Skip to content

PCPD e-Newsletter

Facebook Youtube

Uphold unique and irreplaceable attributes of “One Country, Two Systems”, advocate privacy accountability and data ethics - Privacy Commissioner speaks at IAPP Asia Privacy Forum in Singapore (15 July 2019)

Read the statement

Privacy Commissioner's response to the display of police officers' personal data in public places
(11 July 2019)

Read the statement

Privacy Commissioner Mr Stephen Wong delivered a presentation titled “How to Address the Challenge of Privacy Posed by Digital Technology?” to the Small and Medium Law Firms Association of Hong Kong (9 July 2019)

Download presentation material (Chinese only)

Privacy Commissioner Mr Stephen Wong delivered a presentation titled "Data Security, Privacy & Trust: The Three Cornerstones of Digital Ecosystem" in “Data Trust & Security Summit” at the Mobile World Congress Shanghai 2019 (28 June 2019)

Download presentation material

UK Information Commissioner’s Office proposed hefty GDPR fines for British Airways and Marriott data breaches

The Information Commissioner’s Office of UK announced its intent to fine British Airways £183,390 million and its intent to fine Marriott International more than £99 million for violations of the General Data Protection Regulation arising out of data breaches.

Read more

Data protection: how privacy can be a benefit, not a burden

With the growing number of data breaches, consumers are becoming increasingly concerned about how their data is used. Organisations can take advantage of this trend by treating data protection and users' privacy as product features.

Read more

Mainland China's buildings are watching how people shop, cook and steal

After Fintech which changes the way people borrow, invest and pay for things, we now have property technology, or proptech - the use of new technologies like big data and machine learning to help individuals and companies buy, sell and manage real estate.

Read more

In life sciences research, 'informed consent' is not enough

The recently issued European Data Protection Board Opinion 3/2019 stipulates that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the European Union General Data Protection Regulation.

Read more



A new series of Professional Workshops on Data Protection (July - December 2019) is now open for enrolment!

The Professional Workshops organised by the PCPD are specifically designed for various practitioners to get up to speed on how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

Pioneering in this new series is a new workshop - Data Protection in Property Management Practices (26 November 2019). Property management professionals and property owners can upgrade their know-how on responsible and lawful handling of personal data. 

Course details Enrol now!

Professional Workshop on Data Protection in Banking/Financial Services (22 July 2019) Final call!

This workshop is designed for banking and financial personnel who wish to acquire knowledge on the requirements under the Personal Data (Privacy) Ordinance in different aspects of the banking and financial services and the practical ways to deal with them effectively in their daily operation.

Highlights of Course Outline:

  • Code of Practice on Consumer Credit Data
  • Accuracy of customers' contact information
  • Outsourcing the processing of personal data
Enrol now!

Professional Workshop on Recent Court and Administrative Appeals Board Decisions (30 July 2019)

This workshop examines some recent decisions of the Hong Kong Court and Administrative Appeals Board which serve as legal authorities and practical examples in solving problems frequently encountered in compliance work. There will be in-depth discussion and up-to-date knowledge transferred to participants on the interpretation of commonly used provisions of the Personal Data (Privacy) Ordinance.

Highlights of Course Outline:

The workshop offers a thorough discussion of the following decisions made by the High Court of Hong Kong and the Administrative Appeals Board:

  • HKSAR v Hong Kong Broadband Network Limited (HCMA 624/2015)
  • HKSAR v Leung Chun-kit Brandon (HCMA 49/2016)
  • AAB 17/2015 and AAB 18/2016
  • AAB 42/2016
  • AAB 40/2016
Enrol now!

Introduction to the Personal Data (Privacy) Ordinance Seminar
July - December 2019 seminars are now open for enrolment!

Sign up now for free for the introductory seminar on the Personal Data (Privacy) Ordinance to find out more about your obligations as data users and your rights as data subjects. The seminar would walk you through the essence including:

  • A general introduction to the Ordinance
  • The six data protection principles
  • Direct Marketing
  • Offences & Compensation
Enrol now!

