

486

13_Data Protection_appendix_04C.indd 486

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

However, the data thereby disclosed should be limited to the skills, competencies, abilities and work experience of the employee that are relevant to the inherent requirements of the job to which the employee may be assigned.

Transfer to a Place outside Hong Kong 3.11.5 Employment-related personal data may be transferred to a related office of the organisation outside Hong Kong provided that such a transfer is for a purpose directly related to the employment of employees and the data is adequate but not excessive in relation to that purpose.



For example, transfer of employment-related personal data outside Hong Kong to an overseas head office may be done for a permitted purpose, such as for a purpose relating to an intended posting of staff to an overseas office. It should be noted that the Ordinance provides for specific controls on the transfer of personal data outside Hong Kong.91

Transfer to Other Offices within the Organisation 3.11.6 Employment-related personal data may be transferred within the employing organisation for purposes directly related to the employment of employees provided that the data is adequate but not excessive in relation to the purpose of use by the party to whom it is transferred.

For example, staff of the employer’s accounting department need not be provided with data that is irrelevant for its use in calculating salary payment to an employee, such as the employee’s performance appraisal report. Similarly, internal auditors of the organisation should not have access to employment-related data that is not necessary in performing an internal audit.

91. Section 33. This section of the Ordinance is not currently in force. Reference can be made to the Guidance on Personal Data Protection in Cross-border Data Transfer issued by the Commissioner.

487

13_Data Protection_appendix_04C.indd 487

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



Mergers, Acquisitions, and Associated Due Diligence Exercises92 3.11.7 Where an employer transfers employment-related data to an outside party involved in a merger, acquisition or due diligence exercise, such data should be limited to that is reasonably required to make a decision on the quality of personnel employed by the organisation, or other reasonable matters relating to the acquisition or merger.93

Parties wishing to acquire a substantial share in a company, or organisations contemplating a merger, may request that employmentrelated personal data of the key officers be transferred to them. Examples of relevant data might be salary, job title, length of service, promotion history, qualifications, achievements and assessment of strengths and weaknesses. It is reasonable for employees to expect that if the organisation for which they work is a target for acquisition by another, or is actively considering a merger, certain employment data might be disclosed or transferred to the other party.

3.11.8 An employer may transfer employment-related data to intermediate parties in any transactions relating in any way to mergers, acquisitions and due diligence including financial advisors, bankers and lawyers provided that they use the data only on behalf of the employer for the purpose of facilitating the merger or acquisition.94

As a matter of good practice, the employer should obtain an undertaking from such parties that they would keep the data secure and comply with all other relevant provisions of the Ordinance. If it becomes clear that a contemplated merger or acquisition will not take place, the other party, and any agent acting on their behalf, should forthwith destroy or return to the employer concerned any employmentrelated personal data received for the purpose of considering the merger or acquisition.95

92. Section 63B 93. Section 63B(1) & (2)(a) 94. Section 63B(4)(a) 95. Section 63B(4)(b)

488

13_Data Protection_appendix_04C.indd 488

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

3.11.9 An employer may continue to use the employment-related data of employees for purposes directly related to their employment, notwithstanding any acquisition, in part or whole, of the employing organisation by another party.

For example, where two or more organisations merge, the resulting employer may continue to use employment data of employees in relation to their continued employment. As a matter of good practice, the employer should ensure that a single set of privacy policies and practices are developed for the combined employment-related personal data of the merged organisations.

3.12 Matters Concerning the Engagement of Subcontract Staff 3.12.1 An employer, who engages individuals on a subcontract basis, should not collect personal data about them that is excessive for the purpose of carrying out the employer’s functions and activities in employing such individuals.96

For the purpose of this section, subcontract staff include staff employed through a third party such as an employment agency, workers employed by one company but who undertake work on behalf of another company, or staff who are self-employed. In these circumstances, the employer does not have a direct employment contract with the individuals concerned.



In general, an employer would need to collect less personal data relating to subcontract staff compared with data collected in respect of employees. For example, the employer would not normally collect personal data in relation to subcontract staff such as details of their bank accounts and family members. However, an employer may need to collect data of next of kin in case there is an emergency at work.

3.12.2 An employer who engages subcontract staff may retain personal data that it holds in respect of such staff only for so long as the data is required:

96. DPP1(1)(c)

489

13_Data Protection_appendix_04C.indd 489

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

3.12.2.1 for carrying out the purposes (or any directly related purposes) for which the data was collected;97 or 3.12.2.2 where there is a reasonable likelihood that such staff may be re-engaged on subsequent work.

For example, the employer may retain personal data relating to subcontract staff where this is necessary for the purpose of dealing with possible work disputes arising from the performance of subcontract staff. In the case where subcontract staff may be re-engaged for subsequent work, the employer may retain the data of subcontract staff for two years after the completion of the current or most recent contract. Once the two-year period has elapsed the data may only be retained if the staff concerned have given prescribed consent to an extension.

3.12.3 An employer who holds employment-related data of subcontract staff should observe the requirements mentioned in paragraph 3.11 in relation to the disclosure or transfer of such data.

It is very common for a property management company to act as an agent of the Owners’ Incorporation of a building and handle all affairs relating to the management and security of the building. In doing so, the property management company may sub-contract the security management duty to a third party security company who employs security guards or caretakers to work in the building premises.



The subcontracted security company may be asked to provide remuneration details of security guards to the property management company for the purposes of account auditing by the Owners’ Incorporation. In this circumstance, the security company who is the employer of the guards should take special care in preparing the information requested as it may involve a disclosure of the data not only to the property management company but also the Owners’ Incorporation. Generally, it would be adequate to provide the requested remuneration data without disclosing the identity of the individual guards concerned.

97. DPP2(2)

490

13_Data Protection_appendix_04C.indd 490

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

4 4.1

Former Employees’ Matters Introduction 4.1.1 Employees may leave an employer by transferring to another company, resigning, or because of termination of employment as a result of disciplinary action, redundancy, retirement, invalidity, or death. 4.1.2 Relevant personal data pertaining to a former employee may be required by an employer to fulfil its obligations to the former employee and its legal obligations under certain ordinances. The data may be required to: 4.1.2.1

meet statutory requirements — these may relate to the retention of salaries’ tax records, business records, and sick leave records;

4.1.2.2

administer any remaining duties in respect of former employees or their family members under a pension, superannuation, or MPF scheme;

4.1.2.3

defend the organisation in any civil suit or criminal prosecution — in cases where legal action may be brought under, for example, legislation such as the Employees Compensation Ordinance;

4.1.2.4

defend the organisation against any claim for damages resulting from a purported medical condition or injury allegedly sustained during, and/or resulting from, the period of employment;

4.1.2.5

re-employ a former employee if there is a reasonable likelihood of the individual re-applying for employment; or

4.1.2.6

provide job references at the request of the employee.

