DPP2(2) and Section 26

6.12

Data Protection Principle 2(2) provides as follows:

(2) All practicable steps must be taken to ensure that personal data is not kept longer than

is necessary for the fulfillment of the purpose (including any directly related purpose) for

which the data is or is to be used.

6.13

The Amendment Ordinance made changes to DPP2(2) by clarifying that a data user is

only required to take all (reasonably) practicable steps to comply with this data

retention principle. The amendment brings about a consistent legislative requirement in

respect of the duties that are imposed upon a data user under DPP2(1) and DPP2(2).

Before the law was amended, DPP2(2) had generally been interpreted to impose an

absolute duty on the data user to ensure that personal data was not kept longer than is

necessary. Similar amendments were made to section 26(1) concerning erasure of

personal data no longer required, which provides as follows:

26(1) A data user must take all practicable steps to erase personal data held by the data

user where the data is no longer required for the purpose (including any directly

related purpose) for which the data was used unless –

(a) any such erasure is prohibited under any law; or

(b) it is in the public interest (including historical interest) for the data not to be erased.

6.14

In connection with the penalty for contravention of section 26(1), it is relevant to note

section 64A(1) of the Ordinance which provides as follows:

(1) A data user who, without reasonable excuse, contravenes any requirement under this

Ordinance commits an offence and is liable on conviction to a fine at level 3.

6.15

Section 64A(1) does not apply to a contravention of a DPP and section 26(1) does not

relate to a DPP. A contravention of section 26(1) without reasonable excuse constitutes

an offence under section 64A(1). Thus, backed by section 26(1), DPP2(2) seems to

impose a more stringent obligation on the data user than the other DPPs (except for

DPP6, which is backed by parallel provisions in Part 5 of the Ordinance, as discussed in

Chapters 10 and 11).

6.16

The central concept, by reference to which both DPP2(2) and section 26(1) operate, is

the purpose for which the data in question was, or is to be, used. Indeed, the concept of

purpose is important not only for the operation of DPP2(2) and section 26(1), but also for

the operation of the other requirements under the Ordinance. How the permitted

purposes of use are to be ascertained will be discussed in detail in Chapter 7.

6.17

In the absence of any statutory requirements or strong evidence supporting a genuine

need for a data user to do so, the Commissioner is unlikely to accept retention of

personal data indefinitely. In a case handled by the Commissioner in 2008, a former

insurance agent abandoned copies of a huge amount of documents containing

personal data of the agent’s former clients collected more than four years ago. The