individual whom he has identified or intends or seeks to identify. To give a simple

illustration, a newspaper may publish an article about a named individual which, in a

technical sense, constitutes that individual’s personal data. According to the Eastweek

case, a person who merely holds a copy of the newspaper need not worry about

compliance with DPP2(2) or section 26(1), but the situation may change if the

newspaper clippings are retained and filed by that person as part of his compilation of

information about that data subject mentioned in the clippings.

9

6.24

Finally, according to section 26(1), it is to be noted that the erasure of personal data is

not required under two alternative conditions, namely: (a) where the erasure of the

data is prohibited under any law,

10

or (b) where it is in the public interest (including

historical interest) for the data not to be erased.

11

Hence, in a case where one of the

two conditions mentioned in section 26(1) is satisfied, the data in question may be

retained even though the purpose of use is fulfilled.

New Requirements under DPP2(3) and (4): Personal Data Transferred to “Data

Processor” for Processing

6.25

The trend of outsourcing and entrusting personal data processing work by data users to

their agents is increasingly common. Personal data leakage incidents were often found

to be caused by insufficient steps being taken by the data processors to protect the

personal data entrusted to them for handling. The damage caused to the data subjects

could be substantial and irreparable, particularly if it involves an online data breach. The

Amendment Ordinance sought to tighten the control over the outsourcing activities by

imposing a new obligation upon the data user under DPP2(3) which provides as follows:

(3) Without limiting subsection (2), if a data user engages a data processor, whether within

or outside Hong Kong, to process personal data on the data user’s behalf, the data

user must adopt contractual or other means to prevent any personal data transferred

to the data processor from being kept longer than is necessary for processing of the

data.

6.26

The natural question to ask is who is a “data processor”? DPP2(4) provides a definition

as follows:

(4) Data processor means a person who –

(a) processes personal data on behalf of another person; and

9

For enquiries made to the Commissioner concerning whether the proposed retention of personal data in particular

situations is likely to be consistent with DPP2(2) and section 26, readers may refer to relevant cases in the Complaint and

Enquiry Case Notes Section on the Website.

10

For example, under section 56(3) of the Employment Ordinance, Cap 57, an employment agency shall retain records of

all job applicants for a period of not less than twelve months after expiration of each accounting year of the

employment agency concerned.

11

For example, the Government Records Service of Hong Kong manages and records information for the HKSAR

Government through its Public Records Office by developing a record-keeping programme that enables bureaux and

departments to manage information resources appropriate to their purposes. The public can access Hong Kong’s

archives through documents, movies, photographs, posters or other records kept by it.