4.1.3 For example, the Employment Ordinance98 requires an employer to retain wage and employment records of employees covering the

98. Section 49A of the Employment Ordinance (Cap 57) refers.

491

13_Data Protection_appendix_04C.indd 491

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

period of their employment during the preceding twelve months. Such records should be kept for six months after they cease employment. 4.1.4 Personal data of former employees retained by an employer for purposes mentioned in paragraph 4.1.2 is subject to access and correction by the employee. Accordingly, requirements mentioned in Section 1 — Complying with Data Access and Correction Requests, should be complied with for the purpose of this section unless there is an applicable exemption provided for under the Ordinance. Where relevant, attention should be paid to observing the requirements mentioned in paragraphs 3.10 and 3.11 in relation to Use, Disclosure and Transfer of Employment-related data that may be applicable to former employees. Practical Guidance on Former Employees’ Matters 4.2

Continued Retention of Personal Data of Former Employees 4.2.1 An employer may retain personal data of a former employee for purposes mentioned in paragraph 4.1.2 or other purposes provided that such other purposes are: 4.2.1.1

necessary for the employer to fulfil its contractual or legal obligations;

4.2.1.2

directly related to the purpose of managing the relationship between the employer and the former employee; or

4.2.1.3

those that the former employee has given prescribed consent.

4.2.2 An employer may retain a former employee’s Hong Kong Identity Card number for linking, retrieving or processing records held by it concerning the employee.

For example, paragraph 2.6.4 of the PI makes provision for an employee’s Hong Kong Identity Card number to be used for linking the

492

13_Data Protection_appendix_04C.indd 492

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

employee’s records held by different data users under the Mandatory Provident Fund system. 4.2.3 An employer should not retain the personal data of a former employee for a period longer than seven years from the date the former employee ceases employment with the employer unless:

4.3

4.2.3.1

there is a subsisting reason that obliges the employer to retain the data for a longer period;99 or

4.2.3.2

the former employee has given prescribed consent for the data to be retained beyond seven years.



Generally, an employer is permitted to retain personal data where the erasure of the data is prohibited under any law, where there is ongoing litigation, where there are contractual obligations on the part of the employer to retain the data, or where it is in the public interest (including historical interest) for the data not to be erased.



The employer must take all practicable steps at the earliest opportunity upon the departure of an employee to ensure that only relevant information of the employee is retained to satisfy its retention requirements. For example, a summary of service records or testimonial about the service of a former employee can be compiled for the purpose of providing job references or processing applications for re-employment relating to the former employee instead of keeping full details that may otherwise be unnecessary for the purpose.

Accuracy of Former Employees’ Personal Data 4.3.1 An employer should take all practicable steps to maintain the accuracy of personal data retained for purposes that continue after the employee has left employment.100

99. Section 26(1)(a) and (b) 100. DPP2(1)(a)

493

13_Data Protection_appendix_04C.indd 493

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance



Generally, this requirement could be met by updating the data when the former employee informs the employer of a change, or when data is about to be used where any inaccuracies of the data would have a material effect on the use of the data.

4.3.2 Where an employer has reasonable grounds for believing that personal data of a former employee is inaccurate, having regard to the purpose of its retention, the employer should not use such data unless and until those grounds cease to be applicable.101

For example, an employer may need to regularly mail documents relating to a former employee’s benefit payments. If the employer repeatedly received return mail, indicating wrong delivery, this would suggest that the contact address of the former employee was inaccurate. In this circumstance, the employer should avoid using the address for further mailing of benefit payments until the former employee’s address can be verified.

4.3.3 An employer who engages a third party to administer any postemployment matters that concern former employees, such as a provident fund scheme, should take all practicable steps to ensure that:

4.4

4.3.3.1

the data transferred is accurate having regard to the purpose for which the data is used;102 and

4.3.3.2

where it is practicable in all circumstances to know that the data was inaccurate at the time of such transfer, the recipient is informed of the inaccuracy and is provided with such particulars as will enable the recipient to rectify the data.103

Security of Former Employees’ Personal Data 4.4.1 An employer should take all practicable steps to ensure secure

101. DPP2(1)(b) 102. DPP2(1)(a) 103. DPP2(1)(c)

494

13_Data Protection_appendix_04C.indd 494

2016/6/27 2:01:04 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

protection measures are implemented in locations, either on-site at the employer’s premise or off-site on other premises, to prevent unauthorised or accidental access to the retained personal data of former employees.104

4.5

As a matter of good practice, where the personal data of former employees is retained in computer or paper files, such files should be kept separately from the files of existing staff to enhance their security. If an employer retains former employees’ data in a low-cost storage facility, this should be reasonably secure.

Providing Job References for Former Employees 4.5.1 An employer should ensure that former employees have given their prescribed consent before giving a reference on them to a third party.105

4.6

Very often, a third party may request a job reference about a former employee of the employer when the employee applies for a job with the third party. Before doing this, the employer should obtain the consent of the employee concerned or request the third party to provide proof that the consent of the employee has been provided. It should be noted that an individual providing an oral personal reference based upon personal data from written or computer records is disclosing personal data and should therefore have the prescribed consent referred to above of the individual concerned.

Public Announcements about Former Employees 4.6.1 An employer who finds it necessary to announce publicly that a former employee has left employment, and no longer represents it, should include only the minimum information required to identify the employee concerned.

In any announcement regarding a former employee that may be made public, the employer should take care not to disclose the Hong Kong

104. DPP4(1) 105. DPP3(1) and DPP3(4)

495

13_Data Protection_appendix_04C.indd 495

2016/6/27 2:01:04 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Identity Card number of the employee. Generally, the individual’s full name, former job title and name of the organisation would be sufficient for the purpose. Normally, an employer making an announcement for such purposes need not state the reason for the former employee having left the organisation. If it is necessary to disclose the reason, the employer should consider obtaining prior consent of the individual concerned unless the employer has reasonable grounds to believe that such disclosure to a news organisation would be in the public interest. 4.7

Erasure of Former Employees’ Personal Data 4.7.1 An employer who has retained personal data of former employees for purposes mentioned in paragraph 4.2.1 should ensure that, if the data is no longer necessary for such purposes prior to the expiry of the permitted retention period under paragraph 4.2.3, the data is not used for any purposes and is erased at the earliest practicable opportunity.106

Very often, records containing personal data of former employees are maintained in a storage medium other than paper files, e.g. microfiche or microfilm. If this is the case, it might not be practicable to delete individual data items from the records when the data needs to be erased. However, where the records are kept on physical paper files, then it would be practicable to destroy records that are no longer necessary for the purpose concerned. Such destruction might take place on the next occasion that the file is accessed for a particular purpose, or at the next scheduled time of the employer’s file “weeding programme”.



As a matter of good practice, an employer should develop a personal data management policy that will result in the implementation of a data disposal programme to facilitate deletion of those classes of data that are no longer necessary. This policy should also specify scheduled intervals for record destruction and disposal.

