5.85
The issue of what constitutes a class of person under paragraph (B) of DPP1(3)(b)(i) to
whom personal data may be transferred was also examined in the Octopus Card case
and the MoneyBack Programme case mentioned above. In the Octopus Card case,
the classes of transferees of the personal data included “any other person under a duty
of confidentiality to us …”. This catch-all clause in effect left it entirely to the operator
of the Octopus Card to decide what personal data was to be transferred and to whom.
The Commissioner did not accept that the operator of the
Octopus Card had discharged its obligations under DPP1(3)(b)(i)(B) by adopting such
loose descriptions of the classes of transferees in the PICS on the grounds that the data
subjects would be unable to ascertain with a reasonable degree of certainty the classes
of transferees to whom their personal data would be transferred. In other words, the
data subjects’ right to control the use of their personal data would be compromised
and surrendered to the data user.
5.86
In the case of the MoneyBack Programme mentioned above, the Commissioner found
the classes of data transferees, such as “our Partners”, “Group” and “third parties”, to be
ill-defined, as they enabled ASW to transfer the personal data of its customers to
practically any companies within its group of related companies, business partners and
even third parties. While the goods and facilities provided to the customers under the
MoneyBack Programme were specific types of consumer products, the business of the
hundreds of companies in the Group was very diversified (comprising property, hotels,
retail, telecommunications, finance and investments). To permit the transfer of the
personal data of the MoneyBack Programme customers to all of these companies
would exceed the reasonable expectation of these customers.
5.87
Regarding the matters to be notified to a data subject under DPP1(3)(b)(ii), it should be
noted that they differ from those under DPP1(3)(b)(i) in that the notification is required to
be given “on or before first use of the data for the purpose for which it was collected”. It
is therefore permissible under DPP1(3)(b) for a data user, on or before the collection of
personal data, to give the data subject notification under DPP1(3)(b)(i) first, and later,
on or before first using such data, to give a separate notification under DPP1(3)(b)(ii).
However, save in exceptional situations, there would seem to be little advantage in
adopting a two-step process. Instead, it would be more sensible and practicable for a
data user to give a comprehensive PICS in compliance with both sets of requirements at
the same time.
The Right to Request Access to and Correction of the Data
5.88
Similar to DPP1(3)(b)(i), DPP1(3)(b)(ii) also consists of two paragraphs (A) and (B). The
requirement under paragraph (B) was revised by the Amendment Ordinance. Prior to
the legislative revision, a data user was required to notify the data subject of “the name
and address of the individual to whom any (data access or correction) request may be
made”. The law as it now stands permits the data user to notify the data subject of “the
name or job title, and address of the individual who is to handle any such request made
to the data user”. The legislative revision took into account the inevitable event of
personnel changes in an organisation.
5.89
It should be noted that there is an express exemption under DPP1(3) in that compliance
with that subsection is unnecessary where such compliance: