Frequently Asked Questions

Personal data is recorded information, including expressions of opinion, relating to an identifiable living individual, which are organised such that they can be processed or retrieved. Examples of personal data used in everyday life include a person's name, telephone number, fax number, address, sex, age, occupation, marital status, salary and financial status, religious belief, nationality, photo, identity card number, medical records and employment records, including assessments of employment performance.

No, apart from written documents, personal data in other forms, such as audio and video tapes, is also covered under the Ordinance.

Yes, the Ordinance covers personal information in any type of storage system, subject to it meeting the definition of personal data.

Basically yes, but there are certain exemptions from specific provisions of the Ordinance. These have been provided for in order to maintain the convenience of everyday life and uphold certain social and public interests. One area of exemption relates to personal data held for domestic or recreational purposes. These are generally exempted from the requirements of the Ordinance.

To protect the public interest in such matters as security, defence, prevention or detection of crime, assessment or collection of tax, news activities and health, there are exemptions for data users from the requirements to grant access to individuals to their personal records and to limit the use of personal records to the original purpose at the time of the collection of information.

For employment-related records, there are certain limited exemptions from the requirement to comply with access requests from individuals. For example, some employment-related personal information held before came into effect is exempt from such access until 2002.

Yes, the Ordinance covers private sector and public sector, including Government departments. The Commissioner can carry out investigations in relation to data users in these sectors.

When collecting personal data from electors, candidates should take note of the following:

• Only adequate and necessary personal data for election purpose should be collected, and inform the data subjects of the purpose of collection of the data;
• Express consent from the electors must be obtained before personal data is used for election purpose if the data was obtained for non-election purposes;
• Ensure the personal data from published registers of electors is used only for election purposes as prescribed by the relevant election legislation; and
• Maintain a list of individuals who find election-related communication objectionable, and avoid approaching them to canvass for votes.

No. DPP 3 prohibits the use of personal data for any new purpose which is not or is unrelated to the original purpose when collecting the data. If the purpose of use of personal data is for a new purpose, the data subject’s express and voluntary consent should be obtained. Here is a real case for illustration:

• A resident of a building lodged a complaint with a political party in relation to the management of the building, and for this purpose supplied his personal data. Subsequently, the political party used his personal data in canvassing him to vote for a candidate in an election.
• In response to the complaint, the political party undertook in future to obtain express and voluntary consent from any resident that had lodged a complaint with the party, before using their personal data for election purposes.

When conducting election activities, candidates should take all practicable steps to protect personal data of electors against accidental or unauthorised access. For example, when sending email to a list of recipients canvassing votes for a candidate in an election, the candidates should conceal the names and email addresses of the recipients (for example, by use of the “blind carbon copy” (bcc) function), to prevent recipients’ names and email addresses being disclosed to other recipients.

No. Personal data collected for election purposes should not be retained upon completion of all the election activities. Candidates should dispose of all the electors’ personal data obtained from a published register of electors, or those provided by government departments for election purposes. When data processors are appointed or engaged by the candidates to destroy personal data of electors on their behalf, the candidates must use contractual or other means to prevent the personal data being transferred to data processors from: (i) being kept longer than is necessary for election purposes; and (ii) unauthorised or accidental access, processing, erasure, loss or use.

Relevant government departments should formulate, systematically review and update their personal data security policies, procedures and practical guidelines, effectively disseminate them to all staff, and provide adequate training to all relevant staff.

During the election campaign period, relevant government departments should take all practicable security measures to protect personal data of electors against accidental or unauthorised access.

In addition to encrypting the database of electors, government departments should only keep personal data that is necessary for access or use in the portable storage devices, adopt effective security measures to safeguard the devices and ensure that only authorised staff are able to retrieve or access personal data.

If multiple transfers and storage venues for the election documents is necessary, government departments should set up procedures in respect of proper recording of movements of electoral documents, retrieval systems and dossier reviews for the purposes of monitoring and reviewing the implantation of the security measures.

Upon completion of an election, relevant government departments should continue taking security measures to protect personal data of electors against accidental or unauthorised access.

For details, please refer to our “Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public”.

Generally speaking, a "blind" recruitment advertisement is one that does not identify either the employer or the employment agency acting on its behalf.

An employer or recruitment agency who clearly indicates its identity may ask job applicants to submit personal data in a recruitment advertisement, provided that the data are adequate but not excessive in relation to the purpose of recruitment and are to be used lawfully (section 2 of the Code).

An employer who collects personal data from job applicants without identifying itself, or an appointed recruitment agency, might have engaged in an act of unfair collection of personal data contrary to the requirement of Data Protection Principle 1(2) of the Ordinance ("DPP1(2)"). DPP1(2) provides that personal data should be collected by means which are fair in the circumstances of the case. It would generally not be fair for persons collecting personal data not to identify themselves when collecting personal information from job applicants since the latter will not know to whom they are providing their personal data when making a job application.

