The Personal Data (Privacy) Ordinance (Cap. 486) (“Ordinance”) sets out, in Schedule 1, six data protection principles that every data user must comply with. We summarise these principles below.
Principle 1: Purpose and Manner of Collection of Personal Data
- Data may only be collected by lawful and fair means, for a lawful purpose directly related to a function or activity of the data user
- The data collected must be necessary for or directly related to that purpose, and must not be excessive in relation to it
- All practicable steps must be taken to inform the data subject, on or before collection, whether supply of the data is obligatory or voluntary, the purpose for which the data will be used, the classes of persons to whom the data may be transferred, and the data subject’s rights to request access to and correction of the data
Principle 2: Accuracy and Duration of Retention of Personal Data
- All practicable steps must be taken to ensure the accuracy of data, including the rectification or erasure of inaccurate data
- Data must not be retained for longer than necessary for fulfilment of the relevant purpose
- Where a data user has reasonable grounds to believe that data it has disclosed to a third party is inaccurate, the data user must take all practicable steps to inform the third party of the inaccuracy and provide the particulars needed for the third party to rectify it
- Data users who engage data processors to handle or process data on their behalf must adopt contractual or other means to ensure that the data processor does not retain the data for longer than is necessary for that processing
Principle 3: Use of Personal Data
- Data may only be used for the purpose for which it was collected, or a directly related purpose, unless the data subject gives express and voluntary consent to its use for a new purpose
- Where the data subject is a minor or is incapable of managing his or her own affairs, a parent, guardian or other relevant person may give that consent on the data subject’s behalf, provided there are reasonable grounds for believing the new use is clearly in the data subject’s interest
Principle 4: Security of Personal Data
- All practicable steps must be taken to ensure that data is protected from unauthorised or accidental access, processing, erasure, loss or use
- What counts as appropriate depends on the kind of data and the harm that could result if unauthorised or accidental access, processing, erasure, loss or use occurred; the physical location where the data is stored and the security measures applied to that storage; the measures taken to control which persons may access the data, and the integrity, prudence and competence of those persons; and the measures taken to ensure secure transmission
- Data users who engage a data processor to process data on their behalf must adopt contractual or other means to ensure that the processor protects the transferred data to the same standard
Principle 5: Information to be Generally Available
- All practicable steps must be taken to ensure that a data subject can access the data user’s policies and practices regarding data, be informed of the type of data held, and be informed of the main purposes for which data is used.
Principle 6: Access to Personal Data
Data subjects are entitled to:
- Ascertain whether a data user holds their personal data
- Request access to any such data
- Be informed of the reasons for any refusal to permit access to data, and to object to the refusal
- Request correction of any inaccurate data
- Be informed of the reasons for any refusal to correct inaccurate data, and to object to the refusal
Businesses operating within Hong Kong are subject to the Ordinance and should build these six principles into their data protection policies, privacy notices and terms and conditions, and into the practices that implement them.