The Personal Data (Privacy) Ordinance has been enacted in Hong Kong and should come into force early this year. Its purpose is to protect individuals in relation to the processing of personal information by other parties.
Personal data includes any information relating directly or indirectly to a living individual from which it is reasonably practical for the identity of the individual to be ascertained; and in a form in which access to the data is reasonably practicable. Personal data therefore includes information held on both automated and non-automated systems
The ordinance is likely to have a range of implications for companies and other organisations, particularly in relation to their sales and marketing activities. Under the new ordinance, for example, it seems that companies will no longer be able to buy databases of names and addresses to conduct direct marketing campaigns and, indeed, that companies set up purely to collect such data will no longer be legal. They will also have to be very careful when collecting such information to inform people of the ultimate use of the information.
The ordinance sets out to prevent a data user from doing any act that contravenes the following "data protection principles":
1. The manner of collection of personal data must be lawful and must be for a purpose directly related to a function or activity of the intended data user.
2. All practical steps must be taken to ensure that personal data is accurate and the data shall not be kept longer than is necessary for the fulfilment of the purpose for which the data is to be used.
3. Personal data shall not be used for any purpose other than that for which the data was to be used at the time of collection or a directly related purpose.
4. All practical steps shall be taken to ensure that personal data held by the data user is protected against unauthorised or accidental access, processing or erasure.
5. A data user shall generally make available its policy and practices, the kind of personal data held by it and the main purposes for which it holds personal information.
6. An individual shall be entitled to access personal data of which he is the subject.
The ordinance grants certain investigation powers to the 'Privacy Commissioner' to ensure enforcement. The Commissioner is empowered to require certain data users to register and submit a 'data user return' which will be available for public inspection.
Under the ordinance, any individual has the right to request to be informed as to whether a data user holds information on him and to be supplied with a copy of any such data. There are various exemptions from the Ordinance dealing with such matters as personal data held by individuals and data in the hands of an employer which is confidential.
The Ordinance also sets out various offences which would be committed for failure to comply with the provisions of the Ordinance including knowingly or recklessly supplying any information to the Commissioner or to individuals in respect of certain data which is false and misleading. There is also a catch all provision which covers any data user who, without reasonable excuse, contravenes any requirement under the Ordinance (other than the contravention of a data protection principle) for which no other penalty is specified.
The content of this article is intended to provide a general guide to this subject. Specialist advice should be sought about your specific circumstances.
If you would like further advice, please contact David Ellis, Johnson Stokes & Master, 16th Floor, Prince's Building, 10 Chater Road, Hong Kong, Telephone No: 2843 4226, Fax No: 2845 9121, E Mail address: daellis @ asiaonline.net.