Secondly, personal data collected from job applicants is subject to access and correction by the person concerned. Unless exempted from doing so under the Ordinance, an employer is required to provide a copy of the data no later than 40 days after receiving a data access request. Job applicants would not be able to exercise their data access rights if the identity of the organisation which collected their personal data is not disclosed in the advertisement (clause 2.11 of the Code).

If an employer finds it necessary to conceal its identity in a recruitment advertisement, it may provide contact information in the advertisement for further enquiries or provide job applicants, upon request, with an application form that bears the employer’s identity. Alternatively, the employer may engage a recruitment agency and reveal its identity in the advertisement.

No. The practice of employers providing a fax number, postal address or e-mail address in a recruitment advertisement is perceived as a way of inviting job applicants to submit their personal data and is not permissible under the provisions of the Code.

The key question here is whether the data collected is necessary for the specific purpose of determining whether an applicant’s relative is employed by a competitor. To serve this purpose, a prospective employer may only need to ask the applicant whether he is related to anyone who works in the same or a similar field. If the answer is in the affirmative, then further inquiries can be made to assess whether this creates potential concerns for the prospective employer. However, if the applicant has no relative who works for a competitor, the employer does not need to know about the actual occupations of the relative(s) and should not collect this data.

DPP 2(2) requires all practicable steps to be taken to ensure that personal data is not kept longer than is necessary to fulfil the purpose (including any directly related purpose) for which the data is or is to be used. In addition, section 26 of the Ordinance also requires a data user to take all practicable steps to erase personal data no longer required for use, unless doing so is prohibited under the law or it is in the public interest (including historical interest) for the data not to be erased. In general, an employer should not retain the personal data of a former employee for more than seven years.

However, some exceptions may justify a longer period of retention, such as the administration of remaining duties to former employees in relation to pension, superannuation, or mandatory provident fund schemes; or the retention of evidence in relation to legal action brought under the Employees’ Compensation Ordinance.

When a job application is unsuccessful, the applicant’s personal data should not be retained for more than two years from the date of rejection, bearing in mind possible discrimination claims or complaints that may be lodged by an aggrieved applicant. The retention period may exceed two years if there is a reason that obligates the employer to do so, or if the applicant has given the prescribed consent (i.e. express consent given voluntarily) for the data to be retained beyond this period.

Yes, an employer should obtain the prescribed consent (i.e. express consent given voluntarily) from an employee or former employee before giving an employment reference. This consent should preferably be given in writing. The reason for this is that the disclosure of an employee’s or former employee’s employment records (including performance assessment) to another party constitutes a change in the purpose for which the data is used at the time of collection and no longer directly relates to the original employment purpose.

DPP 2(1) requires a data user to take all reasonably practicable steps to ensure that personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used. Whether or not the employer needs to update the data depends on the purpose for which the data is kept. For example, an employer may need to update the records of a former employee to administer pension funds and make monthly payments. Where the personal data of a former employee is retained only for record-keeping purposes or for future job references, the employer is under no duty to update records that are meant to be static after the cessation of the employment relationship.

The Hong Kong branch has to ascertain the purpose of collection of such personal data by its overseas head office. If it is collecting the personal data for purposes directly related to the purpose for which the data was to be used at the time of the collection of the data (e.g., to properly discharge human resource administration functions), then the Hong Kong branch may provide such personal data to its overseas head office. However, the Hong Kong branch should, through the “Personal Information Collection Statement”, clearly inform its employees that the overseas head office is included among the classes of transferees of their data.

If the data user possesses the requested personal data at the time of receiving the data access request, the data user should provide the relevant data to the requestor unless otherwise exempted under the Ordinance. In this regard, the employer should first comply with the former employee’s request by providing him with the requested data, and subsequently delete all the data that has been retained longer than is necessary as soon as practicable.

Generally speaking, employers may only need the minimum information about a sick leave application of an employee (such as the cause of illness and the number of sick days recommended by a doctor) to verify his entitlement to sick leave, and should only make it available to authorised personnel on a "need to know" basis. As for the process of submitting sick leave application documents, each company has its own administrative arrangements under unique circumstances, and there is no generalisation.

That said, it is generally necessary for the company's management and the employee's immediate supervisor to know the employee's health condition in order to make arrangements for work assignments and manpower deployment.

Each case turns on its own facts and should be determined individually. In a precedent case, the court held that it was reasonable for employers to collect detailed medical records from employees who applied for relatively more sick leave as their health conditions might affect the services provided to clients. In that case, the employer informing the employee of the consequences of not providing such data (such as facing a disciplinary proceedings, etc.) was in compliance with DPP 1(3) of the Ordinance.

