Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

website access, the compilation of aggregate statistics on website usage, etc.

PPS to Be Made Generally Available

9.8

The PPS once in place has to be effectively communicated to the persons affected.

Some of the common ways of dissemination are by putting up conspicuous notices

displaying the PPS publicly, playing a pre-recorded PPS if personal data is collected

through a telephone conversation,

or incorporating it in the relevant documents at the

same time when personal data is collected (for example, a membership registration

page or a customer agreement page if personal data is collected online) or uploading

the PPS onto the data user’s website, etc. A data user may explore other effective and

appropriate means of keeping the data subjects informed of its updated personal data

policies and practices.

9.9

The complainant in AAB No. 35/2003 claimed that a library failed to comply with DPP5 in

not making known its privacy policies and practices in respect of personal data

collected in the library’s prescribed forms. The appeal was dismissed and the AAB, in

upholding the Commissioner’s decision not to investigate the complaint, decided that

the publication through the library’s website of its privacy policy statement was sufficient

compliance with DPP5.

Nowadays, many organisational data users have their own

websites intended for public access. The homepage has become an easily accessible

means through which the PPS can be effectively communicated.

9.10

The principle of transparency has assumed increasing importance not only in relation to

dealing with personal data in the business-to-customer market segment, but also in

respect of employees’ personal data privacy rights. This is particularly so when an

employer intends to carry out monitoring activities in the workplace where personal

data of employers is collected through telephone, email, internet or video monitoring.

Owing to its privacy intrusive nature, the employer should, as far as practicable,

formulate and disseminate its monitoring policy in order to keep employees informed of

the extent, scope and manner in which such activities are carried out and how their

personal data will subsequently be used or transferred, as well as the possible adverse or

disciplinary actions that may ensue. Employers must also ensure that new employees are

aware of the existing PPS. In AAB No.14/2006, the AAB was of the view that an employer

who failed to draw the attention of an employee employed in 2004 to an existing PPS

issued in 2000 could be in breach of DPP5. The employer in question did not have

procedures or guidelines in place to regularly or effectively communicate the PPS to its

employees.

For more details, please refer to the

Guidance on Preparing Personal Information Collection Statement and Privacy

Policy Statement

issued by the Commissioner, available on the Website:

See the Inquiry Case Note no. 2007E06, available on the Website: