Comments on Proposed Legislation by the PCPD

Mandatory Provident Fund Schemes (Amendment) Bill

The Bill proposed to set up a public register of approved trustees and a register of scheme members who have unclaimed benefits. It was proposed to confer upon the Mandatory Provident Fund Schemes Authority ("the Authority") power to determine "such information" to be contained in the registers. As personal data might be involved, the Commissioner advised the Secretary for Financial Services and the Treasury ("the Secretary") to provide for a clear purpose statement in the Bill for the setting up of these registers and to limit as far as practicable the kind and amount of personal data to be collected and made available for public inspection through these registers. The Secretary was also asked to consider the imposition of sanction in the Bill on misuse of the data. Appropriate administrative measures should also be undertaken to prevent bulk inspection which might increase the privacy risks of the personal data available for public inspection.

Similar wide power was also proposed under the Bill to be conferred upon the Authority to specify the kind of information to be supplied in the statutory declaration to be given by the employee and the information to be contained in the registers. Specific power to require production of records for inspection from employer, self employed person or any other persons was also conferred upon the Authority. The Secretary was asked to reconsider specifying the kind of personal data in clearer terms so as to ensure that no unnecessary or excessive personal data are collected.

The Bill also proposed to permit the Authority to disclose information which has been made publicly available. The Commissioner advised that the Ordinance does not contain provisions exempting the use of personal data in public domain and a data user has to comply with the use limitation principle under DPP3. Due regard must be given to ensure that the use of the personal data was for a purpose consistent with the purpose of collection.

In response, the Secretary promised to spell out in clear terms the purpose of collection of information under the various registers, to limit the kind of personal data to be collected by way of guidelines issued for such purpose and confirmed the Government's commitment to comply with the provisions of the Ordinance in handling personal data.

Mandatory Provident Fund Schemes (Amendment) (No.2) Bill

Under the proposed provision, an employer in paying contributions to the Mandatory Provident Fund Scheme Authority ("the Authority") shall accompany it with a statement including the name and HKID number of the relevant employee. The Commissioner asked the Secretary for Financial Services and the Treasury ("the Secretary") to take heed of the circumstances for collection of HKID number prescribed under the Code of Practice on the Identity Card Number and other Personal Identifiers issued by the Commissioner in order to comply with DPP1.

The Commissioner also repeated his concerns on the wide power proposed to be conferred upon the Authority to specify "such other information" to be included in the statement accompanying the contributions paid to the Authority and the power to specify and approve the various forms required to be submitted under the Mandatory Provident Fund Schemes Ordinance. The provision of a clear collection statement in the enabling provision and the duty to comply with DPP1 and DPP3 were highlighted by the Commissioner.

The Secretary agreed to incorporate clear collection purpose statement in the enabling provision of the Bill and would specify the kinds of information to be included in the various forms in the guidelines to be issued after consultation with stakeholders.

Independent Police Complaints Council Bill

The previous draft of the Bill empowered the Independent Police Complaints Council ("the Council") to interview any person for the purpose of considering an investigation report submitted by the Commissioner of Police, to keep a record of every interview and such record must not be used for any purpose other than for performing the functions of the Council under the Bill.

The Commissioner noted that personal data would normally be obtained during an interview, but the Bill did not specify a period beyond which the Council should not retain the personal data in compliance with DPP2(2). Furthermore, given that the functions of the Council under the Bill were much wider than its power to consider an investigation report, the Commissioner was concerned if the Council used the personal data for purposes other than for considering an investigation report.

The Commissioner, therefore, urged the Security Bureau to reconsider prescribing in the Bill an ascertainable retention period and limiting the scope of permitted use of the record of interview under the Bill.

Having considered the Commissioner's concern, the Secretary for Security amended the draft Bill to the effect that interview records must be kept by the Council only for such period as may be necessary and must not be used by it for any purpose other than what is necessary for performing its functions.

The Bill was passed on 12 July 2008 but has not come into operation.

West Kowloon Cultural District Authority Bill

The Authority to be established under the Bill ("the Authority") was to be conferred with power to determine the class and details of interest to be disclosed by Board or Committee members who may be individuals. The Commissioner advised the Secretary for Home Affairs ("the Secretary") of the need to comply with the data collection principle in DPP1 for the scope of personal data to be delimited and defined as clearly as practicable and that an express purpose statement should be spelt out in the enabling provision.

Since a register of "name" and "particulars of disclosure" would be maintained by the Authority and be open for public inspection, the Secretary was reminded of the duty to comply with DPP3 to prevent unnecessary disclosure of personal data which were not required for the purpose of maintaining the register. The Secretary was also advised to include a clear purpose statement for the setting up of the register to guard against indiscriminate or improper use of the data. Sanction might be imposed as a means of effective enforcement.

There was no further development during the reporting period.