Compliance Actions

Data User Registration Scheme
Pursuant to Part IV of the Ordinance, the Privacy Commissioner has the power to specify classes of data users that are required to submit data user returns containing the information specified in Schedule 3 to the Ordinance, e.g. descriptions of the kinds of personal data held by the data user concerned and the purposes for which they are used. The Ordinance leaves the scope and timing of the introduction of this requirement to the discretion of the Privacy Commissioner.
Since the enactment of the Ordinance, awareness of personal data privacy rights has become firmly established in the community. The complaints and enquiries received by the PCPD also indicate an increasing public expectation of the responsibilities of organizations that collect and use personal data.
Many earlier privacy or data protection laws, particularly in the European Union ("EU"), have included a registration regime whereby organizations collecting, holding and using personal data are required to register with a supervisory authority, declaring the nature of the personal data they hold and setting out how individuals can go about exercising their rights, such as access and correction.
A questionnaire survey of 22 EU countries on how their registration systems are operated was recently conducted. Learning from the positive experience of the EU countries, the Privacy Commissioner considers that the time is now ripe for the implementation of a Data User Registration Scheme ("DURS"), which will induce organizations to adopt systems that are more open and transparent in informing data subjects of how their personal data are being collected, processed and used.
In May 2007, the PCPD issued a discussion paper to the Hong Kong Government proposing the activation of the data user return provisions, and the consequential public register of such returns, under sections 14 to 16 of the Ordinance.
An exercise is being planned to brief and consult the target sectors and to report the outcome to the Legislative Council. It is envisaged that the DURS will be launched in 2008.
Privacy Compliance Assessment
Privacy compliance is a corporate governance issue. To ensure that an organization's privacy compliance framework satisfies the standards established by the Ordinance, and to provide the organization with an opinion on its privacy compliance status, a Privacy Compliance Assessment ("PCA") should be initiated.
In March 2007, the Privacy Commissioner accepted an invitation from the Immigration Department ("ImmD") to act as an independent party to conduct a PCA on the Smart Identity Card System ("SMARTICS"). SMARTICS was implemented by the ImmD in 2003 to supersede the old Registration of Persons System. To ensure that all personal data held by the ImmD are handled in accordance with the provisions of the Ordinance, the Hong Kong Government undertook to the Legislative Council ("LegCo") to draw up, in consultation with the Privacy Commissioner, a code of practice setting out the rules on the collection, use of and access to smart identity card data, to conduct a PCA on the SMARTICS, and to provide a copy of the PCA report to LegCo.
To minimize the potential conflict between the Privacy Commissioner's role in carrying out the PCA and his regulatory role under the Ordinance, a Memorandum of Understanding has been drawn up so that the Privacy Commissioner's statutory power to act as a competent authority and his dual capacity as a commercial contracting party are expressly acknowledged in writing.
A Code of Practice on Smart Identity Card Data ("COP") written by the ImmD will form the basis of the PCA to be conducted by the PCPD. At the conclusion of the PCA, any observations and recommendations for improvement will be factored into the COP, which can then be formalized and approved by the Privacy Commissioner in accordance with section 12 of the Ordinance.
The Privacy Commissioner expects that the PCA will be carried out in the first half of 2008.