Data Protection Principle 2 (“DPP2”) governs two aspects of the processing of personal data:
- All practicable steps shall be taken to ensure that personal data is accurate, having regard to the purpose for which the data is or is to be used. Where there are reasonable grounds for believing that personal data is inaccurate, data users should not use the relevant data unless those grounds no longer exist, or the data concerned should be erased (DPP2(1)).
- If personal data is inaccurate at the time it is disclosed to a third party, data users should inform the third party and provide it with the relevant particulars for rectification.
The meaning of “accurate” can be inferred from the definition of “inaccurate” under section 2 of the Ordinance. “Inaccurate”, in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete.
The duty to maintain accurate data by taking “practicable steps” varies according to the circumstances, and the mere fact that a data user holds inaccurate data does not in itself mean that DPP2(1) has been contravened. The Administrative Appeal Board clarified the standard in an appeal case in 2008 (AAB No. 12/2008):-
“Provided that the data user has taken all practicable steps to ensure the personal data kept by him accurate, it is no breach of this requirement if the data is subsequently found to be incorrect by the data subjects.”
In an investigation of a complaint about an incorrect address used by a data user, it emerged that the mistake had been made by the data user’s employees and had been repeated more than once. Despite the fact that the complainant had submitted a written change-of-information request, the person in charge had failed to check and update the company’s database. The data user was thus found to be in breach of DPP2(1) in that it had failed to take all reasonably practicable steps to ensure that the complainant’s address used by it was accurate. An enforcement notice was served by the Commissioner on the data user directing it to conduct regular administrative audits.
Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used (DPP2(2)). In addition, data users should take all practicable steps to erase data held where it is no longer required for the purpose for which it was used, unless the case falls within the exceptional circumstances stipulated in section 26(1) of the Ordinance. A data user who, without reasonable excuse, contravenes section 26(1) commits an offence and is liable on conviction to a fine.
Period of retention
When assessing how long a period of data retention is “necessary for fulfilment of purpose”, the Commissioner will consider the nature of the transactions involved and examine the data user’s retention policy (if any) and any sector-specific legislation. For example, in one case, the Commissioner was of the view that the optimal period for retention of personal data for unsuccessful insurance applications with and without a money transaction involved should be no more than seven (7) and two (2) years respectively; in relation to bankruptcy data, given that a bankruptcy order should normally be discharged between four (4) and eight (8) years after the commencement of bankruptcy, it is not justifiable for data users to retain bankruptcy data for more than eight (8) years.
To comply with the requirements under DPP2(2), businesses can consider the following options:-
- Anonymize the personal data held to the extent that no individuals can be directly or indirectly identified; or
- Delete or destroy the personal data so that it cannot be recovered.
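The retention periods and the two disposal options above can be turned into a policy check that an organization runs over its own records. The following is an added example, not code from the original article or from Hugill & Ip: it takes constructed sample records, a constructed policy table whose periods mirror the figures the article attributes to the Commissioner (the category names, field names and the “purpose completed” date are assumptions), and for each record decides whether to keep it, anonymize it by stripping identifying fields, or delete it. An unknown category raises an error rather than defaulting to indefinite retention, so that a gap in the policy is noticed instead of quietly producing over-retention.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention policy, in years from the date the purpose of use was
# fulfilled. The periods mirror the figures the article attributes to the
# Commissioner; the category keys are assumptions made for this example.
RETENTION_YEARS = {
    "insurance_app_unsuccessful_with_txn": 7,
    "insurance_app_unsuccessful_no_txn": 2,
    "bankruptcy": 8,
}

# Fields treated as directly or indirectly identifying (assumption; a real
# policy would derive this list from the organization's data inventory).
IDENTIFYING_FIELDS = {"name", "hkid", "address", "email", "phone", "dob"}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_completed_on: date   # when the purpose of use was fulfilled (assumption)
    fields: dict


def years_since(start: date, today: date) -> int:
    """Whole years elapsed from start to today, with the anniversary rule."""
    years = today.year - start.year
    if (today.month, today.day) < (start.month, start.day):
        years -= 1
    return years


def retention_expired(record: Record, today: date) -> bool:
    """True once the record has been held for the full retention period.

    A category missing from RETENTION_YEARS raises KeyError on purpose:
    failing loudly is safer than silently keeping the data forever.
    """
    limit = RETENTION_YEARS[record.category]
    return years_since(record.purpose_completed_on, today) >= limit


def anonymize(fields: dict) -> dict:
    """Return a copy with identifying fields removed; the original is untouched."""
    return {k: v for k, v in fields.items() if k not in IDENTIFYING_FIELDS}


def plan_retention(records, today: date, disposal: str = "delete"):
    """Decide per record whether to keep it or dispose of it.

    disposal is 'delete' or 'anonymize'. Returns (record_id, action, payload)
    tuples; payload is the anonymized field set for 'anonymize', else None.
    """
    if disposal not in ("delete", "anonymize"):
        raise ValueError("disposal must be 'delete' or 'anonymize'")
    plan = []
    for rec in records:
        if not retention_expired(rec, today):
            plan.append((rec.record_id, "keep", None))
        elif disposal == "anonymize":
            plan.append((rec.record_id, "anonymize", anonymize(rec.fields)))
        else:
            plan.append((rec.record_id, "delete", None))
    return plan


# Constructed sample records; none of these values refer to real people.
SAMPLE_RECORDS = [
    Record("r1", "insurance_app_unsuccessful_with_txn", date(2016, 6, 30),
           {"name": "A. Applicant", "hkid": "X000000(0)", "product": "life", "premium_quoted": 1200}),
    Record("r2", "insurance_app_unsuccessful_no_txn", date(2023, 1, 15),
           {"name": "B. Applicant", "email": "b@example.invalid", "product": "motor"}),
    Record("r3", "bankruptcy", date(2016, 7, 1),
           {"name": "C. Debtor", "address": "1 Example Rd", "case_ref": "BK-CONSTRUCTED-1"}),
    Record("r4", "bankruptcy", date(2016, 6, 30),
           {"name": "D. Debtor", "address": "2 Example Rd", "case_ref": "BK-CONSTRUCTED-2"}),
]


def sample_plan(today_iso: str, disposal: str = "delete"):
    """Run the policy over the constructed records as of the given ISO date."""
    return plan_retention(SAMPLE_RECORDS, date.fromisoformat(today_iso), disposal)


if __name__ == "__main__":
    for rid, action, payload in sample_plan("2024-06-30", "anonymize"):
        print(rid, action, payload)
```

Run as of 30 June 2024, r1 (held eight years against a seven-year limit) and r4 (held exactly eight years) are disposed of, r2 (one year against a two-year limit) is kept, and r3 is kept for one more day because its eighth anniversary falls on 1 July. The anonymized payload retains non-identifying attributes such as the product line, which is what allows statistics to be kept after the personal data itself is no longer needed.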
Transfer to “Data Processor” for Processing
Generally, section 33 of the Ordinance prohibits the transfer of personal data to places outside Hong Kong unless one of the conditions stipulated in the provision is met. This section covers transfers from Hong Kong to a place outside Hong Kong, and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user. Though the Ordinance was enacted in 1996, section 33 has yet to come into force. Given the rapid increase in the outsourcing of data processing work, the Administration decided not to wait for the implementation of section 33 and, by the Amendment Ordinance in 2012, introduced new requirements in DPP2 covering overseas transfers in the context of data retention.
DPP2(3) provides that if a data user engages a data processor to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data. “Data processor” means a person who processes personal data on behalf of another person and does not process the data for any of the person’s own purposes (DPP2(4)). Data users and data processors may refer to the information leaflet issued by the Commissioner to assist their understanding of the new requirements.
For organizations whose day-to-day operations involve the collection and retention of personal data of clients and employees, it is essential to have a personal data retention and erasure policy that gives staff members clear directions on their compliance obligations. Organizations should also formulate strategies for identifying and managing the large volumes of data they hold. Only by keeping a data inventory will a business have a comprehensive picture of the data flow within the organization. With that inventory in place, a company can rely on it to address incidents and carry out standard risk assessments in an effective manner.
At Hugill & Ip, we have experienced lawyers, who have worked with privacy, security and third-party risk technology platform providers, and can assist your company in going through the data mapping exercise and offer solutions if you have questions about international data transfers.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.