developer as principal was liable for its contractor’s misdeed. Therefore, the developer
was found to have contravened DPP4(1) for failing to take all reasonably practicable
steps to ensure that the personal data handled through the operation of its contractor
was protected against unauthorised or accidental access.

Application of DPP4: Storage and Transmission of Data

It is important to note that DPP4 concerns only the way in which personal data is kept or
transmitted, but not the way it is used (which is governed under DPP3). This distinction
was explained by the AAB in the case of AAB No. 5/1999.
In that case, the Commissioner received a complaint from an individual against a
newspaper for publishing his name and the address to which he had moved in a news
report. The report related to an assault in which the complainant’s father was injured by
a former neighbour. The publishing of the address of the complainant was considered
likely to cause risk of serious harm to him and his family, since the assailant, who
remained at large, was a known dangerous individual suspected to be of unsound mind,
and had previously committed a series of assaults on the complainant and his family. In
fact, it was because of those previous attacks that the complainant and his family had
moved to their current address which was exposed in the news report.
Despite the harm likely to be caused to the data subject by the disclosure of his personal
data in the news report, the AAB reversed the Commissioner’s original finding of
contravention of DPP4 against the newspaper publisher. In particular, the AAB observed
that a newspaper uses personal data in publishing it. Once published, the public will
inevitably gain access to such data. Accordingly, any access by the assailant to the
address of the complainant in the case would not have been “unauthorised or
accidental” within the meaning of DPP4.
According to the AAB, therefore, the relevance of DPP4 is confined only to the security
in storage and transmission of the data. There is a fine distinction between, on the one
hand, the use of the personal data of the data subject, especially its disclosure to the
public or third parties, which might involve a change in the purpose of use (a DPP3
concern), and, on the other, the security requirements for the transit and storage of
personal data to prevent unauthorised or accidental access to the personal data (a DPP4
issue).

Outsourcing the Processing of Personal Data to Data Processors

It is increasingly common for data users to outsource and entrust the processing of
personal data to their agents. Data leakage sometimes occurs as a result of insufficient

Section 65(2) of the Ordinance provides that any act done or practice engaged in by a person as agent for another
person with the authority (whether express or implied, and whether precedent or subsequent) of that other person shall
be treated for the purposes of the Ordinance as done or engaged in by that other person as well as by him.

Whether the publication of the address data by the newspaper publisher could have been regarded as giving rise to
any requirement in the Ordinance other than DPP4 (e.g. DPP3) was not raised, and hence the issue was not decided by
the AAB.