We thank Herbert Smith Freehills for providing the answers to these questions.
Q: What is data privacy and what are the main laws or regulations governing data privacy relevant to civil society organizations (CSOs) in Hong Kong?
A: Data privacy/ data protection is the fair and proper use of information about people. It is part of the fundamental right to privacy. Data privacy is about building trust between people and organisations. People should be treated fairly and openly, and their right to have control over their own identity and their interactions with others should be recognised.
The Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) is the main piece of legislation in Hong Kong to protect the privacy of individuals in relation to personal data. The PDPO governs the collection, holding, use (which includes disclosure or transfer) and processing (which includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise) of personal data in Hong Kong.
The Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) has issued codes of practices to provide practical guidance on how to comply with the requirements under the PDPO. Non-compliance with a code of practice itself is not an offence but can be a proof of contravention of the requirements under the PDPO. Examples of such codes of practice are the Code of Practice on the Identity Card Number of Other Personal Identifiers and the Code of Practice on Human Resource Management.
The PDPO is applicable to both the private and the public sectors. Unlike some jurisdictions in Asia, there is no general exemption for public agencies under the PDPO. Therefore, any CSO which controls the collection, holding, use or processing of personal data in Hong Kong must comply with the PDPO.
It is important to note that while data privacy is an important right, it is not an absolute right. An individual’s right to privacy should be balanced against other important rights or public interest.
Under the PDPO, there are a number of exemptions from certain data protection obligations in particular circumstances. However, the exemptions are applicable in limited circumstances and some exemptions only exempt the data users from certain DPP(s) but not all the DPPs. If a data user wants to rely on an exemption rather than complying with the PDPO, the burden is on the data user to prove that an exemption applies in the data user’s case to defend a contravention of PDPO. Examples of exemptions under the PDPO include, amongst others, (i) personal data is collected and used for domestic purposes (which exempt the data user from all DPPs); (ii) personal data is used for employment (staff planning) purpose (which exempts a data user from DPP6 only); (iii) crime prevention (which exempts the data user from DPPs 3 and 6); and (iv) personal data held for news activity or disclosed to a data user engaging in news activities (which exempts the data user from DPPs 3 and 6).
Q: What kind of data is subject to protection under data privacy laws?
A: Only personal data is subject to protection under the PDPO. Personal data is defined under the PDPO as any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained (i.e. data which can be used to identify a person); and; and (c) in a form in which access to or processing of the data is practicable (i.e. data which can be reasonably retrievable).
That is to say, data which is not relating to a living individual (e.g. data relating to a corporation) is not personal data and is not subject to protection under the PDPO.
Q: What are the main data privacy legal obligations CSOs have to comply with?
A: CSOs, whether alone or jointly with other persons, which control the collection, holding, processing or use of personal data are regarded as ‘data users’ under the PDPO. A ‘data subject’ is the individual who is the subject of the personal data.
The main data protection obligations of a data user are set out in 6 Data Protection Principles (“DPP(s)”) under Schedule 1 to the PDPO. In summary, the key requirements are:
DPP 1 – Collection of personal data – Only relevant personal data should be collected
Personal data must be collected on a fully-informed basis and in a fair manner, with due consideration towards minimizing the amount of personal data collected. Data users should ensure that (1) the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; (2) the collection of the data is necessary for or directly related to that purpose; and (3) the data is adequate but not excessive in relation to that purpose.
It is important to note that the term ‘collection’ is not defined in the PDPO but covers both the creation of personal data and the acquisition of pre-recorded data.
DPP 2 – Retention of accurate personal data – Personal data is accurate and is not retained for longer than is necessary
Accuracy of information
Personal data must not be inaccurate having regard to the purposes for which the data is being used, and must not be kept longer than is necessary for the fulfillment of the purpose for which the data is being used.
Under the PDPO, ‘inaccurate’ means:
- incorrect (i.e. factual errors);
- misleading (i.e. biased opinion data);
- incomplete; or
Under this DPP 2, the duty to ensure accuracy of the personal data is not absolute but does require all reasonably practicable steps be taken to ensure personal data is accurate. ‘Reasonable steps’ to prevent the inaccuracy of personal data includes taking positive steps to:
- ensure that the source of the data is reliable;
- verify the data;
- implement safeguards regarding the inputting of computer data; and
- follow procedures when inaccurate data becomes apparent.
