Date:28 August 2020
Universal Community Testing Programme Complies with
Requirements of the Personal Data (Privacy) Ordinance
In relation to concerns on personal data privacy arising from the Universal Community Testing Programme for COVID-19 (the Programme), the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), responds as follows:
In response to the Government’s earlier enquiry, the PCPD provided views from the perspective of protecting personal data privacy relating to the Programme.
The PCPD notes that there are some concerns in the community on the protection of personal data privacy relating to the Programme. Having examined available information relating to the Programme, the PCPD considers that the Programme complies with the requirements of the Personal Data (Privacy) Ordinance (PDPO) in terms of the collection, holding, processing or use of personal data. In particular: -
o The personal data (including names, Hong Kong Identity Card numbers / birth registration numbers and local mobile phone numbers) collected in the Programme for administration of the testing and notifying participants of the test results is necessary but not excessive, in line with the principle of personal data minimisation and is commensurate with and proportionate to the purpose;
o As regards the use of personal data, the use of personal data in the Programme is subject to the consent of the participants and is consistent with the principles of purpose specification and use limitation;
o The Programme aims to conduct testing for COVID-19. There is no information showing that the testing itself involves the analysis of the individuals’ DNA information. The PCPD also notes that the Government has stated that the test kits cannot be used for DNA identification or sequencing and no DNA information of the participants is collected during the testing process;
o The Government has stated that the personal data collected will be encrypted and stored in the servers of the Government Data Centre. The personal data will be handled on a “need-to-know” basis to ensure that it is protected against unauthorised access, processing or loss. This practice is in line with the principle of protecting data security.
o The Government has also stated that all personal data (including specimens and test results) will not be transferred outside Hong Kong. Having examined available information relating to the Programme, the PCPD notes that there is no information suggesting otherwise; and
o While the PDPO does not require data users to specify the maximum retention period of personal data, the PCPD is pleased to note that the Government has stated that personal data collected (including specimens and test results) will be erased one month after completion of the Programme.