106. DPP2(2)

496

13_Data Protection_appendix_04C.indd 496

2016/6/27 2:01:05 PM

Appendix IV — The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

4.7.2 The requirement mentioned in paragraph 4.7.1 also applies to personal data of family members of the former employee held by the employer. 4.8

Retirement 4.8.1 An employer may retain relevant personal data of retired employees, or their family members, so long as there is an obligation on the part of the employer to administer any affairs relating to the retirement plan of employees.107

4.9

Generally, an employer may need to retain the name, contact, and perhaps bank details of those former employees or their dependents entitled to receive any benefits under the retirement plan. To ensure the accuracy of personal data relating to former employees, an employer should require former employees to notify it of any changes in their personal circumstances, or those of their family members (if relevant), that would necessitate updating of the data.

Death of an Employee 4.9.1 Data relating to a former employee who has died are not subject to the code. However, if an employer retains personal data relating to a living relative of a deceased employee, such data is subject to the code.108

For example, an employer may need to retain personal data of the relatives of deceased employees for the purposes of administering a company retirement fund. Such data is subject to the code.



person to prove that he took such steps as were practicable to prevent the employee from doing that act or engaging in that practice, or from doing or engaging in, in the course of his employment, acts or practices, as the case may be, of that description.

107. DPP2(2) 108. Definition of “personal data” in Section 2

497

13_Data Protection_appendix_04C.indd 497

2016/6/27 2:01:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

(4) For the avoidance of doubt, it is hereby declared that this section shall not apply for the purposes of any criminal proceedings.

498

13_Data Protection_appendix_04C.indd 498

2016/6/27 2:01:05 PM

Appendix V Checklist for Data Users in Ensuring Compliance with the Ordinance

The following are the pertinent questions that a data user should address in order to ensure that its personal data management practice complies with the requirements of the Ordinance: 1.

Is there any function or activity involving the collection of personal data? (Please refer to Chapters 2, 3 and 4 on the meaning of “personal data”, “collection” and “data user” respectively.)

2.

What are the purposes of use? Is collection of personal data necessary and are means of collection lawful and fair? Is data collected adequate and not excessive? What information would be provided to the data subject on or before collection? (Please refer to Chapter 5 for the requirements of DPP1.)

3.



What are the practicable steps taken to ensure data accuracy and how long will the collected personal data be retained before erasure? What are the contractual or other means taken to ensure that the personal data processed by a data processor is not kept for longer than is necessary? (Please refer to Chapter 6 for the requirements of DPP2 and section 26.)

4.

Does the use (including disclosure and transfer) of personal data amount to a new purpose (i.e. any purpose other than the original purpose of collection or its directly related purpose)?

5.

If the personal data is intended to be used for a new purpose, has the prescribed consent of the data subject been obtained, or is there any applicable exemption?

13_Data Protection_appendix_05.indd 499

2016/6/27 2:01:11 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

  6. Who can give the prescribed consent other than the data subject and under what circumstances? (Please refer to Chapter 7 for the requirements of DPP3 and Chapter 12 on the applicability of the exemption provisions.)   7. What are the practicable steps taken to ensure that there are adequate security measures in place to protect personal data? What are the contractual or other means taken to ensure that the personal data processed by a processor is protected from unauthorised or accidental processing, erasure, loss or use? (Please refer to Chapter 8 for the requirements of DPP4.)   8. Are there privacy policies and practices in place and are these made generally available? (Please refer to Chapter 9 for the requirements of DPP5.)   9. Are data access and correction requests being properly handled? (Please refer to Chapters 10 and 11 for the requirements of DPP6 and Part 5 of the Ordinance.) 10. Are there any applicable exemptions from compliance with the relevant requirements under the Ordinance? (Please refer to Chapter 12 for the exemption provisions under Part 8 of the Ordinance.)

500

13_Data Protection_appendix_05.indd 500

2016/6/27 2:01:11 PM

Appendix VI Data Subject’s Rights When His Personal Data Privacy Interest is Infringed

1. Conciliation with the Data User

Conciliation can be an effective informal channel in stopping infringement and in preventing repeated or continual acts or practice of personal data infringement. Sometimes misunderstanding of the application of the Ordinance can be clarified and avoided. The Commissioner encourages conciliation as an alternative means of dispute resolution.

2. Lodging of a Complaint with the Commissioner under Section 37

An individual who elects to lodge a complaint may do it in writing in either Chinese or English language, giving contact details and full particulars of the case to the Commissioner. For convenience, this can be done by using a complaint form obtainable from the Commissioner’s office or the Website. The complaint will be handled in accordance with the Commissioner’s Complaint Handling Policy.1 In general, the Commissioner will first liaise with the complainant before formal investigation commences, where a prima facie case is established. The Commissioner may or may not liaise with the

1. Available on the Website.

13_Data Protection_appendix_06.indd 501

2016/6/27 2:01:17 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

party complained against. If the Commissioner commences an investigation during which it is revealed that the data user contravened a requirement under the Ordinance, the Commissioner may serve an enforcement notice on the data user concerned directing it to take steps to remedy the contravention, and where appropriate, to prevent any recurrence of the contravention. Contravention of an enforcement notice is an offence under section 50A(1) of the Ordinance which may result in a fine and imprisonment.2 The data user may be liable to a heavier fine and imprisonment3 upon a repeated conviction. A data user who, having complied with an enforcement notice, intentionally performs the same act or omission in contravention of the requirements under the Ordinance, commits an offence under section 50A(3) (without the need for a further enforcement notice to be issued), which may result in a fine and imprisonment.4 Where there is suspected commission of an offence under the Ordinance, the Commissioner may, with the consent of the complainant, refer the case to the police for investigation, followed by prosecution by the Department of Justice, where appropriate.

3. Appeal to the Administrative Appeals Board under Section 9 of the Administrative Appeals Board Ordinance, Chapter 442, Laws of Hong Kong

A data subject who is dissatisfied with the Commissioner’s decision not to carry out or to continue to carry out an investigation has the right under section 39(4) of the Ordinance to appeal to the AAB. He also has the right under section 47(4) of the Ordinance to appeal against a decision of the Commissioner not to serve an enforcement notice to the relevant data user in consequence of the investigation concerned.

2. A fine at level five and imprisonment for two years. If the offence continues after the conviction, a daily penalty of $1,000. 3. A fine at level six and imprisonment for two years. If the offence continues after conviction, a daily penalty of $2,000. 4. A fine at level five and imprisonment for two years. If the offence continues after the conviction, a daily penalty of $1,000.

502

13_Data Protection_appendix_06.indd 502

2016/6/27 2:01:17 PM

Appendix VI—Data Subject’s Rights When His Personal Data Privacy Interest is Infringed

4. Civil Remedies

Apart from criminal sanctions imposed under specific provisions of the Ordinance, a data subject who suffers damage, including injury to feelings, resulting from a contravention of a requirement under the Ordinance is entitled to compensation from the data user concerned through civil proceedings brought under section 66 of the Ordinance. The Commissioner may, pursuant to section 66B of the Appendix Ordinance, grant legal assistance to the aggrieved individual who intends to institute legal proceedings for compensation.5

5. See the information leaflet Legal Assistance for Civil Claims under the Personal Data (Privacy) Ordinance issued by the Commissioner for details on granting legal assistance, available on the Website.

