Information Centre
archive_1
| Date: September 17 - 19, 1997 |
|
The Asian Status with respect to the observance of the OECD Guidelines and the EU Directive by Stephen Lau, Privacy Commissioner for Personal Data
Hong Kong Introduction The Organisation for Economic Co-operation and Development (OECD), membership of which include many European countries and USA, Australia, New Zealand and Japan, is primarily concerned with the economic development of its member states. In an effort to reconcile fundamental but competing values such as privacy and the free flow of information, OECD recommended in September 1980 to member countries to take into account in their domestic regulation, the principles concerning the protection of privacy and individual liberties set forth in a set of guidelines governing the protection of privacy and transborder flow of personal data. Within these guidelines are eight basic principles in the protection of information privacy. These principles, and variations thereof, have been the universal basis for the formulation of national legislation in privacy and personal data protection in many countries. Asian Situation With the increasing tempo of global trade and service activities in Asia with the rest of the world coupled with the recognition and expectations of increasingly affluent Asian communities for the respects of human rights including privacy, the issue of information privacy is receiving significant attention by Asian governments. As of today, there are three jurisdictions in Asia which have generic law for the protection of personal data. They are: Japan: The Act for Protection of Computer Processed Personal Data held by Administrative Organs (enacted December 1988) Key Aspects: it only covers the federal agencies, and only computer processing systems with personal data Taiwan: Law Governing Protection of Personal Data Processed by Computers (enacted July 1995) Key Aspects: it covers both the public and private sectors, but only computer processing systems with personal data Hong Kong: The Personal Data (Privacy) Ordinance (enacted September 1995) Key Aspects: it covers both the public and private sectors, and the processing of both automated and manual data. It also creates an independent supervisory body with significant enforcement powers. The provisions of these three laws are reviewed in terms of conformance to the OECD principles. OECD Collection Limitation Principle There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Hong Kong: Data Protection Principle 1 states that personal data shall be collected by means which are lawful and fair in the circumstances of the case, and that the data subject is explicitly or implicitly informed, on or before collecting the data, of whether it is obligatory or voluntary for him to supply the data, and the data collected are adequate but not excessive in relation to the purpose of collection. Observation: General conformance. Taiwan: Article 6 requires that "The collection or utilisation of personal data shall respect the rights and interests of the principal and such personal data shall be handled in accordance with the principles of honesty and credibility so as not to exceed the scope of the specific purpose". Observation: Limit to collection of data is explicit. Lawful collection is implied in "respecting the rights" of the data subject, and fairness is implied in "the principles of honesty and credibility". General conformance. Japan: Article 4 (1) requires the data user "in holding a personal data file shall confine itself to the extent necessary to perform the competent function provided by law", where "holding" is explicitly defined as "compiling or obtaining and maintaining". Observation: Article 4 embodies the essence of collection limitation, though there is no explicit statement regarding the lawful and fair means of data collection. OECD Data Quality Principle Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. Hong Kong: Data Protection Principle 2 requires that all practical steps shall be taken to ensure that personal data are accurate and personal data shall not be kept longer than is necessary for the fulfilment of the purpose. "Inaccurate data" are defined in the law as data which are "incorrect, misleading, incomplete or obsolete". Observation: The requirement for accuracy is conformed and the relevancy of personal data with regard to the specified purpose is conformed through requirements of deletion, when appropriate, and the limits in data collection. Taiwan: The law requires a data user to "maintain the accuracy of personal data" (Article 13) and when the specific purpose for use no longer exists, a data user shall delete the data. Observation: General conformance though there is no definition of "accuracy". Japan: Article 4(2) requires "data recorded in personal data files shall not exceed the limit necessary for accomplishing the purpose of holding the personal data file". Article 5(2) requires the data user to "strive to ensure that the processed data should correspond with past and present facts". Observation: The relevancy of personal data is implicitly conformed through Article 4(2), and accuracy implicitly conformed through Article 5(2). OECD Purpose Specification Principle The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. Hong Kong: Data Protection Principle 1 states that the data subject is explicitly informed, on or before collecting the data, of the purpose for which the data are to be used. Observation: General conformance. In addition, on or before data collection, the data subject is explicitly informed of the class of persons to whom the data may be transferred