Retention of information
Data users should also take all practicable steps to ensure that personal data is not kept for longer than is necessary for the fulfillment of the purpose for which the data is used. The PDPO imposes a positive duty to erase data when it is no longer required. Data users should therefore take all practicable steps to erase personal data that is no longer required for the purpose for which the data is used, unless erasure is prohibited by law or is not in the public interest.
Changes have also been proposed to the PDPO to require data users to formulate a retention policy which specifies a retention period for the personal data collected.
DPP 3 – Use of personal data – Consent is required to use personal data for a new purpose
Use of personal data should be limited, or related, to the original purpose for collecting such personal data (“original purpose”). A data user cannot use personal data for any new purpose which is unrelated to the original purpose, unless the data subject gives their express and voluntary consent.
Under the PDPO, a new purpose means any purpose other than the original purpose, i.e.:
- the purpose for which the data was to be used at the time that the data was collected; or
- a purpose directly related to that purpose.
In addition, data users must obtain a data subject’s informed consent before the personal data is used for direct marketing (whether used by the data user or a third party for direct marketing purposes).
The direct marketing provisions under the PDPO are relevant to NGOs because “direct marketing” is defined under the PDPO as (a) the offering, or advertising of the availability, of goods, facilities or services; or (b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.
“Direct marketing means” is defined under the PDPO as (a) sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or (b) making telephone calls to specific persons.
Please note that to qualify as “direct marketing” activities, the marketing mail, fax, electronic mail or telephone call should be addressed to specific persons by name. Therefore, if the addressee of the marketing materials or calls is not specified by name, such activities would not be regarded as direct marketing.
Data users must take certain steps when obtaining prescribed consent from data subjects (silence does not suffice but, for example, inviting a customer to tick a box specifying whether the customer would agree to their personal data being used for promotion by third party businesses might be sufficient). You may refer to the PCPD’s Guidance Note on direct marketing to understand the prescribed steps which must be taken by a data user to obtain data subjects’ consent to use their personal data in direct marketing.
It is important to note that a data subject can withdraw their consent by written notice at any time.
DPP 4 – Security of personal data – Protecting the integrity of personal data
Once collected, personal data should be processed in a secure manner. Data users should take all practicable steps to maintain the confidentiality of personal data and to protect the personal data they hold against unauthorized or accidental access, processing, erasure, corruption, loss or use.
DPP 5 – Information to be generally available – Protecting the integrity of personal data; maintaining openness and transparency
This principle is broad in scope and requires that any person shall be able to ascertain:
- a data user’s policies and practices;
- the kind of data held by the data user (i.e. the types or classes of data held); and
- the main purposes for the data user to be holding such data.
DPP 6 – Access to personal data – A right to ascertain whether a data user holds your personal data and to access your personal data
Data subjects have the right to (among other things):
- ascertain whether their personal data is held by a data user;
- request access to their personal data; and
- request a correction of their personal data.
Under the PDPO, a data user should give reasons when refusing a data subject’s request to access or correct their personal data. The PDPO also requires that data users, when granting a data subject access to their personal data, grant such access within a reasonable timeframe, in a reasonable manner and in an intelligible form. If a data subject is to be charged a fee for accessing their personal data, such fee must not be excessive.
Q: What is GDPR? Do CSOs in Hong Kong have to comply with GDPR? Is it true that if our organization complies with GDPR, then we are likely to be compliant with Hong Kong data privacy law?
A: The General Data Protection Regulation (“GDPR”) is a regulation on data protection and privacy in the European Union (“EU”) and the European Economic Area (“EEA”). It came into effect in May 2018 and replaced the Data Protection Directive 95/46/EC (“1995 DP Directive”).
The GDPR contains extra-territoriality provisions which serve to extend the application of the GDPR to organizations that are based outside of the EU but carry out data processing activities involving the personal data of EU individuals which meet one of a number of criteria, namely where the processing:
- is in the context of an establishment of a controller or a processor in the EU;
- relates to the offer of goods or services to individuals in the EU (e.g. via a website offering delivery to the EU); or
- relates to the monitoring of the behaviour of individuals in the EU (e.g. by using cookies to track an individual’s activity on the internet).
On (a) above, if the activities of a Hong Kong CSO are carried out in Hong Kong only and the CSO does not conduct any data activities in the context of any of its EU counterparts, it is unlikely that GDPR’s extra-territorial scope would be triggered.