503

13_Data Protection_appendix_06.indd 503

2016/6/27 2:01:17 PM

13_Data Protection_appendix_06.indd 504

2016/6/27 2:01:17 PM

Appendix VII List of Publications of the Commissioner

Codes of Practice/Guidelines 1.

2.

3.

Code of Practice on the Identity Card Number and Other Personal Identifiers a.

Compliance Guide for Data Users

b.

Your Identity Card Number And Your Privacy — A Guide to Individuals

Code of Practice on Human Resource Management a.

Compliance Guide for Employers and Human Resource Management Practitioners

b.

Human Resource Management: Some Common Questions

Code of Practice on Consumer Credit Data a.

4.

Understanding the Code of Practice on Consumer Credit Data — Frequently Asked Questions on the Sharing of Mortgage Data for Credit Assessment Purpose

Privacy Guidelines: Monitoring and Personal Data Privacy at Work a.

Monitoring and Personal Data Privacy at Work: Points to Note for Employers of Domestic Helpers

13_Data Protection_appendix_07.indd 505

2016/6/27 2:01:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Guidance Notes Biometric Data   1. Guidance on Collection and Use of Biometric Data

Children Privacy   2. Collection and Use of Personal Data through the Internet — Points to Note for Data Users Targeting at Children

Corporate Governance   3. Privacy Management Programme: A Best Practice Guide

Data Access Request   4. Guidance on the Proper Handling of Data Correction Request by Data Users   5. Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Data Breach Notification   6. Guidance on Data Breach Handling and the Giving of Breach Notifications

Direct Marketing   7. New Guidance on Direct Marketing

Electioneering   8. Guidance on Electioneering Activities

Industry-specific   9. Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry 10. Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry 11. Guidance on Property Management Practices 12. Personal Data Privacy: Guidance for Mobile Service Operators

506

13_Data Protection_appendix_07.indd 506

2016/6/27 2:01:24 PM

Appendix VII — List of Publications of the Commissioner

Information and Communications Technology 13. Best Practice Guide for Mobile App Development 14. Guidance on the Use of Portable Storage Devices 15. Guidance for Data Users on the Collection and Use of Personal Data through the Internet 16. Guidance on Personal Data Erasure and Anonymisation

Monitoring & Surveillance 17. Guidance on CCTV Surveillance and Use of Drones

Personal Information Collection Statement and Privacy Policy Statement 18. Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement

Public Domain 19. Guidance on Use of Personal Data Obtained from the Public Domain

Trans-border Data Flow 20. Guidance on Personal Data Protection in Cross-border Data Transfer

Information Leaflets Corporate Governance   1. Privacy Impact Assessments

Data Access Request   2. A Guide for Data Users — No. 2 — Compliance with Data Access and Correction Requests

Healthcare   3. Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals)   4. Care for Patients — Protect Their Personal Data

507

13_Data Protection_appendix_07.indd 507

2016/6/27 2:01:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Human Resources   5. Understanding the Code of Practice on Human Resource Management — Frequently Asked Questions About Recruitment Advertisements   6. Compliance Guide for Employers and Human Resource Management Practitioners   7. Human Resource Management: Some Common Questions

Information and Communications Technology   8. Cloud Computing   9. Privacy Implications for Organisational Use of Social Networks 10. Online Behavioural Tracking 11. Personal Data Privacy Protection: What Mobile Apps Developers and their Clients should know

Matching Procedure 12. Matching Procedure: Some Common Questions

Others 13. Outsourcing the Processing of Personal Data to Data Processors 14. Offence for disclosing personal data obtained without consent from the data user

PCPD & the Ordinance 15. About the Office of the Privacy Commissioner for Personal Data, Hong Kong 16. An Overview of the Major Provisions of the Personal Data (Privacy) (Amendment) Ordinance 2012

Books   1. A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance published by Hong Kong Computer Society supported by PCPD

508

13_Data Protection_appendix_07.indd 508

2016/6/27 2:01:24 PM

Appendix VII — List of Publications of the Commissioner

  2. How Insurance Practitioners Can Protect Their Customers’ Personal Data, jointly published by the PCPD and the Hong Kong Federation of Insurers.   3. Data Protection Principles in the Personal Data (Privacy) Ordinance — From the Privacy Commissioner’s perspective   4. Proper Handling of Customers’ Personal Data by Estate Agents jointly published by the PCPD and the Estate Agents Authority to protect customers’ personal data through real-life examples.   5. Recommended Procedures for IT Practitioners on Personal Data Handling

Leaflets/Booklets Children Privacy   1. Children Online Privacy — Practical Tips for Parents and Teachers   2. Children Handbook: Protect, Respect Privacy (兒童手冊：保護私隱尊重別人) (Chinese version only)

Data Access Request   3. Exercising Your Data Access Rights Under the Personal Data (Privacy) Ordinance

Direct Marketing   4. Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance

General   5. Have My Say on Personal Data Privacy   6. Personal Data is Essential — Protect your Privacy — For Senior Citizens   7. Personal Data is Essential — Protect your Privacy (個人資料好重要保障私隱不 可少) (Chinese version only)

Healthcare   8. Electronic Health Record Sharing System and Your Personal Data Privacy (10 Privacy Protection Tips)

509

13_Data Protection_appendix_07.indd 509

2016/6/27 2:01:24 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Human Resources   9. Personal Data is Essential — Protect Your Privacy — Job Seeking

Information and Communications Technology 10. Protecting Online Privacy — Be Smart on Social Networks 11. Leaflet: Protect Privacy by Smart Use of Smartphones 12. Cyber-bullying — What you need to know 13. Protecting Privacy — Using Computers and the Internet Wisely

Legal Assistance 14. Legal assistance for civil claims under the Personal Data (Privacy) Ordinance

510

13_Data Protection_appendix_07.indd 510

2016/6/27 2:01:24 PM

Index (All references are to page number)

absurd result 3–4, 12 presumption against 3–4 accurate 75, 98–99, 102, 191, 227, 229, 276, 356, 442, 473–474, 480, 482, 494 inferred from the meaning of “inaccurate” 22, 99 Administrative Appeals Board appeals to 68, 71, 128, 227, 237, 265, 332, 334, 337–340, 347, 352, 358, 361, 365, 502 Amendment Ordinance 1, 5, 46–49, 60, 86–87, 89, 98, 103, 108, 133, 138, 144, 148, 171, 182, 186, 192, 200, 213, 236, 247, 254, 256, 260, 269, 272–273, 312, 337, 357, 508 took effect 236 biometric data 19–20, 74, 77, 105, 506 CCTV 8, 18, 30–31, 67, 76, 179, 191, 507 Code of Practice consumer credit data, on 51, 72, 74, 106, 268, 392, 394, 505 human resource management, on 51, 64, 106, 433, 436, 505, 508 identity card number and other personal identifiers, on 51–59, 371, 373, 452, 505 prima facie evidence of contravention 118, 217, 339, 344, 349, 355 collect for meaning of, see Eastweek Case

