Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Yes. A data user may collect personal data from data subjects only if:

  • the personal data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the personal data;
  • the collection of personal data is necessary for and directly related to that purpose; and
  • the personal data is adequate, but not excessive concerning that purpose.

When collecting personal data directly from a data subject, the data user is also subject to certain notification requirements, unless an exemption applies.

Also, consent is required if the personal data will be used or transferred for direct marketing purposes, or for any other purpose that is not covered by the original collection purpose (as notified to the individual at the time of collection) or a directly related purpose unless an exemption applies.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

There is no concept of sensitive personal data in the Personal Data (Privacy) Ordinance and there are no additional restrictions specifically imposed on sensitive personal data. However, the Privacy Commissioner for Personal Data has published guidelines regarding the collection and use of certain personal data that will require special attention. These include Hong Kong identity cards, biometric data and consumer credit data. These guidelines generally highlight the need for caution when handling these categories of personal data and set out practical guidance on the proper collection and use of such data.

In addition, there are certain industry-specific requirements imposed by the relevant regulators in respect of customer data held by regulated entities. For instance, the Hong Kong Monetary Authority has issued several circulars and guidelines relating to the protection and confidentiality of customer data that apply to all licensed banks regulated under the Banking Ordinance (Cap 155). Similar guidelines have also been issued by regulators in other sectors of the financial industry such as the Insurance Authority and the Securities and Futures Commission.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes. Notification obligations apply where personal data is collected directly from a data subject. On or before the collection of personal data from a data subject, the data user must:

  • inform the data subject as to whether the data subject is obligated to supply the personal data and, if the data subject is obligated to supply it, the consequences of him or her failing to supply the personal data;
  • inform the data subject on or before collecting the personal data as to the purpose for collecting the personal data and the classes of persons to whom the data may be transferred; and
  • inform the data subject of his or her right to request and receive access to the data collected, and the name or job title and address of the individual who is to handle any such data access or correction request.

Additional notification requirements will apply if the personal data will be used for direct marketing purposes.

Exemption from notification

When is notice not required?

Notice is not required if the personal data was not collected directly from the data subject or the data was anonymised and it is not possible to re-identify the data subject (since such data will not constitute personal data under the Personal Data (Privacy) Ordinance (PDPO)).

Where personal data is collected directly from the data subject for certain stipulated purposes, notice is also not required if the provision of such notice would likely prejudice these purposes. These exempted purposes include:

  • identifying an individual who is reasonably suspected to be, or is, involved in a life-threatening situation;
  • emergency relief;
  • prevention or detection of crime;
  • assessment or collection of any tax or duty;
  • prevention or remedying of unlawful or seriously improper conduct or dishonesty by persons; and
  • ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on anything to which the discharge of statutory functions by the data user relates.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

In general, there is no express requirement under the PDPO for data users to offer data subjects a degree of choice or control over the use of their personal data, save that:

  • the data subjects’ consent must be obtained if their personal data will be used for a new purpose not directly related to the original purpose of the collection;
  • where personal data is used for direct marketing purposes for the first time, the data user has to inform the data subjects of their right to opt out at any time and the means to do so; and
  • data subjects have the right, at any time, to ask a data user to cease using or transferring their personal data for direct marketing purposes, and the data user must comply with such requests.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

The PDPO requires data users to take all practicable steps to ensure that personal data is accurate regarding the purpose for which it is to be used. Data subjects also have the right to request correction of their personal data held by a data user. If personal data is found to be inaccurate, data users should either rectify or erase the data.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Under the PDPO, data users must take all practicable steps to ensure that personal data is not held longer than is necessary to fulfil the purpose (or a directly related purpose) for which the personal data was collected, and is erased when no longer required for such purposes unless any such erasure of the personal data is prohibited by law or the retention of the data is in the public interest (for instance, historical interest).

Also, where data users engage data processors, they must adopt contractual or other means to prevent their data processors from keeping personal data longer than is necessary for processing the data.

While the PDPO does not stipulate any retention periods for personal data, data users should refer to the requirements under other statutes and various guidelines issued by the Privacy Commissioner for Personal Data (PCPD) and other industry-specific regulators. For instance, the PCPD’s Code of Practice on Human Resource Management provides that employers may retain the personal data of an employee for up to seven years after the end of the employee’s employment unless there is a subsisting reason that requires the employer to hold the data for a longer period, or the data is necessary for the employer to comply with contractual or legal obligations.

On the other hand, the PDPO does not restrict the amount of personal data that may be held by a data user as long as the amount of personal data collected fulfils the threshold requirements for data collection. A data user may collect personal data from data subjects only if:

  • the personal data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the personal data;
  • the collection of personal data is necessary for and directly related to that purpose; and
  • the personal data is adequate, but not excessive concerning that purpose.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes. Personal data may not be used for any purpose other than the data user’s stated purpose (or a directly related purpose) for which the personal data was to be used at the time of collection unless the data subject’s express consent is obtained.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Yes. Any use of personal data for new purposes requires the prescribed consent of the data subject concerned.

There are certain exceptions to the consent requirement. These exceptions include:

  • where the personal data will be used for one of the following purposes and obtaining consent will likely prejudice such purpose:
    • the prevention or detection of a crime;
    • the apprehension, prosecution or detention of offenders;
    • the assessment or collection of any tax or duty;
    • the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct or dishonesty or malpractice by individuals;
    • the prevention or preclusion of significant financial loss arising from imprudent business practices or activities of persons, or the unlawful or seriously improper conduct or dishonesty or malpractice by persons; or
    • the determination of whether the data subject’s character or activities are likely to have a significantly adverse impact on anything to which the discharge of statutory functions by the data user relates;
  • where the personal data relates to a data subject’s identity, physical or mental health or location and obtaining consent would likely cause serious harm to the data subject’s physical or mental health or that of another individual;
  • where the personal data is required in connection with any legal proceedings in Hong Kong or to establish, exercise or defend any legal rights in Hong Kong; or
  • where the personal data will be transferred or disclosed by a data user for due diligence relating to a business transaction for the transfer of the business or property of or shares in the data user, or an amalgamation of the data user with another body; this is subject to the primary purpose of the proposed business transaction not being the transfer, disclosure or provision of personal data for gain, as well as other requirements imposed by the PDPO.

Law stated date

Correct on

Give the date on which the information above is accurate.

26 May 2021.