Hong Kong Unit 4A Legislative History II

Question 1

Is there constitutional protection of privacy in Hong Kong? What are they?

Answer 1

Yes.

1. The Basic Law - It provides the continued application of the International Covenant on Civil and Political Rights (ICCPR).
2. The Basic Law also contains provisions in relation to privacy (Article 17).
3. Bill of Rights Ordinance - It replicates the provisions of ICCPR (Article 14 of the Bill of Rights, Article 17 of the ICCPR). => Note that the Bill of Rights is only binding on the government and all public authorities — cannot be used by individuals.

Question 2

What is the scope and application for PDPO? What are the exemptions?

Answer 2

It is comprehensive, covering ‘data users’ in both the private sector and the public sector of the HKSAR (but not the PRC government in the HKSAR). Applies where the data user in question controls the processing of data in or from HK, even if the data processing cycle occurs outside HK.

Does not distinguish between automated and non-automated data or processing.

Does not cover deceased persons. Employers are liable for contraventions of the Ordinance by their employees in the course of their employment. Principals are liable for the acts and practices of their agents carried out with their authority(S65(2)).

General exemption for personal data held for domestic or recreational purposes, does not apply to the PRC government in the HKSAR, exemption from access requirement for certain employment-related personal data and relevant process.

Question 3

What is personal data in HK? Give examples? What is not personal data?

Answer 3

Personal Data is any data:
Relating directly or indirectly to a living individual (data subject)
From which it is practicable for the identity of the data subject to be directly or indirectly ascertained
In a form in which access to or processing of the data is practical

Examples of personal data: Healthcare information.

Not personal data (on their own, unless coupled with other personally identifiable information): IP address, email address, biometric data, examination script, mobile phone number, fabricated or untrue information.

Also does not protect information concerning a deceased individual.

Question 4

What is publicly available data (public domain) in HK? How is it to be treated?

Answer 4

It is personal data which can be accessed and obtained from the public domain through different channels, e.g. a public register, a public search engine or a public directory, etc.

The protection afforded by the Ordinance does apply to such publicly personal data and there is no general exemption from compliance with the requirements under the Ordinance.

It is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation. The protection afforded by the Ordinance does apply to such personal data and there is no general exemption from compliance with the requirements under the Ordinance.

A data user who collects and uses such data must observe DPP 1(2) and DPP 3. Further, if such data is to be used for direct marketing activities, Part VIA of the Ordinance must be complied with and consent of the data subjects must be sought.

Question 5

What are the new requirements of direct marketing under section 6A?

Answer 5

Inform data subjects of direct marketing on or before collection on kinds of PD used, classes of marketing subjects. Need response channel to give consent. General purpose NOT acceptable.

Question 6

What are the guidance for employment matters during recruitment?

Answer 6

• Employer should not solicit personal data from job applicants in an advert that provides no identification of either the employer or the employment agency acting on its behalf.
• If an employer finds it necessary to conceal its identity, it may ask the applicant to obtain an application form in the advert; or the employer may use a recruitment agency which should be identified in the advert.
• Recruitment adverts that directly ask job applicants to provide their personal data should include a statement informing applicants about the purposes for which their personal data is to be used.
• Personal data collected from job applicants should be adequate but not excessive, and it should be relevant to the purpose of identifying suitable candidates for the job.
• Employer should not collect a copy of the HK identity card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment.
• Information may be compiled about a job applicant (e.g. by means of security vetting or integrity checking); the data collected should be relevant to the nature of the job.
• Personal health data (where required) of the selected candidate should only be collected after the employer has made a conditional offer of employment.
• Personal data of unsuccessful applicants may be retained for a period of up to two years from the date of rejection (in case there is an employment discrimination claim against the employer) and should then be destroyed. The employer may retain the data beyond two years if it has a subsisting reason to do so or the applicants have given their consent.

Question 7

What are the guidance for employment matters for current employment?

Answer 7

• On appointment, an employer may collect additional personal data from an employee and their family members for the purpose of employment or to fulfil lawful requirements.
• On or before collection of personal data from an employee, an employer should provide the employee with a Personal Information Collection Statement (PICS).
• Information compiled about an employee in the process of disciplinary proceedings, performance appraisal or promotion planning should only be used for the intended purposes. The information should not be disclosed to a third party unless the third party has legitimate reasons of access to the data.
• Employer should not disclose employment-related data of employees to third parties without first obtaining the employees’ express and voluntary consent unless the disclosure is directly related to employment or is required by law or statutory authorities.
• Employer should avoid disclosure of data in excess of what is necessary for the purpose of use by the third party.
• Employer who engages a third party as its data processor must use contractual or other means to ensure that the third party abides by the data protection requirements.
• Employer will be held accountable in its capacity as principal for the act or omission of the third party.

Question 8

What are the guidance for employment matters for former employees?

Answer 8

• Personal data of former employees may be retained for up to seven years from the date of cessation of employment. The data may be retained by the employer for a longer period if there is subsisting reason or retention is necessary to fulfil contractual or legal obligations.
• Employer must take all practicable steps to ensure that only relevant and necessary information of ex-employees is retained.
• In any public announcement regarding ex-employees, the employer should not disclose their IC numbers nor disclose excessive personal data about them.
• Employer should not provide references concerning ex-employees to third parties without first obtaining the ex-employees’ express and voluntary consent.

Question 9

What are the guidance for employment matters for current employees?

Answer 9

Monitoring employees in the workplace
- Employers are obliged to carry out a privacy impact assessment and evaluate less intrusive approaches to achieving the objectives of the monitoring
- Employers must draft and communicate a written policy on employee monitoring to affected employees, explaining:
the business purposes of the monitoring, the circumstances under which monitoring takes place, and
the kinds of personal data collected as part of the monitoring