Hong Kong Unit 4B PDPO II Flashcards

1
Q

How many principles for PDPO?

A

Six data protection principles (DPPs).

2
Q

What is DPP1? What is required with direct marketing activities?

A

DPP1 - Data Collection Principle

1) Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user.
2) Data subjects must be notified of the purpose (in Personal Info Collection Statement - PICS) and the classes of persons to whom the data may be transferred.
3) Data collected should be necessary but not excessive.

3 Codes of Practice Issued:
- Consumer Credit Data
- Human Resource Management
- Identity Card Number and Other Personal Identifiers

Direct Marketing Requirements (6A):
- Provide response channel to give consent (opt-in) (35C,J)
- If consent obtained is verbal, written confirmation needed within 14 days
- Grandfathering agreement applies to updates of personal data held by data user before 1 Apr 2013. Similar rules for pre-existing data as PDPA SG (35D)
- Inform data subject if data user is planning to use data received from third party (unless there is written notice/consent obtained)
- Consent is needed if online tracking information relates to personal data and is collected for direct marketing purposes.

3
Q

Part 6A Direct Marketing - What information must be in the “prescribed” notice to data subjects?

A

Data subjects must be notified of the purpose (in Personal Info Collection Statement - PICS) and the classes of persons to whom the data may be transferred.

Inform data subject if data user is planning to use data received from third party (unless there is written notice/consent obtained).

Provide response channel to give consent (opt-in).

4
Q

What is DPP2? What must data user do when outsourcing?

A

DPP2 - Accuracy and Retention Principle

Practicable steps shall be taken to ensure personal data is:

1) Accurate in relation to the purpose for which it is used
2) Not kept longer than is necessary to fulfil the purpose for which it is used
3) Where practicable, inform third parties if personal data is materially inaccurate at the time of or after disclosure, and provide updated particulars for rectification

Personal Data transferred to Data Processors for processing:
- In outsourcing arrangements (within or outside HK), the data user must adopt “contractual means or other means” to prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data
- The data user remains accountable for the acts done and practices engaged in by the data processor

5
Q

What is DPP3? What must be considered for direct marketing?

A

DPP3 - Data User Principle
- Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
- Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.
- Any excessive disclosure of personal data not necessary for the purpose of use will risk contravening DPP3.
- Only necessary and relevant personal data should be used or disclosed.
- Personal data collected from public domain should not be taken to mean that the data subject has given blanket consent for re-use of personal data for whatever purposes.

Any relevant person in relation to a data subject may, on his or her behalf, give prescribed consent for using personal data for a new purpose (applies to minors, persons incapable of managing their own affairs, persons incapable of understanding the new purpose, etc.).

Direct Marketing Requirements:
- (6A) Data user needs to get consent (an “indication of no objection”); silence or no response is not considered valid consent.
- Must allow the data subject to withdraw consent (opt-out right); non-compliance: fine of HK$500k-1m and imprisonment of 3-5 years, depending on whether the personal data was used for personal gain

6
Q

Part 6A Direct Marketing - Describe what a data user (data controller) has to do before using a data subject’s personal data for direct marketing or transferring the data to a third party for direct marketing.

A

Data user needs to get consent (an “indication of no objection”); silence or no response is not considered valid consent.

Must allow the data subject to withdraw consent (opt-out right); non-compliance: fine of HK$500k-1m and imprisonment of 3-5 years, depending on whether the personal data was used for personal gain.

7
Q

Part 6A Direct Marketing - What happens to a data user if he breaches direct marketing provisions?

A

Non-compliance: fine of HK$500k-1m and imprisonment of 3-5 years, depending on whether the personal data was used for personal gain.

8
Q

What is DPP4? What must be considered when outsourcing?

A

DPP4 - Data Security Principle
A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use – DPP4(1)

Considerations:
- The kind of data and the harm that could result
- Physical location where data is stored
- Any security measures incorporated in any equipment
- Any measures taken for ensuring integrity, prudence and competency of personnel having access to the data
- Any measures taken for ensuring secure transmission
- Not mandatory for data users to report a data breach to the Privacy Commissioner. (However, there is a Guidance on Data Breach Handling)

In outsourcing arrangements (within or outside HK), the data user must adopt “contractual means or other means” to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing - DPP4(2).

9
Q

What is DPP5?

A

DPP5 - Openness Principle

A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

A Privacy Policy Statement (PPS) is required if data user controls the collection, processing/use of personal data.