The employer requested medical proof for the purpose of reviewing whether the payment in lieu of notice should be exempted, which was related to the employer's functions and activities in employment matters. Hence the employer's request would not contravene the requirements under the Ordinance.

An employee has the right to request a copy of his personal data held by his employer by making a data access request. However, if the employer had never issued a reference letter for the employee, it is not necessary for the employer to produce a reference letter for complying with the employee’s data access request.

If the photo (such as photo of company activities and group photo, etc.) is not coupled with other identifying particulars of an employee (such as name), and it is not practicable to ascertain the employee’s identity from the photo alone, it does not amount to disclosure of "personal data".

On the contrary, if it is practicable to ascertain the employee’s identity from the photo and its caption (for example, a photo of an employee winning an award in a competition, etc.), the employer should only use the employee’s personal data for a purpose for which the data is to be used at the time of collection, or a directly related purpose. If publishing the relevant information would constitute a “new purpose”, the employer should first obtain the employee's consent before publishing the information.

To learn more:

• This link will open in a new windowCode of Practice on Human Resource Management
• This link will open in a new windowCode of Practice on Human Resource Management: Compliance Guide for Employers and Human Resource Management Practitioners
• This link will open in a new windowHuman Resource Management: Some Common Questions
• This link will open in a new windowUnderstanding the Code of Practice on Human Resource Management – Frequently Asked Questions About Recruitment Advertisements
• This link will open in a new windowPersonal Data is Essential – Protect Your Privacy – Job Seeking

• In terms of collection of personal data –
  • DPP 1 stipulates that data users (such as employers) must collect personal data in a lawful and fair way, for legitimate purposes directly related to their functions or activities; the data collected is necessary and sufficient for the purpose, but not excessive.
  • In the interest of transparency, where the personal data is collected directly from the data subject, the data user should inform the data subject whether it is obligatory for him to supply the data, the purpose of collection of the data and the classes of person to whom the data may be transferred. The data user should also inform the data subject of the right and means to request access to and correction of his personal data.
• In terms of use and disclosure of personal data –
  • DPP 3 states that personal data shall not be used for a “new purpose”, i.e. a purpose other than that for which it was originally collected or for a directly related purpose, unless the data subject has given express and voluntary consent. The data subject has the right to withdraw his consent previously given by written notification.
• Exemptions
  • The interests protected under PDPO have to be balanced against other legitimate interest. The Ordinance provides a number of exemptions from some compliance requirements under particular circumstances. Among other things, personal data used for the purpose of detection and remedying of seriously improper conduct is exempted from DPP 3 by virtue of section 58 of the Ordinance.
• In addition, employers should consider the requirements of professional codes issued by relevant professional bodies and employment laws.

Before deciding to monitor, employers should first assess whether it is really necessary to conduct such activity having regard to the business risks that they seek to manage and the impact on personal data privacy of its employees. Employers should consider alternatives available in order to lessen the adverse impact brought by the monitoring activity. In carrying out monitoring, employers should also implement clear Employee Monitoring Policy and communicate it to the staff affected. The use, retention and processing of personal data collected should also be kept under control so as not to contravene the requirements under the Ordinance.

Learn more:

This link will open in a new windowPrivacy Guidelines: Monitoring and Personal Data Privacy at Work

The same assessment process as mentioned above also applies. Given that the workplace is also the place of rest for the domestic helpers, employers should seriously consider whether it is really necessary to engage in such activity, the reasonableness as well as the openness of the activity. They should therefore inform their helpers of such practice, restrict monitoring to targeted areas (not toilets or other private areas) and make clear the purpose of monitoring and the retention period for the taped records.

Learn more:

This link will open in a new windowMonitoring and Personal Data Privacy at Work: Points to Note for Employers of Domestic Helpers"

Covert monitoring is not encouraged especially when it is being used as preventive measure only. Unless justified by existence of relevant special circumstances, such as "a reasonable suspicion" of unlawful activity and there is no reasonable alternative, this should only be engaged in as a last resort.

This link will open in a new windowGuidance on CCTV Surveillance and Use of Drones

They can complain to the Privacy Commissioner, who can follow up with the employer and examine the case by reference to the recommended good practices suggested in the Guidelines. If the employer is uncooperative and the law on personal data protection has been breached, the Commissioner may serve an enforcement notice on the employer directing for remedial action, which, if not complied with, can attract criminal sanction.

Learn more:

This link will open in a new windowHow to Make a Complaint

We will not comment on individual cases before understanding the specific situation.

According to the Ordinance, "personal data" are any data relating to a living individual, which are stored in recorded form making access to or processing practicable and from which it is practicable for the identity of the individual to be directly or indirectly ascertained from it. Generally speaking, to constitute an act of collection of personal data by the data user, there should be compilation of information about an individual, whose identity must have been identified by the data user, or the data user intends or seeks to identify the identity of the individual.

