Personal Data (Privacy) Ordinance, Cap. 486

Personal Data (Privacy) Ordinance, Cap. 486 Personal Data

1. ‘Personal Data’ as defined under the Ordinance means any data - (a) relating directly or indirectly to a living individual;

(b) from which it is practicable for the identity of the individual to be directly and indirectly ascertained; and

(c) in a form in which access to or processing of the data is practicable.

Personal data held by a school may generally be classified into factual or evaluative data. Both types of data will be subject to data access, save for the exemptions provided in Part VIII of the Ordinance.

Data Protection Principles (section 4 of and Schedule 1 to the Ordinance)

2. The Ordinance places a statutory duty on data users to comply with the requirements of the six Data Protection Principles contained in Schedule 1 to the Ordinance. These principles represent the guiding spirit of the Ordinance. The Ordinance provides that a data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under the Ordinance. It also gives data subjects certain rights, including the right to be informed of whether any data user holds their personal data;

to be supplied with a copy of such data; and to request correction of any data they consider to be inaccurate. Non-compliance with a data protection principle may lead to a complaint to the Privacy Commissioner for Personal Data. A claim for compensation may also be made by a data subject who suffers damage by reason of a contravention of a requirement under the Ordinance. All school personnels who have responsibility for handling personal data should therefore familiarise themselves with the six principles as reproduced at Appendix I.

Exemptions (sections 51 to 63 of the Ordinance)

3. The Ordinance provides 11 situations where personal data are exempt from the data protection principles and other provisions of the Ordinance. Schools are required to determine whether personal data held by them are exempt from the requirement on subject access and correction by virtue of an exemption from Part VIII of the Ordinance. Before a data access or data correction request is complied with, school are advised to refer to this Part of the Ordinance to ensure that the personal data to be released do not come under any of the applicable exemptions. Legal advice

should be sought, if and when necessary, to confirm that the data concerned are covered by such an exemption. The 11 situations are outlined in Appendix II.

Complaints and Appeals

4. As contravention of a requirement of the Ordinance may lead to a complaint to the Privacy Commissioner for Personal Data, any request for data access or correction must be addressed promptly and appropriately.

The Right of Subject Access (section 18 of the Ordinance)

5. The Ordinance provides for an individual to request access to personal data of which he or she is the subject. An individual, or a relevant person on behalf of an individual, may make a request -

(a) to ascertain whether the school holds personal data of which he/she is the data subject; and

(b) if the school holds such data, to be supplied with a copy of that data.

(The individual or the relevant person properly authorised by that individual is referred to as the ‘requestor’ in the following paragraphs.)

Compliance with Data Access Request (section 19 of the Ordinance)

6. In handling a request, the following guidelines are to be observed :

(a) All data access requests should be made in writing in either Chinese or English. Verbal requests should not be entertained.

(b) All requests received should be dealt with expeditiously. The receiving staff should date-chop all requests immediately upon receipt and pass them to the staff responsible for processing and responding to data access and data correction request.

(c) All requests must be complied within 40 days. If it is unable to comply with the request, in whole or in part, within the prescribed period, the school must within such period inform the requestor in writing that it is unable to do so and give the reasons why this is so. The school must also fully comply with the request as soon as reasonably practicable after the expire of the 40-day reply period;

(d) The school may charge the requestor an appropriate fee to cover the cost of making copies of the personal data.

(e) Refusals to comply with a data access must be authorised by the school head personally.

Log Book (section 27 of the Ordinance)

7. Each school shall keep and maintain a log book of refusals to comply with data access and correction requests. The particulars in the log book must be kept for a minimum period of 4 years. The school must enter into the log book details of reasons for refusing a data access or correction request in each case. The intention is to allow the Privacy Commissioner for Personal Data or his/her authorised representative to inspect and copy the log book at any reasonable time. A sample page of the log book is at Appendix III.

Form

8. The school may provide a copy of the data in the form* (see note below) specified by the data requestor if it is practical to do so, for example, a copy in computerised form. If the data to be supplied is not held in the form sought by the requestor, the school must inform him/her in writing that it is not practical to supply the data in the form requested.

*(Note : Form includes any size of paper (A3, A4 or other), floppy, electronic means etc.)

Content

9. The copy of personal data to be supplied must be such personal data as held at the time when the request is made. There is no requirement to stop normal data processing activities (including amending, augmenting, deleting or rearranging) because a data request has been received. A copy of the personal data to be supplied should be intelligible. If the personal data contain any codes or abbreviations, these should be explained in a manner that is comprehensible to the requestor.

