THIS CODE OF PRACTICE has been issued by the Privacy Commissioner for Personal Data ("the Commissioner") in the exercise of the powers conferred on him by section 12(1) of the Personal Data (Privacy) Ordinance (Cap. 486) ("the Ordinance"), which empowers him to issue Codes of Practice "for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users", and pursuant to section 12(8) of the Ordinance, which provides that the Commissioner shall approve a code of practice in respect of all or any requirements of the Ordinance in so far as they relate to personal data that are personal identifiers.
This Code was identified by notice in the Gazette on 19 December 1997. The relevant Gazette Notice, as required by section 12(2) , specified that the Code has been approved with effect from 19 December 1997 in relation to the following requirements of the Ordinance: section 26, Data Protection Principles 1, 2, 3 and 4 in Schedule 1.
The provisions of the Code are not legally binding. A breach of the Code by a data user, however, will give rise to a presumption against the data user in any legal proceedings under the Ordinance. Basically the Ordinance provides (in section 13) that:
then that essential matter shall be taken as proved unless there is evidence that the requirement of the Ordinance was actually complied with in a different way, notwithstanding the non-observance of the Code of Practice.
Aside from legal proceedings, failure to observe a Code of Practice by a data user will weigh unfavourably against the data user in any case before the Commissioner.