14_Data Protection_index.indd 511

compensation 2, 35, 43, 101, 258, 262, 265, 301, 306, 438, 470–472, 491, 503 civil remedy, section 66 35, 503 complaint lodged under section 37 501 report of complaint case, section 48 66 contravention of data protection principles 24, 51, 54, 60, 71, 76, 99, 107, 117–118, 121, 126, 129, 132, 137, 170, 245, 249, 253, 264–265, 352, 357, 369, 397, 399–400, 403–415, 417–419, 421, 423–425, 429 of an enforcement notice, offence 1, 48, 502 exercise of the Commissioner’s enforcement powers 1, 48, 53, 159, 162, 307, 336, 347, 361, 365 repeated contravention on same act or omission as specified in enforcement notice 1, 48, 502 covert surveillance 66, 254 crime exemption, section 58 33, 53, 118, 245–254, 262, 286–288, 316–317, 342–343 security of Hong Kong, section 57 233, 235, 243–244, 268, 293, 375, 382 customer loyalty programme 57–59 data definition, section 2(1) 8–9 requirement of being recorded 79, 332

2016/6/27 2:02:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

data access request for application, see Data Protection Principle 6(a) to (d) Data Access Request Form 190–191 data correction request for application, see Data Protection Principle 6(e) to (g) data processor 38, 46–47, 98, 108–109, 147, 171–173, 181, 277, 279, 485, 499, 508 definition, DPP2(4), DPP4(3) 108–109, 170–173

reasonably practicable steps to inform, take all 79–81 statement of 77–78 unsolicited data 79–80 Data Protection Principle 2(1) 97–100, 103, 221, 355–356, 403–404, 409, 412, 419, 423, 442–443, 461, 473, 480, 482, 493–494 absolute accuracy, not required 98–99 defects in data handling system 99–100 dispute of accuracy 100–102 meaning of “inaccurate” 99 statement of 98

Data Protection Principle 1(1) 44, 49–57, 59–60, 71, 76, 83, 115, 405–407, 415, 455, 460, 463, 465, 470, 475–476, 489 excessive collection of personal data 50–51, 54–55, 58–61, 75–76, 275, 300, 489, 499 lawful purpose in relation to function and activity, collection for 50, 115, 275 statement of 50

Data Protection Principle 2(2) 48, 98, 103–107, 113, 349, 411, 417–419, 490, 496–497 Eastweek case, implication of 107 erasure of personal data, section 26(1) personal data kept for fulfilment of purpose 103–105 personal data kept longer than usual statement of 105–107

Data Protection Principle 1(2) 24, 49, 63–68, 71, 75–76, 267, 298–299, 311, 346–347, 365–366, 405–410, 458–459, 464–465, 470, 475–476 consumer credit data 72–74, 268, 392–432 lawful and fair, means of collection 63–-77, 95, 298–300, 499 news reporting 70, 265–267 statement of 63 unlawful collection 63, 69

Data Protection Principle 2(4) 108, 171, 460 statement of 108

Data Protection Principle 1(3) 6, 49, 77–87, 90–91, 113, 127, 272, 299, 338–339, 397, 399, 435, 437–441, 455, 457–458, 470 direct collection from data subject 78 exemption from notification 79–80 matters explicitly to be informed 82–83 matters implicitly to be informed 82–83 meaning of “use” 82–84 personal information collection statement (PICS) 6, 80, 82–87, 113–115, 177–178, 338–339, 435, 437–438, 442, 455, 457–458, 470

Data Protection Principle 2(3) 97, 108–109, 411, 460 data processor 108–109 statement of 108

Data Protection Principle 3 44, 78, 83, 111–114, 117–119, 121–130, 132–136, 138–141, 169–170, 235–236, 239, 243, 246, 248–249, 252–256, 261–262, 264–265, 267, 269, 272–273, 303, 305, 314–320, 342–343, 346–347, 351–353, 357–359, 367–369, 400, 408, 411–412, 420–421, 429, 435, 442, 451, 460, 462, 466, 474, 477, 481, 495, 500 directly related purpose 126–128 excessive disclosure, change in purpose of use 130–132 factors in ascertaining 113 necessary for the functions and activities, examples 115–116 non-related purpose, examples 115, 121–126

512

14_Data Protection_index.indd 512

2016/6/27 2:02:01 PM

Index

exemptions under Part 8 135 new purpose 112–113 original purpose 113–115 as imposed by data user 120 compliance with legal or statutory requirements 120–121 functions and activities of data user 115–116 personal data in public domain 120–121 restrictions of use imposed by data subject or transferor 116–117 prescribed consent 135–138 adverse consequence, given without fear of 136–137 definition, section 2(3) 135 express, not implied 136 voluntarily, given 136–137 given by relevant person 138–140 statement of 112 transfer of personal data 119, 125, 127, 129 “use” of personal data, meaning of 112 Data Protection Principle 4(1) 148, 158, 169, 172, 413–414, 424–425, 444–445, 447, 462–463, 473, 483, 495 absolute security, no requirement of 148 appropriate steps 149–158, 165 data breach 158 degree of sensitivity of data and harm test 148–149 Internet service providers 162–163 outsourcing 170–173 precautionary steps, examples of 149– 157 statement of 148 storage and transmission, limited to 169–170 use of HKID number as password 163 use of portable storage devices 155 Date Protection Principle 4(2) 171–172, 411, 424, 446, 460 outsourcing 170–173 statement of 171 Data Protection Principle 5 6, 83, 113, 175–180, 338–339, 452, 480, 500

monitoring policy, an example of 180 policies and procedures ascertainable 176–180 practicable steps, not absolute duty 176, 179 privacy policy statement (PPS) 176–179 statement of 176 Data Protection Principle 6(a) to (d) 26, 48, 87, 104, 219, 234–235, 239, 240, 242–243, 245–246, 252, 254, 257, 265, 269, 301, 326, 330, 334, 336, 500 compliance with data access request 184, 192–201 clarification, request for, section 20(3)(b) 194–195 in writing, section 19(1)(b) 192–194 material time, reference to, section 19(3)(a)subjective element, access request containing 193–194 language and format 198–200 discretionary refusal for compliance, section 20(3) 189–191, 195, 210–213 duty of confidentiality, section 20(3)(d) 212–213 exemptions under Part 8 184, 192, 211 part refusal 214 fees for compliance, section 28 204– 207 how to make a data access request 189–191 judicial function 209–210 obligatory refusal to comply, section 20(1) and (2) 208–210 consent of another individual required 201–202 erasure of identifying information 202–203 proper exercise of the right 216–217 relevant person 185, 187–189, 208, 211 statement of 184 steps to take in refusing access request 214–216 log book, entry in 214–216 notification of refusal 214–215 reasons for refusal 214–215 within 40 days, given 214

