Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

Terrorist Financing (Financial Institutions) Ordinance, Cap 615 and the Guidelines on

Prevention of Money Laundering issued by the Monetary Authority to combat money

laundering and retain records for that purpose.

Some statutes,

codes of practices

guidelines may prescribe periods of retention for documents containing personal data in

which case data user may be obliged to comply.

6.22

Practical difficulty may arise where personal data is collected at different times for

various purposes. Strict compliance with DPP2(2) and section 26(1) may oblige the data

user to painstakingly go through the items of personal data held and deleting the data

that has outlived their purposes on a regular basis. In this respect, a clearly promulgated

retention policy may facilitate the data users, especially organisational ones, in

implementing appropriate measures, such as the deployment of automated software to

ensure the unnecessary data is properly erased. As long as all reasonably practicable

steps are taken by a data user to erase personal data that is no longer required when

the purpose of use is met, the data user is considered to have complied with the

requirements under DPP2(2) and section 26(1).

6.23

In addition to the practical difficulty mentioned above, in considering the application of

DPP2(2) and section 26, it is also relevant to give due regard to the Eastweek case

where the Court held, inter alia, that where no personal data is collected by a data user

(as defined in the case), the DPPs will not be engaged. On that basis, it seems a person

need not worry about accidental contravention of DPP2(2) or section 26(1) in respect of

any information that happens to be in his physical possession, unless he has “collected”

such personal data in the sense that he has compiled information about the relevant

Chapter 8 of The Guideline on Anti-Money Laundering and Counter Terrorist Financing issued by the Monetary Authority

under section 7(3) of the Banking Ordinance.

For instance, in complying with section 51C of the Inland Revenue Ordinance, Cap 112, on keeping business records for

not less than seven years, personal data contained in such records shall be so retained. Under section 59(3) of the Police

Force Ordinance, Cap 232, the police who arrested a person and took identifying particulars of the arrested person,

such as photographs and fingerprints, may retain the identifying particulars if the arrested person had been previously

convicted of any offence or was the subject of a removal order under the Immigration Ordinance, Cap 115. The

retention period of twelve months for the identifying particulars was specified in the Hong Kong Police Force Procedures

Manual. Another example is found in the four pieces of anti-discrimination legislation, namely, the Disability

Discrimination Ordinance, Cap 487; the Family Status Discrimination Ordinance, Cap 527; the Sex Discrimination

Ordinance, Cap 480 and the Race Discrimination Ordinance, Cap 602 which permit an individual to make a claim to

the District Court against another person for an act of discrimination against him before the end of the period of two

years from (a) the time when the act complained of was done; or (b) if there is a relevant report in relation to the act,

the day on which the report was published or made available for inspection. The relevant documents containing

personal data may therefore be kept for responding to a possible claim brought by the employee or ex-employee.

Clause 1.3.3 of the Code of Practice on Human Resource Management issued by the Commissioner provides that

personal data in respect of recruitment-related data held about job applicants be retained for not longer than two

years and that personal data in respect of employment-related data about an employee be kept for not longer than

seven years. Clause 3.3 of the Code of Practice on Consumer Credit Data issued by the Commissioner provides that

credit reference agency may retain account repayment data revealing material default (i.e. default in payment for a

period in excess of sixty days) for five years either from the date of final settlement of the amount in default or from the

date of the individual’s discharge from bankruptcy, whichever is the earlier, irrespective of any write-off by the credit

provider of the amount in default in full or in part at any time after such default occurred.

AAB No. 15/2015

, the AAB dismissed the appeal lodged by a complainant who requested a credit reference agency

to remove the records of his Individual Voluntary Arrangement in his credit report. The AAB took the view that credit

history was an essential element to a credit provider to assess the risk of extending credit to an individual. There was no

valid ground to depart from the retention period of seven years from the date of the event shown in the official record

as provided under Clause 3.6.1 of the Code of Practice on Consumer Credit Data.