Skip to content

PCPD e-Newsletter

Facebook Youtube

Criminal investigation procedures commenced on 430 cases of online disclosure of personal data in accordance with the law (26 July 2019)


Read the statement

Privacy Commissioner has started reviewing related websites and urges netizens to respect others’ privacy (24 July 2019)

Read the statement

Privacy Commissioner’s response to suspected disclosure of personal data of government officials, legislators and police officers at online discussion forums and instant messaging platforms  (19 July 2019)

Read the statement

Privacy Commissioner Mr Stephen Wong delivered a speech at the Fellowship & Honorary Award Presentation Ceremony and Project M.I. Kick-off Ceremony 2019 organised by Social Enterprise Research Academy
(29 July 2019)


Download the speech

Do businesses really need to be ethical with data?

The application of new technologies to data has the power to transform our lives, but there are also dystopian predictions about the advance of technology that raise complex questions for society. The answers can be found in the concept of data ethics, which is in essence the application of a value judgement to the use of data.

Read more

Top 10 digital transformation trends for 2020

2020 will be defined by a fresh new class of technologies ready to graduate from the sidelines to center stage. Among them: 5G, AI, advanced data analytics, but also some that may surprise you.

Read more

Singapore hopes to groom data protection officers with training framework

The Personal Data Protection Commission in Singapore has released a competency framework and skills roadmap detailing skillsets data protection officers need, and expects more than 500 such professionals to benefit from a year-long pilot training programme.

Read more

Dutch hospital fined under GDPR for medical records access lapses

The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

Read more



Professional Workshops on Data Protection (August - December 2019) are now open for enrolment!

The Professional Workshops organised by the PCPD are specifically designed for various practitioners to get up to speed on how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

Pioneering in this series is a new workshop - Data Protection in Property Management Practices (26 November 2019). Property management professionals and property owners can upgrade their know-how on responsible and lawful handling of personal data. 

Course details Enrol now!



Professional Workshop on Data Protection and Data Access Request (7 August 2019) Final call!

There are stringent requirements for compliance with a Data Access Request ("DAR") under the Personal Data (Privacy) Ordinance. Dealing properly and effectively with a DAR is a challenge for many organisations. In this workshop, participants will learn how to deal with DAR and avoid pitfalls.

Highlights of Course Outline:

- What should a data user do in order to comply with a DAR
- Charges for a DAR
- Grounds for refusing to comply with a DAR
- Protection for third party data when complying with a DAR
- Consequences of breach of the DAR provisions

Enrol now!



Professional Workshop on Privacy Management Programme (15 August 2019)

Privacy and data protection cannot be managed effectively if they are merely treated as a legal compliance issue. Instead, organisational data users should embrace personal data privacy protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation. To this end, the formulation and maintenance of a comprehensive Privacy Management Programme (PMP) is of paramount importance.

Highlights of Course Outline:

- Baseline fundamentals of a PMP
- Ongoing assessment and revision
- How to develop your own PMP

Enrol now!

Seminar on Data Protection in Human Resource Management

By courtesy of the Chinese Manufacturers' Association of Hong Kong, very limited seats of the captioned seminar are reserved free of charge exclusively for members of the Data Protection Officers' Club (DPOC).  Please refer to the details below:

Date: 26 August 2019 (Monday)
Time: 7:00pm – 9:00pm
Venue: 23/F, CMA Building, 64 Connaught Road Central, Hong Kong
Language: Cantonese
Speaker: PCPD representative
Outline: - A general introduction to the the Personal Data (Privacy) Ordinance 
             - Data protection in human resource management

Please enrol by sending your name, name of organisation and DPOC membership number to on or before 10 August 2019.  Seats are offered on a first-come-first-served basis.

Hong Kong Lawyer  July 2019 issue: Blockchain and Data Protection

Blockchain is a technology platform that seeks to facilitate trusted transactions securely. Blockchain is rapidly gaining momentum in its development and acceptance. In this article, the Privacy Commissioner Mr Stephen WONG approaches the subject from a data protection perspective and identifies the possible privacy issues arising from the use of this new technology.

Read the article

"European Union General Data Protection Regulation 2016" booklet

This booklet aims at raising awareness amongst organisations / businesses in Hong Kong of the possible impact of the regulatory framework for data protection in the European Union, as well as comparing some of the major requirements with those set out in the Personal Data (Privacy) Ordinance.

Read publication

Q: Why is a Privacy Impact Assessment (PIA) useful?

A: A PIA is useful in:

  • enabling the decision-maker to adequately consider the impact on personal data privacy before undertaking the project
  • directly addressing the privacy problems identified in the process and providing solutions or safeguards at the design stage
  • providing benchmarks for future privacy compliance audit and control
  • being a cost-effective way of reducing privacy risks
  • providing a credible source of information to allay any privacy concerns from the public and the stakeholders

Q: When should a PIA be undertaken?

A: A PIA should be undertaken by data users in both the public and the private sectors to manage the privacy risks arising from a project that involves:

  • processing (whether by the data user itself or by an agent appointed by the data user) or the building up of a massive amount of personal data;
  • the implementation of privacy-intrusive technologies that might affect a large number of individuals; or
  • a major change in the organisational practices that may result in expanding the amount and scope of personal data to be collected, processed, or shared.

Q: What are the key components that a PIA includes?

A: A PIA generally includes the following key components:

  • Data processing cycle analysis;
  • Privacy risks analysis;
  • Avoiding or mitigating privacy risks; and
  • PIA reporting.

Extended Reading:
Information Leaflet: Privacy Impact Assessments

Data Protection Principle 6 - Requested data included data storing in paper file and computer system

The Complaint

The complainant was an applicant of an assistance scheme provided by an institution. He lodged a data access request with the institution for his personal data contained in the handling records of his application. Given that the institution had only provided the complainant with a copy of documents which was submitted by him at the time of application, he lodged a complaint with the PCPD against the institution for non-compliance with his data access request.


PCPD carried out an inspection to ascertain if the institution held any other records which should have been provided to the complainant. According to the institution, upon receipt of an application for the assistance scheme, they will file the hard copy of the application form and the supporting documents into a paper file. All processing records (e.g. notes of communications between the applicants and the institution, details of assessment made to the applications) will be input into the institution’s computer system. Since the institution had only made reference to the complainant’s paper file upon receipt of his data access request, they overlooked the requested data storing in their computer system and thus did not provide the same to the complainant.

Upon the PCPD’s intervention, the institution furnished the complainant with a printout of the requested data stored in their computer system and also a written apology for the oversight. Data user should bear in mind that the definition of “personal data” means any data “in a form in which access to or processing of the data is practicable” under the Ordinance. This would include both data stored in physical and electronic means. Extra attention should be paid when handling data access requests.

Extended Reading:

Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Doing Business Online

How to make sure your organisation complies with the Data Protection Principles of the Personal Data (Privacy) Ordinance while doing business online?

Learn More

Industry-specific Resources 

A number of compliance resources and good practice materials have developed for specific industries.

Learn More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.