513

14_Data Protection_index.indd 513

2016/6/27 2:02:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

time for compliance within 40 days 186, 192, 197–198, 214 what constitutes a data access request 185–187 who may make a data access request 187–189 Data Protection Principle 6(e) to (g) 26, 48, 87, 104, 219, 234–235, 239–240, 242–243, 245–246, 252, 254, 257, 265, 269, 301, 326, 330, 334, 336, 500 compliance with correction request, section 23(1) 221, 223–225 fee chargeable, no 225 satisfied that data is inaccurate 221, 223–224, 226–227, 229, 231 within 40 days 223–224, 230 discretionary refusal for compliance, section 24(3) 222, 226–227, 229 meaning of “correction” 220, 224 obligatory refusal for compliance, section 24(1) 221–222, 226 opinion, expression of 227–228, 231– 232 prescribed form, no 190 relationship with data access request 220–221 statement of 220 steps taken for refusal to comply with correction request 229–232 log book, entry in 229–230 notify requestor within 40 days, section 25(1) 223–224, 230 data subject ascertainment of identity 9, 13–15, 17, 19–20 conditions of use imposed by 113, 116–119 Eastweek case 26 personal data of, see definition of Personal Data PICS to be given to 80, 83, 87 prescribed consent 78, 112–113, 137– 138, 141–142, 269, 277–278, 380, 396, 435 reasonable expectation of 69, 84, 86, 114–115, 120–121, 123, 126, 134– 135, 320

relevant person of 138–140, 187–189, 221–222, 256–257, 277–278, 290 right of access to personal data, DPP6 184, 187, 196, 216, 220, 441 right to claim for damages, section 66 and other rights 2, 35, 250, 305, 315 data user control over personal data 38, 40, 42–46 definition, section 2(1) 38 examples of not being a data user 38–42 permitted act or practice 47–48, 51, 54, 120–126, 204, 225, 435, 487, 493 required act or practice 47–48 exclusion under section 2(12)b 41–42 “solely on behalf of another person” 41 garbage collector, example of 167 government 42–44, 50, 160–162, 176, 205, 284–285, 301–302, 360–363 internet service provider, example of 17–18, 162–163, 250 joint data users 44–46 meaning in the light of Eastweek case 38–39 meaning of “person” 42–44 obligation of, section 4 47–48 direct marketing consent 61, 64, 89–95, 137, 144–145 marketing subject 89–94, 142–143 means 88 notification requirements 90–92 offence 143–144 permitted class of marketing subjects 142–143 permitted class of persons 140 permitted kind of personal data 254 personal data, definition 9 provision 87–91, 93–94 use 87–94 pre-existing data 92–93, 143–144 response channel 89–91, 141 disclosure 8, 13, 17, 41, 71, 98, 170, 201–204, 209–210, 225, 232, 247, 251, 255, 260, 262–265, 268, 270–271, 290,

514

14_Data Protection_index.indd 514

2016/6/27 2:02:01 PM

Index

292, 294, 299, 301–303, 305, 314–320, 323, 325, 342, 345–347, 351–353, 358, 402, 423, 449, 451, 466, 468, 481–486, 490, 492, 496, 499 a form of “use” 112, 116–117, 119, 126–128, 243 excessive disclosure, change in purpose of use 112–113, 122–123, 128–132, 238, 249, 253 not the same as transit or storage 170– 171 document definition, section 2(1) 8 in relation to data access request, creation of 15, 184, 189–191, 200 relates to the definition of “data” 8 domestic purposes 233–234, 238, 282 exemption, section 52 233–234, 238– 239, 282, 347 Eastweek case 6, 23–24, 26–31, 37–38, 51, 67, 70, 107, 264, 327, 365, 369 “collection” of personal data, judicial interpretation of 23–26, 38, 51 absence of collection 24, 26, 28, 38–39 compiling information by collecting party 25–36, 38, 51 identified individual, of 25–26, 28 identity being an important item of information 25–27, 369 data protection principles, no invoking of 29, 31, 107 examples of indifference to or irrelevance of identity 25, 28, 31 examples of no compilation of information 27–28, 38–39 facts of the case 24, 311–313 photograph, taking of 24, 28, 70, 264, 365 significance of 26, 30–32, 37–38 subjective element of data collector 25 electronic storage and transmission 150–153, 157 DPP4, specific situations 169–170 email addresses 7, 18–19, 433–498

employment 307–309, 355, 375, 388 blind recruitment advertisements 64–65 Code of Practice on Human Resource Management, Appendix IV 433–498 compilation of information 27, 51, 67, 79, 119, 242–243, 455 criminal records of prospective employees 62–63 data access request 228, 259 data correction request 101 employee monitoring 66, 68, 179 employment agency 107, 115, 130 exemptions, Part 8 239–240 health data of employees 61–62, 472 past medical records 298–300 recruitment and human resource management 107, 151, 234, 239– 240, 282 examination scripts 7, 20–21, 349–350 exemptions under Part 8 83, 233 general application, section 51 233–234 section 51A, performance of judicial functions 236–237, 281, 319 “judicial officer” 236, 281 section 52, domestic purposes 233, 238–239, 282, 347 key words of “held”, “individual”, “only” 238 scope of application 238–239 the relationship with DPP3 239 sections 53 and 54, staff planning and employment 233, 239–240, 282, 476 “employer” in section 54(1)(a)(ii), meaning of 240, 282–283 scope of application of section 53 239–240 transitional provision, section 54 240, 282 section 55, relevant process 87, 233, 240–242, 283–284, 467, 478 “appeal”, meaning of 241 application 239–241 “relevant process”, definition of 241, 283 section 56, personal references application 233, 242–243, 284, 468 exemption from DPP6 and section 18(1)(b) 242

515

14_Data Protection_index.indd 515

2016/6/27 2:02:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

section 57, security, etc., in respect of Hong Kong 233, 235, 243–245, 284–288, 293, 375, 382 certificate, as conclusive evidence 244 data access request to police, as example 244–245 statement given by informant to police, as example 244 section 58, crime 53, 55, 233, 235, 245–253, 286–288, 302, 304–305, 314–317, 342–343, 347, 351–352, 354, 376, 382, 483 “crime” 245, 247, 250, 252, 286, 351–352, 354, 376, 483 “offender” 245, 247, 250, 286, 352, 376 “likely to prejudice” in section 58(2)(b) 246, 252–253, 347 “tax” 245, 247, 252, 286 “the remedying of unlawful or seriously improper conduct” in section 58(1)(d) 245–247, 249– 250, 286, 305, 317 section 58A, protected product and relevant records under Interception of Communications and Surveillance Ordinance 254, 289 key words of “collection”, “holding”, “processing”, “use” 254, 289 “protected product” 234, 254, 289 “relevant records” 254, 289 section 59(1) & (2), health 106, 233, 235, 254–256, 289–290 criteria of application 254 examples of application 255 section 59A, care and guardianship of minors 233, 235, 256–257, 290 exemption from DPP3 256, 290 “relevant person” 256, 290 section 60, legal professional privilege “could be maintained in law”, as standard of proof 233, 235, 257–259, 290 exemption from DPP6 and section 18(1)(b) 257, 290 section 60A, self incrimination 233, 235, 260, 291 criteria of application 260