In general, if a monitoring and recording system is installed in a public place merely for the sake of security, it may not constitute collection of personal data (unless the data of a certain or some particular individuals are collected) and it may not be subject to the Ordinance. However, collection of personal data may take place under some special circumstances. For example, after a special incident has happened, the Authority concerned may need to review the video records for the purpose of ascertaining the identity of the individuals involved in the incident and it may then amount to collection of personal data. Therefore, organizations which intend to install monitoring and recording systems should, at least, post a notice in a prominent position near the installation, stating that the area is being monitored, the purposes of monitoring, as well as the ways of handling the records.

Broadly speaking, organizations can install monitoring and recording systems only if it is necessary for fulfilling their legitimate functions or activities, such as for security reasons, the monitoring of illegal acts (e.g. throwing objects from height, installation of closed-circuit televisions at hygiene blackspots by Team Clean), etc. Before an organization installs a monitoring and recording system, it is suggested that it should establish the collection purposes, evaluate the risks of monitoring, and consider if there is any other substitute that is less privacy intrusive in order to strike a balance between the protection of privacy rights of individuals and the smooth operation of the organizations.

When an organization has decided to install a monitoring and recording system, it is suggested that in the interest of transparency it should post a notice in a prominent position near the installation (the notice should be as close to the installation as practicable; the words should be clear and noticeable) so that sufficient notice is drawn to the public or the people affected hat their activities may be recorded and the reasons for collection of their personal data. The organizations concerned are suggested to formulate policies on video monitoring, and the persons who can access and view the contents of the tapes. Moreover, the organizations should also prescribe the retention period of the tapes and delete the data in the tapes accordingly, and steps shall also be taken to ensure that the tapes are securely kept.

In conclusion, when using monitoring and recording devices in public place, it is our view that a proper balance should be struck between the protection of public interests and personal data privacy. Data users should handle the issue in a fair and transparent manner giving due regards to the rights of personal data privacy.

Learn more:

This link will open in a new windowGuidance on CCTV Surveillance and Use of Drones

As drones can fly close to private properties and capture images with a fine level of detail in places that are not expected, the threat posed to privacy is particularly severe. Users of drones should be mindful of public concerns and consider adopting the recommendations below:

• Obtain consent from an individual before using drones to record him;
• Flight paths should be carefully planned so as to avoid causing nuisance to other people;
• Erase images of individuals being captured accidentally as soon as possible;
• If images are transmitted through wireless means, encryption should be considered to avoid the adverse consequences of interception by unrelated parties;
• Let people who may be affected by drones clearly understand that the drone is in operation, for example by installing signal lights, making it easier for nearby individuals to notice, thereby building mutual trust.

The main purpose for most vehicle owners using dash cameras is to provide evidence in the event of a traffic accident. Therefore, it is sufficient for the camera to capture driving conditions on the road without needing high resolution or audio recording capabilities, in order to avoid capturing the faces of unrelated individuals or recording conversations of passengers inside the vehicle. Additionally, the retention period for the footage should not exceed what is necessary to achieve the purpose of data collection. Regarding data storage, unless an accident occurs, vehicle owners should avoid backing up the dash camera footage to reduce the risk and impact of data leakage.

Whether the Ordinance is applicable to this case hinges on whether personal data of the passenger is being collected or compiled, whether the identity of the passenger can be identified, and whether the identity of the passenger is important information for the driver. Generally speaking, it would constitute the collection of personal data under the Ordinance only if the driver has identified the passenger or intends to identify the passenger's identity when compiling information. The driver should observe the requirements under the Data Protection Principles of the Ordinance in this case. Conversely, the driver may be infringing on the passenger’s "personal privacy" (such as clandestine photo-taking or stalking activities without a specified target), which falls outside the jurisdiction of the Ordinance. Nonetheless, even if there is no collection of personal data in the incident described, disclosing other people’s information on the internet and causing adverse impacts or even bullying incidents for that person may also contravene other ordinances or constitute offenses.

If you install a CCTV camera solely for security reasons, without the intention of using the recorded footage to identify specific individuals, such actions do not constitute 'collection of personal data' and are therefore not regulated by the Ordinance. However, if you intend to use the CCTV footage to identify specific individuals, you must comply with the provisions of the Ordinance. Before installation, you should evaluate whether there is a real need (for example, if there have been disturbances or thefts near your unit); otherwise, you should avoid installation. Additionally, consider consulting your neighbors to understand their concerns and actively address their worries. Generally, you should avoid using covert cameras and refrain from using recording functions. You should also pay attention to the camera's angle (for example, avoid pointing it directly at a neighbor's front door) to prevent causing discomfort, invading privacy, or creating unnecessary misunderstandings. Furthermore, you should post a visible notice near the camera to inform that the area is being recorded, and take care to securely manage the footage to prevent leaks or access by unauthorised persons. Unless a crime or other security incident occurs, you should avoid reviewing the CCTV footage and should not keep the footage for too long (for instance, consider deleting the footage a week after it is recorded).

