Date: September 17 - 19, 1997

The Asian Status with respect to the observance of the OECD Guidelines and the EU Directive (cont.)

OECD Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Hong Kong: Data Protection Principle 5 requires that all practical steps be taken to ensure a person can access and ascertain a data user's policies and practices in relation to personal data, and be informed of the kinds of personal data held and the main purposes for which personal data are used by a data user. Data Protection Principle 1 also requires that, at the time of data collection, the data subject be informed of his access rights and the name and address of the individual (data controller) to whom such requests may be made.

Observation: General conformance.

Taiwan: Article 10 requires government agencies and non-government agencies to gazette or publicly announce details including the purpose of personal data systems, the scope and classification of personal data held, name and address of agency or person responsible for data access and correction requests.

Observation: General conformance.

Japan: Article 8(1) requires the co-ordinating authority, the Management & Coordination Agency, to "make public in the official gazette at least once a year" details of personal data files held by data users, such details including the file holding purposes, record items, data transferees, and the name and location of the organisation which accepts data access and correction requests.

Observation: General conformance.

OECD Individual Participation Principle

An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Hong Kong: The requirements of this OECD principle are contained almost verbatim in Data Protection Principle 6 of the Hong Kong law. The request must be responded to within 40 days from the date of the request.

Observation: General conformance.

Taiwan: The rights of the data subject are specified in the law, including request for review, request to make copies and correction, and request to discontinue processing (Article 4). The request should be "handled" within 30 days (Article 15). A service fee may be prescribed by the data user (Articles 16 and 26). Denial of the data subject's right, or failure by the data user to respond within 30 days, could be challenged by the data subject by petitioning the agencies' supervisory authorities (Articles 31 and 32).

Observation: General conformance, though there is no qualification to the level of service fee to be charged; and there is no provision on the "intelligible format" of data to be supplied in response to an access request; however the right to "request to discontinue processing personal data" goes beyond this OECD principle.

Japan: Article 13(1) gives the data subject access rights, which require a response from the data user within 30 days from the request date [Article 15(1)]. The data subject is required to pay fees "in accordance with the provision of cabinet order" [Article 16(1)] plus postage for mailing [Article 16(2)]. Denial of an access request requires the data user to provide reasons for such denial in writing [Article 14(2)]. The data subject can complain to the "head" of the data user "concerning use, providing or disclosure of the processed data, or applications for correction etc." (Article 20).

Observation: General conformance, though there is no provision of the "intelligible format" of data supplied in response to an access request, and no qualification on the level of fee charges.

OECD Accountability Principle

A data controller should be accountable for conforming with measures which give effect to the principles stated above.

Hong Kong: The Hong Kong Ordinance (Article 4) requires a data user not to do an act, or engage in a practice, that contravenes the data protection principles unless the act or practice is exempted from such principles under this Ordinance. Data users who breach the provisions in the Ordinance commit an offence and are liable on conviction to a fine and/or imprisonment up to 2 years. Furthermore, an individual who suffers damage by reason of a contravention of a requirement under the Ordinance by a data user is entitled to compensation from that data user for that damage, which includes injury to feelings.

Observation: General conformance.

Taiwan: The law, through Articles 27 - 41, prescribes a whole range of damages, compensation and penalties including imprisonment for a wide spectrum of infringement of rights, improper profiteering, unlawful gains etc.

Observation: General conformance.

Japan: Article 21 requires the "head" of a data user to submit, if requested by the Management and Coordination Agency (MCA), "materials and to give explanation with regard to the operation of functions concerning computer processing etc. of the personal data handled" by the data user. The MCA may also "give an opinion to the Prime Minister" or the heads of the data user "with regard to dealing with computer processed personal data" in order to achieve the purpose of this law (Article 22).

Observation: Apart from administrative accountability, there is no provision for penalties for non-compliance with the law by data users, nor for compensation to data subjects for infringement of their rights. However, data subjects seeking data access "by deceit or other unjust means shall be liable to a correctional fees of not more than 100,000 yen" (Article 25).

European Union Directive

Adopted by the Council in July 1995, the European Union Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data is another milestone in the global initiative towards the protection of personal data. While enshrining a set of data protection principles as in the OECD guidelines, it goes beyond the OECD guidelines in a number of significant aspects, including the specification of desirable standards for a legal and administrative framework for member countries, coverage of both public and private sectors without distinction, and the operational areas where exemptions apply with regard to the data protection principles. Apart from the harmonisation of privacy laws in member countries, the prohibition of the transfer of personal data from member countries to other countries which do not have adequate data protection laws could have a far-reaching impact on bilateral relationships in trade and commerce between the member countries and other countries.

A number of significant requirements of the Directive are selected for discussion vis-à-vis the data protection law in Hong Kong, Taiwan and Japan:

  • scope coverage
  • personal data filing systems
  • purpose specification
  • sensitive data
  • supervisory authority
  • transborder data flow
  • automated processing which poses risks to individual's rights and freedom
  • codes of conduct
  • notification and registration

EU Directive - Scope Coverage

The Directive covers both the public and private sectors with no distinction in the rules governing both sectors.

Hong Kong: Article 3 states that the law "binds the Government".

Observation: General conformance. The public sector is covered by the law by virtue of Article 3. The private sector is included by virtue of the common law system, in that the private sector needs to conform with all laws unless its exclusion is explicitly provided for in a law.

Taiwan: The law covers "Government agencies at the central government or local government level"; as well as "non-government agencies" which explicitly include "credit search businesses", and "groups or individuals whose major line of business is to collect or process personal data by computers", "hospital, schools, telecommunication, financial, securities, insurance and mass communications industries", and "other businesses groups or individuals designated by the Ministry of Justice".

Observation: General conformance in terms of coverage, as the entire public sector is covered, as well as the most obvious industries in the private sector, together with the authority to include other private sector entities as the government sees fit. However, there are differences in treatment for the two sectors.

Japan: The law only applies to "national administrative organs" (federal agencies), though "local government and public corporations shall take into account the national measures under the provisions of this Act, and strive to take necessary actions to secure proper dealing with personal data" (Articles 26 and 27).

Observation: Partial conformance. The law does not cover the private sector.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.