3. Do the Data Protection Principles apply to the outsourced processing of personal data?
It is an increasingly common practice for data users to outsource and entrust personal data processing to third parties. There have also been an increasing number of personal data leakage incidents which have occurred during the outsourced processing of personal data, which may have caused substantial and irreparable damage to the affected data subjects.
All the data protection principles apply to the processing of personal data by a third party. Under the Ordinance, where personal data is entrusted to a data processor, a data user is liable as the principal for any act done by its authorised data processor.
The Amendment Ordinance 2012 provides enhanced protection by amending DPP 2 and DPP 4. With effect from 1 October 2012, additional obligations are imposed on a data user which engages a data processor, whether within or outside Hong Kong, to carry out data processing on that user’s behalf. The data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data (DPP2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the data (DPP 4(2)).
Under the amended Ordinance, data processor means a person who:
- processes personal data on behalf of another person; and
- does not process the data for any of the person’s own purposes.
Please read the PCPD’s leaflet for more details on the new obligations.
With the rapid advancement in information and communication technologies (ICT) and the popularization of outsourcing the processing of personal data, the collection (other than from the data subject directly) and dissemination of personal data has become much easier. This also makes it easier for data subjects to suffer damage if a person, whether or not entrusted by the data user, intentionally discloses the personal data obtained from a data user. In view of the seriousness of any intrusions into personal data privacy and the gravity of the harm that may be caused to the data subjects, the Amendment Ordinance 2012 creates a new offence to combat the disclosure of personal data obtained without the consent of the data user under certain conditions.
Under section 64, it is an offence for any person to disclose any personal data of a data subject obtained from a data user without the data user’s consent:
- with the intent to obtain gain in money or other property, whether for the benefit of the person or another person;
- with the intent to cause loss in money or other property to the data subject; or
- irrespective of his intent, with the disclosure causing psychological harm to the data subject.
The maximum penalty is a fine of $1,000,000 and imprisonment for five years.
Please read the PCPD’s leaflet for more details on the new offence and its justification.