Protection of Personal Data

The Personal Data (Privacy) Ordinance (the Ordinance) was enacted on 3 August 1995 and came into force on 20 December 1996. It aims to protect the individual's right to privacy with respect to personal data. It also safeguards the flow of personal data to Hong Kong from restrictions by countries that already have such laws.

The Ordinance gives statutory effect to a set of internationally-recognised data protection principles and provides for the establishment of an independent statutory authority - the Privacy Commissioner for Personal Data (the Privacy Commissioner) - to enforce and promote compliance with them.

Personal Data (Privacy) Ordinance

The Ordinance applies to any data relating directly or indirectly to an individual, from which it is practicable to ascertain the identity of the individual and which are in a form in which access or processing is practicable. Users of personal data in both the public and private sectors are subject to the provisions of the Ordinance.

The main features of the Ordinance are as follows -

  • It gives statutory effect to internationally-accepted data protection principles, which provide for - the fair collection of personal data; requirements that personal data be accurate and not kept for longer than necessary; limits on the use of personal data; security of personal data; openness by data users about the kinds of personal data they hold and purposes to which they are put; and for data subjects to have rights of access and correction with respect to their personal data.

  • It contains detailed provisions to enable individuals to obtain access to and seek correction of personal data held by either private or public bodies.

  • It establishes an independent statutory authority - the Privacy Commissioner for Personal Data - to promote and enforce compliance with the legislation.

  • The Privacy Commissioner is given powers to - approve and issue codes of practice giving guidance on compliance with the Ordinance; inspect personal data systems and investigate suspected breaches of the Ordinance's requirements.

  • It subjects the automated comparison of personal data and the transfer of personal data to places outside Hong Kong to suitable control to protect the privacy interests of data subjects.

  • It provides for a broad exemption for personal data held for domestic purposes and narrowly defined exemptions from the requirements on subject access and use limitation to cater for a variety of competing public and social interests, such as - human resources management; security, defence and international relations; the prevention and detection of crime; the assessment or collection of taxes; financial regulation; an individual's physical or mental health; and news gathering and reporting.

  • It provides for a variety of offences, including non-compliance with an enforcement notice issued by the Privacy Commissioner, which carries a fine up to $50,000 and imprisonment for two years. Provision is also made for an individual who suffers damage as a result of a contravention of the Ordinance to claim compensation.

Personal Data (Privacy) Advisory Committee (The Committee)

Section 11 of the Ordinance provides for the establishment of the Committee to advise the Commissioner on matters relevant to the privacy of individuals in relation to personal data and the operation of the Ordinance.

The membership of the Committee is as follows:

Chairman : Mr Roderick Woo Bun, JP

Members :
Mr Bunny Chan Chung-bun, BBS, JP
Ms Virginia Choi Wai-kam
Mr Anthony Chow Wing-kin, SBS, JP
Dr Elizabeth Quat
Mr Siu Sai-wo
Mr Edwin Tam Kwok-kiu
Dr Yip Chi-kwong
Deputy Secretary or Principal Assistant Secretary for Constitutional and Mainland Affairs