Back to Intellectual Property Rights



Hong Kong's protection of privacy can be found in the Personal Data (Privacy) Ordinance, it intends to protect the interest in personal data of living individuals. It covers all data directly or indirectly related to the individual which ascertain the identity on the person. The data covered should be able to access and process.

Data Protection Principles (DPP)

Principle 1 – Purpose and Manner of Collection of Personal Data
Personal data shall only be collected for a lawful purpose of an activity in which the data user will use the collected data. The data shall be collected in a fair and lawful manner.

Some websites may not publish its actual identity which is quite unfair to data subjects (whose personal data are collected) for not knowing their real identity. This may fail to comply to DPP 1 which seeks to collect personal data on fair manner. Moreover, websites should publish a statement stating the purpose the data will be used and the class of people that the data may be passed to.

Principle 2 – Accuracy and Duration of Retention of Personal Data
Practical steps shall be taken to ensure that the personal data are accurate, up-to-date and will not be kept longer than necessary.

Websites owners should state the policies and duration of retention of data collected.

Principle 3 – Use of Personal Data
The personal data shall be use only for the purpose collected unless the data subject consent otherwise.

If you intended to display data collected on the web, you should clearly state so. Information that are anonymous or where the identity of subjects cannot be ascertained are not considered as personal data.
Principle 4 – Security of Personal Data
All practicable steps shall be taken to ensure the personal data will not be susceptible to unauthorised or incidental access, processing, erasure or other use.

Security measures such as encryption should be employed when transferring data over Internet or sending emails. If there is none, websites owners should draw the attention of users of the risk.

Principle 5 – Information to be Generally Available
All practicable steps shall be taken to ensure that information in relation to the kinds of data held, the main purposes of use and policies of data subject can be available.

To comply with DPP5, websites should have privacy policy statement clearly shown. They should let others know if there are data collecting modes such as "cookies" used on their websites.

Principle 6 – Access to Personal Data
Data subjects can request for access and correction to their data held by data user.

Websites should state clearly whether and how individuals can access or correct their data. They should provide the information of the person they can contact.

Exemptions
There are exemptions from the provisions in this Ordinance for certain actions including:

  • personal data collected for domestic or recreation purpose
  • certain personal data related to employment such as staff planning and personal references
  • where the access and use are likely to prejudice certain public or social interests (e.g. security, defence , news activities)


Transfer of personal data to a place outside Hong Kong
Under s33 of the ordinance, a data user doing business in Hong Kong shall not transfer personal data to a place outside Hong Kong. Unless the user has reasonable grounds to believe the other place has a law competent enough and serving the similar purpose as this Ordinance, or the data subject has consented in writing to the transfer. This is especially significant to data transfer over the Internet, however, this section has not been enforced yet.

Home | About Us | Areas of Practice | Legal Updates | Publications | FAQs | Download | Useful Links | Contact Us

Disclaimer | Copyrights Statement | Privacy Policy

Designed by GoTech Media