Skip to content

PCPD e-Newsletter

Facebook Youtube

Privacy Commissioner Mr Stephen Wong delivered a keynote speech titled "Linkage of Data Governance Principles and PDPO" at the iBDG Big Data Governance Launch Event organised by the Institute of Big Data Governance (5 August 2019)

Download the speech

PCPD's website won the Silver Award of " Website Awards 2019"   (22 July 2019)

The PCPD website ( is awarded the Silver Award under the Non-Commercial SME Category of “ Website Awards 2019”. Organised by the Hong Kong Internet Corporation Registration Limited, the Award aims to recognise the remarkable achievements of outstanding ‘.hk’ websites based on the website quality, security and users' experience by assessing the webpage design, innovation and technology used.

Privacy Commissioner responds to media reports on open letter issued by purported PCPD staff (14 August 2019)

Read the statement

China launches new tool to help apps spot privacy flaws

China’s authorities launched an online privacy compliance assessment tool, which offers free online services including corporate privacy policy assessment for mobile apps and self-assessment for personal information protection compliance.

Read more

Study finds most EU cookie ‘consent’ notices are meaningless or manipulative

Many websites have not complied with Europe’s General Data Protection Regulation in obtaining consent before tracking visitors' activities. Even though some of the websites responded by popping up legal disclaimers, people got confused how cookies function.

Read more

EU may extend 'passenger name records' to rail and sea

Governments of the EU member states are considering extending mandatory record-keeping of air passenger data to high-speed rail travel and sea traffic.

Read more

New study suggests parents need to give their kids privacy

A new research found that technology serves parents better if it provides summaries, rather than full access to information the trackers often provide.

Read more

PCPD e-Newsletter readers' survey
Let us know your thoughts and feedback on the contents of the e-newsletter so that we can do better. Please take a few minutes to answer the questions by clicking the button below and email the completed form to We look forward to receiving your valuable feedback  for continuous improvement.

Leave your comment



Professional Workshops on Data Protection (August - December 2019) are now open for enrolment!

The Professional Workshops organised by the PCPD are specifically designed for various practitioners to get up to speed on how to comply with the requirements under the Personal Data (Privacy) Ordinance in handling personal data.

Course details



Data Protection in Direct Marketing Activities (29 August 2019)

Direct marketing is widely adopted by different types of organisations in promoting their products and services. In Hong Kong, the use of personal data in direct marketing activities is governed by the Personal Data (Privacy) Ordinance. Since the new direct marketing regime took effect on 1 April 2013, some companies have been convicted of failing to comply with the requirements, presenting risks to the companies' reputation.

This workshop provides a practical approach to the compliance of the requirements under the Ordinance in direct marketing activities and provides hands-on solutions to problems that marketers face in devising direct marketing activities. Conviction cases will also be shared with the participants.

Enrol now!



Practical Workshop on Data Protection Law (9 September 2019)

The numerous massive data breach incidents involving various sectors in 2018 and this year once again remind us of the importance of understanding the Personal Data (Privacy) Ordinance and the compliance with it. For those who are charged with the responsibility in advising on compliance with the Personal Data (Privacy) Ordinance, or simply would like to find out more about it, this is the workshop you should go for. Data Protection Principles, court cases such as Chan Yim Wah Wallace v New World First Ferry Services Limited [HCPI 820/2013] and recent Administrative Appeals Board cases would be discussed.

Enrol now!

Seminar on Data Protection in Human Resource Management
Limited seats available!

With the courtesy of the Chinese Manufacturers' Association of Hong Kong, a very limited number of seats of the captioned seminar are reserved free of charge exclusively for DPOC members.  Please refer to the details below:

Date: 26 August 2019 (Monday)
Time: 7:00pm – 9:00pm
Venue: 23/F, CMA Building, 64 Connaught Road Central, Hong Kong
Language: Cantonese
Speaker: PCPD representative
Outline: - A general introduction to the the Personal Data (Privacy) Ordinance 
             - Data protection in human resource management

Please enrol by sending your name, name of organisation and DPOC membership number to on or before 23 August 2019.  Seats are offered on a first-come-first-served basis.

Hong Kong Lawyer  August 2019 issue: Data Security

Data security is of great concern in data privacy. Businesses have the added pressure, if not responsibilities, to keep personal data secure by taking "all practicable steps" as required by the law.

Read the article

Guidance on Use of Personal Data Obtained from the Public Domain

Personal data can be accessed and obtained from the public domain through different channels, e.g. a public search engine or a public directory. A data user may do so for compiling information about an individual whom it targets or seeks to identify. This guidance note is intended to assist data users to comply with the requirements under the Personal Data (Privacy) Ordinance when collecting and using personal data from the public domain.

Read publication

Q: What is cloud computing?

A: As mentioned in the "Cloud Computing" Information Leaflet published by the PCPD, "cloud computing" is referred to as a pool of on-demand, shared and configurable computing resources that can be rapidly provided to customers with minimal management efforts or service provider interaction. The cost model is usually based on usage and rental, without any capital investment.

Q: What are the personal data privacy concerns for data users in the use of cloud computing and how to address them?

A: The personal data privacy concerns for data users in the use of cloud computing are largely related to the loss or lack of control over the use, retention/erasure and security of personal data entrusted to cloud providers. Specifically, four control-related characteristics of the cloud computing business model are of particular concern with regard to personal data privacy protection, namely: 1) rapid transborder data flow, 2) loose outsourcing arrangements, 3) standard services and contracts, and 4) service and deployment models. Data users using cloud services are advised to obtain satisfactory assurance from the cloud providers to address these concerns before they entrust personal data to them.

Extended Reading:
Information Leaftlet: Cloud Computing

Data Protection Principle 3 - Use of personal data

A property management company should not have referred a resident to a mental health service organisation by disclosing the resident’s personal data without consent

The Complaint

The Complainant had received a home visit from a mental health service organisation (the organisation), during which he agreed to join the organisation as a member and use its services. The organisation later wrote a report on the Complainant's mental condition. As the report mentioned the details of disputes between the Complainant and his neighbour, the Complainant believed that the data was supplied to the organisation by the management company of his housing estate. Hence, the Complainant complained to the PCPD against the management company for disclosing his personal data to the organisation without his consent.

According to the management company, as the Complainant had a number of disputes with his neighbour, it believed that the organisation might provide appropriate service to the Complainant. Hence, it referred the Complainant to the organisation, which then paid the Complainant a visit at his home. The management company admitted that it had, without the Complainant’s prescribed consent, supplied the Complainant’s background information to the organisation when making the referral.


In view of the disputes between the Complainant and his neighbour, the management company wishfully assumed that the organisation could intervene to provide the Complainant with appropriate assistance and hence improve the situation. However, the management company had not considered the Complainant’s will before referring him and disclosing his personal data to the organisation. The Privacy Commissioner was of the view that the referral did not relate to the original purpose of collection of the Complainant’s personal data by the management company (i.e. for handling disputes among residents of the housing estate), and the management company had not obtained the Complainant’s prescribed consent before disclosure, thus the act of the management company violated Data Protection Principle 3 of the Personal Data (Privacy) Ordinance.

After the PCPD’s intervention, the management company gave written guidelines and verbal instructions to its staff, requiring them to obtain written consent from residents before transferring or releasing residents’ personal data to any third party.

Extended Reading:

Guidance on Property Management Practices


Doing Business Online

How to make sure your organisation complies with the Data Protection Principles of the Personal Data (Privacy) Ordinance while doing business online?

Learn More

Industry-specific Resources 

A number of compliance resources and good practice materials have been developed for specific industries.

Learn More

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong         Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.