Chapter 6

Data Protection Principle 2

The main questions:

• What are the general requirements for accuracy of personal data under DPP2(1), and

how do they apply?

• What are the general requirements for retention of personal data under DPP2(2) and

section 26, and how do they apply?

• What are the changes introduced by the Amendment Ordinance? Who is a “data

processor”?

• How to comply with the new requirements under DPP2(3) when personal data is

outsourced to a “data processor”?

The questions of accuracy and duration of retention of personal data discussed in this Chapter

concerning DPP2 and section 26 have been selected on the basis of their practical

importance in light of the Commissioner’s own experience. Before reading this Chapter,

readers should read paragraphs 1.7 to 1.11 in Chapter 1 —

Introduction, which contain

important general information on using this Book.

DPP2(1)

6.1

Data Protection Principle 2(1) in Schedule 1 of the Ordinance provides as follows:

Principle 2 – accuracy and duration of retention of personal data

(1) All practicable steps shall be taken to ensure that –

(a) personal data is accurate having regard to the purpose (including any directly

related purpose) for which the personal data is or is to be used;

(b) where there are reasonable grounds for believing that personal data is inaccurate

having regard to the purpose (including any directly related purpose) for which

the data is or is to be used –

(i) the data is not used for that purpose unless and until those grounds cease to

be applicable to the data, whether by the rectification of the data or

otherwise; or

(ii) the data is erased;

(c) where it is practicable in all the circumstances of the case to know that –

(i) personal data disclosed on or after the appointed day to a third party is