Legislative Texts
PERSONAL DATA (PRIVACY) ORDINANCE
Chapter 486
Long title
An Ordinance to protect the privacy of individuals in relation to personal data, and to provide for
Short title and commencement
(1) This Ordinance may be cited as the Personal Data (Privacy) Ordinance.
(2) This Ordinance shall come into operation on a day to be appointed by the Secretary for Home Affairs by notice in the Gazette.
(Enacted 1995)
Section 2 Interpretation
(1) In this Ordinance, unless the context otherwise requires“act” includes a deliberate omission; “adverse action”, in relation to an individual, means any action that may adversely affect the
individual’s rights, benefits, privileges, obligations or interests (including legitimate expectations); “appointed day” means the day appointed under section 1(2) ; “approved code of practice” means a code of practice approved under section 12 ; “code of practice” includes - (a)
- a standard;
- (b)
- a specification; and
- (c)
- any other documentary form of practical guidance;
Legislative Texts
“Commissioner” means the Privacy Commissioner for Personal Data established under section 5(1) ;
“Committee” means the Personal Data (Privacy) Advisory Committee established under section 11(1) ;
“complainant” means the individual, or the relevant person on behalf of an individual, who has made a complaint;
“complaint” means a complaint under section 37 ;
“correction”, in relation to personal data, means rectification, erasure or completion;
“daily penalty” means a penalty for each day on which the offence is continued after conviction therefor;
“data” means any representation of information (including an expression of opinion) in any document, and includes a personal identifier;
“data access request” means a request under section 18 ;
“data correction request” means a request under section 22(1) ;
“data protection principle” means any of the data protection principles set out in Schedule 1;
“data subject”, in relation to personal data, means the individual who is the subject of the data;
“data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data;
“data user return” means a data user return referred to in section 14(4) ;
“disclosing”, in relation to personal data, includes disclosing information inferred from the data;
“document” includes, in addition to a document in writing - (a) �
- a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and
- (b) �
- a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device;
“employment” means employment under
- (a) �
- a contract of service or of apprenticeship; or
(b) a contract personally to execute any work or labour; and related expressions shall be construed accordingly;
“enforcement notice” means a notice under section 50(1) ;
“financial regulator” means any of - (a) �
- the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66);
- (b) �
- the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap 24);
Legislative Texts - (c) �
- a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250) or a recognized clearing house within the meaning of the Securities and Futures (Clearing Houses) Ordinance (Cap 420);
- (d) �
- the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250);
- (e) �
- the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap 361);
- (f) �
- the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41);
- (g) �
- the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426);
(ga) �the Mandatory Provident Fund Schemes Authority established by section 6 of the Mandatory Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14)
- (h) �
- a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition;
“inaccurate”, in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete;
“inspection” means an inspection under section 36 ;
“investigation” means an investigation under section 38 ;
“log book”, in relation to a data user, means the log book kept and maintained by the data user under section 27(1) ;
“matching procedure” means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison - (a) �
- is (whether in whole or in part) for the purpose of producing or verifying data that; or
- (b) �
- produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data,
may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects;
“matching procedure request” means a request under section 31(1) ;
“personal data” means any data - (a) �
- relating directly or indirectly to a living individual;
- (b) �
- from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- (c) �
- in a form in which access to or processing of the data is practicable;
“personal data system” means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system;
“personal identifier” means an identifier-
Legislative Texts
(a) �that is assigned to an individual by a data user for the purpose of the operations of the user; and
(b) �that uniquely identifies that individual in relation to the data user, but does not include an individual’s name used to identify that individual; “practicable” means reasonably practicable; “prescribed officer” means a person employed or engaged under section 9(1) ; “processing”, in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; “register” means the register of data users kept and maintained by the Commissioner under
section 15(1) ; “relevant data user”, in relation to - (a) �
- an inspection, means the data user who uses the personal data system which is the subject of the inspection;
- (b) �
- a complaint, means the data user specified in the complaint;
- (c) �
- an investigation
- (i) �
- in the case of an investigation initiated by a complaint, means the data user specified in the complaint;
- (ii) �
- in any other case, means the data user the subject of the investigation;
- (d)
- an enforcement notice, means the data user on whom the notice is served;
�“relevant person”, in relation to an individual (howsoever the individual is described), means - (a) �
- where the individual is a minor, a person who has parental responsibility for the minor;
� - (b) �
- where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs;
- (c) �
- in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual;
“requestor”, in relation to
- (a) �
- a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request;
- (b)
- a matching procedure request, means the data user who has made the request;
�“specified”, in relation to a form, means specified under section 67 ;
�“third party”, in relation to personal data, means any person other than - (a) �
- the data subject;
- (b) �
- a relevant person in the case of the data subject;
- (c) �
- the data user; or
- (d) �
- a person authorized in writing by the data user to collect, hold, process or use the data
- (i) �
- under the direct control of the data user; or
- (ii) �
- on behalf of the data user;
Legislative Texts
“use”, in relation to personal data, includes disclose or transfer the data;
“would be likely to prejudice” includes would prejudice. - (2)
- For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of “relevant person” shall not be construed
- (a) �
- to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual;
- (b) �
- to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual.