section 60B, legal proceedings 233, 235, 251–252, 260–263, 291, 305– 306, 319, 466, 481 exemption from DPP3 261, 291 section 61, news 233, 235, 263–267, 291–292, 364, 366 application 263 circumscribing the power of investigation 263–264 Eastweek case, see Eastweek case exemption from DPP3 264, 292 exemption from DPP6 and section 18(1)(b) 265–266, 291 “news activity”, meaning of 263, 292 “public interest” in section 61(2)(b), illustrated 264–265, 292 section 62, statistics and research 235, 267–269, 292, 420 conditions to be satisfied 267 retention of raw data, no contravention when conditions met 268 section 63, exemption from section 18(1)(a) 233, 235, 245, 268–269, 293 application 245 saving for section 57 and section 58 268–269 section 63A, human embryos, etc., 235, 269, 293 section 63B, due diligence exercise, 233, 235, 269–271, 293–295, 488 conditions to be satisfied 270–271, 294 “due diligence exercise”, meaning 270, 294 “provision for gain” in section 35A(2) 271, 295 offence 271 section 63C, emergency situations 233, 235, 272, 295 exemption from DPP1(3) and DPP3 272, 295 “immediate family member”, meaning 272, 295 section 63D, transfer of records to Government Records Service 235, 272–273, 295 exemption from DPP3 272

516

14_Data Protection_index.indd 516

2016/6/27 2:02:01 PM

Index

expression of opinion 8, 12, 79, 102, 228, 231–232, 450, 479–480 definition, section 25(3) 227, 231 included in definition of “data” 8, 12 in relation to data correction request, section 25(2) and (3) 231 fabricated information 7, 22 form meaning of 15–16 guidelines xix, 33, 66, 68–69, 100, 105– 106, 152–153, 162, 165, 179, 252, 365, 383, 413, 425, 505 issued under section 8(5) 66, 179 Privacy Guidelines: Monitoring and Personal Data Privacy at Work 30, 33, 66, 68, 179, 505 health 11, 29, 61–62, 89, 138, 141, 166, 181, 188, 235, 278, 324, 465, 472, 507, 509 exemption, section 59 233, 254–256, 289–290 HKID number 47, 52–54, 56–60, 64, 104, 122, 130–131, 150, 154, 163, 166, 223, 227, 232, 250–251, 323, 371 information privacy xxv–xxvii, 31–32, 34, 311, 313 a kind of privacy interest 31, 34 injury to feeling 309 damages suffered, section 66 35, 503 interpretation of Ordinance 2 common law rules 3 definitive interpretation, no grey areas, treatment of 2 Interpretation and General Clauses Ordinance, section 19 2, 3, 42 presumption against absurdity 4 IP addresses 7, 17, 181 law enforcement 30, 43, 105, 157, 272, 288, 342 exemption under section 57, security of Hong Kong 244–245 exemption under section 58, crime, etc. 33, 247, 252–253, 288 notification not required under DPP1(3)

Law Reform Commission xxv, xxvi, 6, 33 Report on Reform of the Law Relating to the Protection of Personal Data 32 Report on Privacy: Regulating the Interception of Communications 33 Report on Privacy and Media Intrusion 33 Report on Civil Liability for Invasion of Privacy xxv, 71, 366 legal advice obtained before invoking Part 8 exemptions 211, 257–258 obtained prior to compliance with data access request 197, 206 legal assistance xix, 247, 352, 510 application 258 compensation 35, 503 grant 35, 503 legal professional privilege 214, 233, 235, 257–259, 290 exemption, section 60 214, 233, 251– 252, 257–263, 290–291, 304–306, 319, 466, 481 mobile apps 59, 81, 156, 508 mobile phone numbers 7, 21, 60, 323 news activity 233, 235 definition 263, 292 exemption, section 61 263–264, 266, 291 online behavioural tracking 94–95, 508 outsourcing 108–109, 147, 170, 173, 485, 508 personal data collection of, by data user 28, 30–31, 50–51, 60, 63–65, 73, 79, 81, 84, 86, 113, 176, 180–181, 238, 267, 275– 276, 298–299, 346–347, 364–365, 437, 454–456, 461, 464, 499 definition, section 2(1) 9 relating to a living individual 9–12 ascertainment of identity 13–15 form of existence 15–17 examples of no collection of 24, 26, 27, 39, 369

517

14_Data Protection_index.indd 517

2016/6/27 2:02:01 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

meaning of “collection” of, in the light of the Eastweek case 51, 311–313, 327 see also Eastweek case, “collection” of personal data, judicial interpretation of Personal Information Collection Statement (PICS) 6, 80, 82–87, 113– 115, 177–178, 338–339, 435, 437–438, 442, 455, 457–458, 470 DPP1(3), matters to be informed 6, 77–87, 90–91, 113, 127, 272, 299, 338–339, 397, 435, 437–441, 455, 457–458, 470 personal privacy xxi, xxii, xxv, 32–33, 311, 313 a kind of privacy interest xxv, 23, 31, 34, 177, 312–313, 502–503 personal references 234, 242, 454, 464 exemption, section 56 42, 109, 125, 167, 169, 351, 358–359, 446, 451, 460, 485 principal 42–43, 101, 125, 169, 264–265, 351, 359, 395, 444 liability, section 65(2) 42, 109, 125, 167, 169, 351, 358–359, 446, 451, 460, 485 privacy interests xxv, 23, 31, 34, 177, 312–313 communications and surveillance privacy xxv, 32–33, 313 information privacy xxv–xxvii, 31–32, 34, 311, 313 personal privacy 32–33, 311, 313 territorial privacy xxv, 32, 313 Privacy Policy Statement (PPS) 6, 82, 176–182, 233–235, 312, 338–339, 359 , 452, 480, 507 DPP5, general requirement 6, 83, 113, 175–180, 338–339, 500

publishers of newspapers 26, 263 compilation of personal data 107, 169–170, 235 Eastweek case, implication of 29, 38, 107, 264 news activities, exemption under section 61 234, 263–267 regulatory approach 3 relevant process 234, 240–241, 283, 467–468 exemption, section 55 240–242, 283, 478–479 Secrecy Obligation 210, 320, 445 of the Commissioner and his officers, section 46 209, 309 seriously improper conduct 245–250, 252, 301, 314, 316, 347 exemption, section 58(1)(d) 286–287, 302, 305, 315, 317, 342–343, 382, 483 staff planning 234, 239–240, 469, 476 exemption, section 53 240, 282, 476 stalking 32–34 statistics and research exemption, section 62 235, 267, 292 transfer a form of “use” 45, 82, 84–86, 90–91, 93–94, 127, 133–134, 141–142, 437, 499 not the same as transit or storage 108, 112, 158, 160 unsolicited data 80 compilation of personal data, any 80 no Personal Information Collection Statement (PICS) applicable 116 use meaning of, section 2(1) 38, 85, 112

public domain 73, 113, 120, 123–124, 358–359, 367, 369, 507

518

14_Data Protection_index.indd 518

2016/6/27 2:02:01 PM

List of Court Cases and Administrative Appeals Board Decisions (Page numbers appear in bold)

