Skip to content

The Ordinance at a Glance

The Ordinance at a Glance

The objective of the Personal Data (Privacy) Ordinance (Cap. 486) (pdf format) is to protect the privacy rights of a person in relation to personal data (Data Subject).

Personal Data

(1) The information which relates to a living person and can be used to identify that person. (2) It exists in a form in which access or processing is practicable.

Examples of personal data protected by the Ordinance include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.

Data User

A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. The Data User is liable as the principal for the wrongful act of its authorised data processor.

Six Data Protection Principles

Everyone who is responsible for handling data (Data User) should follow the Six Data Protection Principles ("DPPs") which represents the core of the Ordinance covering the life cycle of a piece of personal data:

DPP1 - Data Collection Principle

Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user.

Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.

Data collected should be necessary but not excessive.

DPP2- Accuracy & Retention Principle

Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used.

DPP3 - Data Use Principle

Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.

DPP4 - Data Security Principle

A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing , erasure, loss or use.

DPP5 - Openness Principle

A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

DPP6 - Data Access & Correction Principle

A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.

Offences and Compensation

  • Non-compliance with Data Protection Principles does not constitute a criminal offence directly. The Commissioner may serve an Enforcement Notice to direct the data user to remedy the contravention and/ or instigate the prosecution action.
  • Contravention of an enforcement notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment for 2 years.
  • An individual who suffers damage, including injured feelings, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.
  • The Ordinance also criminalises misuse or inappropriate use of personal data in direct marketing activities (Part VI); non-compliance with Data Access Request (section 19); unauthorised disclosure of personal data obtained without data user's consent (section 64) etc.


The Ordinance provides:

  • General exemption for personal data held for domestic or recreational purposes ;
  • Exemptions from access requirement for certain employment related personal data and relevant process; and
  • Exemptions from access and use limitation requirements for data which are likely to prejudice security, defence and international relations; crime prevention or detection; assessment or collection of any tax or duty; news activities; health; legal proceeding; due diligence exercise; archiving; handling life-threatening emergency situation etcnon-exhausive.

*Should there be any discrepencies between the contents of this page and that of the Ordinance, the latter shall prevail.