You may install a webcam and monitor your home through websites or mobile applications. If you have not taken security measures, images captured by the webcam might be intercepted by unauthorised persons, or even being made public online, just like a “reality show”. In order to protect your privacy, you should take the following measures:

When purchasing network cameras equipped with encryption technology (such as SSL), ensure that the transmitted footage is encrypted to prevent unauthorised third parties from intercepting the images. When setting up the network camera, enable password protection, change the manufacturer's default username and password, and use a strong password (such as a combination of letters, numbers, and symbols) to prevent unauthorised third parties from easily connecting to your network camera. Timely install firmware updates provided by the manufacturer for the network camera and apply patches for related video playback software and applications to fix security vulnerabilities. Additionally, turn off the camera when it is not in use (for example, after returning home).

Learn more:

This link will open in a new windowGuidance on CCTV Surveillance and Use of Drones

Having approached both organizations, it was clarified that the telephone company would only provide to FSD the telephone number and installation address of the numbers concerned, i.e. the building or the estate from which the call is made. No full address and name of the subscriber would be disclosed to FSD.

According to section 2 of the Ordinance, personal data means any data relating directly or indirectly to a living individual and from which it is practicable for the identity of the individual to be directly or indirectly ascertained. As the information passed over by the telephone company to FSD do not contain any personal identifying particulars such as name and full address, these data are not regarded as personal data and this arrangement would not be in breach of the Ordinance.

Learn more:

The Personal Data (Privacy) Ordinance

Regulation on data protection in direct marketing

Part VIA of the Ordinance regulates the use and provision for use of personal data in direct marketing activity.

Data user (Bank A) is required to inform the data subject (you as a client of the bank) certain prescribed information and to obtain his consent. Prescribed information include the notification that the data user intends to use your personal data in direct marketing; that it will not so use your personal data unless it has received your consent or indication of no objection; the kinds of personal data to be used; and the classes of goods, facilities or services that it will promote to you.

The data user should also provide the data subject with a response channel to communicate his consent or indication of no objection. Non-response of the data subject to the data user's notification does not constitute consent or an indication of no objection. The data user cannot use the data subject's personal data in direct marketing unless it has obtained the consent or an indication of no objection from the data subject.

Failure to comply with the new requirements by the data user is a criminal offence punishable by a fine and imprisonment.

When you receive a marketing message, ask yourself:

Had the organisation sent you direct marketing messages before 1 April 2013 regarding the same kind of products it currently promotes, and you had never rejected those messages?

YES – Bank A may invoke the grandfathering provisions of the Ordinance. In which case, it can continue to use your personal data for the purpose of direct marketing the same class of products, without having to inform you of the prescribed information and obtain your consent or indication of no objection.

NO –Bank A may commit a breach of the new requirements if it had not obtained your consent or indication of no objection for using your personal data in direct marketing the current type of products. You may ask Bank A to remedy the breach or lodge a complaint to the PCPD.

You can opt out at anytime

As a data subject, you can opt out from direct marketing at anytime whether or not you have previously consented to receiving direct marketing messages.

Although the Ordinance does not prescribe the manner of how a data subject should raise an opt-out request, the PCPD advises data subject to do so in writing for better protection. You should keep a copy of it which can serve as evidence for future investigation.

If, after you have made an opt-out request and the organisation still keeps on using your personal data for direct marketing purpose, it may have committed an offence under the Ordinance.

Learn more:

This link will open in a new windowExercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance

This link will open in a new windowInfographic: It is Your Choice to Accept or Refuse Direct Marketing. File a Complaint Against Failed Opt-Out Requests

This link will open in a new windowHow to Make a Complaint

Pursuant to the Ordinance, “Direct Marketing” is defined as:

• the offering, or advertising of the availability, of goods, facilities or services; or
• the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,

through direct marketing means.

“Direct Marketing Means” is defined as:

• sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or
• making telephone calls to specific persons.

Since monthly statements are mailed directly to individual customers by name, regardless of the size of the sticker, the bank must comply with the requirements under the Ordinance in relation to the use of personal data in direct marketing activities, provided that the information involved meets the definition of direct marketing as outlined above.

Since the telecommunications company is aware of your contract’s impending expiration, the call is clearly targeted at you. According to relevant cases, if the call merely informs you of the contract’s expiration, it does not constitute direct marketing. However, if the staff member offers you the option to renew the contract at a discounted rate or promotes additional services, it would constitute direct marketing. In this circumstance, the telecommunications company must comply with the requirements under the Ordinance in relation to the use of personal data in direct marketing activities.

