Skip to content

Frequently Asked Questions

Frequently Asked Questions

  •  
    General
    Print
    Expand
    Collapse
    • A1 What is personal data?
      Personal data is recorded information, including expressions of opinion, relating to an identifiable living individual, which are organised such that they can be processed or retrieved. Examples of personal data used in everyday life include a person's name, telephone number, fax number, address, sex, age, occupation, marital status, salary and financial status, religious belief, nationality, photo, identity card number, medical records and employment records, including assessments of employment performance.
    • A2 Does personal data refer to personal data in written documents only?
      No, apart from written documents, personal data in other forms, such as audio and video tapes, is also covered under the Ordinance.
    • A3 Does the Ordinance cover personal information held in both manual and computer files?
      Yes, the Ordinance covers personal information in any type of storage system, subject to it meeting the definition of personal data.
    • A4 Are my rights relating to personal data protected in every sphere of life?
      Basically yes, but there are certain exemptions from specific provisions of the Ordinance.. These have been provided for in order to maintain the convenience of everyday life and uphold certain social and public interests. One area of exemption relates to personal data held for domestic or recreational purposes. These are generally exempted from the requirements of the Ordinance.

      To protect the public interest in such matters as security, defence, prevention or detection of crime, assessment or collection of tax, news activities and health, there are exemptions for data users from the requirements to grant access to individuals to their personal records and to limit the use of personal records to the original purpose at the time of the collection of information.

      For employment-related records, there are certain limited exemptions from the requirement to comply with access requests from individuals. For example, some employment-related personal information held before came into effect is exempt from such access until 2002.
    • A5 Does the Ordinance cover private and public sector organisations, including Government departments?
      Yes, the Ordinance covers private sector and public sector, including Government departments. The Commissioner can carry out investigations in relation to data users in these sectors.
  •  
    Human Resource Management
    Print
    Expand
    Collapse
    • A1 What is a "blind" recruitment advertisement in the context of the Code of Practice on Human Resource Management ("the Code")?
      Generally speaking, a "blind" recruitment advertisement is one that does not identify either the employer or the employment agency acting on its behalf.
    • A2 Under what circumstances can job applicants be asked in a recruitment advertisement to submit personal data?
      An employer or recruitment agency who clearly indicates its identity may ask job applicants to submit personal data in a recruitment advertisement, provided that the data are adequate but not excessive in relation to the purpose of recruitment and are to be used lawfully (section 2 of the Code).
    • A3 Why is an employer required to identify itself in recruitment advertisements that solicit personal data from job applicants?
      An employer who collects personal data from job applicants without identifying itself, or an appointed recruitment agency, might have engaged in an act of unfair collection of personal data contrary to the requirement of Data Protection Principle 1(2) of the Ordinance ("DPP1(2)"). DPP1(2) provides that personal data should be collected by means which are fair in the circumstances of the case. It would generally not be fair for persons collecting personal data not to identify themselves when collecting personal information from job applicants since the latter will not know to whom they are providing their personal data when making a job application.

      Secondly, personal data collected from job applicants is subject to access and correction by the person concerned. Unless exempted from doing so under the Ordinance, an employer is required to provide a copy of the data no later than 40 days after receiving a data access request. Job applicants would not be able to exercise their data access rights if the identity of the organisation which collected their personal data is not disclosed in the advertisement (clause 2.11 of the Code).

