I. The meaning of "personal data" and the six data protection principles
Personal data means any data "relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable" (e.g. a document or a video tape). The legal definition of personal data can be found in section 2 of the Personal Data (Privacy) Ordinance (Cap. 486) ("the Ordinance").
Obvious examples of personal data are an individual's identity card number and fingerprints, through which he or she can be identified. Alternatively, it may also be practicable to ascertain an individual's identity through a combination of data such as telephone number, address, sex and age.
The Ordinance came into force on 20 December 1996. It applies to any person who collects, holds, processes and uses personal data within the private and public sectors as well as government departments. Generally speaking, the Ordinance governs the ways of collecting and using personal data, and prevents any abuse of data that is considered as intruding on an individual's privacy.
Under current statutory and common law in the Hong Kong SAR, only personal data is protected under the Ordinance. Article 14 of the Hong Kong Bill of Rights stipulates that "no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation." However, the Ordinance does not cover privacy matters other than personal data.
The six data protection principles
Any person or organization collecting, holding, processing or using personal data must comply with the six data protection principles laid down in section 4 and schedule 1 of the Ordinance. (Note: The individual to whom the data relates is called the "data subject", and the person or organization who, either alone or jointly with other persons, controls the collection, holding, processing or use of the personal data is called the "data user".)
Principle 1 – purpose and manner of collection of personal data
Personal data must be collected for a lawful purpose. The purpose of collection must be directly related to a function or activity of the data user. The data collected should be adequate but not excessive in relation to that purpose.
Personal data should also be collected by lawful and fair means. Unauthorized access to another person's bank account records or credit card information is an example of unlawful means of collecting personal data. If a person/organization intentionally uses a misleading way to collect personal data, this amounts to an unfair means of data collection. A company collecting the personal data of job applicants by means of recruitment activities when in fact it is not really recruiting anyone is an example of unfair means of collecting personal data.
When personal data are collected directly from the data subject, the data subject must be provided with information (unless the purpose for collection is exempt from Data Protection Principle 6) that includes:
- the purpose for which the data are to be used;
- the classes of persons to whom the data may be transferred;
- whether it is obligatory or voluntary for the data subject to supply the data;
- the consequences arising if the data subject fails to supply the data; and
- the data subject's right to request access to and correction of the data.
Principle 2 – accuracy and duration of retention of personal data
Data users must ensure that the data held are accurate and up-to-date. If there is doubt as to the accuracy of the data, data users should stop using the data immediately. They should not keep the data any longer than is necessary for the purpose for which the data were collected.
Principle 3 – use of personal data
Unless personal data are used with the prescribed consent of the data subject, the data must not be used for any purpose other than the one mentioned at the time the data were collected (or a directly related purpose). "Prescribed consent" means the express consent given voluntarily by the data subject.
Principle 4 – security of personal data
Data users must take appropriate security measures to protect personal data. They must ensure that personal data are adequately protected against unauthorized or accidental access, processing, erasure, or use by other people without authority.
Principle 5 – information to be generally available
Data users must publicly disclose the kind (not the content) of personal data held by them and their policies and practices on how they handle personal data.
The best practice is to formulate a "Privacy Policy Statement" that encompasses information such as the accuracy, retention period, security and use of the data as well as measures taken regarding data access and data correction requests.
Principle 6 – access to personal data
A data subject is entitled to ask a data user whether or not the data user holds any of his/her personal data, and to request a copy of such personal data held by that user. If it is found that the data contained therein is inaccurate, the data subject has the right to request the data user to correct the record.
The data user must accede to the access and correction requests within a statutory period of 40 days. If the data user cannot process the request within the period specified, it must provide a reply and state its reasons within 40 days.
Individuals/data subjects who wish to make data access requests may download the Data Access Request Form (OPS003) from the Privacy Commissioner's Office and send the completed form to the company which holds the personal data. It should be noted that the Ordinance permits data users, in complying with the data access requests, to charge a reasonable fee. However, the data users concerned should not charge more than the direct cost of complying with the requests.