PDPO'S DATA PROTECTION PRINCIPLES (DPPs) Flashcards

1
Q

What should personal data be collected for according to DPP1?

A

Personal data should be collected for a lawful purpose directly related to a function or activity of the data user.

2
Q

What must data subjects be informed about according to DPP1?

A

Data subjects must be informed about the purpose of data collection and to whom their data may be transferred.

3
Q

What are the Codes of Practice issued for HK DPP1?

A

Consumer credit data, human resource management, IC and other personal identifiers.

4
Q

What is required under DPP2 regarding accuracy?

A

Personal data should be accurate and kept up to date.

5
Q

What is required under DPP2 regarding retention?

A

Personal data should not be kept longer than necessary for the fulfillment of the purpose for which it is used.

6
Q

What does DPP3 state about purpose limitation?

A

Personal data should only be used for the purposes for which it was collected or for a directly related purpose unless the data subject gives consent otherwise.

7
Q

What does excessive disclosure of personal information breach in HK?

A

DPP3 Use.

8
Q

What are the info security requirements in HK under DPP4?

A

A data user needs to take practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss, or use.

9
Q

What are the security measures (DPP4) for outsourcing in HK?

A

In outsourcing arrangements (within or outside HK), data users must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss, or use of the data transferred to the data processor (DPP4(2)).

10
Q

What are the new amendments for DPP5 in HK under the Amendments Ordinance?

A

The Commissioner is empowered to serve an enforcement notice directing the data user who is found to have contravened DPP5 (Openness) to remedy and, if appropriate, prevent any recurrence. Recommendations include a systematic approach by data users in implementing a privacy management program built upon a robust data privacy policy and practices that are properly executed, reviewed, and assessed by designated data protection officers.

11
Q

What rights do data subjects have under DPP6?

A

Data subjects have the right to access their personal data and request corrections if the data is inaccurate.

12
Q

What are the DPO requirements in HK?

A

No legal requirement for a DPO. However, the PCPD issued a best practice guide to encourage users to appoint a DPO.

13
Q

What are the children’s data protection rules in HK?

A

No concept or specific requirement. PCPD issued a leaflet to help parents and teachers protect children’s personal data in the online environment.

14
Q

What are the breach notification requirements in HK?

A

No mandatory requirement. However, non-binding guidance issued by the PCPD encourages notification to the PCPD and to data subjects where there would be a risk of harm.

15
Q

Which two DPPs were breached by Octopus in 2010?

A

DPP1 (data collection): collected HKID etc. for authentication. The Commissioner found that Octopus had failed to justify the claim that collecting HKID numbers was necessary to safeguard against damage and loss. The PICS was also in an unreasonably small font. DPP3 (data use): sale of personal data not made clear to data subjects.