      If an employer finds it necessary to conceal its identity in a recruitment advertisement, it may provide contact information in the advertisement for further enquiries or provide job applicants, upon request, with an application form that bears the employer’s identity. Alternatively, the employer may engage a recruitment agency and reveal its identity in the advertisement.
    • A4 Some employers provide their fax number, postal address or e-mail address in a recruitment advertisement without explicitly asking job applicants to submit their personal data. Is this practice acceptable under the Code?
      No. The practice of employers providing a fax number, postal address or e-mail address in a recruitment advertisement is perceived as a way of inviting job applicants to submit their personal data and is not permissible under the provisions of the Code.
    • A5 A company’s job application form includes questions about the occupations of the applicant’s spouse and children, the sole purpose of which is to ascertain whether any relative of the applicant works for its competitors. Is this acceptable?
      The key question here is whether the data collected is necessary for the specific purpose of determining whether an applicant’s relative is employed by a competitor. To serve this purpose, a prospective employer may only need to ask the applicant whether he is related to anyone who works in the same or a similar field. If the answer is in the affirmative, then further inquiries can be made to assess whether this creates potential concerns for the prospective employer. However, if the applicant has no relative who works for a competitor, the employer does not need to know about the actual occupations of the relative(s) and should not collect this data.
    • A6 For how long should an employer keep the personal data of former employees and unsuccessful job applicants?
      DPP 2(2) requires all practicable steps to be taken to ensure that personal data is not kept longer than is necessary to fulfil the purpose (including any directly related purpose) for which the data is or is to be used. In addition, section 26 of the Ordinance also requires a data user to take all practicable steps to erase personal data no longer required for use, unless doing so is prohibited under the law or it is in the public interest (including historical interest) for the data not to be erased. In general, an employer should not retain the personal data of a former employee for more than seven years.

      However, some exceptions may justify a longer period of retention, such as the administration of remaining duties to former employees in relation to pension, superannuation, or mandatory provident fund schemes; or the retention of evidence in relation to legal action brought under the Employees’ Compensation Ordinance.

      When a job application is unsuccessful, the applicant’s personal data should not be retained for more than two years from the date of rejection, bearing in mind possible discrimination claims or complaints that may be lodged by an aggrieved applicant. The retention period may exceed two years if there is a reason that obligates the employer to do so, or if the applicant has given the prescribed consent (i.e. express consent given voluntarily) for the data to be retained beyond this period.
    • A7 Must an employer obtain consent from the relevant employee before giving an employment reference to another employer?
      Yes, an employer should obtain the prescribed consent (i.e. express consent given voluntarily) from an employee or former employee before giving an employment reference. This consent should preferably be given in writing. The reason for this is that the disclosure of an employee’s or former employee’s employment records (including performance assessment) to another party constitutes a change in the purpose for which the data is used at the time of collection and no longer directly relates to the original employment purpose.
    • A8 If an employer needs to retain the personal data of a former employee, is the employer required to update the data regularly or keep it as is?
      DPP 2(1) requires a data user to take all reasonably practicable steps to ensure that personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used. Whether or not the employer needs to update the data depends on the purpose for which the data is kept. For example, an employer may need to update the records of a former employee to administer pension funds and make monthly payments. Where the personal data of a former employee is retained only for record-keeping purposes or for future job references, the employer is under no duty to update records that are meant to be static after the cessation of the employment relationship.
    • A9 The overseas head office regularly accesses personnel information related to salaries, bonuses, ex-gratia payments, and similar information pertaining to the staff members employed by its Hong Kong branch. Would such practice constitute a contravention of the Ordinance?
      The Hong Kong branch has to ascertain the purpose of collection of such personal data by its overseas head office. If it is collecting the personal data for purposes directly related to the purpose for which the data was to be used at the time of the collection of the data (e.g., to properly discharge human resource administration functions), then the Hong Kong branch may provide such personal data to its overseas head office. However, the Hong Kong branch should, through the “Personal Information Collection Statement”, clearly inform its employees that the overseas head office is included among the classes of transferees of their data.
    • A10 An employee who had left the company for over ten years made a data access request to the employer for the payroll records during his employment. The employer found that it retained the relevant records, but realised that the retention period exceeded the seven-year period as stipulated under the Code. Should the employer destroy the records immediately, or comply with the data access request?
      If the data user possesses the requested personal data at the time of receiving the data access request, the data user should provide the relevant data to the requestor unless otherwise exempted under the Ordinance. In this regard, the employer should first comply with the former employee’s request by providing him with the requested data, and subsequently delete all the data that has been retained longer than is necessary as soon as practicable.
    • A11 Employers required employees to submit their sick leave application documents to the Human Resources Department through their immediate supervisors and the General Manager. If an employee did not want his direct supervisor and the General Manager to know about his illness, could he submit the documents directly to the Human Resources Department?
      Generally speaking, employers may only need the minimum information about a sick leave application of an employee (such as the cause of illness and the number of sick days recommended by a doctor) to verify his entitlement to sick leave, and should only make it available to authorised personnel on a "need to know" basis. As for the process of submitting sick leave application documents, each company has its own administrative arrangements under unique circumstances, and there is no generalisation.

