Chapter 5

Data Protection Principle 1

The main questions:

• What are the general requirements under DPP1(1)?

• In particular, for the purpose of DPP1(1)(a), how is the function and activity of a data

user ascertained?

• What are the general requirements under DPP1(2)?

• What are the common examples of collection of personal data by unfair means?

• What are the general requirements under DPP1(3)? What are the changes introduced

by the Amendment Ordinance?

• When do such requirements apply to the collection of personal data, and how?

What are the points to note when collecting personal data for direct marketing

purposes?

The questions of the purpose and manner of collection of personal data discussed in this

Chapter concerning DPP1 have been selected on the basis of their practical importance in

light of the Commissioner’s own regulatory experience. Before reading this Chapter, readers

should read paragraphs 1.7 to 1.11 in Chapter 1 —

Introduction, which contain important

general information on using this Book.

DPP1(1)

5.1

Data Protection Principle 1(1) in Schedule 1 of the Ordinance provides as follows:

Principle 1 – purpose and manner of collection of personal data

(1) Personal data shall not be collected unless –

(a) the data is collected for a lawful purpose directly related to a function or activity

of the data user who is to use the data;

(b) subject to paragraph (c), the collection of the data is necessary for or directly

related to that purpose; and

(c) the data is adequate but not excessive in relation to that purpose.