Language

10. If the relevant personal data are held in one language and the copy to be supplied is a true copy of the document containing such data, the school is not required to provide a copy of such data in any language. The choice of English and Chinese, if available, should be made in accordance with any specific request by the data subject for one or the other. In the absence of such a request, the choice should be made in accordance with the language used in the request. If the data access request is in a language other than Chinese or English, subject access may be refused.

Non-compliance with Data Access Request (section 20 of the Ordinance)

11. A data access request shall be refused if :-

(a) the requestor is unable to provide sufficient information to identify himself/herself or the person so authorised;

(b) the data sought comprise personal data of another individual, unless the other individual has consented to the disclosure of the data.

12. A data access request may also be refused if :-

(a) the request is not in writing, or it is not in Chinese or English;

(b) sufficient information is not provided to locate the personal data that are being requested;

(c) the request follows two or more similar requests made by the requestor or a relevant person on his or her behalf and it is unreasonable for the school to comply;

(d) another data user (e.g. the Education Department) controls the use of the personal data concerned in such a way that prohibits the school from complying with the request;

(e) the data access request is not made in a form which has been specified by the Privacy Commissioner for Personal Data under section 67 of the Ordinance if such a form has been specified; or

(f) there is an applicable exemption from subject access provided for in Part VIII of the Ordinance. (Appendix II refers)

Notification of Non-compliance with the Data Request (section 21 of the Ordinance)

13. If the school declines to comply with a data access request for any of the reasons set out in paragraphs 12 and 13 above, the requestor must be informed in writing within 40 days of receipt of the request of the reason(s) for the refusal. If the reason for the refusal is that another data user (e.g. the Education Department) controls the use of the data as to prohibit the school from complying with the request, then the school is required in the notice to the requestor, to provide the name and address of the other data user concerned, be it a Government department or not.

14. If the refusal is due to an applicable exemption relating to security etc.

(section 57) or crime, etc. (section 58) and the data are also exempt from the requirement to confirm whether or not the school as the data user holds the personal data relating to that data subject because the interest protected by that exemption

would likely be prejudiced by such disclosure of the existence or non-existence of the data (section 63), the school may in the notice to the requestor adopt wording along the lines of “I have no personal data the existence of which is required to disclose to you”. Before giving such refusal, schools are advised to refer for details to Appendix II on Exemptions or to the related provisions in the Ordinance.

The Right of Data Correction (section 22 of the Ordinance)

15. Following the supply by the school of a copy of personal data in compliance with a data access request, the requestor is entitled to ask for correction of the personal data concerned if he/she considers that the data are inaccurate. This is done by means of a data correction request to the school. Such a request may also be made by a properly authorised relevant person.

16. If the school, following the receipt of a data correction request but before complying or not with the request, discloses to a third party the personal data to which the request relates, it is the responsibility of the school to, if it is practicable to do so, advise the third party concerned that the data are being considered for correction.

Compliance with Data Correction Request (section 23 of the Ordinance)

17. The steps in compliance with data correction requests are those set out in para 7. If it is satisfied that personal data which are subject to a data correction request are inaccurate, the school shall make the necessary correction and supply the data subject with a copy of the corrected personal data within 40 days of receipt of the request. If it is unable to comply with a data correction request in whole or in part within the 40-day reply period, the school must within such period inform the requestor in writing that it is unable to do so and give the reasons. The school must then fully comply with the request as soon as reasonably practicable after the expiry of the 40-day reply period.

18. If the personal data which are the subject of a data correction request have been disclosed to a third party during the past 12 months before the day of correction of the data and the school has no reason to believe that such a third party has ceased using those data, the school should supply such a third party with a copy of the corrected personal data and a written notice of the reasons for the correction. This requirement does not apply where the third party has obtained the data concerned by inspection of a public register without receipt of a certified copy.

Non-compliance with data Correction Request (section 24 of the Ordinance)

19. The school shall refuse to comply with a data correction request if the requestor is unable to provide sufficient information to identify himself/herself or the person so authorised.

20. The school may also refuse to comply with a data correction request if - (a) the request is not in writing, or it is not in Chinese or English;

(b) he/she is not satisfied that the personal data are inaccurate;

(c) he/she is not provided with sufficient information to ascertain that the personal data are inaccurate;

(d) he/she is not satisfied that the correction provided in the request is accurate; or

(e) any other data user controls the processing of the personal data concerned in such a way that prohibits the school from complying with the request.

