Protection of privacy rights of individuals in relation to personal data is generally governed by six Data Protection Principles (“DPPs”) under the Personal Data (Privacy) Ordinance (“the Ordinance”) in Hong Kong. Everyone who is responsible for handling data should follow the DPPs covering the life cycle of a piece of personal data.
This week, we will guide you through the application of each principle and explore some of the common issues.
- Purpose and Means – DPP1(1) and (2)
DPP1(1) provides that personal data must be collected by lawful and fair means, for a lawful purpose directly related to a function or activity of those who are to use the data. The data collected must be necessary but not excessive in relation to that purpose.
No one thought the meaning of the word “collect” could be in dispute until the famous judicial review brought by Eastweek Publisher Limited (“Eastweek”) (Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data  2 HKLRD 83) before the Court of Appeal four years after the Ordinance came into force in 1996.
The case arose from a complaint lodged with the Commissioner after Eastweek’s photographer took a picture of the complainant walking on the street one day. The photograph was subsequently published in Eastweek’s magazine accompanied by comments on the complainant’s style of dress. The Court of Appeal laid down the judicial interpretation of “collect” as provided in the Ordinance:-
“It is… of the essence of the required act of personal data collection that the data user must thereby be compiling information about an identified person or about a person whom the data user intends or seeks to identify…”
Hence, for an act to be classified as ‘collection’, two conditions should be satisfied:-
- Compiling information about an individual; and
- The individual must be one whom the person collecting the information has identified, or intends or seeks to identify
The Eastweek case seems to have introduced the mental element of a person who gathers the information to the test of “collection”. If the identity of the subject is of no relevant concern to the person who compiles the information, it is likely there is no collection of personal data.
Without “collection” of personal data, DPP1 would not apply, and neither would the Ordinance.
“Lawful and Fair means in the circumstances”
“Unlawful means” refers to collecting data through methods which are prohibited by law, for example by theft or false representations.
The concept of “fairness” appears to be broad and vague in application. One may refer to the Commissioner’s previous decisions to ascertain his interpretation in different circumstances. For example, collecting personal data by means of which the data subject is not aware, such as covert monitoring, is highly privacy-intrusive. Unless data users are able to provide a credible explanation with legitimate grounds for conducting covert monitoring, this means of collecting personal data will be considered “unfair” in most cases.
“Adequate but not Excessive”
Businesses have tended to ask potential or existing clients for as much information as possible and to retain it for future use, including data for which they had no idea, at the time of collection, why they would need it. Under the Ordinance, data users will contravene DPP1(1)(c) of Schedule 1 if they are unable to demonstrate that the personal data collected is necessary for the purpose directly related to their function/activity. That said, the scope of “purpose” and “function / activity” can be very much a grey area in some situations.
- Notification Obligation – DPP1(3)
The specific matters of which an individual needs to be informed under DPP1(3) are set out below:
- Data subjects should be explicitly or implicitly informed:
  - Whether it is obligatory or voluntary for him to supply the data
  - Where it is obligatory, the consequences if he fails to supply the data
- Data subjects should be explicitly informed:
  - On or before collecting the data, the purpose (in general or specific terms) for which the data is to be used; and the classes of persons to whom the data may be transferred
  - On or before the first use of the data, his rights to request access and to request correction; and the name or job title, and address, of the individual who is to handle any such request made to the data user.
If your company requires assistance in preparing the PICs and/or PPS, kindly get in touch with us.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.