Personal Data Privacy in the Financial Services Industry

Hauzen
Overview of the Current Data Protection Regime in Hong Kong

Under section 2 of the Personal Data (Privacy) Ordinance (Cap 486) (PDPO), personal data means any data:

  • relating directly or indirectly to a living individual;
  • from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  • in a form in which access to or processing of the data is practicable.

The Office of the Privacy Commissioner for Personal Data (the Commissioner) is an independent statutory body set up to oversee the enforcement of and to promote compliance with PDPO.

The Six Data Protection Principles (DPPs) under PDPO form the data protection regime in Hong Kong. A data user (a person who controls the collection, holding, processing or use of personal data) shall not engage in a practice that contravenes a DPP unless the act or practice is exempted from Part 8 of the PDPO.

Reference: Section 4 of the Personal Data (Privacy) Ordinance (Cap 486) (PDPO)

PDPO also confers enforcement powers on the Privacy Commissioner for Personal Data, including the power to request information, a general power of investigation, the power to carry out inspections at premises, to hold hearings and to summon witnesses. Obstructing the exercise of the Commissioner’s investigation powers is a criminal offence.

PDPO also provides that contravention of any requirement under the Ordinance is an offence, including the failure to comply with an enforcement notice served by the Commissioner. On first conviction upon contravening an enforcement notice, the offender is liable to a HK$50,000 fine and two-year imprisonment. If the offence continues, there is a daily penalty of HK$1,000.

Reference: PDPO, s 50A

A data user has a right of appeal to the Administrative Appeals Board against the Commissioner’s enforcement notice and other decisions, for example the Commissioner’s refusal to carry out, or decision to terminate, an investigation, or the Commissioner’s decision not to serve an enforcement notice after an investigation.

References: PDPO, s 39(4); PDPO, s 47(4); PDPO, s 50(7)

An individual who suffers damage by reason of a contravention of a requirement under PDPO is entitled to compensation from the data user for that damage. Damage includes injury to feelings.

Reference: PDPO, s 66

The data protection principles

The six data protection principles (‘DPP’) are found in the Personal Data (Privacy) Ordinance (Cap 486) (‘PDPO’), Schedule 1, and are explained below with examples.

Principle 1: Purpose and manner of collection
Data should be collected for a purpose directly related to a function or activity of the data user, in a manner that is lawful and fair. For example, financial institutions should not use deceptive or misleading means to collect data, such as misrepresenting themselves as another company.

The amount of data collected should not be excessive to its intended purpose. The Commissioner has held that the collection of identity card numbers and names of employers by a credit card company was excessive for the purpose of updating personal data for promotional purposes.

Reference: The Commissioner’s website, Investigation Report: Collection of Personal Data by Credit Provider for Business Promotion (21 September 2007)

The data subject should be notified of the following in a personal information collection statement (the PICS):

  • the purpose (in general or specific terms) for which the data is to be used
  • the classes of persons to whom the data may be transferred
  • whether it is obligatory or voluntary for him or her to supply the data, and where it is obligatory to supply the data, the consequences for him or her if he or she fails to supply the data and
  • his or her rights to request access to and correction of the data, and the name or job title and address of the person handling such requests

Reference: The Commissioner’s website, Investigation Report: Collection of Excessive Data from Savings Account Applicants by Hang Seng Bank Limited (15 December 2011)

Principle 2: Accuracy and duration of retention
Data retained should be accurate with regard to the purpose for which the data is or is to be used. In one case, a bank continually sent statements to a wrong address despite the customer’s repeated requests to update it. This was held to breach data protection principle 2.

Reference: The Commissioner’s website, Complaint/Enquiry Case Note No 2009C08

Data should also not be kept longer than is necessary for the fulfilment of the purpose for which the data is used. In one case, the Commissioner held that there is no need for a bank to keep its customer’s bankruptcy records for 99 years.

References: The Commissioner’s website, Investigation Report: Retention of Customers’ Bankruptcy Data by Hang Seng Bank Limited (15 December 2011)

Principle 3: Use of personal data
Data should not be used for new purposes without the prescribed consent of the data subject.

In one case, a tutorial centre published a student’s personal data to demonstrate that its students could attain excellent results, whereas the original purpose of collection was to verify the student’s identity and examination results in order to release the award cheque. In a few other examples, banks transferred customers’ personal data to insurance companies without the customers’ consent. The Commissioner held that the banks had breached data protection principle 3.

References: The Commissioner’s website, Investigation Report: Tutorial Centre Using a Student’s Results Notice for Promotion without the Student’s Consent (3 August 2009); The Commissioner’s website, Investigation Report: Debt Collection Agency Authorized by a Finance Company Disclosed Personal Data of Debtor’s Family Members During Debt Recovery (24 February 2010)

PDPO exempts compliance with data protection principle 3 in certain circumstances. For example, disclosure of customers’ personal data to law enforcement agencies and financial regulators is permitted and not in breach of DPP 3 if a data user had reasonable belief that the data would prejudice the prevention or detection of crime. ‘Reasonable belief’ is judged as an objective standard.

