(B) the classes of persons to whom the data may be transferred; and
(ii) on or before first use of the data for the purpose for which it was collected, of –
(A) his rights to request access to and to request the correction of the data;
and
(B) the name or job title, and address, of the individual who is to handle such
request made to the data user,
unless to comply with the provisions of this subsection would be likely to prejudice the
purpose for which the data was collected and that purpose is specified in Part 8 of this
Ordinance as a purpose in relation to which personal data is exempt from the provisions of
data protection principle 6.
5.66
DPP1(3) requires a data user to notify the data subject of prescribed information
(outlined further below) on or before the collection of his personal data. This requirement
is generally only applicable where a data user collects personal data directly from the
data subject, except in respect of personal data used for direct marketing purposes
(see paragraph 5.107 below). However, the data user is still required to comply with
DPP3, i.e. without the data subject’s prescribed consent it cannot use the personal data
for any purpose other than the original purpose for which it was collected from the data
subject or a directly related purpose (DPP3 is discussed in further detail in Chapter 7).
Application of DPP1(3)
5.67
DPP1(3) opens with the words “Where the person from whom personal data is or is to
be collected is the data subject,...”. That is, there is a duty to inform the data subject
of the prescribed matters where the data in question is collected directly from the data
subject. Hence, the notification requirement under this principle is generally considered
by the Commissioner not to be applicable where the personal data in question is:
• collected from a third party;
• unsolicited and supplied by the data subject; or
• generated by the data user itself (considering the definition of “data”, as explained in
paragraph 2.1 of Chapter 2, includes an expression of opinion in a document).
5.68
The notification obligation under DPP1(3) arises in commonly encountered situations of
collection of personal data, such as where:
• an individual is asked to provide written information about himself (e.g. by filling in a
form);
• the individual is asked to provide oral information to be recorded (e.g. making a
statement to the police);
• personal data is generated by the data user in the course of its conduct with the
data subject (e.g. entering into employment or banking transactions); or
• personal data about the individual is obtained through automatic or scientific
devices (e.g. recording a telephone conversation, conducting a medical checkup,
etc.).