In the wake of the furore surrounding the sale of personal data by Octopus Rewards Limited to unconnected third parties for marketing purposes, it is a good time to remind ourselves of our privacy rights and responsibilities under Hong Kong law. The current legal framework governing the collection and use of personal information in Hong Kong is the Personal Data (Privacy) Ordinance (PDPO).
The Privacy Commissioner for Personal Data (PCPD) is a statutory body responsible for enforcing the PDPO. The organisation has set out to promote and encourage adherence to data privacy principles. The PDPO itself defines personal data as “any information relating to an identifiable individual who can be directly or indirectly identified from the information in any form and whether recorded in manual, electronic or other form”.
Interestingly, while the PDPO does not explicitly require that all forms of personal data be collected for processing purposes, it does stipulate that data users are ultimately accountable for the actions of their agents (DPP 11). This legal provision serves to highlight that all parties should take reasonable steps to ensure that the privacy requirements set out in the PDPO are complied with by any processors that they engage.
Another point of interest is the fact that the PDPO requires data users to expressly notify individuals upon or before collecting their personal data about its intended uses and any potential transfers (DPP 1 and DPP 3). While this is not always practical or feasible, it is generally good practice for organisations to do so.
The PDPO also stipulates that data users must prevent personal information transferred outside of Hong Kong from being kept for longer than necessary for processing (DPP 4). Again, this is not strictly required, but it is a matter of best practice. The PDPO has published model clauses that may be included in contracts between data users, both within and outside Hong Kong, which can help to achieve this aim.
Lastly, the PDPO prohibits the public display of an individual’s name and HKID number together unless it is necessary for the purpose for which it has been collected (DPP 6). This requirement is likely to be a common feature on staff cards, which usually exhibit an individual’s full name, photo, company name, job title and employee number.
Overall, the PDPO has some strong provisions to safeguard individual privacy, but it needs to be clearer and more robust to provide sufficient protection for data-related technologies, which have become increasingly pervasive in everyday life. This is especially true when it comes to the proliferation of artificial intelligence, big data analytics and internet-of-things devices. Hopefully, the upcoming consultation on the proposed PDPO reforms will address these concerns and help to further strengthen data protection in Hong Kong. We will continue to monitor and report on developments in the field.