What is personal data? What are the rules for processing personal data?

When you conduct your own business, you will most likely need to keep a considerable amount of personal information in your files. These can be names, credit card details and other account data that can identify your employees or customers. As this information is often used for meeting payroll, filling orders or performing any other necessary business functions, it is important that you understand that failing to adhere to your obligation to protect your customers’ personal information can lead to legal issues.

Definition of personal data

The law governing personal data and privacy in Hong Kong is the Personal Data (Privacy) Ordinance (Cap. 486). Section 2 defines “personal data” as any data “(a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable”. 

You also need to be aware of the six Data Protection Principles under Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) as they regulate the ways that personal data is collected, retained, used, secured, accessed and corrected.

Personal data that is subject to privacy regulations

There are some obvious examples of personal data used in our daily lives that are subject to privacy regulations in Hong Kong:

  • Names
  • Identity card numbers
  • Fingerprints
  • Photos
  • Phone numbers
  • Addresses
  • Sex
  • Age
  • Marital status
  • Occupation
  • Religious belief
  • Nationality
  • Medical records
  • Employment records

It is also practicable to ascertain an individual via a combination of data, e.g. address, telephone number, age and sex of the individual.

Non-personal data

On the other hand, non-personal data is electronic data that does not contain any information for the use of identifying a natural person. Hence, those data would either have no personal information at all (e.g. stock prices and weather data) or have personal data that is subsequently pseudo-anonymised (e.g. identifiable strings that are substituted with random strings) or anonymised (e.g. removing all personal data irreversibly).

The law

The Personal Data (Privacy) Ordinance (Cap. 486) applies to anyone who collects, processes, holds and uses personal data within both the private sector and the public sector, including any government department. Generally, the Ordinance governs the ways that personal data is collected and used, as well as prevents any abuse of data considered as an intrusion of an individual’s privacy.

According to section 2 of the Ordinance, “data user” refers to “a person who, either alone or jointly or in common with persons, controls the collection, holding, processing or use of (personal) data”, and “data subject” refers to “the individual who is the subject of the data”.

Under the Ordinance, there are six Data Protection Principles (contained in Schedule 1):

  • Principle 1 – Purpose and manner of collection: You, as a data user, should only collect personal data in a fair and lawful manner for a lawful purpose that is directly related to your activity or function. You should also inform your customers whether it is voluntary or obligatory to supply the data, the purpose of using their data and who their data might be transferred to if you collect personal data from them directly.
  • Principle 2 – Accuracy and duration of retention: You must take all practicable steps to make sure that all personal data is accurate and is not kept beyond the period necessary for the fulfilment of the purpose for which the data is used. Otherwise, it may constitute a criminal offence pursuant to section 26 of the Ordinance.
  • Principle 3 – Use of data: You are prohibited from using personal data for any new purpose that is not the original purpose or is unrelated to such purpose when collecting the data, unless your customers have provided voluntary and express consent. Your customers can also withdraw their previous consent by providing a written notice. In relation to the restrictions on the use of personal data, you must obtain informed consent from your customers prior to using their personal data for direct marketing (Part 6A of the Ordinance).
  • Principle 4 – Data security: You must take all practicable steps to protect all personal data held by them against accidental or unauthorised access, erasure, processing, use or loss. If a data processor is engaged to process the personal data held, contractual or other means must be adopted to ensure that the processor complies with the mentioned data security requirement.
  • Principle 5 – Openness and transparency: You must take all practicable steps to ensure the openness of your personal data practices and policies, the kind of personal data held and the major purposes of holding it.
  • Principle 6 – Access and correction: Your customers have the rights to request access to and to correct their own personal data. You must provide reasons if you refuse a customer’s request to access or correct their personal data. Part 5 of the Ordinance contains detailed provisions on data access and correction requests.
Key takeaways
  • Personal data is regulated by the Personal Data (Privacy) Ordinance (Cap. 486) in Hong Kong.
  • Personal data contain information that can be used to identify a person, whilst non-personal data do not contain such information.
  • The six data protection principles under the Ordinance regulate the ways that personal data is collected, retained, used, secured, accessed and corrected.

Bibliography:
PCPD, ‘The Personal Data (Privacy) Ordinance’: https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html