Information Leaflet: Bring Your Own Device (BYOD)

This leaflet highlights the personal data privacy risks that an organisation needs to be aware of when it develops a BYOD policy, and suggests best practices in allowing employees to use BYOD equipment.

Read publication

Q: Should a property manager record the HKID Card number of visitors?

A: For security reasons, a property manager needs to monitor the entry of visitors, who may visit the building only with permission. If it is not feasible for a property manager to monitor a visitor’s activities inside the building, the recording of his HKID Card number by the property manager at the entrance of the building is allowed under the Code of Practice on the Identity Card Number and other Personal Identifiers issued by the Privacy Commissioner for Personal Data. However, the property manager should, wherever practicable, give the visitor the option to adopt other less privacy-intrusive alternatives than providing his HKID Card number.

Examples of such alternatives include identification of the visitor by the flat occupant concerned. If the property manager has already ascertained the purpose of the visit through confirmation with the occupant (for example the visitor is picked up by the occupant at the lobby), it is not necessary to record the visitor’s HKID Card number as an additional security measure. If a visitor is going to undertake work in the building, the property manager may accept his staff card or work permit as proof of his identity. Collection of HKID Card number should be resorted to only after alternative means of verification is duly considered.

A clear Personal Information Collection Statement and notice of the alternatives to the provision of HKID Card number should be given to visitors.

Q: What should property management bodies consider before posting management notices?

A: Property management bodies should carefully consider and assess the necessity and extent of publishing information containing an individual’s personal data. An individual’s personal data, which is not necessary for the purpose of posting the notice must be edited out. 

While an owners’ corporation is obliged to display in a prominent place in the building a notice containing particulars of the legal proceedings to which the owners’ corporation is a party, it will generally be sufficient for the capacity of the other parties (rather than their names), the case number, the forum of the case, the nature of the case and the amount claimed or remedies sought under the action to be disclosed in such notice. No HKID Card number or contact information of an individual should be displayed in public place.

Excessive disclosure of personal data (e.g. a complaint letter against an owners’ corporation with the telephone number of the complainant) or displaying personal data with ulterior motives (e.g. a name list of owners who have not timely paid the management fee) may therefore contravene the requirements under Data Protection Principle 3(1).

An individual’s personal data is not to be published in management notices unnecessarily, and in particular, no HKID Card number or contact information of an individual is to be displayed in public.

Extended Reading:

Guidance on Property Management Practices

Data Protection Principle 4 - Security of personal data

A medical institution sending email to patients must ensure that the email does not contain other people's personal data

The Complaint

In an email sent to patients (including the Complainant) by a medical institution, a file containing the names, occupations, addresses, names and telephone numbers of emergency contact persons of a large number of patients (including the Complainant) (“the File”) was attached. Therefore, the Complainant filed a complaint with PCPD against the medical institution.

The medical institution explained that when sending electronic Christmas cards to patients using the data in the File, its staff had mistakenly sent the File which was placed together with the electronic Christmas cards on the desktop.


Apparently, by mistakenly sending the file, the medical institution disclosed patients' personal data to unrelated third parties. Following the recommendations of the Privacy Commissioner, the medical institution took the following steps:

(1) requesting through email that the relevant recipients destroy the email;
(2) reviewing the relevant internal guidelines, including using software to set passwords to all files containing patients' personal data;
(3) setting up an internal review procedure to ascertain whether certain data need to be sent; and
(4) applying specified penalties for non-compliance with the guidelines by its staff.

Online Resources Centre

Visit our Online Resources Centre and look for useful guidance notes, information leaflets and other materials by topics.

Learn More

Tips on Log-in Information

Understand what precautions to take to protect your user name and password.

Learn More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

You are receiving our e-Newsletter because you are a current member of the DPOC and it is a membership privilege we provide. If you do not wish to receive the e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.