and of his rights to request access to and to request the correction of the data. Taiwan: Data shall not be collected by a data user unless "it has some specific purpose" (Articles 6 and 18). Observation: That there is a purpose at the time of collection is implied. The law goes further to specify the purpose criteria within which the data user can collect and process data, e.g. "it is within the scope of job functions provided by law and regulations", "there is no possibility that it shall infringe upon the rights and interests of the individual" etc. Japan: Article 4(1) requires the data user "in holding a personal data file, shall specify the purpose of such holding as much as possible". Observation: As "holding" includes "compiling and obtaining", the purpose of collection is implicitly specified at or before the time of collection. OECD Use Limitation Principle Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except : (a) with the consent of the data subject; or (b) by the authority of law. Hong Kong: Data Protection Principle 3 requires prescribed consent from the data subject before personal data can be used for a different purpose from the one specified at the time of collection. There are exemptions to this principle, as defined in the Ordinance which takes into account the authority of law. Observation: Prescribed consent is required and there are specific conditions for change of use without consent from the data subject, e.g. national defence, prevention of crime, taxation assessment, health, etc. Taiwan: A data user "shall utilise personal data within the scope of the specific purposes", and it may also utilise these data for other purposes with "written consent" of the data subject, "provided for in the laws and regulations", and other conditions without the consent of the data subject, including "safeguarding national security", "improve pubic interests", "preventing the rights and interests of another from being seriously damaged", "benefit the rights and interests" of the data subject, etc. Observation: Prescribed (written) consent is required; and there are broad and general conditions for change of use without the data subjects' consent. Japan: Article 9(1) states that "data shall not be used or provided for any purpose other than the file holding purpose". Exceptions to this provision include "when there is a consent of the data subject", and when permitted by law. Observation: General conformance. OECD Security Safeguards Principle Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. Hong Kong: Data Protection Principle 4 requires all practical steps shall be taken to ensure personal data held by a data user are protected against unauthorised access, processing, erasure or other uses, with particular regard to physical location, data sensitivity, automatic systems security, data integrity and people competence and data transmission. Observation: General conformance. Taiwan: Article 17 requires the data user to "appoint a full time employee to handle matters relevant to the security and maintenance of said files to prevent personal data from being stolen, altered without authorisation, damaged, lost or disclosed". Observation: General conformance. Japan: Article 5(1) requires the data user and its current and former staff engaged in data processing to "strive to take measures necessary for prevention of leakage, loss, destruction of personal data or other proper managements". Observation: General conformance. |
End of Page
[Media Statement] [Speeches, Articles & Papers] [Exhibition Materials] [Other Related Websites] [Archive] [Other Resources] [On-line Self Training] [Submissions to Public Consultation] [Privacy Commissioner's response following former Deputy Commissioner's conviction] [Response to the loss of medical data by Department of Health] [Privacy Commissioner commits himself to securing patients' data] [Privacy Commissioner commences inspection against Hospital Authority] [Response to data leakage by Immigration Department] [Response to data loss by HSBC] [Privacy is Your Business International Privacy Video Competition] [Privacy Commissioner strives to promote protection of personal data privacy] [Response following former Deputy Commissioner's conviction] [The Privacy Commissioner's clarification on criminalizing data leakage] [The Privacy Commissioner responds to media report today that] [Response to data leakage by the Police] [Progress of Inspection Against Hospital Authority] [The Director of Immigration Department signed formal undertaking] [Speech by Privacy Commissioner at the special meeting of Legislative Council Panel on Home Affairs] [Response to data loss incidents by The Hongkong and Shanghai Banking Corporation Limited] [The Privacy Commissioner completes the Inspection of the Hospital Authority's Personal Data System] [Privacy Commissioner Publishes Inspection Report on Hospital Authority] [Privacy Commissioner explains recommendations on the protection of patients' data privacy] [Privacy Commissioner accepts an Undertaking by HSBC] [Privacy is Your Business International Privacy Video Competition Prize Presentation Ceremony] [Response to Judgment of judicial review application by Cathay Pacific] [Privacy Commissioner welcomes HA's effort to enhance patient data privacy] [Statement by the Privacy Commissioner Following the Judgment made in HCAL 50/2008] [PCPD received a letter from CX Flight Attendants Union] [Impact of Technology on Data Privacy] [Privacy Commissioner responds to taxi industry's proposal of installing CCTVs in taxis] [United Christian Hospital's loss of patients' data] [Privacy Commissioner hosts the 31st