Comments on Proposed Legislation by the PCPD
Buildings (Amendment) Bill 2007
The Buildings Department sought comments from the Commissioner
on its proposed clauses 3 and 8 of the draft Bill on the maintaining
of registers insofar as the protection of personal data privacy is
concerned. The Commissioner noted that the Buildings Department
intends to collect and disclose the data subjects' personal data in
the registers such as the Authorized Signatory of the Registered
Contractor, the telephone number of the Registered Parties, and the
type of works that the Registered Parties are willing to carry out.
As the collection of such personal data is optional, the Commissioner
advised the Buildings Department that it should inform the data
subjects in the Personal Information Collection Statement at the
time of collection that it is entirely voluntary for them to supply such
personal data. This is to ensure compliance with DPP1(3)(a) so that
the data subjects know full well at the time of collection that they
can choose whether or not to supply such data; and if supplied, such
personal data would be disclosed in the registers.
The Commissioner also advised the Buildings Department to impose
sanctions under the Bill against improper use of personal data
contained in the registers to guard against possible contravention of
DPP3 on the use of personal data beyond its specified purposes or
directly related purposes, but such advice has not been incorporated
into the Bill during the period under review.

Draft Unsolicited Electronic Messages Regulation
The Regulation was proposed by the Secretary for Commerce,
Industry and Technology Bureau ("the Secretary") for the purpose
of prescribing the detailed sender information that a commercial
electronic message should contain and the conditions with which
the unsubscribe facility should comply. It was proposed that the
information should include the name, address and contact electronic
address of the individual or organization who authorized the sending
of the message. "Contact electronic address" was defined to
mean the telephone number and electronic mail address in case the
message was sent by electronic mail transmission and in any other
case, the telephone number only.
The Commissioner reminded the Secretary that collection of personal
data should be adequate but not excessive. Since the draft Regulation
contained provision to allow the sender to elect not to include the
address if it was a text message sent to a telephone number, it raised
doubt as to whether the requirement for disclosure of the address
of the sender in other cases was at all necessary for attaining the
purpose of collection. The Secretary was asked to re-consider the
necessity for such collection.
The Regulation was passed and came into effect on 22 December
2007. It makes clear under section 5(4) that the address of the
individual or organization can be omitted from a commercial
electronic message sent in the form of an SMS message if the
recipient is able to obtain the address by using the telephone number
included in the message.

Communications Authority Bill
The Bill was put forward by the Secretary for Commerce, Industry
and Technology ("the Secretary") to effect the transfer and
use of personal data from the Broadcasting Authority ("BA") and
Telecommunications Authority ("TA") to the new regulator, namely,
the Communications Authority ("CA").
The Commissioner had no objection in principle to the transfer
and use of personal data necessitated by the proposed merger. He
however reminded the Secretary that the Bill should expressly contain
a saving provision so that the Commissioner's exercise of power under
the Ordinance which he could have exercised against BA and TA
would not be affected in respect of a breach or alleged breach of the
Ordinance or the data protection principles immediately before the
appointed date for the Bill. This serves to preserve the Commissioner's
powers in dealing with antecedent breaches, which is essential for
safeguarding personal data privacy rights of individuals for acts done
or practice engaged in by BA and TA before the merger took place.

Prevention and Control of Disease Bill
For attaining the objective of preventing the introduction into
and spread of any disease or contamination in Hong Kong, the
Bill sought to confer powers upon the Secretary for Food and
Health ("the Secretary") to make regulations ("the Regulations")
requiring notification of infectious diseases from medical practitioners,
travellers and operators of conveyance as well as the power to
disclose to the public any information that is relevant to a public
health emergency.
The Commissioner raised the following issues of personal data privacy
concerns with the Secretary: (i) that any collection of personal data,
in particular, sensitive health data of the individuals shall be necessary,
adequate but not excessive under DPP1; (ii) that only necessary
personal data for attaining the statutory purpose be disclosed to the
public; (iii) that any medical surveillance, examination and test to be
conducted on individuals whereby personal data may be collected
shall not be more intrusive than is necessary for ascertaining that
person's health condition; (iv) that any information or samples to be
submitted by these individuals for the purpose of examination and
testing should as far as practicable be obtained with their prescribed
consent; (v) that the personal data so collected should be safely kept
and properly erased after use; (vi) that a warrant should be obtained
when exercising power of entry into non-residential premises; and
(vii) that the proposed immunity of personal liability of health officers
in purported exercise of the powers conferred under the Bill should
not derogate from their obligation to comply with the requirements of the
Ordinance and the right of data subjects to claim damages under
section 66 of the Ordinance.
For (i) and (ii), the Secretary confirmed that sufficient safeguards would
be included in the Regulations to ensure that where personal data
were involved, the provisions would comply with the requirements of
the Ordinance. For (iii) and (iv), the wording of the Regulations had
been amended to require that the medical surveillance, examination
or test conducted "must not be more intrusive or invasive than is
necessary for ascertaining the person's health condition".
For (v), the Secretary stated that the Department of Health had clear
data protection policy and guidelines to cover collection, retention,
use, etc. of personal data and assured the Commissioner that
personal data collected would not be kept longer than is necessary
and that relevant security measures are in place for safe custody of
the personal data.
In relation to (vi), the Secretary maintained that quick response
was required to contain or control the disease but added that
the security of privacy interests was built in, in that (a) the exercise of
such power must be based on "reasonable suspicion"; and (b)
the entry into residential premises still required the obtaining of a
warrant from a Magistrate. In respect of the proposed immunity of
liability, the Secretary confirmed that there was express provision
in the Bill that such protection "does not affect any liability in tort
of the Government for that act or omission". The right to claim
damages under section 66 against the Government was therefore
not affected.