Hong Kong Unit 4B Appln and Scope II Flashcards
Which entity and areas does the PDPO not apply to?
The PDPO does not cover the PRC government in the HKSAR.
What is the definition of personal data in HK?
Personal data is defined as any data:
- Relating directly or indirectly to a living individual (data subject)
- From which it is practicable for the identity of the data subject to be directly or indirectly ascertained
- In a form in which access to or processing of the data is practical
Does not protect information concerning a deceased individual.
What are a data user and a data processor in HK?
“Data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
“Use”, in relation to personal data, includes disclosure or transfer of the data.
“Data processor” means a person who:
- Processes personal data on behalf of another person
- Does not process the data for any of the person’s own purposes
How does PDPO treat publicly available data? What must the data user do when using publicly available data for direct marketing? What are the 3 factors to consider?
A data user who collects and uses personal data from the public domain must observe the requirements under the Ordinance, in particular, Data Protection Principle (“DPP”) 1(2) and DPP3.
A data user who intends to use personal data obtained from the public domain for direct marketing activities has to comply with Part VIA of the Ordinance and obtain the consent of the data subjects.
The 3 factors in assessing the permitted purposes of use are:
1) Original purpose for which the personal data was placed in the public domain
2) Restrictions, if any, imposed by the data user for further uses
3) Reasonable expectation of the personal data privacy of the data subjects
What was the Commissioner’s decision for the “Do No Evil” case?
Commissioner’s decision: Use of personal data obtained from the public domain for due diligence review and background check was obviously inconsistent with the original purpose of data collection by the Judiciary, the Official Receiver’s Office and Companies Registry, as well as their purposes of making the data publicly available.
Case summary:
“Do No Evil” was a smartphone application launched in 2012. It claimed to have two million records of civil and criminal litigation as well as bankruptcy cases. After installation of this application, users could search if such records existed for a targeted person. Search results could show the targeted person’s name, partial identity card numbers, address, court type, action number, nature of civil case, criminal charge, company directors’ data etc.
PCPD received complaints, investigated and decided that the application intruded on personal data privacy. It issued an Enforcement Notice directing the database operator, Glorious Destiny Investment Limited, to cease supplying such data to the application.
Which types of data have specific codes and guidance?
1) Identity card numbers
2) Personal identifiers
3) Consumer credit data (financial information considered sensitive)
4) Biometric data (considered sensitive, should only be collected where it is necessary and with the consent of the data subject)
5) Healthcare information (considered personal data)
What were the amendments to PDPO in 2012?
Personal Data (Privacy) (Amendment) Ordinance 2012 - principal effect was to introduce new rules into the PDPO on direct marketing:
- The use of personal data for direct marketing (new sections 35B-35H)
- The provision of personal data to another for use in direct marketing (new sections 35I-35M)
*These changes do not apply to social services/welfare dept, health care services.
Other changes:
- Disclosure of personal data obtained without consent (new section 64)
- Regulating data processors (revised DPP2 and DPP4)
- Enforcement notices (revised section 50(1) and new section 50A)
- Legal assistance for aggrieved individuals (new section 66B)
What is prescribed consent in HK PDPO?
“Prescribed Consent” means express consent given voluntarily by the data subject.
Non-response does not constitute “prescribed consent”.
Generally speaking, the data subject should give consent in circumstances in which they have other alternatives to choose from before the consent given is regarded as “prescribed consent”.
What are the rights of data subjects under HK PDPO? (How does it differ from SG PDPA)
1) Compensation
Data subjects have a right to bring proceedings in court to seek compensation for damage, including damages for injury to feelings
2) Fair processing information
Where personal data is collected from the data subject, all practicable steps shall be taken to ensure that the data subject is informed of:
- The purpose for which the data is to be used and
- The classes of persons to whom the data may be transferred
The data subject must also be informed of their rights to request access to, and the correction of, the data and the name or job title, and address, of the individual who is to handle any such request made to the data user.
3) Right to access information
- Under DPP6, data subjects are entitled to request access to personal data within 40 days. The data user may charge a fee, but it must not be excessive. (The Privacy Commissioner has specified a prescribed form in which such a request has to be made.)
- Individuals can also lodge a formal “data access request”:
(i) To be informed by a data user whether the data user holds personal data of which the individual is the data subject
(ii) To be supplied with a copy of any such data
- Failure to comply with an enforcement notice to comply with data access request is an offence under the PDPO.
4) Objections to direct marketing
Before a data user may (i) use a data subject’s personal data for direct marketing or (ii) provide it to others for this purpose, the data user must obtain the data subject’s consent or “no objection” to the intended use or provision.
- Accordingly, a data subject may object to any intended use of their personal data for direct marketing.
- A data subject may later request that a data user ceases to use their personal data for direct marketing to which they had previously consented. A data user must comply with such a request without charge.
5) Other rights
Correction - Under DPP6, data subjects are entitled to request the correction of personal data without charge to the data subject. This data correction request must be preceded by a data access request. There is no particular form / mode in which a data correction request has to be made.
The Privacy Commissioner may, at his discretion and depending on the circumstances, grant assistance including arranging for legal representation of, and advice to, data subjects in respect of their legal proceedings against data users.