Direct Marketing and Privacy Related to Personal Data

by Stephen Lau, Privacy Commissioner for Personal Data at the Direct Marketing Asia '98 Conference, July 13 - 15, 1998 Singapore

Hong Kong Personal Data (Privacy) Ordinance

The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well being by safeguarding the free flow of personal data to Hong Kong from restrictions by countries that already have data protection laws.

This Hong Kong Ordinance, which came into effect in December 1996 is quite a progressive law, in that:

1. it covers both automatic and manual data;
2. it covers both the public and private sectors; and
3. it establishes an independent statutory body which has wide-ranging investigation and enforcement powers to be exercised when and where appropriate to ensure compliance.

Personal Data

"Data" is defined in the Ordinance as any representation of information (including an expression of opinion) in any document, and includes a personal identifier, and Personal Data" is defined as any data -

1. relating directly or indirectly to a living individual;
2. from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
3. in a form in which access to or processing of the data is practicable.

Data Protection Principles

Six personal data protection principles, which are in line with international practice and are based on the OECD guidelines, are enshrined in the Ordinance:

Principle 1 - Purpose and manner of collection - this provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.

Principle 2 - Accuracy and duration of retention - this provides that personal data should be accurate, up-to-date and kept no longer than necessary.

Principle 3 - Use of personal data - this provides that unless the data subject gives consent otherwise personal data should be used for the purposes for which they were collected or a directly related purpose.

Principle 4 - Security of personal data - this requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

Principle 5 - Information to be generally available - this provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

Principle 6 - Access to personal data - this provides for data subjects to have rights of access to and correction of their personal data.

Exemptions

These principles are reasonable, logical and sensible. But they are not applicable in all cases. The privacy right of an individual is not absolute. It has to be considered in the context of the overall interest of the society, viz public interest.

The Ordinance therefore provides specific exemptions from the requirements of the Ordinance. They include:

• a broad exemption from the provisions of the Ordinance for personal data held for domestic or recreational purposes;
• exemptions from the requirements on subject access for certain employment-related personal data; and
• exemptions from the subject access and use limitation requirements of the Ordinance where their application is likely to prejudice certain competing public or social interests, such as: security, defence and international relations; prevention or detection of crime; assessment or collection of any tax or duty; news activities; and health.