Are You Infringing On Hong Kong’s PDPO?
By Will Elton, Last updated: 2021-05-26 (originally published on 2019-02-14)
Personal Data (Privacy) Ordinance In Hong Kong
Personal data or privacy Ordinance is Introduced to protect the privacy rights of a person in relation to personal data (Data Subject). As a business owner you should know about PDPO as like your care about corporate tax in Hog Kong.
Have you done any of these lately?
- Sent emails to old clients that your company no longer serves,
- Failed to update your marketing database with opt-out requests,
- Contacted someone in your mailing list who had requested to be removed from your mailing list, or
- Sent personal data of clients to your email account.
If so, whatever your intentions, you will have violated the Personal Data (Privacy) Ordinance (PDPO).
Enacted in Hong Kong in 1995, PDPO seeks to protect the privacy of individuals in relation to personal data.
In an article titled “Hong Kong Regulators Step up Enforcement on Personal Data Protection” by the Data Protection Report in May 2016, an insurance agent, marketing agency, as well as portfolio manager were penalised for the improper handling of personal data by the Securities and Futures Commission (“SFC”) under the PDPO. In each case, the plaintiffs were sentenced to a Community Service Order, fine, and SFC disciplinary action respectively.
So, what is personal data?
Personal data is information that:
- Relates to a living person,
- Can identify that person, and
- Is stored in a form that allows for processing.
These include names, identity card numbers, and medical and employment records.
Six Data Protection Principles
Everyone who is responsible for handling data (Data User) should follow the Six Data Protection Principles (“DPPs”) which represents the core of the Ordinance covering the life cycle of a piece of personal data:
DPP1 – Data Collection Principle
Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user.
Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
Data collected should be necessary but not excessive.
DPP2- Accuracy & Retention Principle
Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used.
DPP3 – Data Use Principle
Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
DPP4 – Data Security Principle
A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing , erasure, loss or use.
DPP5 – Openness Principle
A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
DPP6 – Data Access & Correction Principle
A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
Hong Kong privacy ordinance –Section 35C of the PDPO requires that your company provide the following information to the individual orally or in writing before using his personal data in direct marketing:
- You intend to use his/her personal data;
- You may not so use the data without his/her consent
- The kind(s) of personal data you will use;
- The classes of goods, facilities or services you offer/advertise; and
- The channel through which the individual may communicate his/her consent to the intended use.
Pursuant to section 35G(3) of the Ordinance, a company which receives a customer’s request for cessation of using his personal data in direct marketing must comply with the request without charge.
Offences and Compensation on Hong Kong privacy ordinance
- Non-compliance with Data Protection Principles does not constitute a criminal offence directly. The Commissioner may serve an Enforcement Notice to direct the data user to remedy the contravention and/ or instigate the prosecution action.
- Contravention of an enforcement notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment for 2 years.
- An individual who suffers damage, including injured feelings, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.
- The Ordinance also criminalises misuse or inappropriate use of personal data in direct marketing activities (Part VI); non-compliance with Data Access Request (section 19); unauthorised disclosure of personal data obtained without data user’s consent (section 64) etc.
So, what can organisations do to avoid infringing on Hong Kong privacy ordinance ?
Ensure you have a well-drafted data protection policy that outlines the following:
- Your purpose of collecting the data,
- The classes of persons to whom the data may be transferred,
- How long you will keep the data for,
- The steps you will take in event of unauthorised or accidental access, processing, erasure, loss or use, and
- How an individual can reach out to access his/her personal data and make corrections.
In today’s era of internet and connectivity, consumers are more concerned than ever about protecting the privacy of their personal data. Observe good data management practices, and you will be putting your customers at ease.