Data Protection Principle 3 (“DPP 3”) governs the use of personal data.
“Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.” (DPP3(1))
In relation to personal data, “use” includes disclosure and transfer of data under the Ordinance. The Commissioner reminds data users that uploading or posting personal data on the internet also amounts to disclosure.
- Purpose: New Purpose
Any use of personal data which is not directly related to the original purpose for which the data was collected will amount to a ‘new’ use which thus triggers the “prescribed consent” obligation.
- Purpose: Original Purpose of Collection
In ascertaining the original purpose of collection, data users should take into account the following factors:
– Purposes specified in the Personal Information Collection Statement (“PICS”) and function or activity of the data user
As long as the collection purposes are lawful and directly related to a function or activity of the data user (from the data user’s perspective), data users are not required to consult the data subjects when preparing their PICS. That said, when assessing whether the purposes stated in the PICS are indeed the “original purpose of collection” in the context of DPP3, the Commissioner adopts the test of “reasonable expectation”.
As elaborated by the Commissioner in his book, Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance, for the provision of a service, a data subject would reasonably expect his personal data to be used for application processing, service provision, billing, debt recovery, etc., but not for other unrelated purposes, such as the sale of his personal data by the data user to third parties. If a data user intends to “sell” the data concerned, this will amount to a “new” use, which means the prescribed consent of the data subject should be obtained first. In the landmark investigation into the use of members’ personal data collected by Octopus Rewards Limited (“ORL”) via its Reward Programme in July 2010, the Commissioner concluded that, by having shared the members’ personal data with insurance companies, a magazine subscription service provider and a marketing consulting company for monetary gain (which was neither the purpose for which the data was to be used at the time of collection nor a directly related purpose) without the members’ prescribed consent, ORL had contravened DPP3.
– Personal data collected in public domain
Use of personal data collected from the public domain (for example, a public register) or which is made publicly available is also covered and regulated under the Ordinance. Before data users attempt to use these kinds of personal data, they should first find out the original purpose of collection by referring to the terms and conditions stipulated by the operators of the public registers, and then consider whether their intended use would be consistent with that purpose. If no stated purpose can be found, data users should apply the test of ‘reasonable expectation’ before making further use of the publicly disclosed data.
- Purpose: Purpose directly related to the Original Purpose of Collection
Purpose(s) of use classified as ‘directly related to the original purpose’ should be within the reasonable contemplation of the data subject, in that the use of his data would be necessary to effect the intended transaction between the data user and the data subject.
- “Prescribed Consent”
“Prescribed consent” under DPP3 consists of two important elements: (i) express – the data subject’s consent cannot be implied or inferred from his/her conduct or behaviour; and (ii) voluntary – consent obtained through coercion or undue influence may not satisfy the requirement under DPP3. There is no requirement that the consent be given in written form. Nonetheless, if a data subject wishes to withdraw consent previously given, so that the data user can no longer use his data for the ‘new’ purpose, written notice must be served on the person to whom the consent had been given.
One should bear in mind that the definition of “prescribed consent” under DPP3(1) is different from the “consent” required for the use or provision of personal data in direct marketing (Part 6A of the Ordinance), which is elaborated in detail below.
– Direct Marketing
Almost inevitably, direct marketing activities have become essential tools for businesses to reach out to their existing or potential customers. In light of the Octopus Card incident, the Amendment Ordinance introduced new provisions governing the use of personal data in direct marketing, which took effect on 1 April 2013. Shortly before the relevant sections came into force, the Commissioner revised the old guidelines and issued the New Guidance on Direct Marketing to assist data users in understanding their obligations under the Ordinance.
Unlike the traditional concept of “direct marketing”, which means the offering of goods or services to the general public, “direct marketing” under the Ordinance includes the following activities when conducted through “direct marketing means”:
- The offering, or advertising of the availability, of goods, facilities or services; or
- The solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes.
“Direct marketing means” are further defined to mean: (a) sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or (b) making telephone calls to specific persons. Note that the target(s) should be identified individual(s). Thus, mail sent to an address or the “occupant” of an address is not considered direct marketing as it is not addressed to specific persons.
Data users must not provide personal data for use in direct marketing without the data subject’s consent. The mechanism for obtaining “valid consent” for direct marketing use is not a straightforward exercise. In addition, the Amendment Ordinance makes it an offence for a data user to use, or to provide to another person for use in, personal data in direct marketing without taking the requisite actions or obtaining the data subject’s consent, punishable by a maximum fine of HK$500,000 and imprisonment for three years. In May 2019, an auction company was fined HK$20,000 for failing to obtain a data subject’s consent before using her personal data for direct marketing.
If you have concerns about whether your existing notifications to customers or the consents you have obtained comply with the provisions of the Ordinance, our firm offers a full spectrum of services to assist organizations in overcoming challenges in respect of direct marketing regulations.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.