Skip to content

PCPD e-Newsletter

Facebook Youtube



Introduction to the Personal Data (Privacy) Ordinance (PDPO) Seminar

The PCPD will conduct this introductory seminar with details as follows:

Date: 23 April (Thursday)
Time: 3:00pm - 4:30pm
Venue: Lecture Room, Office of the Privacy Commissioner for Personal Data, 12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong

- A general introduction to the Ordinance
- The six data protection principles
- Offences & Compensation
- Direct Marketing
- Q & A session

Fee: Free of charge

Special seating arrangement will be made and the capacity will be limited to 30 persons, to help prevent the spread of COVID-19.

Enrol now!

Q: Can someone disclose the information about suspected COVID-19 patients to third parties including health authorities?

A: Generally speaking, the Data Protection Principle on the use of personal data (Data Protection Principle 3) in the Personal Data (Privacy) Ordinance (PDPO) provides that the use of personal data must be consistent with or directly related to the original purpose when collecting the data. However, Section 59(1) of the PDPO states that in circumstances where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, the data user may disclose personal data relating to the physical or mental health of the data subject to a third party without the consent of the data subject. Section 59(2) also states that under the same circumstances mentioned above, the data user can also disclose the identity or location of a data subject to a third party without the consent of the data subject.

The PCPD emphasises that if members of the public intend to rely on the relevant exemption provisions, they must ensure that the sole purpose of using the personal data of the data subject is to protect public health and is in the public interest. At the same time, they must also respect the privacy of the data subject and adopt less privacy intrusive means to achieve the purpose, such as seeking assistance from relevant medical practitioners or the Department of Health.

Q: Can merchants require customers to register their real names when buying masks?

A: Merchants should collect customers' personal data in a lawful and fair manner, and should not collect excessive personal data. The purpose of the collection should be directly related to their business. Personal Information Collection Statement should also be provided when/before collecting customers’ personal data to inform customers of the data collected/used/processed and the purposes, and the classes of person to whom their data may be transferred.

Also, the merchant's use of the customer's personal data is limited to the purpose stated at the time of collection or directly related purposes. To use the data for a new purpose, voluntary and explicit consent of the data subject must be obtained in advance.

Extended Reading:
PCPD's Response to Personal Data Privacy Issues Arising from Novel Coronaviurs Infection

Privacy Commissioner Responds to Media Enquiries about Cathay Pacific Being Fined £500,000 by UK Information Commissioner’s Office (6 March 2020)

Read media statement

Privacy Commissioner Responds to Media Enquiry about an Individual’s Request to LCSD for CCTV Footage (Chinese version only) (5 March 2020)

Read media statement (Chinese only)

Response to media enquiry on collecting Hong Kong citizens' personal data by organisations during mask distribution in the mainland of China (3 March 2020)

Read media response (Chinese only)

Response to media enquiry on the media statement issued by the PCPD entitled “The Use of Information on Social Media for Tracking Potential Carriers of COVID-19” (3 March 2020)

Read media response

Response to media enquiry on investigation progress of two cases involving police officer checking Identity Card of Journalist (2 March 2020)

Read media response (Chinese only)

Hong Kong Lawyer- Mar 2020 issue "Application of Blockchain”

In this article, the Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”), Mr Stephen Kai-yi WONG talked about privacy issues in relation to the latest development in blockchain applications in dispute resolution, motor insurance, cross-border money transfer, etc and how it is regulated in Hong Kong and mainland of China.

Read the article

“Introduction to the Regulations in the Mainland of China Concerning Personal Information and Cybersecurity Involved in Civil and Commercial Affairs”

The Privacy Commissioner published this Chinese booklet to provide an overview of related regulations regarding personal data protection in the mainland of China.

Read publication (Chinese only)

The coronavirus privacy dilemma

The scale and severity of the disease is not unprecedented but the level of panic around it seems to be. As a consequence, extreme measures to handle the situation appear to have become the norm in a very short period of time. Some of those measures have a direct impact on people's privacy.

Read more

Coronavirus mobile apps are surging in popularity in South Korea

South Korea is one of the world's most tech savvy countries. So when the deadly novel coronavirus outbreak reached the country, app developers there knew exactly how to react: They started coding.

Read more

'Systemic failures': Facebook facing legal action over Cambridge Analytica scandal in Australia

Australia's information and privacy commissioner has launched legal action against Facebook over the Cambridge Analytica scandal, accusing the social media giant of "serious and/or repeated interferences" with user privacy in breach of the law.

Read more

Data Protection Principle 4 (DPP4) – Data Security

Customers are advised to delete data after trying out smart products

The Complaint

The complainant tried out a smart phone at a telecommunications company. During the tryout, she logged into her Cloud storage account on the trial phone for a short period of time. A few months later, the complainant received a call from an unknown person, telling her that he was able to access her personal data in her Cloud storage account via such account of his. The complainant was worried about the security vulnerabilities of the relevant Cloud storage service, and hence made a complaint to the PCPD.


The PCPD’s investigation revealed that although the complainant had logged out of her Cloud storage account after trying out the smart phone, she did not delete the data synchronised to the trial phone (i.e. the data which had been automatically downloaded from the complainant’s Cloud storage to the trial phone after she had logged into her Cloud storage account) before logging out.

The PCPD had therefore sent a letter to the company, suggesting it to remind its customers (by posting notices or otherwise) not to use their online service accounts when trying out devices, and to ensure that data downloaded to the relevant device is deleted before leaving company.

Extended Reading:
Enforcing Data Protection - PCPD 2018-2019 Annual Report (p.75)

Teaching Resource Centre for Teachers and Students

The PCPD has set up a teaching resource centre on the "Children Privacy" thematic website, providing videos, leaflets/booklets, presentation materials and newspaper/publication columns on topics including the application of AI and its privacy impact, protection of personal data privacy, cyberbullying, etc.

Learn more

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.