Examples:

• Telecommunications service providers contacting existing customers by phone to promote upgraded services;
• Beauty salons contacting specific individuals by phone to offer free beauty treatments;
• Banks enclosing donation forms of charitable organisations in the monthly bank statements sent to individual customers;
• Professional organisations attaching promotional offers or co-branded promotions with partner organisations to newsletters mailed to their members;
• Fitness centres notifying members via email about discount offers for new programmes;
• Political parties sending information to their members inviting participation in recreational activities (e.g. cooking classes);
• Educational institution sending emails to students introducing the latest fee-based courses.

• Service providers sending SMS to existing customers informing them of their impending contract expiration and providing their enquiry hotlines;
• Promotional mailings sent to an address or “resident” of an address without addressing specific persons by name;
• Recreation clubs posting event leaflets on their websites to encourage public participation;
• Face-to-face presentations of products or services by customer service managers (if the manager subsequently uses customers’ personal data to deliver promotional materials, it would constitute direct marketing);
• Banks sending supermarket coupons to existing customers as a gesture of appreciation.

Generally speaking, WhatsApp or SMS that are not addressed to specific persons fall outside the scope of the Ordinance. For instance, if someone creates a WhatsApp group and adds a list of mobile phone numbers with the same prefix (without knowing any other personal data about the owners) and subsequently sends messages promoting referral services, or if an unknown sender sends promotional SMS to your mobile phone number without addressing you by name, these messages are not regulated by the Ordinance as they are not addressed to specific persons. However, such messages may be classified as unsolicited electronic messages under the Unsolicited Electronic Messages Ordinance, which falls under the purview of the Office of the Communications Authority.

While the surname alone may not constitute personal data, as a customer of the bank, the bank likely possesses additional personal data of you (such as your name and telephone number) and uses such data to contact you by phone. Therefore, this falls within the scope of direct marketing under the Ordinance.

If you have never used any services of the bank and are uncertain whether the caller is authorised by the bank, you should refrain from disclosing any personal data and contact the bank for verification. If the call involves impersonation of bank staff, you should consider reporting the case to the Police.

It hinges on whether the boutique informed you of its intention to use your personal data for direct marketing purposes and provided the following information to you, either orally or in writing, prior to engaging in direct marketing:

• The organisation intends to so use your personal data;
• The organisation may not so use the data unless with your consent;
• The kinds of personal data to be used;
• The classes of goods, facility or service offered/advertised;
• A response channel through which you may, without charge, communicate your consent to the intended use.

The meaning of “consent” includes “indication of no objection”. To qualify as an “indication of no objection”, you must have explicitly indicated that you do not object to the use of your personal data in direct marketing. In other words, “consent” should not be inferred from your non-response. In order to avoid any misunderstanding, you are recommended to express your indication clearly by using definite terms, for example:

• An oral consent: “Okay, please send me the promotional offer/information to my address at XYZ.”
• An oral objection: “No, I do not agree to your use of my personal data in direct marketing.”
• A written consent: Tick the box “I agree to the use of my personal data for direct marketing of (classes of goods, facility or service)” in a service application form.

Sometimes, an organisation may provide a tick box for you to indicate objection on a service application form:

• “I object to the use of my personal data for direct marketing of (classes of goods, facility, or service).”

If you do not tick the box but sign on the application form to signify your acceptance of the terms and conditions, you will normally be regarded as having indicated you have no objection (i.e. consent) to the use of your personal data in direct marketing. Hence, you should study the application form carefully before signing.

Regulation on data protection in direct marketing

The organisation must, within 14 days, send to your last known correspondence address (which may include your physical address, email address and telephone number for SMS) a written confirmation of the following:

• The date of receipt of the consent;
• The permitted kind of personal data; and
• The permitted class of marketing subjects.

You should read the written confirmation carefully upon receipt of the written confirmation. If you find anything objectionable, you should raise it immediately with the organisation. Otherwise, the organisation may start using your personal data in direct marketing without further notice.

Before transferring your personal data to any third parties (i.e. the resort), the shopping mall must inform you in writing of its intention to so use the data in direct marketing and further provide you with the following information:

• The shopping mall may not so transfer the personal data unless with your written consent;
• Whether the personal data is transferred for gain; and
• The classes of persons to which the data is to be provided.

Please note that the shopping mall must obtain your written consent before providing your personal data to the resort for direct marketing purposes.

Regardless of how the company obtained your personal data, the company must obtain your consent before using your personal data in direct marketing. The company would contravene the requirements of the Ordinance unless your friend informed you with the prescribed information in writing in accordance with the requirements of the Ordinance and obtained your written consent for the transfer of your personal data. Furthermore, your friend would be committing an offence if he/she provided your personal data to the company for direct marketing purposes without taking the specified actions required in the Ordinance.