      That said, it is generally necessary for the company's management and the employee's immediate supervisor to know the employee's health condition in order to make arrangements for work assignments and manpower deployment.
    • A12 An employer required an employee to provide detailed medical records on the grounds that the employee applied for sick leave more than other colleagues. The employer indicated that the employee might be dismissed if he refused to accede to the request. Did the employer contravene the provisions of the Ordinance?
      Each case turns on its own facts and should be determined individually. In a precedent case, the court held that it was reasonable for employers to collect detailed medical records from employees who applied for relatively more sick leave as their health conditions might affect the services provided to clients. In that case, the employer informing the employee of the consequences of not providing such data (such as facing a disciplinary proceedings, etc.) was in compliance with DPP 1(3) of the Ordinance.
    • A13 An employee would like to resign and leave the company as soon as possible to take care of his sick father. The employer agreed to waive the payment in lieu of notice if the employee could present medical proof showing that his father was in need of care due to illness. Could the employer collect the said medical proof?
      The employer requested medical proof for the purpose of reviewing whether the payment in lieu of notice should be exempted, which was related to the employer's functions and activities in employment matters. Hence the employer's request would not contravene the requirements under the Ordinance.
    • A14 The employer did not issue a reference letter when the employee resigned from the company. Could the employee request the employer to provide a reference letter by exercising the right of data access request?
      An employee has the right to request a copy of his personal data held by his employer by making a data access request. However, if the employer had never issued a reference letter for the employee, it is not necessary for the employer to produce a reference letter for complying with the employee’s data access request.
    • A15 Can an employer include photos of an employee in its publications?
      If the photo (such as photo of company activities and group photo, etc.) is not coupled with other identifying particulars of an employee (such as name), and it is not practicable to ascertain the employee’s identity from the photo alone, it does not amount to disclosure of "personal data".

      On the contrary, if it is practicable to ascertain the employee’s identity from the photo and its caption (for example, a photo of an employee winning an award in a competition, etc.), the employer should only use the employee’s personal data for a purpose for which the data is to be used at the time of collection, or a directly related purpose. If publishing the relevant information would constitute a “new purpose”, the employer should first obtain the employee's consent before publishing the information.

      To learn more:
    • A16 Can employers review the information uploaded by their employees on social platforms, and if any inappropriateness is found, punish or even dismiss the employee?
      • In terms of collection of personal data –
        • DPP 1 stipulates that data users (such as employers) must collect personal data in a lawful and fair way, for legitimate purposes directly related to their functions or activities; the data collected is necessary and sufficient for the purpose, but not excessive.
        • In the interest of transparency, where the personal data is collected directly from the data subject, the data user should inform the data subject whether it is obligatory for him to supply the data, the purpose of collection of the data and the classes of person to whom the data may be transferred. The data user should also inform the data subject of the right and means to request access to and correction of his personal data.
      • In terms of use and disclosure of personal data –
        • DPP 3 states that personal data shall not be used for a “new purpose”, i.e. a purpose other than that for which it was originally collected or for a directly related purpose, unless the data subject has given express and voluntary consent. The data subject has the right to withdraw his consent previously given by written notification.
      • Exemptions
        • The interests protected under PDPO have to be balanced against other legitimate interest. The Ordinance provides a number of exemptions from some compliance requirements under particular circumstances. Among other things, personal data used for the purpose of detection and remedying of seriously improper conduct is exempted from DPP 3 by virtue of section 58 of the Ordinance.
      • In addition, employers should consider the requirements of professional codes issued by relevant professional bodies and employment laws.
  •  
    Direct Marketing
    Print
    Expand
    Collapse
    • A1 I have a savings account at "Bank A". Recently I received a phone call from a staff member of this bank marketing its investment products to me. I am really annoyed at this kind of direct marketing calls. How does the Ordinance protect me from the unsolicited approach?

