Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

an offer of employment.

The collection of personal data by a data user in excess of

that expressly permitted under the Code of Practice may result in contravention of

DPP1(1) under section 13 of the Ordinance.

5.7

In other situations where there are no applicable codes of practice for ensuring

compliance with DPP1(1), a data user should nonetheless, before collecting any personal

data, give due consideration to the relevant factors including:

• the particular function or activity to which the collection of the data concerned is

directly related;

• the sensitivity of such data;

• the legitimate purposes to be served in collecting such data and the possible

adverse impact on data privacy protection;

• whether there is a real need for the data to be collected in order to carry out that

function or activity;

• whether there is any less privacy intrusive alternative for attaining the purpose of

collection.

Some examples are given below to illustrate the application of DPP1(1).

Collection of HKID Numbers and Copies of HKID

5.8

A data user should be cautious when collecting HKID numbers and copies of HKID so as

to comply with DPP1(1) and to observe the restrictions imposed by clauses 2.3 and 3.2 of

the Code of Practice on the Identity Card Number and other Personal Identifiers.

5.9

The general principle is that unless it is authorised by law, a data user should not

compulsorily require a data subject to furnish his HKID number or a copy of his HKID. In

relation to authorisation by law, for instance, Schedule 2 of the Anti-Money Laundering

and Counter-Terrorists Financing (Financial Institutions) Ordinance, Cap 615, provides for

the circumstances under which a financial institution

must discharge the duty of due

diligence and keep records of documents used for verifying the identities of the

customers. A financial institution is therefore obliged to keep copies of the HKID of its

customers for such purposes.

5.10

The Commissioner has found that the collection of HKID numbers is justifiable where it

falls squarely within one of the circumstances outlined in Clause 2.3 of the Code of

Practice on the Identity Card Number and other Personal Identifiers, and no less privacy

intrusive method is available given the purpose of collection. These circumstances also

include cases where the collection and use of the HKID number by the data user is

Paragraph 2.2.4 of the Code of Practice on Human Resource Management.

See section 13(2) and (4) of the Ordinance.

For the definition of “financial institution”, see Part 2 of Schedule 1 of the Anti-Money Laundering and Counter-Terrorists

Financing (Financial Institutions) Ordinance, Cap 615.