Privacy Ordinance in Hong Kong


Published in: Technology, Health & Medicine

  1. Introduction to the Personal Data (Privacy) Ordinance
  2. BACKGROUND
     • Around 40 jurisdictions have data protection laws.
     • Overseas data protection laws are based on internationally accepted data protection principles.
     • Personal Data (Privacy) Ordinance enacted on 3 August 1995.
     • Effective on 20 December 1996.
  3. SCOPE OF COVERAGE
     • Personal data are data:
       - relating directly or indirectly to a living individual;
       - from which it is practical to ascertain the identity of the individual; and
       - in a form in which access or processing is practicable.
  4. SCOPE OF COVERAGE
     • Data
       - any representation of information in any document, including expression of opinion or personal identifier (e.g. ID Card Number).
     • Document
       - includes any visual or non-visual device.
  5. SCOPE OF COVERAGE
     • Covers users of personal data in both the public and private sector.
     • Covers both automatic and manual data.
  6. SCOPE OF COVERAGE
     • Data Subject
       - the living individual who is the subject of the personal data concerned.
     • Data User
       - any person (e.g. an individual company or government department) that controls the collection, holding, processing or use of personal data. "Use" includes disclosure or transfer.
       - But a person who holds, processes or uses data solely on behalf of other parties is NOT a data user.
  8. PRINCIPLE 1 - PURPOSE AND MANNER OF COLLECTION
     • Provides that personal data should only be collected by means that are lawful and fair for purposes related to the functions or activities of the data user.
     • The data collected should be adequate but not excessive for the purposes concerned.
  9. PRINCIPLE 1 - PURPOSE AND MANNER OF COLLECTION
     • Provides that where personal data are collected directly from the data subject, he or she should be informed of
       - the purposes for which the data will be used;
       - the classes of persons to whom the data may be transferred;
       - the consequences of not providing the data; and
       - the rights to request access to and correction of the data.
  10. Personal Information Collection Statement (PICS)
  11. PRINCIPLE 2 - ACCURACY & DURATION OF RETENTION
     • All practicable steps shall be taken to ensure that
       - personal data are accurate having regard to the purposes;
       - if believed to be inaccurate, not to use until rectified or erase it.
     • Provides that personal data shall not be kept longer than necessary.
  12. PRINCIPLE 3 - USE OF PERSONAL DATA
     • Provides that personal data should only be used for the purposes for which they were collected or directly related purposes, unless the data subject consents to a change in purposes.
     • Such consent must be express and given voluntarily.
  13. PRINCIPLE 4 - SECURITY OF PERSONAL DATA
     • All practicable steps shall be taken to ensure
       - protection against unauthorized or accidental access, processing, erasure or other use, where these could cause harm to the individual.
       - security in the storage, accessing and transmission of data.
  14. PRINCIPLE 5 - INFORMATION TO BE GENERALLY AVAILABLE
     • Provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.
     • Example: Privacy Policy Statement ("PPS")
       - a general statement of an organization's policies and practices in relation to its collection, holding and use of personal data about individuals.
  15. PRINCIPLE 6 - ACCESS TO PERSONAL DATA
     • Provides for an individual to have the right to ascertain whether a data user holds his or her personal data; and if so, to be provided with a copy of any such data within 40 days.
     • Any fee levied for compliance with a subject access request shall not be excessive.
  16. PRINCIPLE 6 - ACCESS TO PERSONAL DATA
     • Data users are required to correct personal data on request from a data subject within 40 days.
     • Where a data access/correction request is refused, the data user shall inform the requestor of this in writing within 40 days of receiving the request.
  17. EXEMPTIONS
     • A broad exemption for personal data held for domestic or recreational purposes.
     • Exemptions from the subject access requirements for certain employment-related personal data.
     • Exemptions from the subject access and use limitation requirements based on a harms test for certain competing public or social interests, such as: security; prevention of crime; assessment or collection of any tax or duty; news activities; and health.
  18. OFFENCES
     • Section 64 provides for a variety of offences, for example non-compliance with an enforcement notice served by the Privacy Commissioner carries a penalty of a fine at Level 5 (at present $50,000) and imprisonment for 2 years.
  19. Hotline: 2827 2827