      Regulation on data protection in direct marketing

      Part VIA of the Ordinance regulates the use and provision for use of personal data in direct marketing activity.

      Data user (Bank A) is required to inform the data subject (you as a client of the bank) certain prescribed information and to obtain his consent. Prescribed information include the notification that the data user intends to use your personal data in direct marketing; that it will not so use your personal data unless it has received your consent or indication of no objection; the kinds of personal data to be used; and the classes of goods, facilities or services that it will promote to you.

      The data user should also provide the data subject with a response channel to communicate his consent or indication of no objection. Non-response of the data subject to the data user's notification does not constitute consent or an indication of no objection. The data user cannot use the data subject's personal data in direct marketing unless it has obtained the consent or an indication of no objection from the data subject.

      Failure to comply with the new requirements by the data user is a criminal offence punishable by a fine and imprisonment.

      When you receive a marketing message, ask yourself:

      Had the organisation sent you direct marketing messages before 1 April 2013 regarding the same kind of products it currently promotes, and you had never rejected those messages?

      YES – Bank A may invoke the grandfathering provisions of the Ordinance. In which case, it can continue to use your personal data for the purpose of direct marketing the same class of products, without having to inform you of the prescribed information and obtain your consent or indication of no objection.

      NO –Bank A may commit a breach of the new requirements if it had not obtained your consent or indication of no objection for using your personal data in direct marketing the current type of products. You may ask Bank A to remedy the breach or lodge a complaint to the PCPD.

      You can opt out at anytime

      As a data subject, you can opt out from direct marketing at anytime whether or not you have previously consented to receiving direct marketing messages.

      Although the Ordinance does not prescribe the manner of how a data subject should raise an opt-out request, the PCPD advises data subject to do so in writing for better protection. You should keep a copy of it which can serve as evidence for future investigation.

      If, after you have made an opt-out request and the organisation still keeps on using your personal data for direct marketing purpose, it may have committed an offence under the Ordinance.

      Learn more:

      Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance

      Infographic: It is Your Choice to Accept or Refuse Direct Marketing. File a Complaint Against Failed Opt-Out Requests

      How to Make a Complaint

  •  
    Disclosure of information
    Print
    Expand
    Collapse
    • A1 I read from the news that a telephone company would provide its subscribers' telephone numbers and address information to the Fire Services Department ("FSD") to facilitate its handling of emergency calls more efficiently. Has it contravened the Ordinance?

      Having approached both organizations, it was clarified that the telephone company would only provide to FSD the telephone number and installation address of the numbers concerned, i.e. the building or the estate from which the call is made. No full address and name of the subscriber would be disclosed to FSD.

      According to section 2 of the Ordinance, personal data means any data relating directly or indirectly to a living individual and from which it is practicable for the identity of the individual to be directly or indirectly ascertained. As the information passed over by the telephone company to FSD do not contain any personal identifying particulars such as name and full address, these data are not regarded as personal data and this arrangement would not be in breach of the Ordinance.

  •  
    Employee Monitoring
    Print
    Expand
    Collapse
    • A1 Can employers monitor employees' e-mails and phone calls?

      Before deciding to monitor, employers should first assess whether it is really necessary to conduct such activity having regard to the business risks that they seek to manage and the impact on personal data privacy of its employees. Employers should consider alternatives available in order to lessen the adverse impact brought by the monitoring activity. In carrying out monitoring, employers should also implement clear Employee Monitoring Policy and communicate it to the staff affected. The use, retention and processing of personal data collected should also be kept under control so as not to contravene the requirements under the Ordinance.

      Learn more:

      Privacy Guidelines: Monitoring and Personal Data Privacy at Work

    • A2 Can employers of domestic helpers install surveillance cameras at home?

