Thank you very much for your further enquiry. Our consolidated response is as follows:
Question: How could an individual ensure the collection of personal data is fair or lawful? Is there a definition as to what is "fair"?
Answer: Under the six Data Protection Principles (DPP) of Personal Data (Privacy) Ordinance (PDPO), a data user should ensure that the collection of the personal data is fair, and for a lawful purpose. Fairness of the collection of personal data should take into account the totality of the circumstances. The collection of personal data should only be necessary and not excessive. Also, the purpose for which personal data is being collected should be stated in an open and straightforward manner, without trickery or deception. For example, collecting personal data by inviting applications for job vacancies that are non-existent or by inviting submissions to fake lucky draws is not a fair data collection practice. Special care is needed when collecting personal data from children. The language used in the collection process should be clear and simple. Organisations should advise children to consult their parents before providing their personal data.
An individual should, upon collection of his/her personal data, consider carefully if the scope, nature and extent of personal data to be collected is commensurate with the stated purpose for which personal data will be used. He/She should assess the consequences of not providing (or only partially providing) his/her personal data. In the final analysis, he/she should make an informed decision on the extent of his/her personal data being collected.
Question: There are many situations where those who collect personal data DO NOT inform the data subjects. Under such circumstances, what can the data subject do?
Answer: Under DPP 1, when collecting personal data from the data subject directly, a data user is required to take all reasonably practicable steps to inform the data subject:
It therefore follows that organisations or enterprises have statutory responsibility to furnish personal information collection statement when collecting personal data from individual directly.
Question: Could you provide some daily examples? For instance, what kind of personal data from students would be required for managers or owners of malls and shops, schools or education institutions, as well as public facilities such as the library? Could you also specifically highlight when both audio and voice recording would be considered necessary?
Answer: DPP 1 (purpose and manner of collection of personal data principle) suggests that an organisation shall only collect personal data that is necessary for the purposes for which the data is to be used, and that the data collected is adequate but not excessive for those purposes. For example, if no credit card purchase or delivery is to be made, generally it would not be necessary for a shop owner to collect the credit card number or residential address of a customer. Normally, date of birth should not be requested when all that is needed is the age of the customer or a declaration that he/she attains a certain age.
In April 2019, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) released the result of the compliance checks on 41 shopping malls that had membership programmes and 19 website operators that appeared to have excessive collection of personal data. The results of the compliance checks revealed that 31 membership programmes (60% of a total of 52 membership programmes found in the site visits) adopted a "the more the merrier" approach when collecting personal data including contact information, sensitive personal data and information relating to personal and family status, contrary to the no-excessive data collection principle under PDPO and the practice of collecting minimum information for the purpose of data collection.
Question: What would happen if the data subject was not informed of uses of their personal data other than the prescribed purposes?
Answer: DPP 3 (use of personal data principle) provides that personal data should not be used for a new purpose unless prescribed consent (i.e. express and voluntary consent) is obtained from the data subject or his/ her “relevant person”, who could be his/her parent. Otherwise, it would be in breach of that principle.
Under certain circumstances, using personal data other than the original purposes and without letting the data subjects know or consent may attract criminal liabilities. For instance, using personal data for direct marketing without getting data subjects' consent is a criminal offence, which may attract a maximum penalty of $500,000 and an imprisonment for 3 years. In some more serious situations, for example, if a data user, in exchange for a gain, provides personal data to a third party for direct marketing without getting data subjects' consent, the data user may be punished by a maximum penalty of $1,000,000 and an imprisonment for 5 years.
Question: Could you explain in what ways and the duration in which a data subject could request for their personal data?
Answer: A data subject can make a Data Access Request (DAR) to request the data user:
(a) to inform him/her whether the data user holds personal data of which the individual is the data subject; and
(b) if the data user holds such data, to supply him/her with a copy of such data.
A DAR is usually made on the Data Access Request Form specified by the Privacy Commissioner for Personal Data, Hong Kong. The DAR Form contains an explanatory note about the rights and responsibilities of a requestor and the data user respectively. In normal circumstances, a data user is required to supply a copy of the requested data to the requestor (the data subject) within 40 calendar days after receiving the DAR.
Question: What is the definition of a minor - is it someone who's under 18?
Answer: The term “minor” is not defined under PDPO. However, according to section 3 of Interpretation and General Clauses Ordinance (Cap. 1), a “minor” means a person who has not attained the age of 18 years.
Question: Are there exceptional scenarios where a third party and/or a data subject would have access to the full (unedited) version of a CCTV footage? If so, what are they exactly?
Answer: Generally speaking, when a data subject makes a DAR, the data user should only supply a copy of the personal data relating to that data subject only. Where a third party requests access to personal data of another data subject, the data user should carefully consider whether disclosure to the third party is related to the collection purpose. If not, the data user would be in breach of DPP 3 unless prescribed consent is obtained from the data subject. However, PDPO provides certain exemptions where data users may be exempt from DPP 3, e.g. where non-disclosure would prejudice the purpose of prevention or detection of crime. If an enforcement agency requests disclosure of certain personal data, it should explain to the data user whether the disclosure of the personal data is obligatory and how non-disclosure would prejudice prevention or detection of crime.