What Other Information Is Recommended to Be Made Available
9.14
If a data user intends to collect personal data from young people and/or its website
contains content of interest to young people, it is recommended that a statement on its
practices in relation to the collection of personal data from young people be included
in its PPS. Generally, data users are not advised to collect personal data from minors
without prior consent from a person with parental responsibility for the minor.
9.15
If technical means such as cookies are used to collect information from individuals
without their knowledge, the data user should include statements on this practice in the
PPS. Matters that should be covered in the PPS include when such means are used,
what information is collected and, if personal data is collected, what the purposes of use
are.
9.16
The PPS may state in general terms for how long the personal data collected will be
retained. It is advisable that information be given on how deletion of data is done and
whether the personal data so deleted is permanently removed from the system.
9.17
If a data user collects sensitive personal data, such as data relating to health or finance,
the data user should explain how it uses, processes, handles and transfers such data. If
personal data will not be disclosed to other persons without the data subject’s express
and voluntary consent, it is advisable for such policy to be stated in the PPS. If personal
data will be disclosed to third parties or if the website will share visitors’ details (such as IP
addresses and browser types) with other persons, all such practices should be made
known in the PPS.
9.18
It is also good practice for data users to state in the PPS how they ensure the security
of, and proper access to, the personal data collected, for instance, whether access to
personal data is restricted on a “need-to-know” basis and whether encryption is applied
to protect the personal data. This practice assures data subjects that their personal data
is duly protected. If personal data will be outsourced to an agent or a data processor for
handling on behalf of the data user, the PPS may include a statement on how the
personal data will be transferred to such third parties and the personal data protection
measures that will be adopted.
9.19
For the sake of transparency, it is advisable for a data user to state in the PPS its policy in
handling a data access or correction request from an individual. It should include
information on how the data user prefers to receive such requests, what the data user
requires in order to be satisfied that the requestor is properly authorised and entitled to
make the request, and the amount of fee payable, if any.
9.20
The PPS may also include the contact details, for example, the office address, email
address, telephone number, etc. of the officer in the data user’s organisation who will
answer enquiries regarding the data user’s privacy policies and practices.
The Exercise of the Commissioner’s Enforcement Powers under Section 50
9.21
Section 50 was revised under the Amendment Ordinance to empower the
Commissioner to serve an enforcement notice directing the data user who is found to