What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Hong Kong’s Personal Data (Privacy) Ordinance regulates data privacy law in Hong Kong and is based on six data protection principles:
- Purpose and manner of data collection – Collect data in a lawful and fair way for a directly related purpose of the data user; Notify data subjects as to why (i.e. the purpose) the data is being collected, whether it’s required or voluntary to provide the data, the data subject’s right and means to request access to and correct their data, along with the classes of persons the data may be transferred to (ex. HR teams); Collect data which is necessary and not excessive for the purpose.
- Accuracy and duration of retention – Take practical steps to ensure the personal data is accurate and that data is not kept longer than necessary to fulfill the purpose (i.e. data should be destroyed once it has fulfilled its purpose).
- Data use – Use personal data only for the purpose for which it was collected or a directly related purpose, unless you receive voluntary and explicit consent for the new purpose. Note that silence is not considered consent, and that data subjects can withdraw previous consent via written notice.
- Data security – Take practicable steps to safeguard personal information from unauthorized/accidental access, processing, erasure, loss or use.
- Openness and transparency – Take practicable steps to ensure the openness of the company’s personal data policies and practices, the types of collected data (ex. payroll data) and the main purpose(s) the data is used.
- Data access and correction – Give data subjects access to their personal data and allow them to make corrections if the information is inaccurate. If a data subject’s request is refused, provide the reason for the refusal.
In addition to the laws outlined by the Ordinance, the Privacy Commissioner has posted a Code of Practice on Human Resource Management. The code includes specific requirements relating to recruitment and other human resource matters in relation to prospective, current and former employees.
The current authority responsible for enforcement of data privacy law and regulations in Hong Kong is the:
Privacy Commissioner for Personal Data