According to the Ordinance, you may at any time make an opt-out request to an organisation requiring it to:

• Stop using your personal data in direct marketing;
• Stop transferring your personal data to any other person for use in direct marketing; and
• Notify the transferee(s) to whom the organisation has transferred your personal data to stop using such data in direct marketing.

An opt-out request automatically supersedes any previous consent given by you. It is an offence if the organisation continues to send you direct marketing messages after receiving your opt-out request.

You can raise an opt-out request orally or in writing. We recommend making a written opt-out request to avoid any miscommunication or misunderstanding. Additionally, you are strongly advised to retain a copy of your written opt-out request for record purposes.

The company reminds customers about the impending contract expiration is considered a form of after-sales service and thus does not constitute direct marketing. However, if the company takes this opportunity to promote its services, it does constitute direct marketing. In this circumstance, it would contravene the requirements under the Ordinance by using personal data for direct marketing after customers have made opt-out requests. To avoid any human errors or overstepping behaviour by salespersons, service providers are recommended to notify customers of the contract expiration date and post-contractual arrangements in a standardised written format. Additionally, wordings which may constitute the offering of any products and services should be avoided. This approach not only serves to remind customers but also enables service providers to satisfy the defence requirements under the Ordinance (i.e. they have taken all reasonable precautions and exercised all due diligence to avoid contravening the offences relating to direct marketing).

You may inquire about the source of your personal data from the organisation. However, the organisation is under no legal obligation to provide such information. If you do not wish the organisation to continue to use your personal data in direct marketing, you may exercise your right to opt-out from receiving direct marketing messages.

Learn more:

This link will open in a new windowGuidance on Direct Marketing

This link will open in a new windowExercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance

This link will open in a new windowInfographic: It is Your Choice to Accept or Refuse Direct Marketing. File a Complaint Against Failed Opt-Out Requests

This link will open in a new windowHow to Make a Complaint

Building management staff should consider less privacy-intrusive alternatives to verify visitors’ identities (e.g. verifying visitors’ identities by the flat occupant concerned and recording information of visitors’ work permit). Building management staff should only record visitors’ HKID Card numbers if the above alternatives are not practicable.

Building management staff can only collect the full identity card number under the circumstances set out in the “Code of Practice on the Identity Card Number and other Personal Identifiers”, otherwise, they should not collect any part of the HKID Card numbers.

In general, it is recommended that personal data recorded in the visitors’ logbook not be retained over one month. However, it is justifiable to retain the data for a longer retention period under special circumstances, such as when the records are required for evidentiary purposes or to assist in a police investigation.

Generally speaking, collection of the name, flat number and contact phone number of the access card applicant is sufficient for the property manager to verify the applicant’s identity and process the application. Since the other cardholders listed in the application form are authorised by the applicant, collecting their names is adequate for the card issuance process. If there is a need to trace or verify the identities of these cardholders, this can be achieved through the applicant.

Property management companies should adopt less privacy-intrusive alternatives to combat car theft, such as issuing an “exit pass” to car park users which includes their vehicle’s license plate number. This would allow security personnel at the exit to verify and collect the pass when the vehicle leaves the car park. Another alternative is to capture an image of the vehicle’s license plate number upon entry to ensure that the same parking ticket is used for the corresponding vehicle. Meanwhile, the property management companies should remind vehicle owners not to leave the “exit pass” or parking ticket inside their cars.

Property management company may consider invoking the exemption provision under section 60B of the Ordinance to provide “Resident A” with the video footage for the court’s consideration. According to a judicial precedent, once an exemption in section 60B is invoked, it is no longer required to redact personal data contained in the documents disclosed to the other party in a court proceeding. Therefore, it is not necessary to redact the images of other passers-by from the video footage.

• Generally speaking, when displaying notices that contain personal data, property management organisations must carefully consider the necessity and extent of disclosing such information. Excessive disclosure of personal data may contravene the Ordinance unless exemption provisions apply. For instance, the Building Management Ordinance requires that if the owners’ corporation is involved in legal proceedings, the management committee must display a notice detailing the particulars of the case in a prominent location. In this circumstance, if the owners’ corporation is legally required to display writs of summons and statements of claim, and disclose the personal data of the other party, it would be exempt from the Ordinance under the exemption provisions, thus not constituting a contravention of the Ordinance.
• However, owners’ corporation should also consider the nature of the personal data being disclosed and the involved matter at hand, the method of disclosure, and the parties to whom the personal data is disclosed, etc. and use common sense to assess whether the disclosure might cause disproportionate or unreasonable inconvenience or prejudice to the parties concerned. If sensitive personal data is included in the documents, it should be appropriately masked before being displayed.

The posting of the notice of application is required by the “Landlord and Tenant (Consolidation) Ordinance” (Chapter 7, Laws of Hong Kong). The personal data included in the notice is exempt from DPP 3 under Section 60B of the Ordinance. Therefore, the landlord would not contravene the Ordinance.