Notification of Non-compliance with Data Correction Request (section 25 of the Ordinance)

21. If the school does not comply with a data correction request for any of the reasons set out above, it must inform the data subject concerned by notice in writing with reasons for the refusal within 40 days of receipt of the request. Where a refusal is made under paragraph 21(e), the notice of refusal must include the name and address of the other data user concerned, be it a Government department or not.

22. If a data correction request involves the correction of personal data which is an expression of opinion or an unverifiable fact and the school is not satisfied that the opinion or unverifiable fact is inaccurate, the correction request may be refused. In such circumstances, the school should make a note of the requestor’s proposed “correction”. This should be annexed to the data concerned in such a way that it is drawn to the attention of, or made available for inspection by, any person (including the data user or a third party) who may use such data in future. A copy of the note to the notice of refusal must also be attached.

23. Refusal to comply with a data correction request and the reason(s) for so doing must be entered into the log book.

Erasure of Personal Data no longer required (section 26 of the Ordinance)

24. The school shall erase personal data held where such data are no longer required for the purpose for which they have been used unless the erasure is prohibited under any law or it is in the public interest (including historical interest) for the data not to be erased.

Log Book (section 27 of the Ordinance)

25. The school shall keep and maintain a log book of refusals to comply with data access and correction requests.

26. To enable you to better understand the Ordinance, a set of questions and answers is attached at Appendix IV.

Appendix 1

Data Protection Principles (schedule 1 of the Ordinance)

1. Principle 1 - purpose and manner of collection of personal data (1) Personal data shall not be collected unless -

(a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;

(b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and

(c) the data are adequate but not excessive in relation to that purpose.

(2) Personal data shall be collected by means which are - (a) lawful; and

(b) fair in the circumstances of the case.

(3) Where the person from whom personal data are or are to be collected is the data subject, all practicable steps shall be taken to ensure that -

(a) he is explicitly or implicitly informed, on or before collecting the data, of -

(i) whether it is obligatory or voluntary for him to supply the data;

and

(ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and

(b) he is explicitly informed -

(i) on or before collecting the data, of -

(A) the purpose (in general or specific terms) for which the data are to be used; and

(B) the classes of persons to whom the data may be transferred; and

(ii) on or before first use of the data for the purpose for which they were collected, of -

(A) his rights to request access to and to request the correction of the data; and

(B) the name and address of the individual to whom any such request may be made,

unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data were collected and that purpose is specified in Part VIII of this Ordinance as a purpose in relation to which personal data are exempt from the provisions of data protection principle 6.

2. Principle 2 - accuracy and duration of retention of personal data (1) All practicable steps shall be taken to ensure that -

(a) personal data are accurate having regard to the purpose (including any directly related purpose) for which the personal data are or are to be used;

(b) where there are reasonable grounds for believing that personal data are inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used;

(i) the data are not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or

(ii) the data are erased;

(c) where it is practicable in all the circumstances of the case to know that -

(i) personal data disclosed on or after the appointed day to a third party are materially inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used by the third party; and

(ii) that data were inaccurate at the time of such disclosure;

that the third party -

(A) is informed that the data are inaccurate; and

(B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.

(2) Personal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data are or are to be used.

3. Principle 3 - use of personal data

Personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than -

(a) the purpose for which the data were to be used at the time of the collection of the data; or

(b) a purpose directly related to the purpose referred to in paragraph (a).

4. Principle 4 - security of personal data

All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorised or accidental access, processing, erasure or other use having particular regard to -

(a) the kind of data and the harm that could result if any of those things should occur;

(b) the physical location where the data are stored;

(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;

(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and

(e) any measures taken for ensuring the secure transmission of the data.

5. Principle 5 - information to be generally available

All practicable steps shall be taken to ensure that a person can -

(a) ascertain a data user’s policies and practices in relation to personal data;

(b) be informed of the kind of personal data held by a data user;

(c) be informed of the main purposes for which personal data held by a data user are or are to be used.

6. Principle 6 - access to personal data A data subject shall be entitled to -

(a) ascertain whether a data user holds personal data of which he is the data subject;

(b) request access to personal data - (i) within a reasonable time;

(ii) at a fee, if any, that is not excessive;

(iii) in a reasonable manner; and (iv) in a form that is intelligible.

(c) be given reasons if a request referred to in paragraph (b) is refused;

(d) object to a refusal referred to in paragraph (c);

(e) request the correction of personal data;

(f) be given reasons if a request referred to in paragraph (e) is refused; and (g) object to refusal referred to in paragraph (f).