References: PDPO, s 58; The Commissioner’s website, Decision Case Note AAB No. 5/2006 (Chinese only)

Personal data is also exempt from the provisions of data protection principle 3 if the use of the data is required or authorized under any enactment, law, or court order, or it is required in legal proceedings in Hong Kong.

Reference: PDPO, s 60B

Principle 4: Security of personal data
Data should be secured to prevent unauthorized or accidental access, processing, erasure or loss. Examples held to have contravened data protection principle 4 include the loss by bank staff of a briefcase containing credit card application forms and identity card copies, the loss of a USB flash drive containing personal data of hospital patients, and the online leakage of internal documents via the file-sharing software Foxy.

References: The Commissioner’s website, Complaint/Enquiry Case Note No. 2003C07; The Commissioner’s website, Investigation Report: Loss of Patient’s Personal Data by United Christian Hospital (24 December 2008); The Commissioner’s website, Investigation Report: The Hong Kong Police Force Leaked Internal Documents Containing Personal Data via Foxy (24 December 2008)

Principle 5: Information to be generally available
All practicable steps shall be taken to ensure that a person can ascertain a data user’s policies and practices in relation to personal data. The Commissioner has held that data protection principle 5 was breached when the employer did not have a privacy policy to address the use of a video recording system to monitor employee activities.

Reference: The Commissioner’s website, Investigation Report: The Practice of Collection of Employees’ Personal Data by Pinhole Cameras without Proper Justification Is Excessive and Unfair in the Circumstances of the Case (8 December 2005)

Principle 6: Access to personal data
A data subject shall be entitled to request access to, and correction of, his or her personal data. This DPP overlaps with the detailed provisions on data access and correction requests in PDPO, Pt V. Failure to comply with a data access or correction request without reasonable excuse constitutes an offence, and the data user is liable on conviction to a fine of HK$10,000.

References: PDPO, s 19, PDPO, s 23, PDPO, s 64A(1)

What it means for Financial Institutions

Financial institutions should have measures in place, such as staff training, to ensure that employees are well aware of the firm’s data protection policies and will not commit any acts for which the employer might be vicariously liable.

References: PDPO, s 65(1) and (3), PDPO, s 66

Furthermore, financial institutions may be held liable for the acts or practices of their agents, for example a debt collection agent or a contractor.

References: PDPO, s 65(2); The Commissioner’s website, Investigation Report: Debt Collection Agency Authorized by a Finance Company Disclosed Personal Data of Debtor’s Family Members During Debt Recovery (24 February 2010)

Proposed Amendments to the PDPO

There are six key proposed amendments.

Mandatory Data Breach Notification Mechanism
At present, any notification of a data breach is made on a voluntary basis with no specified timeframe. The Paper proposes a mandatory notification mechanism that requires a data user to notify the PCPD and the relevant data subjects of any data breach incident having “a real risk of significant harm” within a specified timeframe (currently suggested to be as soon as practicable and, in all circumstances, not more than five business days).

Data Retention Period
The current Data Protection Principle 2 does not specify when personal data is “no longer necessary”. The Paper recognises, as many other jurisdictions have, that it is not feasible to spell out a uniform, definite retention period given the diverse nature of services and the unique needs of different organisations. Instead, the Paper proposes to require data users to formulate a clear retention policy which specifies a retention period for the personal data collected. Such a policy should cover (i) the maximum retention period for different types of personal data; (ii) legal requirements which may affect the designated retention period; and (iii) how the retention period is counted.

Sanctioning Powers
Currently, criminal fines for the various offences under the PDPO are set at Level 3 (HK$10,000), Level 5 (HK$50,000) and Level 6 (HK$100,000) as prescribed under the Criminal Procedure Ordinance. The maximum penalty for non-compliance with an enforcement notice is a Level 5 fine and imprisonment for two years on first conviction. The Paper is of the opinion that the current fine levels are not adequate to reflect the severity of the offences or to provide deterrence. The Paper explores the feasibility of introducing a direct administrative fine linked to the data user’s annual turnover.

Regulations of Data Processors
The Paper proposes extending the obligation to protect personal data to data processors by introducing direct regulation over them, to increase their incentive to prevent personal data leakage and to provide a fairer sharing of responsibility. For instance, data processors may be required to be directly accountable for personal data retention and security, and to notify the PCPD and the data user upon becoming aware of any data breach.

Definition of Personal Data
The Paper proposes to expand the definition of “personal data” to cover information relating to an “identifiable natural person” rather than “identified person”.

Regulation of Disclosure of Personal Data of Other Data Subjects
The Paper also expresses major concern about the incidents of doxxing that have arisen recently, and proposes to consider amendments conferring statutory power on the PCPD to request the removal of doxxing content from social media platforms or websites, as well as the power to carry out criminal investigations and prosecutions.