- (3)
- Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent
- (a) �
- means the express consent of the person given voluntarily;
- (b) �
- does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).
- (4)
- Subject to section 64(10) , it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)
- (a) �
- has contravened a requirement under this Ordinance; or
- (b) �
- is contravening a requirement under this Ordinance, includes
- (i) �
- where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle;
- (ii) �
- where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle.
- (5)
- Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly.
- (6)
- Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1.
- (7)
- The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of “financial regulator”. (Amended 34 of 1999 s. 3)
- (8)
- It is hereby declared that a notice under subsection (7) is subsidiary legislation.
- (9)
- Where a person
- (a) �
- holds any office, engages in any profession or carries on any occupation; and
- (b) �
- is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation,
Legislative Texts
then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. - (10)
- Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies.
- (11)
- Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders.
- (12)
- A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes.
- (13)
- For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3)
(Enacted 1995)
Section 4 Data protection principles
A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance.
(Enacted 1995)
PART II ADMINISTRATION
Section 5 Establishment, etc. of Privacy Commissioner for Personal Data
* See Decision of the Standing Committee of the National People's Congress on Treatment of the Laws Previously in Force in Hong Kong in accordance with Article 160 of the Basic Law of the Hong Kong Special Administrative Region of the People's Republic of China, which is published in volume 1, p. 11/1.
Legislative Texts
Remarks:
Adaptation amendments retroactively made—see 34 of 1999 s. 3 - (1)
- For the purposes of this Ordinance, there is hereby established an office by the name of the Privacy Commissioner for Personal Data.
- (2)
- The Commissioner shall be a corporation sole with perpetual succession and
- (a) �
- shall have and may use a seal; and
- (b) �
- shall be capable of suing and being sued.
- (3)
- The Chief Executive shall, by notice in the Gazette, appoint a person to be the Commissioner. (Amended 34 of 1999 s. 3)
- (4)
- Subject to subsection (5) , the person appointed to be the Commissioner shall hold office for a period of 5 years and shall be eligible for reappointment for not more than 1 further period of 5 years.
- (5)
- The person appointed to be the Commissioner may
- (a) �
- at any time resign from his office by notice in writing to the Chief Executive; or
- (b) �
- be removed from office by the Chief Executive with the approval by resolution of the Legislative Council on the ground of
- (i) �
- inability to perform the functions of his office; or
- (ii) �
- misbehaviour. (Amended 34 of 1999 s. 3)
- (6)
- The Chief Executive shall determine- (Amended 34 of 1999 s. 3)
- (a) �
- the emoluments; and
- (b)
- the terms and conditions of appointment, of the person appointed to be the Commissioner.
(7) The provisions of Schedule 2 shall have effect with respect to the Commissioner.
- (8)
- Subject to subsection (9) , the Commissioner shall not be regarded as a servant or agent of the Government or as enjoying any status, immunity or privilege of the Government.
- (9)
- The person appointed to be the Commissioner shall be deemed to be a public servant
- (a) �
- within the meaning of section 2 of the Prevention of Bribery Ordinance (Cap 201); and
- (b) �
- for the purposes of that Ordinance. (Enacted 1995)
Section 6
�Commissioner to hold no other office
�
Remarks:
Adaptation amendments retroactively made—see 34 of 1999 s. 3
The person appointed to be the Commissioner shall not, without the specific approval of the Chief Executive- (Amended 34 of 1999 s. 3)
Legislative Texts (a) | hold any office of profit other than his office as Commissioner; or | |
(b) | engage in any occupation for reward outside the functions of his office. | |
| | (Enacted 1995) |
Section 7
�Filling of temporary vacancy
�
Remarks:
Adaptation amendments retroactively made—see 34 of 1999 s. 3 - (1)
- Where the person appointed to be the Commissioner
- (a)
- dies;
- (b)
- resigns;
- (c)
- is removed from office;
- (d)
- is absent from Hong Kong; or
- (e)
- is for any other reason unable to perform the functions of his office,
then the Chief Executive may, by notice in writing, appoint a person to act as the Commissioner until, as the case requires-(Amended 34 of 1999 s. 3) - (i)
- a new Commissioner is appointed under section 5(3) ; or
- (ii)
- the Commissioner resumes his office.
- (2)
- A person appointed under subsection (1) to act as the Commissioner, whilst he is so appointed
(a) shall perform the functions; and
- (b)
- may exercise the powers, of the Commissioner under this Ordinance.
