Incorporated Owners installing door access system with face recognition function
The Enquiry
Whether the Incorporated Owners can require owners to provide facial recognition data for installing door access system with face recognition function.
Our Response
Data Protection Principle (DPP) 1 of Schedule 1 to the Ordinance provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair. In addition, when collecting personal data from a data subject directly, the data user shall inform the data subject whether it is obligatory to provide the data, the purpose of collection, the classes of transferees of the data, and the right and means to request access to and correction of their data.
Given the sensitive nature of biometric data, data users who intend to collect biometric data, including building management bodies, should first consider whether such collection is necessary at all. For example, occupants may enter the buildings either by entering the security gate passwords or by using an access card. A data user must have overriding reasons to justify the collection of biometric data instead of, or in addition to the less intrusive measures. Even if the biometric data collected from data subjects is “adequate but not excessive”, the means of collection must be fair, and the data user should provide data subjects with free and informed choice.
The PCPD has issued “Guidance on Collection and Use of Biometric Data”, assisting data users to comply with the requirements under the Ordinance when collecting biometric data. Data users should read this Guidance before deciding whether to collect biometric data or not.
(Uploaded in February 2026)