2. Are there any situations in which the persons/companies holding personal data may be exempt from the Ordinance or the Data Protection Principles?
In some situations, data users may be exempt from the restrictions imposed by the Ordinance or the six Data Protection Principles (DPP). The Personal Data (Privacy) (Amendment) Ordinance 2012 (the Ordinance) introduces further new exemptions. The situations for exemptions are summarised below:
Household affairs or recreational purposes
According to section 52 of the Ordinance, personal data for household affairs or recreational purposes is exempt from "DPP 4 and 5, and Ordinance sections 36 and 38(b). Keeping the phone numbers of your family members for daily communication or keeping the phone numbers of your friends to arrange leisure activities are examples in this category.
Performance of judicial functions
According to section 51A of the Ordinance (created by the Amendment Ordinance 2012), personal data held by courts, magistrates or judicial officers in the course of performing judicial functions is exempt from the provisions of all DPPs, Part 4, Part 5, and sections 36 and 38(b) of the Ordinance.
Under certain circumstances, data users may be exempt from some (but not ALL) of the restrictions of the six DPPs. Sections 53, 54, 55 and 56 of the Ordinance state that personal data used for employment-related purposes is exempt from the provisions of data-access requests. DPP 6 and section 18(1)(b) of the Ordinance require data users to supply the personal data they hold to the data subject. Such data includes, for example:
- personal data relating to staff planning proposals;
- personal data which is the subject of certain evaluative processes prior to the decision being taken and where an appeal can be made against such a decision, including the processes of recruitment, promotion, awarding, removal or disciplinary action; or
- a personal reference for an appointment up to the time when the position is filled.
Prevention or detection of crime
According to section 58 of the Ordinance, personal data held for the purpose of prevention or detection of a crime may be exempt from the provisions in respect of data-access requests (DPP 6 and section 18(1)(b) of the Ordinance) and restrictions on the use of personal data (DPP 3).
Under section 59 of the Ordinance, personal data relating to the physical or mental health of a data subject is exempt from the provisions of data access requests (DPP 6 and section 18(1)(b) of the Ordinance) and restrictions on data use (DPP3) if the application of those provisions would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.
In addition, according to section 59(2), enacted in 2012, if the application of restrictions on data use would be likely to cause serious harm to the physical or mental health of a data subject or any other individual, personal data relating to the identity or location of the data subject would also be exempt from DPP 3.
Care and guardianship
Personal data in relation to a minor which is transferred or disclosed to the minor’s parent or guardian by the Hong Kong Police Force or the Customs and Exercise Department is exempt from the restrictions on personal data use (DPP 3) if the transfer or disclosure is in the interest of the minor and would facilitate proper care and guardianship of the minor. (section 59A, enacted in 2012)
Legal professional privilege
Under section 60, when personal data includes information about which a claim to legal professional privilege could be maintained in law, that is to say, when communication between professional legal advisers and their clients can be protected from being disclosed, such data is exempt from the data-access provisions (DPP 6 and section 18(1)(b)).
- required by law, authorized under law, or by court orders;
- required in connection with any legal proceedings in Hong Kong; or
- required for establishing, exercising or defending legal rights.
According to section 60A, a data user is exempt from complying with data-access requests under the provisions of DPP 6 and section 18(1)(b) if the user might be self-incriminated of any offence other than an offence under the Ordinance because of such compliance. In addition, information disclosed by a data user in compliance with a request under these provisions is not admissible against the user in any proceedings for an offence under the Ordinance.
Under section 61, if personal data is held for the purpose of news activities, such data may be exempt from the provision in respect of data-access requests (DPP 6; sections 18(1)(b), 38(i), 36 and 38(b)), unless and until the data is published or broadcast. If the data user is of the view that the disclosure of the personal data is in the public interest, then such disclosure may also be exempt from the restrictions on use (DPP 3).
In an appeal case reported by the Privacy Commissioner for Personal Data (PCPD) concerning the issue of public interest in news activities, the principal of an academic institute disclosed personal data of his staff to newspaper reporters in order to defend the reputation of the institute in response to accusations made by the complainant. It was held by the PCPD that such disclosure was in the public interest in facilitating fair and balanced reporting (please refer to Complaint Case Notes for full details).
Statistics and research
Under section 62, personal data that is used solely to prepare statistics or carry out research is exempt from the restrictions in DPP 3, if the resulting statistics or research is not made available in a form which identifies the data subjects.
Under section 63, personal data which consists of information showing that an identifiable individual was or may have been born in consequence of a reproductive technology procedure is exempt from the provisions of DPP 6 and section 18(1)(b), provided that its disclosure under those provisions is made in accordance with section 33 of the Human Reproductive Technology Ordinance (Cap 561).
Due diligence exercise
Under section 63B, amended in 2012, the transfer or disclosure of personal data by a data user for the sole purpose of a due diligence exercise conducted in connection with a business merger, acquisition or transfer of business is exempt from the restrictions on use (DPP 3).
Under section 63C, enacted in 2012, personal data is exempt from the restrictions on the collection of data (DPP 1(3)) and on the use of data (DPP 3) if the application of those provisions would be likely to prejudice the identification of an individual involved in a life-threatening situation, informing the individual’s immediate family members of his situation, the carrying out of emergency rescue operations, or the provision of emergency relief services.
Transfer of records to the Government Records Service
Under section 63D, enacted in 2012, the personal data contained in records that are transferred to the Government Records Service is exempt from the restrictions on use (DPP 3) when the records are used by the Government Records Service solely for the purpose of appraising the records to decide whether they are to be preserved, or for organizing and preserving the records.