Why Data Protection?
At the onset of the Information Age, we all got excited about the evolution of technology in daily life, in particular the benefits arising from the modernization of information and communication processes offered by organizations. With the influx of social media platforms, users were willing to share data to gain attention and self-fulfillment. We shared the belief that disclosing personal information would allow us to stay connected with colleagues, acquaintances, friends and loved ones. Not long afterwards, when personal information came to be used as a tool for making money or serving other agendas, many started to realize that the data explosion had passed the point of no return. Given the technological advancement, it seems that the collection, disclosure and use of personal information are no longer under individuals’ control. Demands for relevant laws and regulations around the world became inevitable.
In Hong Kong, the right to privacy in respect of data protection was first recognized in 1996 by way of a dedicated piece of legislation – the Personal Data (Privacy) Ordinance (“the Ordinance”) – while an office by the name of the Privacy Commissioner for Personal Data was established as the city’s privacy watchdog.
What is “Personal Data”?
Personal data is defined as any data relating directly or indirectly to a living individual from which it is reasonably practicable for the identity of the individual to be directly or indirectly ascertained in a form in which access to or processing of the data is reasonably practicable (Section 2 of the Ordinance). It is worth noting that when considering the “reasonably practicable” condition, the Commissioner adopts the totality approach: all relevant information controlled by the party in question will be taken into account. A series of numbers or an address by itself may not allow us to confirm the identity of a particular individual. Where data contained in several documents is read or construed together, or is linked with other data held by the party concerned, identification will become feasible. For example, strictly speaking, a mobile phone number alone may not be classified as ‘personal data’ under the Ordinance. Nonetheless, if data users are in control of other identifying data, such as names and addresses, from which a specific individual can be identified by linking up all the pieces of data, the mobile phone number may fall within the scope of the Ordinance.
Data Protection Principles
From collection to destruction, the life-cycle of a piece of personal data is now regulated by six Data Protection Principles (“DPPs”) under the Ordinance (section 4 of the Ordinance):
- DPP1 – Purpose and manner of collection
- DPP2 – Accuracy and duration of retention
- DPP3 – Use
- DPP4 – Security
- DPP5 – Information to be generally available
- DPP6 – Access
Function of the Commissioner and its office
DPPs are broad, common and technology-neutral principles which tend to apply to both the public and private sectors. The Commissioner makes it clear that the Ordinance is meant to be instructive in nature, rather than prohibitive. The function of the watchdog is, in short, to monitor and supervise compliance, and to promote awareness and understanding of compliance with the Ordinance. If the Commissioner reaches a finding of contravention of the DPPs, he or she is empowered to require the data user concerned to comply with the terms of an enforcement notice (“EN”) issued by the Commissioner. The power to instigate prosecution against offending data users who fail to comply with an EN rests with the police and the Department of Justice. As for civil redress, since the amendments to the Ordinance were introduced in 2012, aggrieved individuals may now bring a civil suit against the data user in question for compensation for damage suffered due to its breach of the Ordinance.
Privacy Governance and Accountability
Nowadays, when it comes to legal compliance, Hong Kong favors the ‘carrot and stick’ approach. Apart from carrying out investigations and issuing warnings and ENs, the Commissioner also plays a crucial role in advocating data ethics and educating different sectors on the value of fairness in the collection and use of data.
Sanctions can hurt corporations’ reputations; nonetheless, in the long run, only a win-win situation can achieve sustainability. Respecting individuals’ rights will earn businesses the trust and confidence of customers. As technological developments continue to shape the legal landscape and enhance the economic importance of data, businesses begin to appreciate the importance of the concept of accountability – whoever collects and uses information has a responsibility to manage it appropriately. In simple terms, data users are responsible for putting in place adequate policies and measures to ensure and demonstrate compliance. That said, implementation of accountability requirements is easier said than done.
If you want to explore how to develop and implement a privacy framework for your business, or you would like to understand specific requirements under current international data protection regimes, our lawyers at Hugill & Ip, who have extensive experience in dealing with local and global privacy and data protection issues, can assist you in formulating bespoke strategies to address your company’s needs.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.