Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Berthold, Mark --- "Hong Kong's Personal Data (Privacy) Ordinance 1995" [1995] PrivLawPRpr 105; (1995) 2(9) Privacy Law & Policy Reporter 164

Hong Kong's Personal Data (Privacy) Ordinance 1995

Mark Berthold

On 3 August 1995 the Governor of Hong Kong, with the Legislative Council's advice and consent, enacted the Personal Data (Privacy) Ordinance ('the Ordinance'). The legislation adopts most of the Law Reform Commission's (LRC's) proposals providing for data privacy published in August 1994 (see 1 PLPR 165). Those proposals were based on recommendations formulated following a five-year examination of the issue by the LRC's Privacy sub-committee chaired by Mr Justice Barry Mortimer. That examination included consideration of over 80 submissions elicited by a comprehensive public consultation exercise.

The Ordinance reflects an accelerated but nonetheless thorough examination by a committee of legislators chaired by the Hon Emily Lau resulting in the adoption of 30 committee-stage amendments to the Bill. The law is expected to come into force in the second quarter of 1996, following the setting up of the office of the Privacy Commissioner ('the Commissioner').

Legislative aims

The Ordinance's short title states that it is 'an Ordinance to protect the privacy of individuals in relation to personal data'. 'Privacy' is a notoriously vague expression, but in the context of the Ordinance it can be attributed an operational definition, namely compliance with the data protection principles. Traditionally, organisations in Hong Kong have tended to assume that they have exclusive control over data they hold about an individual (the data subject). The data protection principles enable the data subject to share this control.

Scope

The Ordinance regulates data users in both the public and private sectors. Section 2 defines 'data user' as the person who 'controls' personal data, either alone or jointly with another person. Section 2(12) excludes from this definition a person doing so solely on behalf of another person and not for any of his own purposes, such as an Internet service provider. Section 52 exempts from the application of all the data protection principles data held by an individual and concerned only with the management of his personal, family or household affairs, or held only for recreational purposes.

Personal data

'Data' is defined as 'any representation of information (including an expression of opinion) in any document, and includes a personal identifier.' In Hong Kong the identity card number constitutes an ubiquitous personal identifier. To constitute 'personal data' and hence be subject to the Ordinance the data must fulfil all three following requirements:

1. The data must be data 'relating directly or indirectly to a living individual'. 'Relating to' connotes some nexus between the individual and the data referring to him or her, such as possessing a personality trait, income or phone number. Mere linkage of the data with a particular individual would be insufficient. For example, application of general criteria such as a minimum income requirement to a loan applicant would not result in those criteria 'relating to' that individual, whereas reference to the individual's income would so relate.
2. The data must be such that 'it is practicable for the identity of the individual to be directly or indirectly ascertained' from them. 'Practicable' is defined as 'reasonably practicable'. Accordingly, a 'reasonable data user' test is appropriate in determining whether data controlled by the data user is retrievable. Relevant factors would include the sensitivity of the data and the resources of the data user: greater efforts can be expected of large organisation to identify the subject of the data in question, particularly when they may seriously impact on that individual.
3. The data must be 'in a form in which access to or processing of the data is practicable'. This flexible test is not technology-bound and encompasses both automated data and organised manual data. While the Ordinance does not directly impose good record-keeping standards, the reasonable data user test may require that additional compensatory measures be taken to retrieve poorly organised data. The Ordinance treats data as retrievable whether or not the data user is disposed to make reasonable efforts to retrieve the data.

The identification and retrievability tests modify the Ordinance's focus on recorded personal information. They recognise a harm test: personal data may pose only insignificant risks to the individual unless and until they can be reasonably identified or retrieved. It follows that whether the data in question fall within the definition of 'personal data' is not determined by their category (for example, name, address) but will fluctuate according to the context provided the data by different data users controlling the data.

The data protection principles

The data protection principles distil the principles of fair information practice that form the heart of the Ordinance and are set out in Sched 1. Although based on those formulated by the OECD, the wording adopted differs in some respects. They have also been supplemented in some respects.

This principle imposes various requirements on the collection of personal data. 'Collection' is undefined but covers two situations:

1. The creation of data by eliciting information (for example, interview responses) from the data subject or third parties and recording them.
2. The gathering of existing data from the data subject (for example, a completed questionnaire) or third parties.

Principle 1 requires that personal data be collected:

• Only for a purpose directly related to the functions or activities of the data user and only if necessary for that purpose. This requirement is derived from the Australian Act, but is extended to private bodies.
• Lawfully and in a manner that is 'fair in the circumstances of the case'. Trickery and undue pressure would be two examples of unfair collection. However, the wording (which derives from the NZ Act) provides some flexibility to accommodate pressing social need.

