Protection of Personal Data
Personal Data (Privacy) Ordinance
The Personal Data (Privacy) Ordinance aims to protect the individual's right to privacy with respect to personal data. It gives statutory effect to internationally-recognised data protection principles and provides for the establishment of an independent statutory authority - the Privacy Commissioner for Personal Data (the Privacy Commissioner) - to enforce and promote compliance with them.
The Ordinance applies to any data relating directly or indirectly to an individual, from which it is practicable to ascertain the identity of the individual and which is in a form in which access to or processing is practicable. Users of personal data in both public and private sectors are subject to the provisions of the Ordinance.
The main features of the Ordinance are as follows -
- It establishes an independent statutory authority - the Privacy Commissioner - to promote and enforce compliance with the Ordinance.
- It gives statutory effect to internationally-accepted data protection principles, which provide for the fair collection of personal data; accuracy of personal data; duration for retention of personal data; limits on the use of personal data; security of personal data; openness by data users about the kinds of personal data they hold and purposes to which they are put; as well as data subjects' rights of access and correction with respect to their personal data.
- It regulates the use of personal data in direct marketing and the provision of personal data for use in direct marketing.
- It criminalises doxxing acts and confers on the Privacy Commissioner statutory powers to issue cessation notices demanding the cessation or restriction of disclosure of doxxing content. It also confers on the Privacy Commissioner the power to conduct criminal investigations and institute prosecutions for doxxing-related cases.
- It gives the Privacy Commissioner powers to approve and issue codes of practice giving guidance on compliance with the Ordinance, to inspect personal data systems, and to investigate suspected breaches of the requirements under the Ordinance.
- It subjects the automated comparison of personal data to suitable control to protect the privacy interests of data subjects.
- It provides for a broad exemption for personal data held for domestic purposes and narrowly defined exemptions from the requirements on subject access and use limitation to cater for a variety of competing public and social interests, such as human resources management; security, defence and international relations; the prevention and detection of crime; the assessment or collection of taxes; financial regulation; an individual's physical or mental health; news gathering and reporting; legal proceedings; due diligence exercises; and emergency situations.
- It gives the Privacy Commissioner power to provide legal assistance to an aggrieved data subject who intends to institute legal proceedings against a data user.
To combat doxxing acts, the Ordinance was amended in 2021 and the relevant amended provisions have already come into operation. The relevant promotional video can be viewed under TV announcements. Relevant information is also available at the website of the Office of the Privacy Commissioner for Personal Data.
Personal Data (Privacy) Advisory Committee (The Committee)
Section 11 of the Ordinance provides for the establishment of a Committee to advise the Privacy Commissioner on matters relevant to the privacy of individuals in relation to personal data and the operation of the Ordinance.
The membership of the Committee is as follows:
Privacy Commissioner for Personal Data
Ms Terese AU-YEUNG Kar-wai