Press Releases

LCQ9: Protection of personal data

    Following is a question by the Hon Albert Ho and a written rely by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (July 4):


     On March 14 this year, the Privacy Commissioner for Personal Data published an investigation report on the alleged disclosure, by a local e-mail service provider, of the personal data of one of its account subscribers to mainland law enforcement agencies. In this connection, will the Government inform this Council:

(a) given that the Commissioner has pointed out in the investigation report that the Personal Data (Privacy) Ordinance (Cap. 486) is unclear in certain aspects, whether the Government will review and amend the Ordinance; if it will, of the legislative timetable; if it will not, the reasons for that, and whether there are other solutions;

(b) given that Hong Kong companies doing business on the Mainland are required to provide the personal data of their customers at the request lawfully made by mainland law enforcement agencies, and that in doing so, they may contravene the data protection principles stipulated in the aforesaid Ordinance, whether the authorities will discuss with the relevant Mainland government authorities how to resolve the problems arising from the need for Hong Kong companies doing business on the Mainland to comply with the legislation in both places; and

(c) whether the authorities will provide information and support to the Hong Kong residents who frequently visit the Mainland, so as to help them understand how they can protect their personal privacy when using Internet services on the Mainland?


Madam President,

(a) The Privacy Commissioner for Personal Data is undertaking a comprehensive review of the Personal Data (Privacy) Ordinance (PDPO) and will examine, among others, whether the existing provisions of the Ordinance can afford adequate protection to personal data having regard to developments, including advancement in technology, in the last decade. The Administration will consider the Commissioner's proposals when available.

(b) Use of personal data, including the disclosure or transfer of same, is regulated by Data Protection Principle (DPP) 3 of the PDPO. This principle provides in essence that unless with the prescribed consent of the data subject, personal data shall only be used for a purpose consistent with the original purpose of collection. In this connection, a data user is required under DPP1 to take all practicable steps to ensure that the data subject is explicitly or implicity informed, among others, of the purpose for which his data are to be used. This is usually done by way of a written statement generally referred to as a Personal Information Collection Statement (PICS). Where it is envisaged that personal data collected in Hong Kong by a Hong Kong company or organisation will be transferred for use in the Mainland, such purpose should be clearly stated in the PICS together with an indication that the data collected would be disclosed to the Mainland law enforcement agencies only in compliance with a court order or pursuant to statutory requirement. This should help remove concern of a possible contravention of the data protection principles arising from compliance with lawful requests made by the Mainland law enforcement agencies for disclosure of personal data held in the Mainland by the Hong Kong company or organisation at the time of such requests.

(c) To promote awareness and understanding of the provisions of the PDPO, particularly in the Internet environment, the Commissioner has published two information booklets entitled "Personal Data Privacy and the Internet - A Guide for Data Users" and "Internet Surfing with Privacy in Mind - A Guide for Individual Net Users", which can be accessed at the website of Office of the Commissioner. The Guides aim to assist data users in complying with the PDPO when collecting, displaying or transmitting personal data over the Internet, as well as to raise general awareness of individuals of the privacy risks in using the Internet and to alert them of the precautionary actions that can be taken to protect their privacy.

Ends/Wednesday, July 4, 2007