@eLaw.com.hk 葉謝鄧律師行

The PCO’S Mission Statement is to secure the protection of privacy of the individual with respect to personal data through promotion, monitoring and supervision of compliance with the Personal Data (Privacy) Ordinance.

The PCO's key goals are to ensure that:

· individuals are aware of their rights as data subjects under the Ordinance and how to exercise them;

· public and private sector organizations are aware of their obligations as data users under the Ordinance and how to meet them;

· individuals and public/private sector organizations are aware of the role of the PCO and how we can assist them;

· enquiries are responded to courteously and efficiently to the satisfaction of the enquirer;

· complaints are investigated and resolved efficiently in a manner that is fair to all parties concerned;

· all other jurisdictions with data protection laws are aware of the robustness of our law protecting the privacy of the individual with respect to personal data so as to obviate any interference in the free flow of personal data to Hong Kong.

There are two main reasons why it is in the interest of organizations to make sure that their web sites comply with the Ordinance:

· Non-compliance with the laws can result in civil claims and criminal prosecutions

· By ensuring the best protection of individual's personal privacy and online safety, they are able to develop trust and confidence with users and potential customers.

The Ordinance consists of six distinctive data privacy principles which in effect are laws on data protection. However, violation of a principle (for example a bank accessing your credit records from a CRA for direct marketing) is not a criminal offence. Violation only triggers the Privacy Commissioner's power to issue an enforcement notice against the offending data user. Investigations into data violations take place before an enforcement notice is issued.

Under section 50(1) of the Ordinance, the Commissioner has the discretionary power to serve on the party complained against an enforcement notice if one of the following conditions is satisfied:

1 The party is found to be contravening a requirement of the Ordinance; or

2 The party is found to have contravened such a requirement in circumstances that make it likely that the contravention will be repeated.

According to the usual practice adopted by PCO, where a contravention is found to have occurred but is not continuing, whether the Commissioner considers it likely for the contravention to be repeated in the future may depend on factors including:

1 whether the contravention found was a first-time or repeated contravention, accidental or deliberate;

2 whether the party complained against is willing to prepare a written undertaking to the Commissioner regarding improvement to its future conduct in such form as the Commissioner deems fit; or

3 whether the party complained against has shown remorse during the course of the investigation by co-operating fully with the PCO, taking appropriate remedial actions, etc.

An enforcement notice is therefore essentially is a warning that tells the offending party that it must comply with the principles of the Ordinance. Continued failure to comply with an enforcement notice makes the violation a criminal offence that can lead to criminal prosecution. So if a bank was mishandling your credit data, and it was issued with an enforcement notice and still failed to cease using your records for direct marketing, it would be committing a criminal offense and prosecution would proceed.

The following link takes you to a fact sheet about the PCO's Code of Practice on Consumer Credit Data use: www.pco.org.hk/english/publications/files/RevisedCCDFactsheet_e.PDFThis fact sheet describes personal information about potential borrowers that banks (and other credit providers) can and cannot give to CRAs (credit reference agencies that assess whether someone is eligible for a loan or credit increase).

According to section 12(1) of the Ordinance, The Privacy Commissioner for Personal Data (also known as "the Commissioner") can issue Codes of Practice "for the purpose of providing practical guidance” to assist data users’ compliance of the Ordinance. Codes of Practice currently cover the collection and use of:

· Data used by Human Resource Management
· Identity card numbers and personal identifiers
· Consumer credit data

There is also a draft Code of Practice that addresses the issues of monitoring and personal data privacy at work. Full text versions of these Codes can be downloaded from: www.pco.org.hk/english/publications/listofpub.html

What happens is a data user does not observe these Codes of Practice? The provisions of the Codes are not legally binding. However, failure to observe a Code of Practice by a data user will weigh unfavourably against the data user in any complaint case before the Commissioner.

Who ensures that the Ordinance is observed?

The Privacy Commission Office (PCO) is an independent statutory body that was set up to oversee the enforcement of the Personal Data (Privacy) Ordinance. It also has the duty of receiving complaints from members of the public relating to any abuse or violation of the principles and carries out investigations into data privacy complaints. The PCO takes enforcement actions against those who are in breach of the Ordinance. The website of the PCO can be accessed at www.pco.org.hk. This site will give you access to the full text of the Ordinance and to several related publications, fact sheets, videos and case notes.

Under Part VIII, specific exemptions from the requirements of the Ordinance are provided.

They include:

1 a broad exemption from the provisions for personal data held for domestic or recreational purposes;

2 exemptions on subject access for certain employment related personal data (for example?) ; and

3 exemptions where application is likely to prejudice certain competing public or social interests, such as: security, defence and international relations; prevention or detection of crime; assessment or collection of any tax or duty; news activities; and health.

There are a variety of offences, for example non-compliance with an enforcement notice served by the Privacy Commissioner carries a penalty of a fine at Level 5 (at present $25,001 to $50,000) and imprisonment for 2 years.

An individual who suffers damage, including injured feeling, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.

The Ordinance came into force on 20th December 1996. However, it must be noted that some of the provisions, especially those relating to the cross-border transfer of personal data to a place outside Hong Kong, have not yet come into effect.

The relevant laws that protect data privacy in Hong Kong are expressed by way of six principles under Schedule 1 of the Ordinance. These six principles regulate the collection, access, use, storage and processing of personal data by ‘data users’ and outline the rights that extend to ‘data subjects’. For the full version of the 6 principles, please refer to pages 232-234 of your textbook. The following is the brief description of the six principles.

Principle 1 Purpose and manner of collection of personal data

This principle provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from a subject.

Principle 2 Accuracy and duration of retention of personal data

This principle provides that personal data should be accurate, up-to-date and kept no longer than necessary.

Principle 3 Use of personal data

Principle 3 discusses how data may be used. This principle restricts the uses to which data may be applied and provides that unless the data subject gives consent, personal data should be only used for the purposes for which they were collected or a directly related purpose.

Principle 4 Security of personal data

This principle establishes appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

Principle 5 Information to be generally available

Principle 5 provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

Principle 6 Access to personal data

This provides for data subjects to have rights of access to and correction of their personal data.