Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

5.2

The drafting of DPP1(1) appears to allow wide interpretation. The Commissioner will

therefore take into account all relevant factors according to the circumstances

and be

mindful of the proper application of the rules of interpretation stated in paragraphs 1.7

to 1.9 in Chapter 1.

5.3

For the purpose of DPP1(1)(a), in the case of a government bureau or department or a

public body being the data user, the Commissioner will generally regard the function

and activity of the data user as being restricted to its generally recognized functions,

whether conferred on it by statute or otherwise. Hence, a government department

should not collect personal data for the sole purpose of assisting another department,

where such collection is directly related to the function and activity of the other

department, but not to that of its own.

5.4

The same approach is adopted in the case of data users that are private organisations.

It is also noted that the functions or activities of a private or commercial organisation

may change in response to external changes in the social or business environment.

5.5

Indeed, given the advent of low cost and high performance technology for information

storage, an organisation may easily be tempted to collect from a variety of sources and

hoard personal data (especially those of prospective customers or clients) just in case

such data may become useful in future. Insofar as there is an intention on the part of the

data user to compile information about these identified or identifiable individuals in the

Eastweek sense,

the personal data of these data subjects is treated as having been

collected. The indiscriminate collection of personal data, especially where it involves

sensitive personal data, is likely to be viewed by the Commissioner as a contravention of

DPP1(1), in that it may not be considered as directly related to, or be considered as

excessive for, the organisation’s functions and activities.

5.6

Three codes of practice have so far been issued by the Commissioner under section

12(1) of the Ordinance setting out the scope of personal data that, in the opinion of the

Commissioner, may be collected under DPP1(1) in respect of the relevant industries

and/or fields of activity.

For instance, under the Code of Practice on Human Resource

Management, an employer should not collect a copy of the identity card of a job

applicant during the recruitment process unless and until the individual has accepted

For enquiries made to the Commissioner concerning the application of DPP1(1) to the collection of personal data in

particular situations, readers may refer to relevant cases in the Complaint and Enquiry Case Notes Section on the

Website.

For a discussion of the treatment of different government bureaux and departments as separate data users, readers

may refer to paragraphs 4.19 to 4.24 in Chapter 4.

See Chapter 3 on the

Eastweek

case and the meaning of “collect”.

See Appendix IV of this Book for the following Codes of Practice issued by the Commissioner:

a. Code of Practice on the Identity Card Number and Other Personal Identifiers;

b. Code of Practice on Consumer Credit Data; and

c. Code of Practice on Human Resource Management.