If non-disclosure of the complainant’s identity does not hinder the handling of the complaint, the property management company should accommodate the complainant’s preference. On the contrary, if non-disclosure of the complainant’s identity makes it impracticable for the property management company to handle the subject matter, the property management company should communicate this challenge to the complainant, allowing them to make an informed decision.

Learn more:

Guidance for Property Management Sector

Code of Practice on the Identity Card Number & Other Personal Identifiers

Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users

Your Identity Card Number and Your Privacy

Cookies are small files transmitted by a website to a computer, which may contain information such as browsing history and viewing preferences. The types and functions of cookies are as follows:

• Session Cookies: Many websites that require user log-in utilise session cookies, enabling users to navigate each webpage without re-entering their username and password. Session cookies are deleted upon closing the user’s browser. If you wish to avoid being rejected from accessing a website, you may consider accepting session cookies.
• First-party Cookies: These cookies record your browsing preference and activities. Unlike session cookies, first-party cookies remain on your computer even after closing the browser. Refusing these cookies may prevent access to certain websites or specific parts of them. For example, some websites use first-party cookies to record your verification code to facilitate security checks on online forms. You will not be able to submit the online forms if you refuse to accept such cookies.
• Third-party Cookies: Online advertising companies often place these cookies on websites for which they have paid. If you do not wish to be tracked, you should deny third-party cookies and it should not affect your browsing experience. You may refer to your browser settings for instructions on how to deny third-party cookies.
• Flash Cookies: Also known as “Flash / Super / Zombie cookies”, these cookies are difficult to remove and remain on your computer regardless of your browser settings. If you have installed the latest version of Acrobat Flash, you can configure the “FlashPlayer” on your console to refuse flash cookies. Given the rapid development of cookies, you should stay informed about the latest developments if you are concerned about online tracking.

Cookies that do not contain any data that can identify an individual (such as name and online account number) do not constitute collection of “personal data”. On the contrary, if an organisation collects cookies to track the behaviour and preferences of identifiable users, these cookies should be handled in accordance with the provisions of the Ordinance.

Pursuant to the Data Protection Principle of the Ordinance regarding data collection, website operators should only collect necessary, adequate but not excessive amount of personal data in a lawful and fair way. Generally speaking, fair data collection practices include informing users of: (1) the types of information being collected and the purposes for which it will be used; (2) whether it is obligatory to allow cookies to collect the relevant data; and (3) the consequences of not accepting cookies (e.g. being unable to use certain features of the website). If website operators collect users’ personal data covertly via cookies, it may constitute unfair data collection.

Organisations should consider whether the purpose of using cookies is necessary for the services provided. If an organisation uses cookies to collect unnecessary personal data (such as users’ browsing habits on other websites), such collection might be considered excessive. In this circumstance, organisations should allow users to decide whether to accept the use of cookies. The best practice would be for organisations to require users to read a “Personal Information Collection Statement” upon their initial access to the website. This statement should specify the types of information to be collected and the purposes for which the information will be used, thereby allowing them to make an informed decision about whether to accept the use of cookies.

Organisation which intends to use the personal data collected from cookies in direct marketing (such as sending promotional emails tailored to user preferences) should comply with the provisions of the Ordinance in relation to the use of personal data for direct marketing purposes (such as informing users of the intention to use their personal data in direct marketing and obtaining prior consent for such use). Even if users have given consent to the use of their personal data in direct marketing, they can still request the organisation to cease using the data.

Enabling “Private/Secure Mode”, which are available in many browsers, allows users to configure their browsers to refuse the use of cookies. Consequently, no browsing traces (such as browsing or download history, cache files and saved passwords) will remain after closing the browser. However, the level of privacy protection offered by this mode may vary depending on the functionalities of different browsers. You may wish to check whether this mode is activated in your browser.

Unless the purpose of uploading someone’ photos / videos on social media websites or forums is consistent with or directly related to the purpose for which the data was collected, a voluntary and explicit consent must be obtained from the data subject concerned. If you are a cameraman who uploaded a photo of your customer without their consent on your personal social media platform for promotional purposes, you may have contravened the provisions of the Ordinance in relation to the use of personal data.

Pursuant to Section 52 of the Ordinance, personal data held by an individual solely for managing personal or family affairs, or for recreational purposes, is exempt from the provisions of the data protection principles (including Data Use Principle). Generally speaking, you will not contravene the requirements under the Ordinance by uploading photos taken at family or friends gathering onto social media without their consent.

Learn more:

Guidance for Data Users on the Collection and Use of Personal Data through the Internet

Privacy Implications for Organisational Use of Social Networks

Online Behavioural Tracking

Protect Your Personal Data - Be Smart on Social Media

Protecting Privacy – Using Computers and the Internet Wisely