Appendix II Exemptions

1. Domestic Purposes

Personal data held by an individual and concerned only with the management of his personal, family or household affairs or for recreational purposes are exempt from the provisions of the data protection principles.

2. Staff Planning

Personal data which consist of information relevant to any staff planning proposal to fill two or more positions or cease the employment of two or more individuals are exempt from subject access until decision have been made on the proposals.

3. Transitional Employment Provisions

Employment-related personal data held by a data user - who is the employer of the data subject immediately before the appointed day, and

provided by an individual on the implicit or explicit condition that the subject would not have access to the data

are exempt from subject access up to and including 2 August 2002.

This exemption may apply only to personal data of serving staff. It is not applicable to personal data of staff who have retired, resigned or otherwise left the school.

4. Relevant Process

Personal data which is the subject of an evaluative process are exempt from subject access until the completion of that process. As a consequence, a data access or correction request cannot be made in respect of personal data held for the purposes of an employment-related evaluative process (including, for example, a recruitment exercise, promotion, renewal of agreement and disciplinary proceedings). A data access request may be made as soon as the evaluative process has been completed.

5. Personal References

Personal data consisting of a reference given by an individual other than in the normal course of his occupation and relevant to another individual’s suitability or otherwise to fill a particular position are exempt from subject access until the individual has been notified in writing of the outcome of his application, unless the referee has given

into operation is exempted from subject access indefinitely, unless the individual who gave the reference has consented to its disclosure.

6. Security, etc. in respect of Hong Kong

Personal data held by or on behalf of the Government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong are exempt from the provisions of data protection principle 6 and section 18(1)(b) of the Ordinance where the application of those provisions to the data would be likely to prejudice any of the matters referred to in this subsection.

7. Exemption of Crime, etc.

Personal data held for the purpose of the prevention or detection of crime, the apprehension, prosecution or detention of offenders, the assessment or collection of any tax or duty, the prevention of unlawful or seriously improper conduct, etc. are exempt from the provisions of data protection principle 6 and section 18(1)(b) of the Ordinance where the application of those provisions to the data would be likely to (a) prejudice any of the matters referred to in this subsection, or

(b) directly or indirectly identify the person who is the source of the data.

8. Health

Personal data relating to the physical or mental health of the data subject are exempt from the provisions of either or both of -

(a) data protection principle 6 and section 18(1)(b) of the Ordinance;

(b) data protection principle 3,

in any case in which the application of those provision to the data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.

9. Professional Privilege

Personal data are exempt from the provisions of data protection principle 6 and section 18(1)(b) of the Ordinance if the data consist of information in respect of which a claim to legal professional privilege could be maintained in law.

10. News

Personal data held by a data user, whose business consists of a news activity, solely for the purpose of that activity are exempt from the provisions of data protection principle 6 and section 18(1)(b) of the Ordinance unless and until the data are published or broadcast.

Personal data are exempt from the provisions of data protection principles 3 in any case in which -

(a) the use of the data consists of disclosing the data to a data user referred; and

(b) such disclosure is made by a person who has reasonable grounds to believe that the publishing or broadcasting of the data is in the public interest.

11. Statistics and Research

Personal data are exempt from the provisions of data protection principle 3 where - (a) the data are to be used for preparing statistics or carrying out research;

(b) the data are not to be used for any other purposes; and

(c) the resulting statistics or results of the research are not made available in a form which identifies the data subjects or any of them.

Appendix III

Personal Data (Privacy) Ordinance Requests on Data Access/Correction

School Log Book

Request number

File reference

Date request received

Information or action requested

Name of Data Subject

Reply Date In case of refusal, state reason(s) here

Appendix IV

(The followings are for general reference only. In case of doubt. legal advice should be sought)

Questions and Answers

Q.1 How would access to personal data for minors be handled? If a separated parent requests information of their biological child whom they do not have custodian rights, should his/her request be acceded to?

Ans. If an individual is a minor (whose age is below 18), a person who has parental responsibility for the minor can request for data access/correction on behalf of the minor. Therefore, we may decline a separated parent’s request on information of their child whom they do not have custodian rights.

Q.2 As the Ordinance allows a relevant person who has parental responsibility for a minor to have access and the right to correct personal data of the minor, does it mean that a minor does not have the right to refuse the disclosure of his/her own data to his/her parent who is the relevant person?

Ans. If the minor objects to the disclosure of his/her data to his/her parents, it cannot be said that his/her parent is acting on behalf of the minor. Consent of the data subject is a change of the purpose that the data user collected it for.

