Data Privacy Focus Monday: Data Protection Principle (2) – Accuracy and Retention Principle

Data Privacy Focus Monday: Data Protection Principle (2) – Accuracy and Retention Principle

Data Privacy Focus Monday: Data Protection Principle (2) – Accuracy and Retention Principle 780 520 Carmen Tang

Data Protection Principle 2 (“DPP2”) governs two aspects of processing of personal data:

  • Accuracy

All practicable steps shall be taken to ensure personal data is accurate having regard to the purpose for which the data is or is to be used.  Where there are reasonable grounds for believing that personal data is inaccurate, data users should not use the relevant data unless the said grounds no longer exist, or the data concerned should be erased (DPP2(1)).

If personal data is inaccurate at the time of disclosure to third party, data users should inform the third party and provide the same with relevant particulars for rectification.

“Accurate”

The meaning of “accurate” can be inferred from the definition of “inaccurate” under section 2 of the Ordinance.  “Inaccurate”, in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete.

The duty to maintain accurate data through taking “practicable steps” varies according to circumstances and the mere fact that the data users possess inaccurate data is not deemed to have contravened DPP2(1).   The Administrative Appeal Board clarified the standard in an appeal case in 2008 (AAB No. 12/2008):-

“Provided that the data user has taken all practicable steps to ensure the personal data kept by him accurate, it is no breach of this requirement if the data is subsequently found to be incorrect by the data subjects.”

“Practicable Step”

In an investigation of a complaint about the incorrect address used by the data user, information revealed that the mistake had been made by employees of data users which was repeated for more than once.  Despite the fact that the complainant has submitted a written change of information request, the person in charge has failed to check and update the company’s database.   The data user was thus found to be in breach of DPP2(1) in that it had failed to take all reasonable practicable steps to ensure the complainant’s address used by it was accurate.   Enforcement Notice was served by the Commissioner on the data user directing it to conduct regular administrative audits.

  • Retention

Personal data shall not be kept longer than is necessary for fulfillment of the purpose for which the data is or is to be used (DPP2(2)).  Besides, data users should take all practicable steps to erase data held where it is no longer required for the purpose for which the data was used unless the case falls within the exceptional circumstances stipulated in section 26(1) of the Ordinance.   A data user who, without reasonable excuse, contravenes section 26(1) commits an offence and is liable for a conviction of fine.

Period of retention

When assessing how long data retention is “necessary for fulfillment of purpose”, the Commissioner will consider the nature of transactions involved and examine retention policy of data users (if any) and sector specific legislations.  For example, in one case, the Commissioner was of the view that the optimal period for retention of personal data for unsuccessful insurance applications with and without money transaction involved should be no more than seven (7) and two (2) years respectively;  in relation to bankruptcy data, given that normally a bankruptcy order should be discharged between four (4) and eight (8) years after commencement of bankruptcy, it is not justifiable for data users to retain bankruptcy data for more than eight (8) years.

Compliance

To comply with the requirements under DPP2(2), businesses can consider the following options:-

  1. Anonymize the personal data held to the extent that no individuals can be directly or indirectly identified; or
  2. Delete or destroy the personal data so that it cannot be recovered.
Transfer to “Data Processor” for Processing

Generally, section 33 of the Ordinance prohibits the transfer of personal data to places outside Hong Kong unless one of the conditions stipulated in the provision is met.   This section covers transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user.  Though the Ordinance was enacted in 1996, section 33 has yet to be in force.   Given the rapid increase in outsourcing data processing work, the Administration no longer waited for the implementation of section 33 and has decided to introduce new requirements in DPP2 which covers overseas transfer under the context of data retention by the Amendment Ordinance in 2012.

DPP2(3) provides that if a data user engages a data processor to process personal data on data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.   “Data processor” means a person who processes personal data on behalf of another person; and does not process the data for any of the person’s own purposes (DPP2(4)).    Data users and data processors may refer to the information leaflet issued by the Commissioner to facilitate the understanding of the new requirements.

For organizations which involve day-to-day collection and retention of personal data of clients and employees, it is essential to have a personal data retention and erasure policy which can provide clear directions to staff members on compliance obligations.    Besides, organizations should also formulate strategies in identifying and managing voluminous data held.  Only when businesses keep data inventory, they will then be able to have a comprehensive picture of the data flow within the organization.  Based on the data inventory, companies can rely on the information to address incidents and standard risk assessments in effective manner.

At Hugill & Ip, we have experienced lawyers, who have worked with privacy, security and third-party risk technology platform providers, and can assist your company in going through the data mapping exercise and offer solutions if you have questions about international data transfers.

This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.

Carmen Tang

Carmen Tang

Carmen is a commercial litigator primarily in relation to disputes relating to financial services, shareholders’ disputes and contractual disputes. In 2010, she accepted the appointment by the Privacy Commissioner for Personal Data, Hong Kong as Legal Counsel.

All articles by : Carmen Tang
    Privacy Preferences

    When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

    For performance and security reasons we use Cloudflare
    required
    Google Analytics tracking code disabled/enabled
    Google Fonts disabled/enabled
    Google Maps disabled/enabled
    video embeds (e.g. YouTube) disabled/enabled
     
    View our Privacy Policy
    We don't eat shark fin but our website does use cookies, mainly for analytics and provision of content from other websites. Define your Privacy Preferences and agree to our use of cookies. Privacy Policy