Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data can be collected only for lawful purposes that are directly related to a data user’s function or activity. The personal data that is collected must not exceed that which is necessary for such purpose or a directly related purpose.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Data users should retain personal data for no longer than is necessary to fulfil the original collection purpose or a directly related purpose, unless any deletion of the personal data is prohibited by law or it is in the public interest for the personal data to be retained (eg, historical interest).

While there is no retention period specified under the Personal Data (Privacy) Ordinance (Chapter 486), data users should take into account the privacy commissioner’s various guidelines on data retention and the data retention requirements imposed under other statutes or by industry-specific regulators. For example, under the Code of Practice on Human Resource Management (issued by the privacy commissioner in April 2016), employee personal data should be retained for no longer than seven years from the date on which the employment ended. In addition, any personal data pertaining to job applicants should be retained for no longer than two years from the date on which the applicant was rejected.

Data users often retain personal data for the limitation period within which a claim can be brought by or against them in relation to the data subject – retention for any longer may be difficult for a data user to justify.

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have the right to request access to their personal data to determine whether an organisation holds their personal data. Individuals also have the right to obtain a copy of the personal data (subject to certain exceptions).

Do individuals have a right to request deletion of their data?

There is no express right under the Personal Data (Privacy) Ordinance (Chapter 486) for individuals to request deletion of their personal data. However, individuals have the right to request the correction of their personal data held by a data user, and data users must not retain personal data for longer than is necessary to fulfil the original collection purpose or a directly related purpose. In addition, individuals have the right to request that data users cease using their personal data for certain purposes (eg, direct marketing purposes), which the data user must comply with.

Consent obligations
Is consent required before processing personal data?

Prior express consent is required before personal data can be processed if the personal data will be used or transferred for direct marketing purposes.

If the personal data will be used for any other purpose, consent is required only if the personal data will be used or transferred in a manner that is not covered by the original collection purpose (as communicated to the individual at the time of collection) or a directly related purpose, unless an exemption applies.

If consent is not provided, are there other circumstances in which data processing is permitted?

Personal data can be processed and used without consent if one of the following exemptions applies:

  • The personal data will be used for one of the following purposes and obtaining consent will likely prejudice such purpose:
    • the prevention or detection of a crime;
    • the apprehension, prosecution or detention of offenders;
    • the assessment or collection of any tax or duty;
    • the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct or dishonesty or malpractice by individuals;
    • the prevention or preclusion of significant financial loss arising from imprudent business practices or activities of persons, or the unlawful or seriously improper conduct or dishonesty or malpractice by persons; or
    • the determination of whether the data subject’s character or activities are likely to have a significantly adverse impact on anything to which the discharge of statutory functions by the data user relates;
  • The personal data relates to a data subject’s identity, physical or mental health or location and obtaining consent would likely cause serious harm to the data subject’s physical or mental health or that of another individual;
  • The personal data is required in connection with any legal proceedings in Hong Kong or to establish, exercise or defend any legal rights in Hong Kong; or
  • The personal data will be transferred or disclosed by a data user for the purposes of due diligence relating to a business transaction for the transfer of the business or property of or shares in the data user, or an amalgamation of the data user with another body. However, this is subject to the primary purpose of the proposed business transaction not being the transfer, disclosure or provision of personal data for gain, as well as other requirements imposed by the Personal Data (Privacy) Ordinance (Chapter 486).

What information must be provided to individuals when personal data is collected?

On or before the collection of an individual’s personal data, data users must notify the individual of:

  • the purpose for which the individual’s data is to be collected and used;
  • the classes of person to which the data may be transferred;
  • whether the provision of the individual’s personal data is mandatory or voluntary and, if mandatory, the consequences of failure to do so;
  • the individual’s right to request access to and correction of the personal data; and
  • the name or job title and address of the person whom the individual should contact to request access to or correction of the personal data.

Further notification and consent requirements apply if the personal data will be used for direct marketing purposes. In order to obtain valid consent from an individual for the use or transfer of his or her personal data for direct marketing purposes, a data user must notify the individual of:

  • its intention to use or transfer the personal data for direct marketing purposes and the fact that it may not do so without the individual’s consent;
  • the type of personal data to be used or transferred;
  • the categories of goods, facilities or services that will be offered or advertised (or the purpose for which donations or contributions are being solicited); 
  • the classes of transferee that will be using the personal data for direct marketing purposes (if any), the categories of goods or services that may be marketed by the transferees and whether the data user is transferring the personal data in return for gain; and
  • how the individual can communicate his or her consent without any charge.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The consent and notification rules set out above (under "Consent obligations") apply in respect of a transfer of personal data to any third party, whether inside or outside Hong Kong.

No specific restrictions are currently in force regarding the transfer of personal data overseas. Section 33 of the Personal Data (Privacy) Ordinance (Chapter 486) – which restricts the transfer of personal data outside Hong Kong – is yet to be enacted.

In 2014 the privacy commissioner issued a non-mandatory guidance note on Personal Data Protection in Cross-border Data Transfers, which provides recommendations on the cross-border transfer of personal data outside Hong Kong, including how to obtain a data subject's consent.

Are there restrictions on the geographic transfer of data?

Please see above.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If a data user engages a third party to process data on its behalf (ie, a data processor), the data user must adopt contractual or other means to prevent:

  • personal data that is transferred to the data processor from being kept for longer than is necessary for the processing of such personal data; and
  • any unauthorised or accidental access, processing, deletion, loss or use of the personal data that is transferred to the data processor.

In September 2012 the privacy commissioner also issued guidelines on Outsourcing the Processing of Personal Data to Data Processors. While the guidelines are non-mandatory, failure to comply may be taken into account by the privacy commissioner when assessing whether a breach of the Personal Data (Privacy) Ordinance (Chapter 486) has occurred.

The guidelines include recommendations on the provisions that should be included in the agreement between a data user and data processor. For example, the agreement should:

  • require the data processor to notify the data user in the event of any suspected unauthorised disclosure, use or loss of the personal data;
  • prohibit the data processor from using the personal data for any purpose other than the purpose for which it was provided; and
  • specify the security measures that the data processor must implement to protect the personal data.