PCPD e-Newsletter

Protecting Online Privacy – Be Smart on Social Networks 

Don't forget about data security when sending heartwarming messages to your loved ones via social media platforms. Find out more about how to be smart on social networks from this leaflet published by the PCPD.

Privacy Commissioner Responds to Privacy Issues Arising from Mandatory Quarantine Measures and Provides Updates on Doxxing (12 February 2020)

Doxxing of Medical Personnel is Illegal and Unethical (4 February 2020)


Metro Radio Programme (智識做老闆) - Interview with Privacy Commissioner for Personal Data: Privacy issues arising from ICT developments (8 February 2020) (Cantonese Programme)


Hong Kong Lawyer February 2020 issue: The Evolving Personal Information Regulatory Framework in mainland China - by Mr Stephen Wong, Privacy Commissioner for Personal Data, Hong Kong

Mainland China has been stepping up its regulation of the protection of personal information in recent years. This article highlights the key regulations adopted in the mainland, giving readers a quick understanding of the relevant regulatory regime.

Self-training module on Protection of Personal Data for Medical Practitioners

It is a one-stop portal for medical practitioners in different work contexts to familiarise themselves with the requirements under the Personal Data (Privacy) Ordinance.

World Health Organisation CIO on healthcare data, privacy, trust, and ethics

This article states the importance of building trust between the public and data users. The use of personal data should be moved from blanket consent to dynamic consent. Dynamic consent helps build trust in the system.

Five data ethics considerations for 2020

During the past two years, data theft and privacy concerns have emerged as a heavy counterweight to the benefits of big data and data analytics. Data ethics, the right or wrong conduct related to handling data, is in daily public discourse. In this article, the writer opines that curation, processing, dissemination, algorithms and transparency are five data points which data users should take into consideration.

US Democrat adds another proposal to update kids' privacy law

A bill proposed by US politicians would allow parents to sue online companies that track their children. The existing kids' privacy law bans companies from collecting personal information, including IP addresses, data stored on tracking cookies and other information used for advertisement targeting, from children under 13 without parental permission.

Welfare surveillance system violates human rights, Dutch court rules

A scoring system deployed by the Dutch state trying to predict the likelihood that social security claimants will commit benefits or tax fraud is a breach of human rights law, a court in the Netherlands has ruled.

Q: What is online tracking?

A: Website operators/owners often collect information regarding their users' online interaction with the websites. Information such as a user's identity, display and/or language preference, web pages visited, items purchased, and transactions performed may be collected and recorded.

Q: What are the main reasons that online behavioural tracking may be a concern for website users?

A: The reasons are:

  • Website users' information or browsing habits are often collected by the website operators/owners without website users' knowledge or consent;
  • Website users' information or browsing habits may even be collected by a third party without website users' knowledge or consent;
  • The collected information may be transferred to other parties by the website operators/owners or the third party without website users' knowledge or consent;
  • Information about a website user collected from one website may be combined with information collected from other websites or sources about that user, thus building his/her profile without his/her knowledge;
  • The purpose of collecting the information is not made clear to the website users. Even if this has been made clear, website users are not offered the option to opt out of the use.

Q: What are the recommended practices to organisations on using cookies?

A: Where cookies are used to collect behavioural information, the following additional best practices are recommended:

  • To pre-set a reasonable expiry date for cookies;
  • To encrypt the contents of cookies whenever appropriate; and
  • Not to deploy techniques such as Flash/zombie/super cookies that ignore browser settings on cookies unless organisations can offer an option to website users to disable or reject such cookies.
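
The first two recommendations above can be applied together at the point where a cookie is issued. The sketch below is an added example, not PCPD material: it assumes Node.js, a constructed demo key and a hypothetical 30-day lifetime, and the function names are illustrative.

```javascript
const crypto = require('node:crypto');

// Constructed demo key (assumption): in production load 32 random bytes from a secret store.
const KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
// Assumed "reasonable" lifetime for a behavioural cookie: 30 days.
const MAX_AGE_SECONDS = 30 * 24 * 60 * 60;

// Encrypt and authenticate the cookie payload with AES-256-GCM.
// The expiry is sealed inside the value so the server can enforce it
// even if the browser-side Max-Age is ignored or edited.
function sealCookieValue(data, key = KEY, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce per cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const plaintext = JSON.stringify({ d: data, exp: now + MAX_AGE_SECONDS * 1000 });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Returns the payload, or null if the value was tampered with or has expired.
function openCookieValue(value, key = KEY, now = Date.now()) {
  try {
    const raw = Buffer.from(value, 'base64url');
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { d, exp } = JSON.parse(pt.toString('utf8'));
    return now < exp ? d : null;
  } catch {
    return null; // bad tag, truncated value or malformed JSON
  }
}

// Build the Set-Cookie header: bounded lifetime plus encrypted contents.
function buildSetCookie(name, data, now = Date.now()) {
  const value = sealCookieValue(data, KEY, now);
  return `${name}=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

Because the expiry is checked on the server as well, a cookie replayed after its lifetime is rejected even when the browser has kept it.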

Extended Reading:

Information Leaflet on Online Behavioural Tracking

Data Protection Principle 6 - Access to personal data

A data subject submitted a request to Organisation B for access to his personal data that originated from Organisation A

The Complaint

With the consent of the complainant, Organisation A provided a copy of a report in relation to the complainant to Organisation B. The complainant later submitted a data access request to Organisation B for access to the report. However, in its written reply, Organisation B stated only that the report was not composed by them and suggested that the complainant request it from Organisation A. The complainant hence complained to this office against Organisation B for not complying with his data access request.


Section 19(1) of the Personal Data (Privacy) Ordinance (the Ordinance) requires a data user to comply with a data access request within 40 days after receiving it, unless there is a ground of refusal permissible under section 20 of the Ordinance. Under section 2(1) of the Ordinance, “data user” means a person who controls the collection, holding, processing or use of the personal data.

According to sections 20(3)(d) and 21(1)(c) of the Ordinance, if a data user imposed a restriction on further disclosure on another data user when personal data was transferred from the first-mentioned “data user” to the second-mentioned “data user” in the first place, the second-mentioned “data user” may use this as a reason to refuse compliance with a data subject’s data access request, as long as the second-mentioned “data user” has provided the name and address of the first-mentioned “data user” to the data subject.

In response to our inquiries, Organisation B confirmed that they were neither an agent nor a data processor appointed by Organisation A (i.e. Organisation B is an independent “data user”). Organisation B further confirmed that no restriction on further disclosure was imposed on them when they obtained the report from Organisation A.

Not being the composer of the report is not a reason permissible under the Ordinance to refuse compliance with a data access request. As long as no restriction on disclosure was imposed on Organisation B and there is no other reason for refusal permissible under the Ordinance, Organisation B as a “data user” of the report in question has a duty to provide the complainant with a copy of his personal data contained therein.

This office explained the relevant provisions of the Ordinance to Organisation B, which subsequently complied with the complainant’s data access request.

Extended Reading:

Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users


Online Resources Centre

Visit our Online Resources Centre and look for useful guidance notes, information leaflets and other materials by topics.


Tips on Maintenance of Devices

Understand what precautions to take before handing over a device for repair/sale/disposal.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.