      The same assessment process as mentioned above also applies. Given that the workplace is also the place of rest for the domestic helpers, employers should seriously consider whether it is really necessary to engage in such activity, the reasonableness as well as the openness of the activity. They should therefore inform their helpers of such practice, restrict monitoring to targeted areas (not toilets or other private areas) and make clear the purpose of monitoring and the retention period for the taped records.

      Learn more:

      Monitoring and Personal Data Privacy at Work: Points to Note for Employers of Domestic Helpers"

    • A3 Can employers install pinhole cameras?

      Covert monitoring is not encouraged especially when it is being used as preventive measure only. Unless justified by existence of relevant special circumstances, such as "a reasonable suspicion" of unlawful activity and there is no reasonable alternative, this should only be engaged in as a last resort.

      Guidance on CCTV Surveillance and Use of Drones

    • A4 What can employees do if they find employers not following the "Privacy Guidelines: Monitoring and Personal Data Privacy at Work"?

      They can complain to the Privacy Commissioner, who can follow up with the employer and examine the case by reference to the recommended good practices suggested in the Guidelines. If the employer is uncooperative and the law on personal data protection has been breached, the Commissioner may serve an enforcement notice on the employer directing for remedial action, which, if not complied with, can attract criminal sanction.

      Learn more:

      How to Make a Complaint

  •  
    Use of CCTV
    Print
    Expand
    Collapse
    • A1 Can government departments install closed-circuit televisions at gambling and hawker blackspots in housing estates, such as pavilions and parks, to tackle the problems?

      We will not comment on individual cases before understanding the specific situation.

      According to the Ordinance, "personal data" are any data relating to a living individual, which are stored in recorded form making access to or processing practicable and from which it is practicable for the identity of the individual to be directly or indirectly ascertained from it. Generally speaking, to constitute an act of collection of personal data by the data user, there should be compilation of information about an individual, whose identity must have been identified by the data user, or the data user intends or seeks to identify the identity of the individual.

      In general, if a monitoring and recording system is installed in a public place merely for the sake of security, it may not constitute collection of personal data (unless the data of a certain or some particular individuals are collected) and it may not be subject to the Ordinance. However, collection of personal data may take place under some special circumstances. For example, after a special incident has happened, the Authority concerned may need to review the video records for the purpose of ascertaining the identity of the individuals involved in the incident and it may then amount to collection of personal data. Therefore, organizations which intend to install monitoring and recording systems should, at least, post a notice in a prominent position near the installation, stating that the area is being monitored, the purposes of monitoring, as well as the ways of handling the records.

      Broadly speaking, organizations can install monitoring and recording systems only if it is necessary for fulfilling their legitimate functions or activities, such as for security reasons, the monitoring of illegal acts (e.g. throwing objects from height, installation of closed-circuit televisions at hygiene blackspots by Team Clean), etc. Before an organization installs a monitoring and recording system, it is suggested that it should establish the collection purposes, evaluate the risks of monitoring, and consider if there is any other substitute that is less privacy intrusive in order to strike a balance between the protection of privacy rights of individuals and the smooth operation of the organizations.

      When an organization has decided to install a monitoring and recording system, it is suggested that in the interest of transparency it should post a notice in a prominent position near the installation (the notice should be as close to the installation as practicable; the words should be clear and noticeable) so that sufficient notice is drawn to the public or the people affected hat their activities may be recorded and the reasons for collection of their personal data. The organizations concerned are suggested to formulate policies on video monitoring, and the persons who can access and view the contents of the tapes. Moreover, the organizations should also prescribe the retention period of the tapes and delete the data in the tapes accordingly, and steps shall also be taken to ensure that the tapes are securely kept.

      In conclusion, when using monitoring and recording devices in public place, it is our view that a proper balance should be struck between the protection of public interests and personal data privacy. Data users should handle the issue in a fair and transparent manner giving due regards to the rights of personal data privacy.

      Learn more:

      Guidance on CCTV Surveillance and Use of Drones