Response to Media Enquiry or Report

Date: 24 April 2018

Response to Media Enquiry on the Transparency of Personal Data Policies and Practices


Thank you for your enquiry. Our office’s responses are as follows:
 
  • Generally speaking, if a data user controls the collection, holding, processing or use of personal data in Hong Kong, he must comply with the requirements under the Personal Data Privacy Ordinance (the Ordinance), including the six Data Protection Principles (DPPs). With respect to the openness of personal data policies and practices (DPP 5):-
 
Data users (e.g. organisations) must take practical steps to ensure that a person can:-
  • ascertain a data user’s policies and practices in relation to personal data;
  • be informed of the kind of personal data held by a data user;
  • be informed of the main purposes for which personal data held by a data user is or is to be used.
 
  • It is important for an organisation that engages in acts or practices that involve regular collection of personal data in the course of its business or performance of its activities or functions to make known and be transparent about its personal data policies and practices. Good governance dictates that organisations take heed of the increasing public concern that consumers’ personal data privacy should be properly protected under a set of privacy policies and practices that is made generally available (e.g. corporate website).
 
  • In order to effectively communicate its data handling policies and practices to its consumers (as data subjects) and for the avoidance of doubt, it is proper and prudent for an organisation to have a written statement, which is commonly known as a Privacy Policy Statement (PPS). A PPS should be made generally available to the public in an easily accessible, understandable and readable manner. It covers privacy related policies and practices such as data retention policy, data security measures and data breach handling.
 
 
  • The PPS may state, in general terms, for how long the personal data will be retained; and
 
  • If a data user provides online facilities that allow a data subject to make a deletion request or directly delete his or her account or personal data held by the data user, the PPS should give details such as how it is done and whether the personal data or account so deleted is permanently removed from the system.
 
  • Meanwhile, the Privacy Commissioner also reminds consumers that they should always read the PPS before providing their personal data, in order to find out how the organisation will handle the data they provide, the purposes for which it is collected, and whether it will subsequently be shared with other parties.
     
 (The information can be attributed to the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong)