Table of Contents Table of Contents
Previous Page  81 / 192 Next Page
Information
Show Menu
Previous Page 81 / 192 Next Page
Page Background

7.8

Insofar as the data subject allows the collection of his personal data with the knowledge

of the informed purpose on or before such collection, pursuant to the data user’s

compliance with DPP1(3), he is expected to have implicitly agreed to the use of his

personal data for such purpose and therefore to be bound by it. Notwithstanding the

aforesaid, the Commissioner will also consider the following in assessing the original

purpose of collection of the personal data.

7.9

First, in most, if not all, cases of data collection, the PICS tends to be a statement through

which the collection purposes are prescribed by the data user, and are not drafted as a

result of negotiations between the data user and the data subject. This is especially so

where the activity giving rise to the collection of data is one involving the provision of an

essential service (e.g. educational, medical or other social service, public utility or

banking service), or is otherwise important to the data subject (e.g. concerning his

employment), or compulsory in nature (e.g. the collection of data at an immigration

checkpoint). In all these situations, it would be unrealistic to expect the data subject to

refrain from such activity solely because he is not satisfied with the PICS.

7.10

It is also common to find the purposes stated in the PICS couched in highly legalistic

language, appearing in fine print among other lengthy and complicated standard

terms and conditions of contract. Some data users may have a tendency to frame the

intended purposes in terms as general and as wide as possible for the sake of flexibility. It

would render the protection of personal data intended under DPP3 virtually meaningless

if the data user was allowed to unilaterally dictate the purposes of collection as it would

exceed its lawful functions and activities and the reasonable expectation of the data

subject. To take a hypothetical example, where an individual applies for a particular

service, the application form may contain the following statement:

Any information provided in this application may be transferred by the Company to any other

companies inside or outside Hong Kong for such purpose as the Company may in its absolute

discretion deem fit.

7.11

Such broad drafting of the PICS, coupled with the fact that the balance of power is

usually in the data users’ favour (e.g. data users are in a position to deny essential

services to the data subject if the data subject does not agree to the conditions and

terms imposed by the PICS and refuses to provide his personal data), will be taken into

account by the Commissioner when determining whether or not a particular use of

personal data is inconsistent with the original purpose of collection. The Commissioner

will have due regard for the data subject’s reasonable expectation that the data he has

provided to the company is to be used only for purposes directly related to the purpose

for which he provided his personal data. For example, where a data subject applies to a

data user for the provision of a service, the data subject would reasonably expect his

personal data to be used for application processing, service provision, billing and debt

recovery, etc., but not for any other unrelated purpose, such as the sale of his personal

data by the data user to third parties. This is the view taken by the Commissioner in the

Octopus card incident

1

which will be discussed below.

1

See Investigation Report No. R10-9866, available on the Website:

https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R10_9866_e.pdf
1 76 77 78 79 80 81 82 83 84 85 86 87 192  FlippingBook