Skip to content

Media Statements

Media Statement - Privacy Commissioner Issues the Guidance on Election Activities and Reminds Candidates, Government Departments and Public Opinion Research Organisations to Comply with the Privacy Ordinance

Date: 11 January 2018

Privacy Commissioner Issues the Guidance on Election Activities and Reminds Candidates, Government Departments and Public Opinion Research Organisations to Comply with the Privacy Ordinance


(11 January 2018)   The Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) Mr Stephen Kai-yi WONG issued the Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public (the Guidance Note) to remind stakeholders involved in election activities to comply with the requirements under the Personal Data (Privacy) Ordinance (the Ordinance) in handling personal data at different stages of election activities so as to avoid data leakage. The Guidance Note is to replace the Guidance Note on Electioneering Activities issued in 2015, with a wider coverage not only on candidates but also other stakeholders including members of the public.  The Privacy Commissioner also provided advice on personal data protection to members of the public.
 
The Privacy Commissioner said, “Candidates, political bodies, government departments or public opinion research organisations should comply with the various provisions of the Ordinance during election activities. In 2017, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) received about 2,000 complaints relating to election activities, and we consider it necessary to step up publicity and education efforts on the related issues. The PCPD therefore issued the Guidance Note in December 2017, providing practical guidance with relevant complaint cases received previously to illustrate how to comply with the requirements of the Ordinance.”
 
The Guidance Note covers different stages of election activities and provides stakeholders with practical guidance. Highlights of the guidance are as follows:

 
For Candidates and their Affiliated Political Bodies (Not exhaustive)
  • Only adequate and necessary personal data for election purposes should be collected; ensure the individuals are informed of the purpose of collection of the data;
  • Consent from the electors must be obtained beforehand if the personal data was obtained for non-election purposes;
  • Ensure the personal data from published registers of electors is used only for election purposes as prescribed by the relevant election legislation;
  • Provide the electors an option to decline receipt of any electioneering communication from the candidates; maintain a list of individuals who find election-related communication objectionable and avoid approaching them to canvass for votes; and
  • Should not retain personal data collected for election purposes for a period beyond completion of election activities.

For the Relevant Government Departments (Not exhaustive)
 
  • When conducting activities of elector registration and updating registration particulars,  practicable steps should be taken to safeguard personal data collected in the activity against accidental or unauthorised access by unrelated parties;
  • When managing the database of electors, other than encrypt the database,
  • Only those personal data that is necessary for access or use should be kept in portable storage devices, and effect adequate physical security measures to safeguard devices;
  • Only authorised staff are able to retrieve or access relevant personal data;
  • Security policies, procedures and practical guidelines should be established. Relevant policies, procedures and guidelines should be reviewed and updated systematically, and also disseminated to all staff effectively.
 
For Public Opinion Research Organisations (Not exhaustive)
  • Avoid providing untrue or misleading information concerning the background and objectives of the personal data collection;
  • Clearly state the nature of the activities and identify the data user to the participants;
  • Make risk assessment to ensure the personal data collected is appropriately protected when employing the use of computer programmes or software developed by third parties;
  • Destroy the personal data collected within a reasonable time after completion of activities.
 
The Privacy Commissioner also reminds members of the public that they should stay smart in protecting their own personal data: get to know the identity and background of those asking for personal data as well as their purposes of collection before providing their personal information via any channel. The Guideline Note also provides personal data protection advice for members of the public, including:
 
  • Verify senders’ identities of emails or letters in relation to election;
  • Report the change of registration particulars to the relevant government department as soon as possible for record update;
  • Ascertain if the organisers of opinion or mock polls have clearly stated the nature of the activities, their identities and the purpose of personal data collection, etc.;
  • Ascertain whether the data collected by political bodies during their activities in subsequent elections; and
  • Convey objection to the candidates and their affiliated political bodies of receiving electioneering communications from them.
The Guidance on Election Activities for Candidates, Government Departments, Public Opinion Research Organisations and Members of the Public and its infographic are now available for download at the PCPD website


– End –