Skip to main content

2. Are there any situations in which the persons/companies holding personal data may be exempt from the Ordinance or the Data Protection Principles?

In some situations, data users may be exempt from the restrictions imposed by the Ordinance or the six Data Protection Principles (DPP). The Personal Data (Privacy) (Amendment) Ordinance 2012 (the “Amendment Ordinance 2012”) introduces further new exemptions. The situations for exemptions are summarised below:

 

Household affairs or recreational purposes

 

According to section 52 of the Ordinance, personal data for household affairs or recreational purposes is exempt from all DPPs, Part 4, Part 5, and sections 36 and 38(b) of the Ordinance. Keeping the phone numbers of your family members for daily communication or keeping the phone numbers of your friends to arrange leisure activities are examples in this category.

 

Performance of judicial functions

 

According to section 51A of the Ordinance (created by the Amendment Ordinance 2012), personal data held by courts, magistrates or judicial officers in the course of performing judicial functions is exempt from the provisions of all DPPs, Part 4, Part 5, and sections 36 and 38(b) of the Ordinance.

 

Employment-related purposes

 

Under certain circumstances, data users may be exempt from some (but not ALL) of the restrictions of the six DPPsSections 535455 and 56 of the Ordinance state that personal data used for employment-related purposes is exempt from the provisions of data-access requests. DPP 6 and section 18(1)(b) of the Ordinance require data users to supply the personal data they hold to the data subject. Such data includes, for example:

 

  • personal data relating to staff planning proposals;

 

  • personal data which is the subject of certain evaluative processes prior to the decision being taken and where an appeal can be made against such a decision, including the processes of recruitment, promotion, awarding of awards, scholarships or other benefits, removal or disciplinary action; or

 

  • a personal reference for an appointment up to the time when the position is filled.

 

Prevention or detection of crime

 

According to section 58 of the Ordinance, personal data held for the purpose of prevention or detection of a crime may be exempt from the provisions in respect of data-access requests (DPP 6 and section 18(1)(b) of the Ordinance) and restrictions on the use of personal data (DPP 3).

 

Health grounds

 

Under section 59 of the Ordinance, personal data relating to the physical or mental health of a data subject is exempt from the provisions of data access requests (DPP 6 and section 18(1)(b) of the Ordinance) and restrictions on data use (DPP3) if the application of those provisions would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.

 

In addition, according to section 59(2), enacted in 2012, if the application of restrictions on data use would be likely to cause serious harm to the physical or mental health of a data subject or any other individual, personal data relating to the identity or location of the data subject would also be exempt from DPP 3.

 

Care and guardianship

 

Personal data in relation to a minor which is transferred or disclosed to the minor’s parent or guardian by the Hong Kong Police Force or the Customs and Exercise Department is exempt from the restrictions on personal data use (DPP 3) if the transfer or disclosure is in the interest of the minor and would facilitate proper care and guardianship of the minor (section 59A, enacted in 2012).

 

Legal professional privilege

 

Under section 60, when personal data includes information about which a claim to legal professional privilege could be maintained in law, that is to say, when communication between professional legal advisers and their clients can be protected from being disclosed, such data is exempt from the data-access provisions (DPP 6 and section 18(1)(b)).

 

Legal proceedings

 

Under section 60B, enacted in 2012, personal data is exempt from the restrictions on the use of such data (DPP 3) if the use of the data is:

 

  • required by law, authorized under law, or by court orders;

 

  • required in connection with any legal proceedings in Hong Kong; or

 

  • required for establishing, exercising or defending legal rights.

 

Self-incrimination

 

According to section 60A, a data user is exempt from complying with data-access requests under the provisions of DPP 6 and section 18(1)(b) if the user might be self-incriminated of any offence other than an offence under the Ordinance because of such compliance. In addition, information disclosed by a data user in compliance with a request under these provisions is not admissible against the user in any proceedings for an offence under the Ordinance.

 

News activities

 

Under section 61, if personal data is held for the purpose of news activities, such data may be exempt from the provision in respect of data-access requests under DPP 6 and sections 18(1)(b) and 38(i) unless and until the data is published or broadcast; and sections 36 and 38(b) of the Ordinance. If the data user has reasonable grounds to believe that the disclosure of the personal data is in the public interest, then such disclosure may also be exempt from the restrictions on use (DPP 3).

 

In an appeal case reported by the Privacy Commissioner for Personal Data (PCPD) concerning the issue of public interest in news activities, the principal of an academic institute disclosed personal data of his staff to newspaper reporters in order to defend the reputation of the institute in response to accusations made by the complainant. It was held by the PCPD that such disclosure was in the public interest in facilitating fair and balanced reporting (please refer to Complaint Case Notes for full details).

 

Statistics and research

 

Under section 62, personal data that is used solely to prepare statistics or carry out research is exempt from the restrictions in DPP 3, if the resulting statistics or research is not made available in a form which identifies the data subjects.

 

Human embryos

 

Under section 63A, personal data which consists of information showing that an identifiable individual was or may have been born in consequence of a reproductive technology procedure is exempt from the provisions of DPP 6 and section 18(1)(b), provided that its disclosure under those provisions is made in accordance with section 33 of the Human Reproductive Technology Ordinance (Cap 561).

 

Due diligence exercise

 

Under section 63B, enacted in 2012, the transfer or disclosure of personal data by a data user for the sole purpose of a due diligence exercise conducted in connection with its business merger, acquisition or transfer of business may be exempt from the restrictions on use when certain conditions are satisfied (DPP 3).

 

Emergency situations

 

Under section 63C, enacted in 2012, personal data is exempt from the restrictions on the collection of data (DPP 1(3)) and on the use of data (DPP 3) if the application of those provisions would be likely to prejudice the identification of an individual involved in a life-threatening situation, informing the individual’s immediate family members of his situation, the carrying out of emergency rescue operations, or the provision of emergency relief services.

 

Transfer of records to the Government Records Service

 

Under section 63D, enacted in 2012, the personal data contained in records that are transferred to the Government Records Service is exempt from the restrictions on use (DPP 3) when the records are used by the Government Records Service solely for the purpose of appraising the records to decide whether they are to be preserved, or for organizing and preserving the records.