Disclosure to the parents of a minor seems to be a change of the purpose because the data was presumably collected for education record of the minor.

Therefore, consent of the minor is required. The question of minors’ rights to confidentiality was addressed in a precedent case which concerns contraceptive advice and treatment given by a doctor to a female minor. The gist of the House of Lords’ decision is that the mature minor has a right of confidentiality when the exercise of that right is in her best interests. It must, however, be emphasised that, throughout the case, an obligation was firmly imposed on the doctor to attempt to persuade the girl to inform her parents or to allow him to do so. Applying the principles in this precedent case, if the minor objects to disclosure of his/her education records to his/her parents, we may decline the minor’s parents’ request for a copy of the minor’s records provided that the minor is competent and has sufficient understanding of what is involved and it is in the minor’s best interest not to grant his/her parents access to his/her education records, and we have made attempt to persuade the minor to agree to the release of his/her education record to his/her parents. Again, exemption is accorded under section 59 of the Ordinance where its application to the data would cause serious harm to the physical or mental health of the minor.

Q.3 There are occasions of suspected child abuse where the teacher may have to disclose or transfer the personal information to other parties (e.g. Social Welfare Department and Police etc.) without prior consent of the data subject and/or his/her guardian. Similarly, how would we respond to request by other departments (e.g. Police and Legal Department etc.) to have access to our students’ personal records?

Ans. The personal data should be used, disclosed or transferred for the purpose of a directly related purpose for which they were collected. Yet, the Ordinance provides specific exemptions from the requirements of the Ordinance where their application is likely to prejudice certain competing public or social interests, such as: security, defence and international relations; prevention or detection of crime; assessment or collection of any tax or duty; news activities; and health etc. Legal advice should however be sought if it is proposed to disclose personal data to a third party by applying any of these exemptions.

Q.4 For some referral cases, for example, the parents presumably know that they have to provide the necessary information in order that our staff can provide assistance to their children. Is it necessary and practicable for our staff to inform each parent clearly about the purpose and other information in relation to the collection of personal data in the brief encounter with parents?

Ans. The answer is “Yes”. The Ordinance requires us to provide the purpose and other relevant information to the parents before any personal data is collected from them. Measures should be taken to ensure that the information given is accurate and up-to-date at all times. Acceptable arrangements for informing parents of these matters include displaying notices prominently at the appropriate locations where the information is collected such as the counter at which forms are submitted, printing on forms to be filled by the parents, attaching a slip to the form, or other means of displaying the information in places where the parents can easily see when the personal data are collected from them.

Q.5 What is the rationale for refusing a data access request if two or more similar requests have been made previously?

Ans. We may refuse to comply with a data access request if it follows two or more similar requests made and it is unreasonable in all the circumstances for us to comply. For example, if there is no change in data, similar/repeated requests for data access within a short period of time may be regarded as unreasonable. In fact, the provision of the Ordinance aims to allow us a greater flexibility when performing our daily duties in compliance with the Ordinance. It is up to the subject officer to exercise his/her discretion on whether the data access request is ‘reasonable’ on a case by case basis.

Q.6 A data subject is entitled to correct personal data, however, it would seem unreasonable to give individuals the right to change the medical opinion given by doctors, or alter laboratory results. Is it appropriate to inform data subjects that they could request correction of personal particulars that they provide, but not the medical records under their names?

Ans. It is not advisable to inform data subjects that they could request correction of personal particulars but not all medical records under their names at the time of collection. In the Ordinance, data is defined to include expression of opinion and it is therefore the intention of legislature that opinion be also subject of the Ordinance. There are circumstances under which we may refuse a data correction request and section 59 also provides an exemption from the requirement of the Ordinance where its application to the data would cause serious harm to the physical or medical health of the data subject.

Therefore, it is advisable for us to deal with a data correction request as and when it is made and not generalize at the outset that medical records other than personal particulars could not be corrected. The correction request is of course made only when there is certification from the medical practitioners.

Q.7 With regard to the correction of personal data which have been disclosed to a third party, is there any discretion for not doing so depending on the purpose of such disclosure? e.g. those of a temporary nature. Also, in situations where the third party would have conducted its own collection of data, should it be up to the data subject to initiate correction if considered necessary e.g.

referral of students for other services?

Ans. If the data user has reason to believe that the third party has ceased using those data for the purpose (including any directly related purpose) for which the data were disclosed to the third party, the data user can exercise discretion for not notifying the third party of such correction. In addition, the Ordinance only requires the data user to give correction notification to a third party by the data user during the past 12 months. Therefore, it is not necessary to give correction notification to a third party if such data were, in the first place, not provided by the data user.