Where the collection is from an individual, he or she must be informed at the time of matters relevant to the decision whether to provide the data, namely whether it is obligatory or not to provide them, the consequences of not providing them, the purposes for which they will be used, and the classes of persons to which they will be transferred. The data subject must prior to their use be also advised of his or her access and correction rights and contact details of the officer handling such requests. Except as regards voluntariness and consequences (which will often be obvious from the context), the data subject must be explicitly informed of these matters. Where repeated collections are involved in similar circumstances (for example,. hospital patients), s 35 provides that annual reminders suffice so as to avoid pointless repetition. These requirements derive not from the OECD principles but from the EU Directive on data protection, as modified in response to submissions received.

This imposes the requirement that personal data be accurate having regard to the purpose for which they are used. No absolute standard is accordingly imposed. In addition it requires that:

1. Personal data not be kept longer than is necessary.
2. Corrections be transmitted to data users previously supplied the inaccurate data. This is also the subject of s 23(1)(c).

Data users will be faced with a major undertaking in upgrading the quality of their data to conform to the Ordinance. Accordingly while s 66 provides that an individual who suffers damage (including injury to feelings) as a result is entitled to compensation, this right does not accrue for inaccurate data until one year after the law comes into force.

This provides that personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than 'the purpose for which the data were to be used at the time of the collection of the data'. 'Purpose' includes a directly related purpose.

A noteworthy feature of this formulation is that it dispenses with the OECD Purpose Specification Principle's requirement that data purposes must be specified not later than the time of data collection. As regards collections from the data subject, we saw above that principle 1 requires the specification of purposes. But where the data are collected from third parties, principle 3 envisages the attribution of a data purpose whether or not it was explicitly formulated at the time of collection. In view of the increasingly unilateral nature of data collection from other data users this probably makes sense. It has also facilitated dispensing with a mandatory notification requirement (see below).

This principle is the linchpin of the regulation of the use of data and is very broad. As mentioned above, 'collection' of data may be from either the data subject or from a third party. Under principle 3 the data subject's prescribed consent is required to a change of purpose in either case.

The most logical interpretation of 'time of collection of data' is that it is not restricted to the initial collection but extends to subsequent collections. On this basis, consent would be required to a change of use from the purpose that the data user in question collected it for. This purpose may differ from that applicable to data users controlling the data earlier in the data 'food chain'.

'Use' of data would appear to extend to merely calling up the data for inspection, in view of the wording adopted in principle 4 set out below. Under the differently worded provisions of the UK Data Protection Act 1984, in R v Brown [1994] QB 547 the Court of Appeal held that 'use' did not extend to such activities (see (1994) 1 PLPR 32).

'Prescribed consent' is defined (in s 2) as 'express consent given voluntarily'. Express consent must be given affirmatively and it would not suffice to simply advise the data user of the change of purpose and indicate that his consent will be inferred unless he objects. Further, consent must be informed consent and the data subject must given a clear idea of what is proposed.

This requires the data user holding data to take 'all reasonably practicable steps' to protect that data against unauthorised or accidental 'access, processing, erasure or other use' having particular regard to a number of matters there set out.

This is the only data protection principle which extends to data that do constitute 'personal data' because they are not reasonably retrievable. It accordingly regulates the insecure storage and disposal of unstructured manual data.

This principle provides a general exhortation of transparency in dealing with personal data. It requires data users to be open about their data policies and practices, the kinds of personal held and their main purposes.

This principle provides the data subject with the right to ascertain from a data user whether it holds data on him and if so to access and correct or qualify that data. The mechanics of this process are elaborate and are spelt out in Pt V of the Ordinance. The combined effect of s 19(3)(a)(ii) and s 19(5) is that for the first year that the Ordinance is in force the right is qualified and the data user is allowed to clean up his data and only provide the data subject with the residue.

Compliance with Principles required

The relationship between the principles articulated in Sched 1 and Pts I-X is defined by s 4 which provides that a data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless it is required or permitted under the body of the Ordinance.

