HONG KONG'S PERSONAL DATA PRIVACY ORDINANCE Flashcards
How is ‘person’ defined in HK PDPO?
Includes any public body and any body of persons, corporate or unincorporate.
What is the definition of a data user?
A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of the data.
What is the definition of personal data in HK?
Data relating directly or indirectly to a living individual, from which it is practicable to identify the individual in a form in which access to or processing of the data is practical. It does not protect information concerning a deceased individual.
Is fabricated or untrue data relating to an individual considered as personal data under HK PDPO?
No. However, biometric data, mobile phone numbers, and exam scripts on their own will not be considered personal data unless coupled with other personally identifiable information.
What is the treatment of publicly available data/registries in HK?
May access and obtain public information, but must still observe Data Protection Principle 1(2) and 3 : lawful and directly related purposes & should not be used for a new purpose without obtaining consent from the data subject, unless an exemption applies.
If for direct marketing activities, it has to comply with Part VIA of the PDPO and obtain consent.
Relevant factors for assessing include: Original purpose for which the personal data was placed in the public domain, Restrictions, Reasonable expectation of the personal data privacy of the data subjects.
What is the definition of sensitive data in HK?
There is no concept or specific requirement. Sensitive data include IC card numbers, healthcare, biometric data, and financial information.
What are the different consent obligations in HK?
Consent is needed in relation to direct marketing. If verbal, written confirmation is needed within 14 days. Consent is also needed if online tracking information related to personal data is collected for direct marketing purposes.
What are the notification obligations in HK?
Personal Information Collection Statement (PICS) - Informed of the purpose for which data is to be used and classes of person to whom the data may be transferred.
What are the access obligations in HK?
The data subject must be informed of his/her rights to request access and correction of the data, and the name, job title, and address of the individual to handle any such request made to the data user. Under Data Protection Principle 6 (Access and Correction), data subjects are entitled to request access to personal data within 40 days. Failure to comply with a data access request is an offense under the PDPO.
What is the response period and fulfillment of request for HK?
Data users are required to inform a data requestor if they do not hold any of the requested data within 40 days of receiving such a request.
Can an access fee be charged in HK?
Data users may be entitled to request a fee if it is not excessive.
What are the correction obligations in HK?
Data subjects are entitled to request the correction of personal data without charge to the data subject.
What are the complaint rights of individuals in HK?
Individuals can submit a complaint to the Privacy Commissioner for Personal Data (PCPD). The Privacy Commissioner may grant assistance such as legal representation and advice to data subjects.
Does the PDPO distinguish between automated and non-automated data or processing?
No.
What are the consequences of not providing a HK user with an opt-out right from consent?
Non-compliance can result in fines ranging from HK$500,000 to HK$1,000,000 and imprisonment of 3-5 years, depending on whether personal data is used for personal gain.
