Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

Counter-Terrorist Financing (Financial Institutions) Ordinance (Cap 615); and therefore,

such purpose was directly related to the original collection purpose, i.e. for the

legitimate purpose of verifying the identity of the partners of the law firm.

7.38

In commercial transactions, relating to services, such as the hire purchase or credit sale

of goods, the provision of banking or financial services, the provision of utility or

telecommunications services, etc., service providers have a legitimate interest to ensure

the full and prompt settlement of all sums due and owed by the party to the

transactions for services rendered. Hence, it is generally viewed that debt collection is a

directly related purpose for the provision of the paid services and the creditor may

transfer the personal data of the debtor to the debt collection agent or its solicitors to

take recovery action.

7.39

However, pursuant to DPP1(3), service providers must ensure that the data subject was

informed on or before the collection of his personal data that his personal data may be

transferred to a debt collection agent (see paragraph 5.83 above).

7.40

In another case of AAB No. 39/2006, the complaint concerned a credit provider for

having transferred the complainant’s personal data to a debt collector, who

subsequently disclosed the personal data in a public place in the course of collecting a

debt owed by the son of the complainant. The Commissioner found that the personal

data of the complainant had been provided to the credit provider in a loan application

form as a family member of the son and in the capacity of referee when the son

applied for a loan from the credit provider. The credit provider explained to the

Commissioner that the application form was prepared by its agent and it did not require

the personal data of the family members of a loan applicant at all. When it passed the

loan application form to the debt collector for recovery of the son’s debt, the

complainant’s personal data was not intended to be used by the debt collector. The

AAB came to the view that the credit provider should have withheld the personal data

of the complainant from the debt collector since it was not intended to be used by the

debt collector. As the credit provider had disclosed the complainant’s personal data to

the debt collector, the credit provider had contravened DPP3.

7.41

In the field of human resources management, employees’ personal data is collected for

human resources purposes, such as promotion or renewal of contracts or termination of

employment, etc. Examples of the use of employees’ personal data by employers for

directly related purposes include: the disclosure to Mandatory Provident Fund providers

for administering the MPF scheme; integrity checking warranted by the inherent nature

and needs of the job; enrolling an employee in a medical insurance plan; conducting

disciplinary proceedings or compiling performance appraisal reports. In a complaint

that came before the Commissioner, the complainant contended that her employer

was wrong in disclosing her medical records to the Medical Board convened for the

purpose of determining her fitness for employment. The Commissioner found that the

disclosure of her medical records was necessary for the purpose of the Board’s hearing

and hence were directly related to her employment under DPP3. Not satisfied with the

AAB No. 19/1999

, the AAB decided that there was no change in the purpose of use of the customer’s personal data

by a telecommunications company in passing the data to a debt collection agent to pursue a debt owed by the

customer.