Q: We are a company related to communication networks. Please advise whether by virtue of inclusion of a waiver of right clause by the customer we can use the data collected for other purposes? What action will your office take?
A: It is our view that the requirements of the Ordinance are binding on a data user irrespective of any contrary terms contained in an agreement with a data subject. For example, under data protection principle ("DPP") 1(1)(a) in Schedule 1 to the Ordinance it is provided that personal data shall not be collected except for a lawful purpose directly related to a function or activity of the party that will use the data. This requirement overrides any term or condition in a customer agreement that purports to give the company concerned the right to use personal data for any purpose whatsoever. Further, pursuant to DPP3 personal data shall not, without the "prescribed consent" of the subject of the data, be used for a purpose other than the purpose for which the data were to be used at the time of their collection or a directly related purpose. "Prescribed consent" in the Ordinance basically means express consent given voluntarily. Unless such consent is given to amendments to a service agreement that purport to add new, unrelated purposes for which a customer's personal data may be used, the requirement of "prescribed consent" under DPP3 will not have been complied with.
You also ask what action we will take in relation to such practices. The mere inclusion in a service agreement of terms that purport to override the requirements of the Ordinance may not contravene the Ordinance, but it is confusing to the public and when we come across such terms we will query them with the company concerned. On the other hand, any attempt to make use of such terms in a manner that is inconsistent with the requirements of the Ordinance would be a contravention of the Ordinance. As a general matter, we have powers to investigate suspected contraventions of the Ordinance, both on complaint from the individuals whose personal data are involved and on our own initiative (Part VII of the Ordinance refers). An investigation on our own initiative may take place following what we call a compliance check where we first draw the attention of the party concerned to the suspected contravention and invite a response and the taking of any necessary remedial action. Depending on the response we receive to such an approach, we would consider using our formal powers of investigation.