HK rules shed light on personal data protection
Author: Maggie Qin、Jason Chan 2017-03-05The legal framework governing personal information in mainland China is quite limited, with most provisions addressing the issue scattered in the individual clauses of various regulations. Despite this, numerous large enterprises, in order to reduce compliance risks in their operation, have internally formulated policies for protecting customers’ personal information and, when entering into contracts with customers, will sign an agreement for protecting personal information. Hong Kong has substantial reference value when it comes to legislation and the regulation of information protection. This article will discuss personal information protection practice based on the six basic principles enumerated in Hong Kong’s Personal Data (Privacy) Ordinance and relevant cases published by Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD).
Data collection principle. First, a data user is required to collect personal data in a fair and lawful manner, and the purpose needs to be directly related to its function or activity. Second, the data user is required to take all practicable steps to inform the data subject of the purpose for collecting his or her personal data, and the classes of persons to whom the data may be transferred. Third, the collected data need to be actually required and may not exceed the adequate level.
For example, the mobile phone app for purchasing travel products (excluding airline tickets, passage tickets, train tickets, etc.) of a certain travel company required the consumer to provide his or her name, telephone number or e-mail address, date of birth and ID card number when registering as a user. The PCPD found that the provision of dates of birth and ID card numbers exceeded the adequate level for data collection, with the consumer’s name and telephone number or e-mail address adequate for the company to engage in the sale of its products, the accumulation of points, consumer confirmation and other such operational activities.
Data accuracy and retention principle. A data user is required to take practicable steps to ensure that the personal data that it holds are accurate and not kept longer than is actually necessary for the fulfilment of the original purpose for which the data are to be used.
A certain customer filed a complaint stating that he had long ago secured a discharge of personal bankruptcy, but a certain bank still retained data on his bankruptcy and he also learned that internal regulations of the bank specified that information of personal bankruptcy was to be kept for 99 years. The PCPD held that although personal data relating to personal bankruptcy was important data for banks to manage credit risks and for assisting bankruptcy trustees in identifying and seizing the property and accounts of a bankrupt, this did not automatically bestow on the bank the right to retain personal data indefinitely or for an extended period of time.
Pursuant to the Bankruptcy Ordinance, a bankrupt can recover control of his finances four to eight years after discharge. The PCPD held that the act of the bank was not conducive to the individual leading a normal life without encumbrance. Accordingly, a bank should not retain personal bankruptcy data for more than eight years.
Data use principle. Without the voluntary and express consent of the data subject, personal data may only be used for the purpose for which the data were collected or a purpose directly related to such purpose. A certain tutorial organization notified a student who had achieved excellent marks in the college entrance exams that it would award him a scholarship and interview him after he provided the original results notice for checking. Subsequently, the tutorial organization published the contents of the interview with the student, the results notice and a photo of the student taken with the organization’s teachers in the tutorial organization’s publication. The PCPD found that the student’s acceptance of the scholarship did not constitute express consent by the student to the tutorial organization’s use of his personal data, and that the student had the right to demand civil damages from the organization.
Data security principle. A data user is required to take all practicable steps to ensure that personal data are protected against unauthorized or accidental access, processing, erasure, loss or use.
A certain person found 16mm wide strips of diagnostic appointment slips of a certain hospital outside the shredding factory of a certain confidential materials disposal company, which, when put together, revealed some of the relevant medical information of the patients. Through the investigation it was learned that the contract between the hospital and the confidential materials disposal company specified that the strips of shredded paper were not to exceed 4mm, and that the 16mm strips were due to improper operation by a new employee of the confidential materials disposal company. The PCPD found that the hospital had ultimate responsibility for data protection and recommended: (1) adding a clause in the contract restricting employees of the outsourcing company from removing data from the company without authorization; and (2) strengthening scrutiny and monitoring of the performance of the contract by the outsourcing company.
Principle of disclosure of policies. A data user is required to take practicable steps to disclose its policies and practices on the handling of personal data and make known the type of personal data held, and its purpose.
Due to the theft of stamps, a post office installed pinhole cameras near the washrooms and changing rooms for surveillance purposes. The PCPD held that, where an employer wishes to monitor its employees, it needs to take reasonable steps to formulate clear privacy policies and statements, and ideally notify in writing the subjects of the monitoring. The PCPD found that the secret recording by the post office violated the principle of disclosure of policies.
Access and correction principle. A data subject has the right to access his or her personal data, and if he or she discovers that relevant personal data are inaccurate, the right to request correction.
A certain bank was to charge HK$200 for applications made by customers to access their data. After familiarizing itself with the bank’s internal procedures and costs, the PCPD found that the bank ought to consider the quantity and nature of the data that a customer wished to access. A single charge rate of HK$200 seemed too high for accessing their personal data, and recommended that the bank set different fee rates based on the quantity and nature of the data.
Maggie Qin is a partner and Jason Chan is a foreign legal consultant of AllBright Law Offices