Chapter 6
Data Protection Principle 2
The main questions:
• What are the general requirements for accuracy of personal data under DPP2(1), and
how do they apply?
• What are the general requirements for retention of personal data under DPP2(2) and
section 26, and how do they apply?
• What are the changes introduced by the Amendment Ordinance? Who is a “data
processor”?
• How to comply with the new requirements under DPP2(3) when personal data is
outsourced to a “data processor”?
The questions of accuracy and duration of retention of personal data discussed in this Chapter
concerning DPP2 and section 26 have been selected on the basis of their practical
importance in light of the Commissioner’s own experience. Before reading this Chapter,
readers should read paragraphs 1.7 to 1.11 in Chapter 1 —
Introduction, which contain
important general information on using this Book.
DPP2(1)
6.1
Data Protection Principle 2(1) in Schedule 1 of the Ordinance provides as follows:
Principle 2 – accuracy and duration of retention of personal data
(1) All practicable steps shall be taken to ensure that –
(a) personal data is accurate having regard to the purpose (including any directly
related purpose) for which the personal data is or is to be used;
(b) where there are reasonable grounds for believing that personal data is inaccurate
having regard to the purpose (including any directly related purpose) for which
the data is or is to be used –
(i) the data is not used for that purpose unless and until those grounds cease to
be applicable to the data, whether by the rectification of the data or
otherwise; or
(ii) the data is erased;
(c) where it is practicable in all the circumstances of the case to know that –
(i) personal data disclosed on or after the appointed day to a third party is