Background

3.1

In the HKSAR the concept of personal privacy is generally appreciated, if not always well understood. The PCPD is responsible for upholding the Personal Data (Privacy) Ordinance ("the Ordinance") which concentrates on one aspect of privacy, personal data privacy. In this capacity the PCPD has adopted the principle that the legal provisions of the Ordinance are applicable both online and offline. This means that those provisions, and related Data Protection Principles ("DPP" - please refer to Annex), should be complied with by providers operating in the E-Business environment. The DPP enshrine what have become the mainstays of best privacy practice, and form the backbone of legislation in an increasing number of jurisdictions. Essentially they establish the principles to be applied to the collection, accuracy, use, security and access to personal data. These principles have proved invaluable in the real world, and the PCPD are committed to applying them to the management of personal data in cyberspace.

3.2

The DPP confer the following rights upon individuals.

• The Right to be Informed of Use
  This right to be informed of the purposes for which an individual's personal data are to be used and the classes of persons to whom that personal data may be transferred.
• The Right to Fair and Lawful Collection
  The individual's right to have personal data collected by means that are fair and lawful and for purposes that are directly related to the functions and activities of the body collecting the data.
• The Right to Give only Necessary Data
  The right to give no more personal data than are necessary for the purposes for which the data are collected.
• The Right to Consent to a Change of Use
  The right to be asked for consent before an individual's personal data are used for purposes other than the purposes for which they were collected, or directly related purposes.
• The Right to Accuracy and Security
  The right to expect that personal data are kept accurate, up-to-date, secure and for no longer than necessary.
• The Right to Transparency
  The right to ask a data user (a data user is any party that controls the collection, holding, processing or use of personal information) to disclose its personal data policies and practices, the kind of personal data held, and the main purposes for which they are used.
• The Right of Access to Personal Data
  The right to obtain confirmation, and request for a copy of personal data held by a data user. The data user should comply with that request within 40 days.
• The Right to Request Correction of Personal Data
  The right of the individual to request for correction of inaccurate personal data within 40 days of when the request is made.

3.3

The PCPD has been monitoring developments in E-Business notably since the government announced its policy of making Hong Kong a centre of excellence in this respect. Through its network of contacts in the international privacy community, consultation with government departments and agencies, and its involvement with business and the community, the PCPD has been able to identify E-Privacy risks and related personal data issues. These issues must be confronted if trust and confidence are to prevail in the provider-consumer relationship. Current wisdom suggests that until the hallmarks of trust and confidence are reflected in community perceptions, E-Business will be impeded in the realisation of its full potential.