On (b) and (c) above, to clarify, EU citizens who are ordinarily resident in Hong Kong are not considered as ‘individuals in the EU’ and hence collecting the personal data of an EU citizen who ordinarily resides in Hong Kong (and where such collection occurs only in Hong Kong) should not cause the GDPR to bite.
It is not true that compliance with GDPR equals compliance with Hong Kong data privacy laws. While there are similarities between the two regimes (given that Hong Kong PDPO was based on the 1995 DP Directive, the predecessor legislation to the GDPR) and in general the GDPR is considered as the ‘high watermark’ of data privacy laws (as the GDPR contains a higher threshold for obtaining consent from data subjects, enhanced the rights of data subjects, and requires more information to be provided to data subjects etc.), there are also significant differences between the PDPO and GDPR. For example:
- the GDPR allows a data controller (i.e. a data user) to rely on certain legal basis (other than consent form data subjects) to process personal data, whereas under the PDPO, there are no such other legal basis as long as the collection and use of personal data complies with the DPPs; and
- the direct marketing provisions under the PDPO are unique to Hong Kong data protection laws; the GDPR does not have equivalent provision but rather, under the GDPR, marketing activities are subject to the same general principles as all other processing activities.
Q: If we are conducting a general survey without asking the respondents’ names and emails, are we subject to the laws on personal data privacy applicable?
A: If the survey is conducted on a no-name basis, and you cannot identify the individual based on the answers provided by him/her in the survey, then the survey (and the information contained therein) is not subject to the PDPO (given that there is no collection of personal data).
Q: Can we share photos of our partners or beneficiaries’ faces or display their names and contact details on our website?
A: If you want to use (including disclose) the personal data (i.e. their photos) collected from your partners or beneficiaries (i.e. data subjects), you will need to check whether the data subjects have been informed of such proposed use of their personal data before their personal data was collected. In practice, this can be done by providing them with a personal information collection statement (“PICS”) before collecting their personal data.
If the data subjects have not been informed of such proposed use/disclosure of their personal data, you can only use their personal data for such new purpose after obtaining their consent.
Q: We store confidential and/or personal information using online cloud solutions, are there any data privacy issues we should be aware of?
A: The online cloud solutions providers are considered as your data processors, which is a person who processes personal data on behalf of another person (a data user), instead of for their own purpose(s).
Data processors are not directly regulated under the PDPO. However, if a data user engages a data processor, the data user should adopt contractual or other means to ensure that the data processor complies with the PDPO’s data retention (i.e. DPP 2) and data security (i.e. DPP 4) requirements mentioned above (see our responses to Question no. 3).
Q: We also keep confidential and/or personal information in hard copy format, how should we manage such information in order to comply with data privacy obligations?
A: The PDPO does not mandate the kind of security measures which must be taken to protect personal data.
The PDPO only requires that all practicable steps are taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, corruption, loss or use.
The steps required of a data user to maintain security vary widely from case to case. However, the following precautionary steps are generally accepted as examples of the appropriate security measures that may be taken by data users for paper documents containing personal data or sensitive information:
- storage of data in paper files should be kept under lock and key or in a secure area with access only by authorized persons on a need-to-know basis.
- paper files should be shredded after use or when it is no longer necessary for them to be retained.
- implementation of a clear desk policy so that employees are required to lock up sensitive papers/documents when they are not immediately working on them.
- transmission of paper files should be via sealed envelope marked with “private and confidential”.
- no sensitive data should be visible through the envelope or envelope address window.
- where a fax machine is used for the transmission of paper files, the recipient should be notified of the incoming fax in advance and be mindful of always double checking the accuracy of the fax number before it is dialed.
Q: Are we allowed to destroy files and records (both hard copy of electronic data) in order to save storage space/ capacity? How should we manage this process and comply with relevant legal obligations?
A: Under the PDPO, personal data (including files and records containing personal data) should not be kept longer than is necessary for the fulfillment of the purpose for which the data is used. DPP2 under the PDPO provides that data users shall take all practicable steps to ensure that personal data is not kept longer than is necessary for fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used. Section 26 of the PDPO provides that a data user must take all practicable steps to erase personal data held when the data is no longer required for the purpose (including any directly related purpose) for which it was used, unless any such erasure is prohibited under any law or it is in the public interest not to have the data erased.