Exemptions

Part VIII prescribes specific exemptions from principles 3 and 6 where their application to data is likely to prejudice a competing public interest. Three general points are:

1. The exemptions relate to data, not to data users as such. For example, the exemption relating to the prevention, detection, or prosecution of crime is not restricted in its application to data held by the police. Conversely, much data held by the police will not be subject to this exemption.
2. The exemptions sanction, but do not require, a data user to dispense with compliance with the relevant data protection principle. Relevant factors on whether to invoke an exemption will be the potentially adverse consequences on data quality arising from denying access (which may ultimately result in a compensation claim) and (particularly as regards employment data) the expected impact on staff morale of releasing or denying access to the data in question.
3. There is a degree of overlap between the exemptions and accordingly sometimes more than one will apply.

Exemptions from both principles are accorded where their application to the data in question is likely to prejudice health, the prevention, preclusion or remedying of illegal or 'seriously improper conduct' (for example, disciplinary breaches), law enforcement, the collection of tax, and security, defence or international relations in respect of Hong Kong. Financial regulation is accorded some elaborate supplementary exemptions. Also exempted are data held by a news business solely for the purpose of a news activity.

1. Employment data comprising staff succession plans involving long term and hence necessarily hypothetical projections, data generated during an evaluative process which is subject to appeal, and references. There is also a seven year transition period regarding access to confidential employment data compiled prior to the law coming into force and which continues to be held by the data subject's employer. These last two exemptions are the sole instances where the law differentiates access rights according to whether the data were compiled before it comes into force. The policy basis is that as the employment relationship is ongoing and intense, the employer should have room to manoeuvre when access is sought to data compiled without any expectation that it would be seen by the employee.
2. Data for which a claim for professional privilege could be made out.

1. Statistics and research data.

Privacy Commissioner

Part II details the setting up of the office of the Privacy Commissioner (the Commissioner). This will be a new regulatory body to monitor and, if necessary, enforce compliance with the legislation. Part VII prescribes the procedures to be followed by the Commissioner in investigating and reporting on complaints and confers various powers in this regard. Main features are:

1. The office is a corporation sole and completely independent of government. NZ similarly utilises the corporation sole structure.
2. To be appointed by the Governor, the Commissioner may only be removable for misbehaviour or inability pursuant to a resolution of the Legislative Council. This protection of tenure goes further than other data protection laws, but mirrors that of Hong Kong's Commissioner for Administrative Complaints.

Prescribed functions include supervising compliance, education, promoting codes of practice, examining proposed legislation that may affect privacy, and monitoring computer technology impinging on privacy. These last two functions were omitted from the LRC's recommendations, but correspond with those of his Australian and NZ counterparts.

The Commissioner's investigative powers are accompanied by powers of entry to premises and enabling him to collect evidence. These powers are balanced by competing civil liberties concerns. Accordingly, a judicial warrant is required for entry to domestic premises. Nor do his evidence seeking powers extend to the seizure of evidence.

Section 28(4) provides that a data subject may complain to the Commissioner about an act or practice engaged in by a specified data user which may contravene a requirement of the Ordinance. In the first instance the emphasis will be on resolving a dispute through conciliation. However, the Commissioner is conferred comprehensive mandatory powers to enforce compliance. Appeals on the merits will be entertained by the Administrative Appeals Board. Criminal sanctions are prescribed for some contraventions.

In exercising his investigative powers, the Commissioner is not restricted to reacting to complaints but may initiate his own investigations and conduct systematic inspections of selected data users. These powers are circumscribed in relation to news organisations and he may only conduct an investigation following receipt of a complaint following publication or broadcast of the data. Nor may he conduct inspections of news organisations. The concern was that the application of these powers to the media could weaken its institutional integrity. An additional safeguard to press freedom is the requirement that the Commissioner may only require the identification of journalistic sources after obtaining a court order so permitting. The Hong Kong legislation more explicitly balances privacy and press freedom concerns than its counterparts. This is largely to address a growing concern about the development of media self-censorship in the territory.

To assist the Privacy Commissioner an advisory committee will be established. Contrary to the LRC's recommendations, it will lack any executive functions. This conforms to doubts expressed by international experts about the feasibility of a hybrid body.

The exemptions are identified exhaustively and the scheme permits no role for the Commissioner in varying their scope. The Commissioner's role is limited to monitoring the application of exemptions in particular instances. Upon receiving a complaint or otherwise investigating a suspected breach, the Commissioner may review the claim that an exemption is applicable. The Commissioner will be assisted in discharging this function by the requirement that upon refusing an access request, the data user must enter the particulars in a log book (a requirement unique to the Hong Kong). The only sphere in which the Commissioner's review powers are restricted relates to data likely to prejudice security, defence or international relations in respect of Hong Kong. As regards these matters, the Governor or Chief Secretary may sign a certificate so providing, giving reasons. The common law principles of judicial review apply to such certificates.