- (3)
- Section 6 shall apply to a person appointed under subsection (1) to act as the Commissioner as if that person were the Commissioner.
(Enacted 1995)
Section 8 Functions and powers of Commissioner
Remarks:
Adaptation amendments retroactively made—see 34 of 1999 s. 3 - (1)
- The Commissioner shall
- (a)
- monitor and supervise compliance with the provisions of this Ordinance;
Legislative Texts - (b) �
- promote and assist bodies representing data users to prepare, for the purposes of section 12 , codes of practice for guidance in complying with the provisions of this Ordinance, in particular the data protection principles;
- (c) �
- promote awareness and understanding of, and compliance with, the provisions of this Ordinance, in particular the data protection principles;
- (d) �
- examine any proposed legislation (including subsidiary legislation) that the Commissioner considers may affect the privacy of individuals in relation to personal data and report the results of the examination to the person proposing the legislation;
- (e) �
- carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations;
- (f) �
- for the better performance of his other functions, undertake research into, and monitor developments in, the processing of data and computer technology in order to take account of any likely adverse effects such developments may have on the privacy of individuals in relation to personal data;
- (g) �
- liaise and co-operate with any person in any place outside Hong Kong
- (i) �
- performing in that place any functions which, in the opinion of the Commissioner, are similar (whether in whole or in part) to any of the Commissioner’s functions under this Ordinance; and
- (ii) �
- in respect of matters of mutual interest concerning the privacy of individuals in relation to personal data; and
- (h) �
- perform such other functions as are imposed on him under this Ordinance or any other enactment.
(2) The Commissioner may do all such things as are necessary for, or incidental or conducive to, the better performance of his functions and in particular but without prejudice to the generality of the foregoing, may - (a) �
- acquire and hold property of any description if in the opinion of the Commissioner such property is necessary for
- (i) �
- the accommodation of the Commissioner or of any prescribed officer; or
- (ii) �
- the performance of any function which the Commissioner may perform, and, subject to the terms and conditions upon which such property is held, dispose of it;
- (b) �
- enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation;
- (c) �
- undertake and execute any lawful trust which has as an object the furtherance of any function which the Commissioner is required or is permitted by this Ordinance to perform or any other similar object;
- (d) �
- accept gifts and donations, whether subject to any trust or not;
- (e) �
- with the prior approval of the Chief Executive, become a member of or affiliate to any international body concerned with (whether in whole or in part) the privacy of individuals in relation to personal data; (Amended 34 of 1999 s. 3)
- (f) �
- exercise such other powers as are conferred on him under this Ordinance or any other enactment.
Legislative Texts - (3)
- The Commissioner may make and execute any document in the performance of his functions or the exercise of his powers or in connection with any matter reasonably incidental to or consequential upon the performance of his functions or the exercise of his powers.
- (4)
- Any document purporting to be executed under the seal of the Commissioner shall be admitted in evidence and shall, in the absence of evidence to the contrary, be deemed to have been duly executed.
- (5)
- The Commissioner may from time to time cause to be prepared and published by notice in the Gazette, for the guidance of data users, guidelines not inconsistent with this Ordinance, indicating the manner in which he proposes to perform any of his functions, or exercise any of his powers, under this Ordinance.
(Enacted 1995)
Section 9
�Staff of Commissioner, etc.
� - (1)
- The Commissioner may
- (a) �
- employ such persons (including technical and professional persons); and
- (b) �
- engage, other than by way of employment, such technical and professional persons, as he thinks fit to assist him in the performance of his functions, and the exercise of his powers, under this Ordinance.
- (2)
- The Commissioner shall determine
- (a) �
- the remuneration and terms and conditions of employment of any person, or any person belonging to a class of persons, who may be employed under subsection (1)(a) ;
- (b) �
- the remuneration and terms and conditions of engagement of any person, or any person belonging to a class of persons, who may be engaged under subsection (1)(b) .
- (3)
- The Commissioner may
- (a) �
- grant, or make provision for the grant of, pensions, gratuities and retirement benefits to employees;
- (b) �
- provide other benefits for the welfare of employees and their dependants;
- (c) �
- authorize payments, whether or not legally due, to the personal representatives of a deceased employee or to any person who was dependent on such employee at his death.
- (4)
- The Commissioner may
- (a) �
- establish, manage and control; or
- (b) �
- enter into an arrangement with any company or association for the establishment, management and control by that company or association either alone or jointly with the Commissioner of,
any fund or scheme for the purpose of providing for the pensions, gratuities, benefits and payments referred to in subsection (3) .
(5) The Commissioner may make contributions to and may require employees to make contributions to any fund or scheme referred to in subsection (4) .
Legislative Texts
(6) In this section “employees” includes any class of employee which the Commissioner specifies and in subsection (3) includes former employees.
(Enacted 1995)
Section 10
�Delegations by Commissioner