Court Cases Cathay Pacific Airways Limited v. Administrative Appeals Board & Another [2008] 5 HKLRD 539 61, 298–299 Chan Chuen Ping v. The Commissioner of Police [2014] 1 HKLRD 142 251–252, 301–302 Chan Wai Ming v. Leung Shing Wah [2014] 1 HKLRD 376 251 Chan Yim Wah Wallace v. New World First Ferry Services Limited (HCPI 820/2013) 10, 252, 261, 303–306 Cinepoly Records Company Limited and Others v Hong Kong Broadband Network Limited and Others [2006] HKLRD 255 17–18, 250, 305 Dr. Alice Li Miu-ling v The Hong Kong Polytechnic University (DCEO 1/2004) 35, 307–310 Durant v Financial Services Authority [2003] EWCA Civ 1746 9–10 Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83 6, 311–313 Gillick v West Norfolk and Wisbech Area Health Authority and Another [1986] AC 112 138 HKSAR v Hung Chan Wa [2005] 3 HKLRD 291 4 Jones v Tsige, 2012 ONCA 32 34 Lily Tse Lai Yin & Others v The Incorporated Owners of Albert House & Others (HCPI 828/1997) 249–250, 305, 314–315, 484 M v M (FCMC 1425/1998) 248–249, 316–317

15_Data Protection_list of court cases.indd 519

2016/6/27 2:02:05 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

Ng Shek Wai v The Medical Council of Hong Kong (HCAL 167/2013) 262, 318– 320 Oriental Press Group Limited v Inmediahk.net Limited [2012] 2 HKLRD 1004 250, 321–323 R. v. R. [1991] 4 All ER 481 250 The Medical Council of Hong Kong v David Chow Siu Shek [2000] 2 HKLRD 674 4 Tso Yuen Shui v Administrative Appeals Board (HCAL 1050/2000, CACV 960/2000, unreported) 326–328, 331 Tsui Koon Wah v Privacy Commissioner for Personal Data [2004] 2 HKLRD 840 217 Wong Kar Gee Mimi v Hung Kin Sang Raymond & Another [2011] 5 HKLRD 241 131 Wong Tze Yam v Tang King-shing, Commissioner of Police and Secretary for Justice (CACV 199/2009) 63 Wu Kit Ping v. Administrative Appeals Board [2007] 4 HKLRD 849 10–11, 196– 197, 203–204, 216, 324–325 黃佩雲 對 行政上訴委員 (CACV 351/2006) 196

Administrative Appeals Board Decisions AAB No. 4/1997 38–39 AAB No. 22/1997 38 AAB No. 23/1997 265 AAB No. 5/1999 169, 381 AAB No. 19/1999 127 AAB No. 21/1999 8–9 AAB No. 24/1999 16, 27–28, 330–331 AAB No. 25/1999 80 AAB No. 15/2000 176 AAB No. 16/2000 13, 332–333 AAB No. 22/2000 101, 227, 334–335

520

15_Data Protection_list of court cases.indd 520

2016/6/27 2:02:05 PM

List of Court Cases and Administrative Appeals Board Decisions

AAB No. 24/2001 187, 195, 336–337 AAB No. 29/2001 22 AAB No. 49/2001 11–12 AAB No. 17/2002 128 AAB No. 35/2003 178, 338–339 AAB No. 66/2003 115 AAB No. 6/2004 8–9 AAB No. 11/2004 128 AAB No. 14/2004 249 AAB No. 17/2004 195, 198, 340–341 AAB No. 26/2004 119, 247–248 AAB No. 39/2004 236 AAB No. 41/2004 53 AAB No. 46/2004 217 AAB No. 3/2005 40–41 AAB No. 5/2005 220 AAB No. 8/2005 40 AAB No. 27/2005 12 AAB No. 49/2005 22 AAB No. 61/2005 196 AAB No. 64/2005 247 AAB No. 67/2005 15 AAB No. 5/2006 252, 342–343 AAB No. 10/2006 131 AAB No. 14/2006 67, 179 AAB No. 27/2006 196, 344–345 AAB No. 39/2006 128 AAB No. 41/2006 118 AAB No. 42/2006 229 AAB No. 46/2006 68, 236, 346–348 AAB No. 55/2006 39

521

15_Data Protection_list of court cases.indd 521

2016/6/27 2:02:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

AAB No. 3/2007 71 AAB No. 7/2007 20, 349–350 AAB No. 14/2007 12 AAB No. 16/2007 17–18, 40, 351–353 AAB No. 22/2007 237 AAB No. 34/2007 266 AAB No. 1/2008 200 AAB No. 12/2008 99, 222, 228, 355–356 AAB No. 16/2008 196 AAB No. 23/2008 79, 87 AAB No. 25/2008 18 AAB No. 29/2008 80 AAB No. 32/2008 255 AAB No. 19/2009 259 AAB No. 20/2009 46 AAB No. 21/2009 84 AAB No. 24/2009 126 AAB No. 25/2009 124, 357-359 AAB No. 37/2009 205–206, 360–363 AAB No. 38/2009 80, 133 AAB No. 50/2009 232 AAB No. 4/2010 117 AAB No. 5/2010 74 AAB No. 10/2010 186 AAB No. 20/2010 249 AAB No. 28/2010 12, 239 AAB No. 2/2011 101 AAB No. 5/2011 31 AAB No. 7/2011 80 AAB No. 12/2011 102 AAB No. 13/2011 132

522

15_Data Protection_list of court cases.indd 522

2016/6/27 2:02:06 PM

List of Court Cases and Administrative Appeals Board Decisions

AAB No. 14/2011 101 AAB No. 51/2011 85 AAB No. 52/2011 17, 206 AAB No. 57/2011 237 AAB No. 74/2011 229 AAB Nos. 5 & 6/2012 364–366 AAB No. 15/2012 204 AAB No. 21/2012 198 AAB No. 25/2012 19, 116 AAB No. 31/2012 255 AAB No. 33/2012 129 AAB No. 10/2013 209 AAB No. 12/2013 41 AAB No. 20/2013 196 AAB No. 23/2013 62 AAB No. 24/2013 56 AAB No. 25/2013 68 AAB No. 26/2013 213, 243 AAB No. 232/2013 41 AAB No. 233/2013 177, 210 AAB No. 8/2014 129 AAB No. 12/2014 252 AAB No. 18/2014 132 AAB No. 19/2014 165 AAB No. 20/2014 191 AAB No. 26/2014 252 AAB No. 41/2014 262 AAB No. 46/2014 127 AAB No. 50/2014 31 AAB No. 54/2014 123, 236, 367–369 AAB No. 1/2015 129, 251, 261

523

15_Data Protection_list of court cases.indd 523

2016/6/27 2:02:06 PM

Personal Data (Privacy) Law in Hong Kong — A Practical Guide on Compliance

AAB No. 4/2015 15, 22 AAB No. 8/2015 228 AAB No. 15/2015 106

524

15_Data Protection_list of court cases.indd 524

2016/6/27 2:02:06 PM