Q.8 If the data subject requests correction on personal particulars which were provided by the data subject in the first place, is the school required to supply the data subject with a copy of the corrected data? Is the copy to be provided free of charge?

Ans. The ordinance only requires the school to supply the data subject with a copy of the corrected data if the data correction request is made as a result of a data access request. The Ordinance has not specified any similar requirement for correction request initiated by the data subject on personal particulars which

are provided by them in the first place. Regarding the charges, a data user may impose a fee for complying with data access request on the condition that the fee imposed should not be excessive. However, a data user shall not impose a fee for complying/refusing a data correction request.

Q.9 At present, the exchange of information between schools/universities for providing academic records of students is without the prior consent of the students. Please advise how such practice can be continued but in compliance with the Ordinance.

Ans. The Ordinance requires us to take all practicable steps to inform the students of the purposes(s) of collection and to whom the data may be transferred to before any information is collected from them. We should of course make the corresponding arrangement to comply with such arrangement. Otherwise, the student’s consent must be obtained prior to the disclosure.

Q.10 As the Ordinance requires us to inform the data subject of the purpose(s) of collection and to whom the data may be transferred to prior to any information is collected from them, whether the data subject should also be informed of potential use of personal data collected?

Ans. The Ordinance requires us to inform the data subject of the purpose(s) of collection and to whom the data may be transferred to before any information is collected from them. Unless prior consent has been obtained from the data subject, the personal data should only be used, disclosed or transferred for the purposes or a directly related purposes for which they were collected. It is therefore advisable to inform the data subject of those potential uses of the data (can be in general or specific terms) as the class of person to whom the data may be transferred to would also be effected.

However, there are also circumstances that the requirement to inform the students of those potential uses does not apply if to inform him would prejudice the purpose for which the data were collected and that purpose is specified as one purpose for exemption from the requirement of the Ordinance. For example, the primary purpose of collecting personal data such as health condition of a student is for the attention of special care by the teachers. But if a student is found to have a disease that the student may refuse to supply his personal data if he is informed of possible disclosure to officers responsible for control of communicable diseases, which would prejudice continuation of care i.e. his health which is specified in Section 59 as a purpose in relation to which personal data are exempt from the Ordinance, the requirement to inform the student of the potential use does not apply.

Q.11 Are foreign workers covered by the provisions of the Personal Data (Privacy) Ordinance?

Ans. So long as a person is subject to Hong Kong law, the provisions of the Personal Data (Privacy) Ordinance will apply to such an individual. As the vast majority of foreign workers are governed by the law of Hong Kong, personal data held in respect of such workers is protected under the provisions of the Ordinance, By way of partial exception, personal data relating to foreign domestic helpers may be exempted under the domestic purposes exemption.

Q.12 What are the implications of unknowingly holding personal data which is inaccurate, which has been held for some time and which has not been updated by data subjects concerned?

Ans. Data protection principle 2 expressly requires that a data user must take all reasonably practicable steps to ensure that personal data is accurately held. In such circumstances, it is the responsibility of a data user, and not a data subject, to ensure that data remains accurate for the duration that it is held.

The duty to maintain accurate data is not absolute, in so far as a data user must take whatever steps that are reasonably practicable to ensure such accuracy. For example, personal data is liable to change frequently (e.g. data subject’s address) will need to be updated more frequently than data (e.g. data subject’s birth date) which is not liable to such change. Although the Personal Data (Privacy) Ordinance recognises certain limited defences which will negate the liability of data users for holding inaccurate data, the fact that a data user unknowingly holds inaccurate data is not an excuse.

Q.13 If data subject A authorises B to make a data access request on his behalf and B authorises C to collect the copy of personal data concerned, should the data user give the data to C?

Ans. Yes, assuming of course that the data user is satisfied that B and C have been duly authorised by A and B respectively.

C is merely a messenger in this case and in handing over the copies of personal data to him, the data user should ensure that C would not have access to the data (as distinct from the packet or envelop containing the data).

This may be done, for example, by putting the photocopies, tapes or diskettes containing the data in a sealed envelope. The example should be distinguished from another one where B, after being authorised by the subject A, in turn authorises C to make a data access request on behalf of A. In this case, C is not a “relevant person”, as defined in section 2(1), in relation to A and therefore, has no right to make the request on behalf of A. The data user should refuse C’s request.