
PCPD News (私隱專員公署通訊), Issue no. 28


COVER STORY


Background: Should personal data available in the public domain be exempt from regulation under the Ordinance?

The Law Reform Commission had carefully deliberated on whether public registers should be completely exempt from the Personal Data (Privacy) Ordinance and concluded that they should not. In the public consultation exercises leading up to the latest amendments to the Ordinance, the Government reaffirmed the view that “putting personal data in the public domain does not make the data available for use for any purpose”. This was upheld in a recent Court of Appeal judgment (see CACV 4/2012).

Many people are under the belief that personal data collected from the public domain, not from the data subjects directly, is open to unrestricted use. This is not correct.

There are many sources from which we can collect individuals’ personal data: for example, information about company directors and secretaries from the Companies Registry; property owners’ information from the Land Registry; vehicle owners’ information from the Register of Vehicles; parties involved in a legal proceeding from the daily cause lists and cause books maintained by the courts; bankruptcy notices published in the Gazette; and information published in the mass media and on websites.

Personal data, be it publicly available or not, is subject to protection under the Personal Data (Privacy) Ordinance (“the Ordinance”). Imagine the consequences if the opposite were true. Data users who intend to abuse personal data could get around the law by deliberately publicising the data in order to make it “personal data in the public domain”. Furthermore, improper use of personal data that was leaked to the public domain by accident would be legitimised.

Use-limitation principle

Data Protection Principle 3 (“DPP3”) of the Ordinance is a use-limitation principle, which provides that personal data should be used only for the purposes for which it was collected or for a directly related purpose, unless the explicit and voluntary consent of the data subject is obtained.

With respect to personal data in the public domain, the starting point for an application of DPP3 is thus the original purpose of collecting the personal data and making it publicly available. In the case of public registers, they are normally set up by statute. Ideally, the purpose of a public register should be stated as specifically as practicable in the legislation governing the operation of the registry.

Where the purpose of maintaining a public register is not expressly stated in the legislation, the purposes and limitations of use of the data may be found in the privacy policy or personal data collection statement of the registers, or the application form designed for access to the data maintained on the registers (see Table 1 on page 5).

Reasonable expectation of privacy

Where the original purpose is not prescribed or is unclear, before we further use the personal data concerned, we must look at the context in which the data was collected and made publicly available, and the reasonable expectations of the data subjects regarding personal data privacy. The test here is whether a reasonable person in the data subject’s situation would find the re-use of the data unexpected, inappropriate or otherwise objectionable. If the answers are affirmative, the new purpose of data use would very likely violate the Data Protection Principle. At the very least, personal data in the public domain, if used and re-used indiscriminately and without appropriate safeguards, would result in loss of control over the accuracy, retention and security of the data, thus jeopardising the interests of the data subjects.

Exemptions

The right of individuals to privacy is not absolute. It must be balanced against other rights and public interest, such as freedom of information. Accordingly, the Ordinance specifically provides for certain exemptions from the application of DPP3 and they apply equally to personal data in the public domain. These exemptions cover a wide range of areas.

For example, section 58 caters for personal data used for the prevention or detection of crime or for the prevention, preclusion or remedying of unlawful or seriously improper conduct or dishonesty or malpractice by individuals. This may be relevant for data users engaged in law enforcement and professional due diligence.

Also, section 60B applies where the use of personal data is required or authorised by law, or in connection with any legal proceedings in Hong Kong.

Further, section 61 provides for exemption from DPP3 for news activities where the publishing or broadcasting of the personal data is in the public interest.

Guideline

There is no blanket approval of secondary use of personal data obtained from the public domain. Each case has to be determined based on its merits. In this regard, the PCPD issued Guidance on Use of Personal Data obtained from the Public Domain (www.pcpd.org.hk/english/files/publications/GN_public_domain_e.pdf).
