85 / 192
practice for the recipient to seek the prescribed consent of the data subject before
making further use of his personal data.
Personal Data Collected from the Public Domain
7.25
A common misconception is that personal data collected from the public domain (for
example, from a public register) or which is made publicly available (for example, from
the internet), is free to be used for whatever purpose the data user wishes. However, the
Ordinance does not differentiate or exempt from its application personal data collected
or made available in the public domain. With a view to assisting data users to comply
with the requirements under the Ordinance in using personal data obtained from the
public domain, the Commissioner published a Guidance Note on the Use of Personal
Data Obtained from the Public Domain in August 2013 (“Guidance Note”).
5
The
Guidance Note stresses that a data subject’s personal data that can be obtained from
the public domain should not be taken to mean that the data subject has given blanket
consent for re-use of his personal data for whatever purposes. The Guidance Note
highlights the relevant factors to be considered in assessing the permitted purposes of
use of the personal data. These factors include:
• ascertaining the original purpose for which the personal data was placed in the
public domain;
• the restrictions, if any, imposed by the data user who made the data available on the
public domain; and
• the reasonable expectation of the personal data privacy of the data subjects.
7.26
The tests to be applied are: whether the intended reuse of the data falls within the
scope of the original purpose of collection; and if not, or if the original purpose is not
clear, whether a reasonable person in the data subject’s situation would find the reuse
of the data unexpected, inappropriate or otherwise objectionable.
7.27
Data users should note that the use of personal data kept in public registers is governed
by the terms and conditions prescribed by the operators of the registers or the relevant
ordinances establishing such registers.
6
Some public registers have specified the
purposes for which the personal data is held or may be used. Certain public records
may expressly restrict the purposes for which the information, including the personal
data, contained in the records may be used, including in relation to direct marketing.
Where the lawful perimeters for making further use of the data so obtained are defined
or inferred, the subsequent data user will be liable and accountable for any misuse or
improper use of the personal data. If there is no such stated purpose, the Commissioner
5
See
Guidance Note on the Use of Personal Data Obtained from the Public Domain
, available on the Website:
https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_public_domain_e.pdf6
In July 2015, the Commissioner published a survey report on the protection of personal data contained in ten
commonly-used public registers, namely Bankruptcy Register, Births Register, Business Register, Companies Register, Land
Register, Marriage Register, Register of Notice of Intended Marriage, SFC Register of Licensed Persons, Register of
Vehicles and Register of Electors. The survey report containing recommendations on safeguarding personal data
contained
in
the
registers,
available
on
the
Website:
https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/survey_public_registers.pdf