  • Commissioner is empowered to serve an enforcement notice directing a data user who is found to have contravened DPP5 “to remedy, and, if appropriate, prevent any recurrence of the contravention”.
  • Recommendations: systematic approach by data users in implementing a privacy management programme built upon a robust data privacy policy and practices that are properly executed, reviewed and assessed by designated data protection officers.

10
Q

What is difference between PPS and PICS? When is each provided, who are the audience?

A

A PICS (Personal Info Collection Statement) is provided by the data user to a data subject at the time personal data is collected, whereas a PPS is a general statement to the public about the data user’s privacy policies and practices.

11
Q

What is DPP6? What is the turnaround time to fulfill data subject access request in HK vs SG?

A

DPP6 Access and Correction
A data subject must:
- Be given access to his/her personal data
- Be allowed to make corrections if it is inaccurate

Must respond (and correct if relevant) within 40 days.

A data subject may also be entitled to request personal data:
- within a reasonable period of time
- at a fee, if any, that is not excessive
- in reasonable manner
- in a form that is intelligible
- be given reasons if request is refused
- also applies to data request made by a “relevant person”

A data user cannot ignore an access request. The Ordinance expressly requires a data user to inform the requestor, within 40 days of receiving the request, if it does not hold any of the requested data.

12
Q

In section 63B regarding transfer or disclosure of personal data, what is exempt from DPP3?

A

Under section 63B, amended in 2012, the transfer or disclosure of personal data by a data user for the sole purpose of a due diligence exercise conducted in connection with a business merger, acquisition or transfer of business is exempt from the restrictions on use (DPP 3).

13
Q

What are the guidance on erasure and anonymisation for HK? What must the data user do?

A

Data users should adopt a top-down approach to managing data destruction so that there is an organisation-wide view of all personal data held by the data user.

This necessitates the development of organisation-wide policies, guidelines and/or procedures:
- Personal data retention policy (retention periods of each type of personal data)
- Personal data erasure policy (including copies of personal data, digital and paper records, obsolete or damaged storage devices)

The data user should maintain retention records and erasure records.

Data users must have clear policies and procedures on recycling so that employees understand the risks and know how to prevent them.

When outsourcing erasure work to a service provider, the organisation should include in the service contract:
- The security requirements relating to transporting and handling the personal data
- The erasure standard and service level
- The mechanism to ensure/confirm that all personal data is erased according to the agreed requirements
- The consequences of any non-compliance with the contractual terms

Data users must:
- realise that using anonymisation instead of erasure entails the risk that data subjects may be re-identified from the anonymised data (especially in the era of Big Data)
- weigh the benefits of keeping anonymised data against the risk of re-identification
- review regularly whether anonymised data can be re-identified and take appropriate actions to protect the data, and
- consider carefully whether or not to release the anonymised data (or subsets of the data) to third parties or the public

Anonymising personal data means removing from the personal data any information from which an individual may be identified by anyone reading the record.

Anonymisation also means that the data user is not in a position to re-establish the identity of any individual with its other existing or future information on the individual.

Most importantly, data user should commit, by clear policy, that it does not and will not attempt to re-identify any individuals from anonymised data or to use the information or any individuals even if re-identification is possible.

14
Q

How should employers treat personal data of job applicants? How long can the CVs of unsuccessful applicants be kept?

A
  • Employer should not solicit personal data from job applicants in an advert that provides no identification of either the employer or the employment agency acting on its behalf.
  • If an employer finds it necessary to conceal its identity, it may ask the applicant to obtain an application form in the advert; or the employer may use a recruitment agency which should be identified in the advert.
  • Recruitment adverts that directly ask job applicants to provide their personal data should include a statement informing applicants about the purposes for which their personal data is to be used.
  • Personal data collected from job applicants should be adequate but not excessive, and it should be relevant to the purpose of identifying suitable candidates for the job.
  • Employer should not collect a copy of the HK identity card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment.
  • Information may be compiled about a job applicant (e.g. by means of security vetting or integrity checking); the data collected should be relevant to the nature of the job.
  • Personal health data (where required) of the selected candidate should only be collected after the employer has made a conditional offer of employment.
  • Personal data of unsuccessful applicants may be retained for a period of up to two years from the date of rejection (in case there is an employment discrimination claim against the employer) and should then be destroyed. The employer may retain the data beyond two years if it has a subsisting reason to do so or the applicants have given their consent.
15
Q

What must employers do when processing personal data of current employees?

