Originally Published 2nd June 2008

Recent reports of high-profile leakages of personal data in Hong Kong clearly illustrate the importance of businesses complying with privacy laws from a reputation perspective.

Breaches of privacy will quickly impact consumer confidence in a business, and are likely to affect all stakeholders. Accordingly, this is a fitting opportunity to re-examine the main privacy law in Hong Kong: the Personal Data (Privacy) Ordinance (Cap.486) (the "Ordinance").

Over the past several weeks, reports of public and private organisations in Hong Kong leaking confidential personal data have appeared frequently in the media. The Department of Immigration is the latest to reveal such a leak. On 8 May 2008, the Department of Immigration was reported as having leaked confidential files containing a list of the names of people for officers to watch, including their travel document information and travel records. This follows recent disclosures by the Department of Health, the Hospital Authority and a Hong Kong private banking institution.

Who and what is affected?

The Ordinance, which generally reflects the OECD guidelines for the Protection of Privacy and Transborder Flows of Personal Data (1980), has been in force since December 1996. The purpose of the Ordinance is to protect individuals' right to privacy by regulating the handling of personal data in Hong Kong: it applies to any person or organisation, both public and private, that collects, holds, processes or uses personal data.

Personal data refers to all information (however recorded, including expressions of opinions and personal identifiers such as identity card numbers) relating directly or indirectly to a living individual and from which it is practicable to ascertain the identity of the individual. Nearly all active businesses in Hong Kong will be holding some form of personal data, whether that data is kept on electronic databases or in hard-copy files.

What activities are regulated by the Ordinance?

When collecting, holding, processing or using personal data in Hong Kong, businesses should comply with the data protection principles set out in the Ordinance relating to:

  • the purpose and manner of collection of personal data
  • the accuracy and retention of personal data
  • the use of personal data
  • the security of personal data
  • information that should be made generally available, and
  • access to personal data.

What are my customers' rights?

Under the Ordinance, individuals have the right to confirm with businesses whether their personal data is held and to have their personal data corrected if it is inaccurate. Individuals also have the right to obtain a copy of their data upon payment of a reasonable fee.

What about direct marketing?

If a business conducts direct marketing activities, the Ordinance requires the business to inform recipients, the first time their data is used, that the business must cease using their personal data if requested. This regime (commonly referred to as an "opt-out" regime) is consistent with the anti-spam laws in Hong Kong.

Can data be transferred overseas?

Despite the Ordinance coming into force over a decade ago, the relevant section regulating the transfer of data outside Hong Kong is still not in force. This section prohibits the transfer of data outside Hong Kong except in specified circumstances - for example, if written consent to the transfer has been obtained from the individuals to whom the data relates.

Although this section is not yet in force, it would be prudent for businesses to comply with it as the section supplements the application of the general data protection principles set forth in the Ordinance. In addition, if a Hong Kong business retains control over the data after the transfer, all other provisions of the Ordinance will continue to apply.

What are the consequences of breaching the Ordinance?

Individuals may complain to the Privacy Commissioner about suspected breaches of the Ordinance's requirements. Suspected breaches of the Ordinance may be investigated by the Privacy Commissioner, either in response to a complaint or on its own initiative. If the Privacy Commissioner concludes that a contravention is likely to be repeated, an enforcement notice may be issued.

Contravention of an enforcement notice is an offence under the Ordinance and is liable upon conviction to fines up to HK$50,000 and/or imprisonment for up to 2 years - continuing offences are liable to a daily penalty of HK$1,000. Individuals may also claim compensation through civil proceedings for damage caused to them as a result of a contravention of the Ordinance, including that for injured feelings.

How do I comply and what can I do to manage risk in my business?

Practically speaking, all Hong Kong businesses that handle personal data should consider the following risk management initiatives:

  • Sensitive information - As far as possible, avoid the collection of sensitive information without first seeking legal advice.
  • Privacy statement - Draft a privacy statement which complies with the Ordinance.
  • Guidelines and processes - Develop and regularly review formal guidelines and processes in respect of privacy related matters.
  • Log book - Maintain a log book of refusals to grant access to personal data.
  • Privacy officer - Appoint a privacy officer to administer compliance with the Ordinance as well as the training of relevant staff.
  • Security measures - Implement physical and electronic security measures to prevent unauthorised access and misuse of personal data, and
  • Transferring personal data - Prior to the transfer of personal data to foreign countries, ensure that the obligations under the Ordinance are satisfied.

Are there exemptions?

Aside from a broad exemption from compliance for data held for recreational or domestic purposes - that is, personal data concerned only with the management of personal, family or household affairs - the Ordinance provides that businesses need not give employees access to certain employment related personal data. However, not all employment related data is exempt and businesses should be careful to ensure that the data falls within the exemption before refusing to grant an employee access to their personal data.

There are also various categories of data that are exempt from specific provisions of the Ordinance on the basis of prevailing public or social interests. The exempt categories of data include those in respect of security, defence and international relations, prevention or detection of crime, assessment or collection of any tax or duty, news activities and health.

What's in store for the future?

Due to the recent high-profile leakages of personal data, the Privacy Commissioner has indicated that the Ordinance may be revised, including:

  • enhancing the efficiency and effectiveness of enforcing the Ordinance
  • introducing preventative measures against potential data leakages, and
  • clarifying regulatory matters under the Ordinance.

To assist with your compliance obligations, Mallesons will keep you informed of revisions to the Ordinance.