In a consultation paper published in January 2020 for the Hong Kong Legislative Council, one of the proposed changes to the PDPO is to require data users to formulate a retention policy which specifies a retention period for the personal data collected.
However, please note that there are other Hong Kong legal requirements which should be considered when you determine the record keeping duration for different types of documents/ data (e.g. the Limitation Ordinance, employment laws, tax laws, company laws or applicable industry specific regulations). For example, as a tax law requirement, a person carrying on a trade, profession or business in Hong Kong must keep sufficient records for 7 years in the English or Chinese language regarding income and expenditure to enable the assessable profits to be readily ascertained.
You should determine the erasure method to be used for each type of records. The purpose of the erasure is to irreversibly delete or destroy the personal data so that it cannot be recovered. You may refer to the Guidance Note issued by the PCPD on personal data erasure and anonymization.
During the time that personal data is retained, you need to meet the DPPs requirements on data security and data subjects’ rights to request access and correction of their personal data.
Q: What are the practical steps our organization can take to comply with our data privacy obligations, including the collection, storage, use, access/ sharing and destruction of data subject to data privacy protection?
A: Personal data should be collected on a fully-informed basis, in a fair manner, and with due consideration towards minimizing the amount of personal data collected. Set out below are just some of the practical steps which can be taken to comply with the PDPO.
- Provide data subjects with a PICS: A personal information collection statement (“PICS”) is a statement given by a data user to a data subject on or before any personal data is collected from that data subject. The PDPO does not require that such notice be given in writing. However, it is good practice for a data user to provide the requisite information to data subjects in writing in the interests of transparency and to avoid any misunderstanding between the parties. A PICS may be contained in or attached to the application form. If personal data is being collected online, data users should include a hyperlink to their PICS and only allow a data subject to complete the form after reviewing the PICS, in the online form.
- Notify data subject if it is obligatory or voluntary to supply personal data: On or before collecting any personal data from a data subject, data users should inform the individual whether it is obligatory or voluntary for him/her to supply personal data. If obligatory, the data subject should be informed of the consequences of failure to supply their personal data.
- Declare the possible classes of persons to whom personal data may be transferred: Data users should declare the classes of persons to whom personal data may be transferred or disclosed (“transferees”). The classes of transferees should be clearly defined; data users should avoid using broad and general terms, such as “any person”, “any business partners”, “our affiliated companies” and “any other person under a duty of confidentiality to us”. For example, a data user can specify in its PICS “we may share your information with credit reference agencies” to show credit reference agencies as the class of possible transferees, or specify affiliated companies which are in a certain sector.
- Expressly state if personal data will not be shared with other: If personal data will not be shared, transferred or disclosed to third parties, it would be a good practice to mention this because it is usually viewed favorably by data subjects. For example, data users can provide assurance to customers by stating “The information we collect about you will not be disclosed by us to any other party without your prior consent”.
- Obtain consent before using personal data for direct marketing purposes: If personal data is intended to be used for direct marketing, or to be provided to third parties for use in direct marketing, data users must obtain consent from the data subject before using their personal data for direct marketing purposes, and the prescribed information under Chapter VIA of the PDPO must be provided to the data subjects in order to obtain valid consent from them for using their personal data in direct marketing. It is common practice for data users to embed the notification of such use, and the indication of express consent either by way of signature or a check-box, in the PICS.
- Statement of rights of access and correction and contact detail: Data subjects must be informed that he/she has the right to request access to and correction of their personal data that is held by the data user. Data subjects should also be informed of the name (or job title) and contact details of the individual who is responsible for handling any data access and data correction requests. These statements can also be included in the data user’s PICS. For example, “You have the right to request access to and correction of information held by us about you. If you wish to access or correct your personal data, please contact our data protection officer at [insert address] or [insert email address]”.
- Other recommended good practices regarding PICS: The purpose of collecting personal data, as stated in the PICS, should not be too vague nor the scope too wide. Data subjects should be to ascertain with a reasonable degree of certainty the purposes for which their personal data is being collected simply by reading the PICS. The language used in the PICS should be user-friendly in terms of length, complexity, font size and accessibility etc. It is also advisable to include a notice in the PICS about the security measures adopted by the data user in handling the personal data (i.e. if personal data is collected online, the specific security measures that are applied to online transactions such as collection of home or email addresses, places of employment, HKID numbers, credit card numbers, etc.)