A
  • On appointment, an employer may collect additional personal data from an employee and their family members for the purpose of employment or to fulfil lawful requirements.
  • On or before collecting personal data from an employee, an employer should provide the employee with a Personal Information Collection Statement (PICS).
  • Information compiled about an employee in the process of disciplinary proceedings, performance appraisal or promotion planning should only be used for the intended purposes. The information should not be disclosed to a third party unless the third party has legitimate reasons of access to the data.
  • Employer should not disclose employment-related data of employees to third parties without first obtaining the employees’ express and voluntary consent unless the disclosure is directly related to employment or is required by law or statutory authorities.
  • Employer should avoid disclosure of data in excess of what is necessary for the purpose of use by the third party.
  • Employer who engages a third party as its data processor must use contractual or other means to ensure that the third party abides by the data protection requirements.
  • Employer will be held accountable in its capacity as principal for the act or omission of the third party.
16
Q

How do employers treat personal data of former employees? How long can the personal data be retained for?

A
  • Personal data of former employees may be retained for up to seven years from the date of cessation of employment. The data may be retained by the employer for a longer period if there is subsisting reason or retention is necessary to fulfil contractual or legal obligations.
  • Employer must take all practicable steps to ensure that only relevant and necessary information of ex-employees is retained.
  • In a public announcement regarding ex-employees, the employers should not disclose their IC numbers nor disclose excessive personal data about them.
  • Employer should not provide references concerning ex-employees to third parties without first obtaining the ex-employees’ express and voluntary consent.

17
Q

What must employers do if they want to monitor employees at work?

A

Employers are obliged to carry out a privacy impact assessment and evaluate less intrusive approaches to achieving the objectives of the monitoring.

Employers must draft and communicate a written policy on employee monitoring to affected employees, explaining:
- the business purposes of the monitoring
- the circumstances under which monitoring takes place, and
- the kinds of personal data collected as part of the monitoring

18
Q

What is section 33 on data transfer/export? What must data user do if it commenced?

A
  • Section 33 of the PDPO prohibits the transfer of personal data outside of Hong Kong except in certain circumstances. It has not yet commenced operation, despite being included in the PDPO since 1996.
  • In December 2014, the Commissioner issued a voluntary Guidance Note on Cross Border Transfer of Personal Data. Some data users have taken the approach of complying with the restrictions to avoid disruption when and if section 33 eventually comes into force.
  • In May 2022, the Commissioner issued Guidance on Recommended Contractual Clauses for Cross-Border Transfer of Personal Data. The clauses of the model contract are based on an agreement jointly prepared by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce. They have been adapted to meet the requirements of the Ordinance.

Transfers covered:
- Section 33 covers two situations: (1) transfers from Hong Kong to a place outside Hong Kong, and (2) transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user.

Restrictions:
Before a data user may transfer personal data outside Hong Kong, at least one of the following requirements must be satisfied:
- the place to which the data are transferred has in force “any law which is substantially similar to, or serves the same purposes as, this Ordinance”. The Privacy Commissioner may specify a place satisfying this requirement by notice in the gazette.
- Data subject has consented in writing to the transfer.
- Data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the data subject’s consent, but if practicable, such consent would be given.
- Data are exempt from data protection principle 3 by virtue of an exemption under “Part VIII - Exemptions” in the Ordinance.
- Data user has taken “all reasonable precautions and exercised all due diligence to ensure” that the data will not be dealt with in a manner that would constitute a contravention of the Ordinance.

Transfer Mechanism (Summary)
- Recipient country has similar law
- Consent
- Transfer to mitigate adverse action and consent not practical
- Exemption from DPP3 under Part VIII
- Contract and agreements

19
Q

What should a model contract for outsourcing the processing of personal data to data processors provide?

Why would a model contract be used?

A

A Contract for Outsourcing the Processing of Personal Data to Data Processors should provide that:

1) The data processor:
- must not use or disclose personal data for any purpose other than for the purpose for which the personal data has been entrusted to it by the data user
- must take certain security measures to protect the personal data entrusted to it by the data user
- must comply with the DPPs
- must return or delete the personal data when it is no longer required for the purpose for which it is entrusted by the data user

2) Sub-contracting is prohibited or restricted and

3) Audit and inspection rights are provided to the data user.

A data user:
- is liable for its agent’s or contractor’s breach of the requirements under the PDPO and
- must use contractual or other means to ensure that personal data:
> is protected from unauthorised or accidental access, processing, erasure, loss or use and
> is not retained for longer than necessary for the purpose of processing the data