Codes of practice

Part III deals with the promulgation of codes of practice to elaborate on the application of the necessarily generally expressed data protection principles to particular sectors. The provisions of such codes may elaborate on, but not amend or abridge, any requirement of the law. The Commissioner may issue his own codes or approve suitable codes prepared by others. In either case he must consult affected parties. A breach of a code does not of itself constitute a contravention of the law, but will be admissible in the investigation of an alleged contravention.

Notification requirement

Part IV provides the Commissioner with powers to require specified classes of data users to furnish him with returns providing general information about their record-keeping activities. The requirement only applies to data users falling within a class specified to be specified by the Commissioner. This flexible approach departs from that recommended by the LRC, which felt constrained by the Purpose Specification Principle to impose a statutory requirement that all data users provide notifications. As mentioned earlier, the requirement that data purposes always be explicitly specified has been omitted from the principles. The approach adopted allows for the phased introduction of a notification scheme, taking into account the nature of data processing activities in question. Before specifying a class of data users the Commissioner must consult relevant parties.

Regulation of specific practices

Part VI regulates specific data processing situations, namely matching procedures, opt-out procedures for direct marketing data, and transfers of data to a place outside Hong Kong.

Data matching

The Ordinance regulates 'matching procedures' involving the comparison of data collected for difference purposes with a view to taking adverse follow-up action. The definition of 'matching procedure' is similar to the New Zealand provision, but emphasises an objective test in ascertaining whether the data may be used for the purpose of taking adverse action, whether immediately or at any subsequent time. Such programs are intrusive in nature and their results are susceptible to error and to address these concerns it is required that:

1. No adverse action be taken in consequence of a matching procedure without 7 days notice allowing the individual to contest the matter
2. The Commissioner give prior approval to the matching procedure. The onus is on the data user to justify the need for matching, including reference to whether it is in the public interest, the benefits to be derived, and whether there is any practicable alternative to the matching procedure. The only exception is where the matching procedure belongs to a class approved by the Commissioner.

The developing trend in Europe is to discourage the transfer of data to jurisdictions lacking adequate data protection. This trend will accelerate following the adoption in July 1995 of the European Union Directive on data protection. Furthermore, such states may be hesitant to transfer personal data to a jurisdiction possessing legal controls which, however, countenance further transfers to data havens. Accordingly, the Ordinance imposes controls aimed at precluding Hong Kong from being a conduit for transfers to data havens. There are two aspects, namely the territorial reach of the Ordinance and a restriction on the transfer of data to jurisdictions outside Hong Kong.

The application of the control test included in s 2's definition of 'data user' means that the transfer of data to a jurisdiction out of Hong Kong will only cease to be subject to the Ordinance's general provisions if control is also relinquished. Where the transfer is of data is accompanied by a loss of control of the data, s 33 applies. This permits a transfer where it is to a jurisdiction possessing 'any law which is substantially similar to, or serves the same purposes as, this Ordinance' and the Commissioner may specify such jurisdictions by gazette. Also permitted are transfers justifiable on public interest grounds, or which further the interests of the data subject.

In all other cases, however, s 33 requires that the transferrer should be subject to a duty to take all reasonable steps to ensure that the transferee applies similar data privacy standards to those applicable in Hong Kong. It will be for the transferrer to assess the situation and take the most appropriate steps. Consideration will have to be given to such measures as obtaining contractual assurances. But in the last analysis, it will be for the Commissioner to determine upon receipt of a complaint or at his own initiative, whether the duty has been discharged by the transferrer.

These provisions obviously have major implications for Australia and other jurisdictions presently lacking comprehensive legal regulation of data privacy in the private sector. They are not restricted to transfers out of Hong Kong but extends to Hong Kong controlled transfers between two jurisdictions outside Hong Kong.

Direct marketing

Upon the first communication for the purposes of marketing following the Ordinance coming into force, s 34 requires that the data subject must be expressly offered the opportunity to require that all data relating to him used for marketing purposes be no longer so used.

Conclusion

With the enactment of the Personal Data (Privacy) Ordinance, Hong Kong joins NZ as a Pacific-rim jurisdiction with a comprehensive legal regime protecting personal data in both the public and private sectors. On 13 August 1995 they were joined by Taiwan (see (1995) 2 PLPR 160). Moreover, the Hong Kong law's restrictions on transborder dataflows are directly relevant to data users in the region. The implications of these restrictions merit separate treatment.

Mark Berthold is consultant to the Hong Kong Law Reform Commission.