Skip to content

Guidance Notes

Chapter 486 Personal Data (PRIVACY) Ordinance

SCHEDULE 1 [s. 2(1) & (6)]

DATA PROTECTION PRINCIPLES

1. Principle 1-purpose and manner of collection of personal data
   
(1)

Personal data shall not be collected unless-

   
  (a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;
   
  (b) all other money and property, including gifts, donations, fees, rent, interest and accumulations of income received by the Commissioner.
   
  (c) the data are adequate but not excessive in relation to that purpose.
     
(2) Personal data shall be collected by means which are
     
  (a) lawful; and
     
  (a) fair in the circumstances of the case.
     
(3) Where the person from whom personal data are or are to be collected is the data subject ,all practicable steps shall be taken to ensure that
     
  (a) he is explicitly or implicitly informed, on or before collecting the data, of-
     
   
  1. whether it is obligatory or voluntary for him to supply the data; and
  2. where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and
     
  (b) he is explicitly informed-
     
    i on or before collecting the data, of -
       
      (A) the purpose (in general or specific terms) for which the data are to be used; and
       
      (B) the classes of persons to whom the data may be transferred; and
       
    i on or before first use of the data for the purpose for which they were collected, of-
       
      (A) his rights to request access to and to request the correction of the data, and
       
      (B) the name and address of the individual to whom any such request may be made,
   
   

unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data were collected and that purpose is specified in Part VIII of this Ordinance as a purpose in relation to which personal data are exempt from the provisions of data protection principle 6.

   
2. Principle 2-accuracy and duration of retention of personal data
   
(1)

All practicable steps shall be taken to ensure that-

     
  (a)

personal data are accurate having regard to the purpose (including any directly related purpose) for which the personal data are or are to be used;

     
  (b) where there are reasonable grounds for believing that personal data are inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used-
     
    i the data are not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or
    ii the data are erased;
       
  (c)

where it is practicable in all the circumstances of the case to know that-

    i personal data disclosed on or after the appointed day to a third party are materially inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used by the third party, and
    ii that data were inaccurate at the time of such disclosure, that the third party-
         
(A) is informed that the data are inaccurate; and
   
(B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.
   
(2)

Personal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data are or are to be used.

   
3. Principle 3-use of personal data
   
Personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than-
   
(1) Subject to subsection (2), the Commissioner may invest money that is not immediately required to be expended.
   
  (a)

the purpose for which the data were to be used at the time of the collection of the data; or

     
  (b)

a purpose directly related to the purpose referred to in paragraph (a).


Previous Page | Next Page