Skip to content

Codes of Practice/ Guidelines

Code of Practice on the Identity Card Number and other Personal Identifiers

Appendix II

Personal Data (Privacy) Ordinance
Cap. 486
(Schedule 1)
Sections 26,57(1) & 58(1)


26. Erasure of personal data no longer required

  1. A data user shall erase personal data held by the data user where the data are no longer required for the purpose (including any directly related purpose) for which the data were used unless -
    1. any such erasure is prohibited under any law; or
    2. it is in the public interest (including historical interest) for the data not to be erased.
       
  2. For the avoidance of doubt, it is hereby declared that -
    1. a data user shall erase personal data in accordance with subsection (1) notwithstanding that any other data user controls (whether in whole or in part) the processing of the data;
    2. the first-mentioned data user shall not be liable in an action for damages at the suit of the second-mentioned data user in respect of any such erasure.

57. Security, etc. in respect of Hong Kong

  1. Personal data held by or on behalf of the Government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong are exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to prejudice any of the matters referred to in this subsection.

58. Crime, etc.

  1. A data subject shall be entitled to-
    1. the prevention or detection of crime;
    2. the apprehension, prosecution or detention of offenders;
    3. the assessment or collection of any tax or duty;
    4. the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
    5. the prevention or preclusion of significant financial loss arising from-
      1. any imprudent business practices or activities of persons; or
      2. unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
         
    6. ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on any thing -
      1. to which the discharge of statutory functions by the data user relates; or
      2. which relates to the discharge of functions to which this paragraph applies by virtue of subsection (3); or
    7. discharging functions to which this paragraph applies by virtue of subsection (3),
      are exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to -
      1. prejudice any of the matters referred to in this subsection; or
      2. directly or indirectly identify the person who is the source of the data.

Previous Page