The Personal Data (Privacy) Ordinance (the “PDPO”) was passed in 1995 and took effect from December 1996 (except certain provisions). It is one of Asia’s longest standing comprehensive data protection laws. Here we look at the six data protection principles.
The six data protection principles
Any person or organization collecting, holding, processing or using personal data must comply with the six data protection principles laid down in section 4 and schedule 1 of the Personal Data (Privacy) Ordinance. (Note: The person from whom personal data are or will be collected is called the “data subject”, and the person or organization that is collecting the personal data is called the “data user”.)
The Privacy Commissioner’s Office (PCO) may issue an enforcement notice to the person or company who committed the breach, with intent to direct that wrongdoer to stop violating the data collection principles and take any necessary remedial action. Non-compliance with the PCO’s enforcement notice is an offence and is liable to a fine or imprisonment. The victim who suffers damage, including injury to feelings, as a result of such violation may also be entitled to compensation from the wrongdoer through civil proceedings.
Principle 1 – purpose and manner of collection of personal data
Personal data must be collected for a lawful purpose. The purpose of collection must be directly related to a function or activity of the data user. The data collected should be adequate but not excessive in relation to that purpose.
Personal data should also be collected by lawful and fair means. Unauthorized access to another person’s bank account records or credit card information is an example of unlawful means of collecting personal data. If a person/organization intentionally uses a misleading way to collect personal data, this amounts to an unfair means of data collection. A company collecting the personal data of job applicants by means of recruitment activities when in fact they are not really recruiting any one is an example of unfair means of collecting personal data.
When personal data are collected from an individual, that person (the data subject) must be provided with the following information:
- the purpose for which the data are to be used;
- the classes of persons to whom the data may be transferred;
- whether it is obligatory or voluntary for the data subject to supply the data;
- the consequences arising if the data subject fails to supply the data; and
- the data subject has the right to request access to and correction of the data.
Principle 2 – accuracy and duration of retention of personal data
Data users must ensure that the data held are accurate and up-to-date. If there is doubt as to the accuracy of the data, data users should stop using the data immediately. They should not keep the data any longer than is necessary for the purpose for which the data were collected.
Principle 3 – use of personal data
Unless personal data are used with the prescribed consent of the data subject, the data must not be used for any purpose other than the one mentioned at the time the data were collected (or a directly related purpose). “Prescribed consent” means the express consent given voluntarily by the data subject.
Principle 4 – security of personal data
Data users must take appropriate security measures to protect personal data. They must ensure that personal data are adequately protected against unauthorized or accidental access, processing, erasure, or use by other people without authority.
Principle 5 – information to be generally available
Data users must publicly disclose the kind (not the content) of personal data held by them and their policies and practices on how they handle personal data.
Principle 6 – access to personal data
A data subject is entitled to ask a data user whether or not the data user holds any of his/her personal data, and to request a copy of such personal data held by that user. If it is found that the data contained therein is inaccurate, the data subject has the right to request the data user to correct the record.
The data user must accede to the access and correction requests within a statutory period of 40 days. If the data user cannot process the request within the period specified, it must provide a reply and state its reasons within 40 days.
Individuals/data subjects who wish to make data access requests may download the Data Access Request Form (OPS003) from the Privacy Commissioner’s Office and send the completed form to the company which holds the personal data. It should be noted that the Ordinance permits data users, in complying with the data access requests, to charge a reasonable fee. However, the data users concerned should not charge more than the direct cost of complying with the requests.
For more details of the six principles, please go to the Personal Data Privacy Liberal