Data Privacy Focus Monday: Data Protection Principle (1) – Data Collection Principle

Data Privacy Focus Monday: Data Protection Principle (1) – Data Collection Principle

Data Privacy Focus Monday: Data Protection Principle (1) – Data Collection Principle 780 520 Carmen Tang

Protection of privacy rights of individuals in relation to personal data is generally governed by six Data Protection Principles (“DPPs”) under the Personal Data (Privacy) Ordinance (“the Ordinance”) in Hong Kong.   Everyone who is responsible for handling data should follow the DPPs covering the life cycle of a piece of personal data.

This week, we will guide you through the application of each principle and explore some of the common issues.

  • Purpose and Means – DPP1(1) and (2)
“Collect”

DPP1(1) provides that personal data must be collected by lawful and fair means for lawful purpose directly related to a function or activity of those who are to use the data.   Data collected shall only be necessary but not excessive in relation to the said purpose.

No one has ever thought the meaning of the word “collect” could be an issue in dispute until the famous judicial review brought by Eastweek Publisher Limited (“Eastweek”) (Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83) before the Court of Appeal four years after the Ordinance came into force in 1996.

The case arose from a complaint lodged with the Commissioner in which Eastweek’s photographer took a picture of the complainant while walking on the street one day.  The photograph was subsequently published in Eastweek’s magazine accompanied by comments on the complainant’s style of dress.   The Court of Appeal laid down the judicial interpretation of “collect” as provided in the Ordinance:-

It is… of the essence of the required act of personal data collection that the data user must thereby be compiling information about an identified person or about a person whom the data user intends or seeks to identify

Hence, for an act to be classified as ‘collection’, two conditions should be satisfied:-

  • Compiling information about an individual; and
  • An individual must be one whom the one who collects the information has identified or intends or seeks to identify

The Eastweek case seems to have introduced the mental element of a person who gathers the information to the test of “collection”.   If the identity of the subject is of no relevant concern to the person who compiles the information, it is likely there is no collection of personal data.

Without “collection” of personal data, DPP1 would not apply, so as the Ordinance.

“Lawful and Fair means in the circumstances”

“Unlawful means” refer to collecting data through methods which are prohibited by law, for example by theft or false representations.

The concept of “fairness” appears to be broad and vague in application.  One may refer to Commissioner’s previous decisions in ascertaining his interpretation in different circumstances.  For example, collecting personal data by means which data subject is not aware of is highly privacy intrusive, for example, covert monitoring.  Unless data users are able to provide credible explanation with legitimate grounds for conducting covert monitoring, this means of collection of personal data will be considered as “unfair” in most cases.

“Adequate but not Excessive”

Businesses had tendency to request potential or existing clients to provide them with as much information as possible, retaining for future use, including data which they had no idea why they would need the same at the time of collection.   Under the Ordinance, data users will contravene DPP1(1)(c) of Schedule 1 if they are unable to demonstrate the personal data collected is necessary for the purpose directly related to their function/activity.   That said, the scope of “purpose” and “function / activity” can be very much a grey area in some situations.

Recently, Hong Kong airline Cathay Pacific (“CX”) has announced the release of their revised privacy policy.  One of the updates include the expansion of scope of information which CX collects from their passengers, for example, information about data subjects’ use of CX products and services such as ‘…your use of our inflight entertainment system and inflight connectivity, your images captured via CCTV in our airport lounges and aircraft.’   It is noted that ‘data collection is designed to improve the flying experience with additional personalization’.    It is not unusual for companies to rely on “experience enhancement” as the purpose of data collection these days.  When data users are mostly classified as service providers, it is difficult to argue that improving customers’ experience is not a purpose directly related to their function / activity.   That said, it remains in question how willing consumers would like to share with businesses their personal data.  Hence, data users are required to fulfill notification obligation which will be explained in more detail below.  Amongst which data users should let data subjects know the type of data they have to provide to them and the consequences for failing to do so.   With such information, the ultimate decision on disclosure of personal data rests on the consumers.

  • Notification Obligation – DPP1(3)

The specific matters of which an individual needs to be informed under DPP1(3) are set out below:

  • Data subjects should be explicitly or implicitly informed:
  1. Whether it is obligatory or voluntary for him to supply the data
  2. Where it is obligatory, the consequences if he fails to supply the data
  • Data subjects should be explicitly informed:
    1. On or before collecting the data, the purpose (in general or specific terms) for which the data is to be used; and the classes of persons to whom the data may be transferred
    2. On or before the first use of the data, his rights to request access and to request correction; and the name or job title, and address, of the individual who is to handle any such request made to the data user.

There is no requirement for the notification under DPP1(3) to be in writing.  Nonetheless, it is common practice to include the notifications in one written statement, namely Personal Information Collection Statement.   For details in fulfilling the obligations under DPP1(3), you may refer to the Guidance Notice on Preparing Personal Information Statement (“PICS”) and Privacy Policy Statement (“PPS”) issued by the Commissioner in July 2013.

If your company requires assistance in preparing the PICs and/or PPS, kindly get in touch with us.

This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.

Carmen Tang

Carmen Tang

Carmen is a commercial litigator primarily in relation to disputes relating to financial services, shareholders’ disputes and contractual disputes. In 2010, she accepted the appointment by the Privacy Commissioner for Personal Data, Hong Kong as Legal Counsel.

All articles by : Carmen Tang
    Privacy Preferences

    When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

    For performance and security reasons we use Cloudflare
    required
    Google Analytics tracking code disabled/enabled
    Google Fonts disabled/enabled
    Google Maps disabled/enabled
    video embeds (e.g. YouTube) disabled/enabled
     
    View our Privacy Policy
    We don't eat shark fin but our website does use cookies, mainly for analytics and provision of content from other websites. Define your Privacy Preferences and agree to our use of cookies. Privacy Policy