Skip to content

DPOC e-Newsletter

Facebook Youtube

New York Governor orders probe into Facebook access to data from other apps

On 22 February, New York Governor Andrew Cuomo ordered two state agencies to investigate a media report that Facebook Inc may be accessing far more personal information than previously known from smartphone users, including health and other sensitive data.

Read more

Scott McNealy : Consumers should own their data and choose who can use it

Personalisation of marketing communications should be driven only from what is proactively shared by consumers with their consent. We should have the expectation as consumers to own our own data, and choose who can use it.

Read more

Supreme Court finds teacher who used camera pen guilty of voyeurism

The Supreme Court of Canada says, teacher who secretly filmed female students' chests with a camera pen is guilty of voyeurism — a ruling that could have an impact on future privacy-related cases.

Read more

Lack of rules leaves experts puzzled about data ownership after death

From photos to personal posts and private messages, social media users leave a long digital trail behind them. But who owns that data when they die?

Read more

Introduction to the Personal Data (Privacy) Ordinance Seminar
Limited seats available for Mar - Jun 2019 seminars!

Sign up now for the introductory seminar on the Personal Data (Privacy) Ordinance to find out more about your obligations as data users and your rights as data subjects. The seminar would walk you through the essence including:

  • A general introduction to the Personal Data (Privacy) Ordinance
  • The six data protection principles
  • Direct marketing
  • Offences & compensation
Enrol now!

Professional Workshop on Data Protection and Data Access Request
(7 Mar 2019)

Are you aware that you can make a request to obtain a copy of your personal data held by an organisation? If you are a data user, do you know the legal obligation in relation to such a request?

This workshop will examine in detail those requirements and offer guidance on how to handle Data Access Requests. Participants will learn how to avoid pitfalls.

Enrol now!

Professional Workshop on Privacy Management Programme
(12 Mar 2019)

The results of recent incidents of the massive data breach by different organisations revealed that it is of paramount importance for organisations to adopt holistic and encompassing Privacy Management Programme to ensure that robust privacy policies and procedures are in place.

This workshop will guide you through the key features of “Privacy Management Programme – A Best Practice Guide”. Participants will be able to understand the baseline fundamentals and components of a Privacy Management Programme  and how to maintain and improve it on an ongoing basis.

Enrol now!

Personal Data Protection Training for Government

Promoting compliance by organisations and the “Protect, Respect Personal Data” culture has always been a key priority for the PCPD. A series of training workshops has been organised recently for staff members of government departments to keep them abreast of the latest development in personal data protection.

Introductory workshops and tailor-made seminars were organised for different departments and grades including law enforcement agencies, clerical and secretarial staff, etc. The most recent one was organised for the Immigration Department, covering various data privacy protection issues and application of the key concepts of the Personal Data (Privacy) Ordinance. Besides, a number of workshops on Privacy Management Programme (PMP) were held for bureaux and departments to equip them with the know-how on how to draw up a PMP manual that suits their needs.

Companies and organisations from both private and public sectors are welcome to contact us for any training need. Simply fill in the form and let us know how we can assist.



DPOC has always been an effective platform where members can share good practices and learn from each other. Recently, HSBC has shared with us its various measures for protecting personal data privacy. Click here to know more!

We cordially invite members to share your strategies and practices in data protection by contributing articles and/or photos of your successful initiatives to us. Please click the below "Share with us" box to let us know your good practice!

Share with us!

"European Union General Data Protection Regulation 2016" booklet

Check out this handy booklet if you want to know how GDPR has put individuals in more control of their data, and how it compares with some of the major requirements under the Personal Data (Privacy) Ordinance.

Read the booklet

Q: Must an employer obtain consent from an employee or ex-employee before giving an employment reference to another employer?

A: Yes, an employer should obtain the prescribed consent (i.e. express consent given voluntarily) from an employee or ex-employee (preferably in writing) before giving an employment reference as disclosure of the employee’s or ex-employee’s employment records (including performance assessment) to another person would constitute a change in the purpose of use of the data, i.e. not directly related to the original employment purpose.

Q: How long should an employer keep the personal data of ex-employees and unsuccessful job applicants?

A: Data Protection Principle 2(2) requires that all practical steps must be taken to ensure that personal data is not kept longer than is necessary to fulfil the purpose for which the data is to be used, or a directly related purpose. In addition, section 26 of the Personal Data (Privacy) Ordinance makes similar provision on erasure of personal data unless it is prohibited under a law or it is in the public interest (including historical interest) for the data not to be erased. In general, an employer should not retain the personal data of a former employee for more than seven years.

However, there may be exceptions that justify a longer period of retention, e.g. for managing any remaining duties in respect of ex-employees under a pension, supernumeration or mandatory provident fund scheme or to defend any legal action brought under the Employees’ Compensation Ordinance.

With regard to an unsuccessful job applicant, his personal data should not be retained for more than two years from the date of rejecting his application, bearing in mind the possible discrimination claims or complaints that may be lodged by an aggrieved applicant. The retention period may go beyond two years if there is a subsisting reason that obligates the employer to do so, or the applicant has given the prescribed consent (i.e. express consent given voluntarily) for the data to be retained beyond two years.

Q: Who is liable for a contravention of the Personal Data (Privacy) Ordinance in relation to employment-related personal data: the employer or the human resource manager?

A: The employer, being the legal person, is generally taken to be the one who has control over the collection, holding, processing and use of the personal data. Hence, the employer shall comply with the Personal Data (Privacy) Ordinance. The Privacy Commissioner may issue an enforcement notice against the employer requiring it to take necessary actions to remedy the breach.


Extended Reading:

Company using the group chat function of “WhatsApp Messenger” to send out a large number of commercial electronic messages to promote its tutor referral service

The Complaint

Summary of Facts

The Complainant’s mobile phone number (the “Number”) and some other mobile phone numbers with the same prefix as the Number were added to a WhatsApp group (the “Group”). The Group administrator then sent a message to the Group promoting tutor referral services. The Complainant was dissatisfied with the administrator for adding the Number to the Group and therefore complained to the PCPD.


Generally speaking, telephone number by itself does not constitute “personal data” under the Personal Data (Privacy) Ordinance because it is not practicable for the identity of an individual to be directly or indirectly ascertained from the telephone number alone. In the incident, it appeared that the administrator created the group by massively adding mobile phone numbers with the same prefix to the Group. It was therefore unlikely that the Group members’ identities were known to the administrator when the promotional message was sent. Hence there was no evidence indicating that this case might involve the use of “personal data” in direct marketing activities, the PCPD was unable to process the complaint further.


A complaint handled by the PCPD must be about an act or practice of a data user which relates to personal data, and may be a contravention of a requirement under the Personal Data (Privacy) Ordinance. The Ordinance does not have applications on cases not involving personal data.

On the other hand, complaints against persons sending commercial electronic messages may be relevant to the Unsolicited Electronic Messages Ordinance (CAP 593), which falls within the regulatory functions of the Office of the Communications Authority (“OFCA”). An individual may consider registering his/her telephone number onto the “Do-Not-Call Register” so as to stop the electronic commercial messages. If he/she still receives electronic commercial messages after registration, he/she may report the suspected contravention to OFCA.


Supporting Events

Know more about the latest supporting events of the PCPD.


Tips for Social Networking Safety

Understand what precautions to take to minimise the privacy risks and help protect yourself when you use social networks.


For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.




The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.