The Personal Data (Privacy) Ordinance (Cap 486) (“the Ordinance”) is
different from other ordinances in Hong Kong in that it is principle-based
and generally more instructive than prohibitive. Its core provisions are
encapsulated in the six data protection principles which are found in
Schedule 1 of the Ordinance. These principles are the cornerstones of the
Ordinance which aims to protect the privacy of individuals in relation to
their personal data.
The Ordinance was holistically amended upon the passing of the Personal
Data (Privacy) (Amendment) Ordinance in June 2012
and changes were
introduced to some of the data protection principles which took effect on
1 October 2012.
The intention behind the six data protection principles was the creation of
a new culture in effecting the handling of personal data during its whole
life cycle from collection to destruction. The principles do not regulate the
conduct of the data users in detail. In most cases, contraventions of the
principles do not constitute criminal offences. It is when a data user fails to
comply with the terms of an enforcement notice issued by the Privacy
Commissioner for Personal Data (“the Commissioner”) after a finding of a
contravention that he becomes liable to be punished under the Ordinance.
A data user will also commit an offence if he, having complied with an
enforcement notice, intentionally performs the same act or makes the
same omission in contravention of the requirement under the Ordinance as
specified in the enforcement notice. An enforcement notice issued by the
Commissioner to the offending data user after an investigation will direct
the data user to take steps to remedy and, if appropriate, prevent
recurrence of the contravention. Contravention of a data protection
principle can also form the basis of a civil suit against the data user by the
aggrieved individual for compensation of damage suffered
not an enforcement notice has been issued.
The Amendment Ordinance was gazetted on 6 July 2012.
Section 66 of the Ordinance.