APPA Forum] [Privacy Commissioner urges job seekers to be careful when providing personal data] [Launch of a booklet on protection of personal data] [Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose] [The Recruitment of Deputy Privacy Commissioner (DPC)] [Response to Media Report on the Use of Fingerprint Recognition System by a School] [Privacy Commissioner Responds to Public Enquiries about the Issue of] [Investigation Report: Tutorial Centre Using a Student's Results Notice for Promotion without the Student's Consent] [Privacy Commissioner Welcomes Hospital Authority's New Measures on the Protection of Patients' Personal Data] [Investigation Report: Food Company Collecting Participants' Personal Data in Lucky Draw Activity] [Privacy Commissioner Responds to] [The need to ensure that individuals are identified by the correct personal identifiers: the case of identification of new born babies] [Public Consultation on Ordinance Review] [] [Response to Media Report on Searching for Others' Personal Data on the Internet] [Privacy Commissioner attended the 31st International Conference of Data Protection and Privacy Commissioners] [Response to Media Enquiries] [The "Value-for-money" Audit Report on PCPD issued by the Director of AuditThe] [Protective measures taken by the Hospital Authority which enhance the protection of new born babies and the accuracy of their personal data] [The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency] [A personal statement by Roderick Woo, the Privacy Commissioner] [Office of the Privacy Commissioner for Personal Data's Annual Report won international awards for three consecutive years] [Privacy Commissioner Launches Privacy Awareness Week 2010] [Response to recent discussion about third parties' requests for patients data] [Opinion Survey: Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy] [Public Seminar on] [Privacy Campaign for Insurers] [Google collected Wi-Fi data] [Google collected Wi-Fi data in Hong Kong] [Google collected Wi-Fi data in Hong Kong] [Privacy Commissioner attended the 33rd Asia Pacific Privacy Authorities Forum] [Privacy Commissioner responds to a local magazine's editorial on privacy issues] [Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications] [Privacy Commissioner responds to an opinion survey report on Octopus cards and privacy issues] [Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board] [The Personal Data (Privacy) Ordinance and Octopus Card System] [Privacy Commissioner initiates investigation on the Octopus] [Privacy Commissioner Publishes Information Leaflet on Privacy Impact Assessment] [Privacy Commissioner published new revised edition of a book to provide in-depth interpretation] [The Privacy Commissioner gives interim report on the investigation of Octopus] [The Privacy Commissioner Completed the Compliance Check on Google's Collection of Wi-Fi Payload Data] [The Privacy Commissioner has completed a Privacy Compliance Assessment Report on the Smart Identity Card System] [Collection of Visitors' Fingerprint Data by a Theme Park] [Investigation Report: Beauty Centre Transferring a Client's Personal Data to a Third Party without the Client's Consent] [Hong Kong Letter - Roderick Woo, Privacy Commissioner for Personal Data] [Mr. Allan Chiang took office as Privacy Commissioner] [A short video introducing the Personal Data (Privacy) Ordinance] [Privacy Commissioner reminds data users of the requirements of the Ordinance when engaging direct marketing activities] [PCPD joined APEC Cross-border Privacy Enforcement Arrangement] [Privacy Commissioner discussed organizations’ collection and use of personal data for direct marketing with a political commentary group] [Amended Data Access Request Form takes effect] [Response to media reports on the attendance records of the Personal Data (Privacy) Advisory Committee] [Privacy Commissioner completed investigation on Octopus Holdings Ltd] [Multi-media Information] [Investigation Report – Octopus Rewards Program] [Privacy Commissioner publishes Guidance on the Collection and Use of Personal Data in Direct Marketing] [Privacy Commissioner responds to Government's proposals on Review of the Personal Data (Privacy) Ordinance] [PCPD's Statement regarding investigations into the Octopus Group of Companies] [Hong Kong Letter - Allan Chiang, Privacy Commissioner for Personal Data] [Investigation Report: A Telecommunications Company Authorized Another Company to Conduct Telemarketing] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of a personal data privacy case when he was Postmaster General in 2005] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of personal data privacy cases when he was Postmaster General from 2003 to 2006] [Online Survey of the] [PCPD's Submission in response to Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance] [The Sharing of Mortgage Data for Credit Assessment] [Public Forum on Proposed Revisions to the Code of Practice on Consumer Credit Data] [Privacy concerns about resumption of Google Street View car operation] [Public Consultation on the Sharing of Mortgage Data for Credit Assessment Ended] [Consumer Roadshow on Protection of Personal Data] [Consultation Report on the Sharing of Mortgage Data for Credit Assessment] [Amendments to Code of Practice on Consumer Credit Data To Take Effect]
[About PCPD] [The
Ordinance] [PCPD Activities]
[Information Centre]
[Personal Data Privacy Liberal Studies]
[Privacy
Zone for Youngsters]
[Publications & Videos]
[Enquiries & Complaints]
[Case Notes] [Contact
Us] [Search] [Site
Directory] [Graphical Version]
[Chinese Version]
Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer