The Personal Data (Privacy) (Amendment) Ordinance 2012 came into force on 6 July 2012. The amendments will be introduced in three phases. The following is a summary of the major amendments:
Phase 1 – Provisions unrelated to direct marketing or the legal assistance scheme has taken effect from 1 October 2012, for example:
1. Outsourcing Personal Data Processing
If a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user is required to adopt contractual or other means (i) to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data; and (ii) to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
2. Disclosure of Personal Data Obtained Without Data User’s Consent
It is an offence for a person to disclose any personal data of a data subject obtained from a data user without the data user’s consent and with an intent (i) to obtain gain for himself or another person, or (ii) to cause loss to the data subject. It is also an offence if the unauthorised disclosure, irrespective of its intent, causes psychological harm to the data subject. The maximum penalty for these two new offences is a fine of $1,000,000 and imprisonment for 5 years.
3. New exemptions
Subject to specified conditions, personal data may be exempted from the relevant provisions of the data protection principles in connection with the following:
- Due diligence exercises
- Legal proceedings
- Performance of judicial functions
- Provision of identity and location data on health grounds
- Care and guardianship of minors
- Transfer of records to the Government Records Services
- Emergency situations
4. Data Access Requests
A data user is required to comply with a data subject’s request to access his personal data but may refuse to do so on certain specified grounds. Furthermore, a data user is required to respond to a data access request in writing within 40 days even if he does not hold the requested personal data.
5. Time limit for laying information for prosecution
The time limit for laying information for prosecution of an offence under the Personal Data (Privacy) Ordinance (Cap.486) (“PDPO”) has been extended from 6 months to 2 years from the date of commission of the offence.
6. Strengthening the Privacy Commissioner’s enforcement power
The Privacy Commissioner may now serve an enforcement notice irrespective of whether the contravention will continue or be repeated. A heavier penalty for a second or subsequent conviction for contravening an enforcement notice has been introduced.
Phase 2 – Provisions relating to direct marketing shall (tentatively) take effect from 1 April 2013
7. Direct Marketing
A data user who intends to use a data subject’s personal data in direct marketing for his own purposes must provide the data subject with the prescribed information orally or in writing and obtain the data subject’s reply indicating his consent or no objection. If the reply is given orally, the data user must before using the personal data in direct marketing confirm in writing to the data subject within 14 days from the date of receipt of the reply, the permitted kind of personal data and the permitted class of marketing subjects.
A data user can only use or provide a data subject’s personal data to others for use in direct marketing if he has provided the prescribed information and a response channel to the data subject in writing and received a reply in writing from the data subject indicating that the data subject consents or does not object to the data user doing so.
The prescribed information includes the kinds of personal data to be used or provided, the classes of marketing subjects in relation to which the data is to be used for direct marketing and where appropriate the classes of persons to which the data is to be provided for direct marketing purposes. If the personal data is to be provided for gain, the data subject must be so informed.
When using the personal data in direct marketing for the first time, the data user must notify the data subject of his right to require the data user to cease to use or provide his personal data to others for use in direct marketing.
The requirements for a data user to notify the data subject of his intention to use the data subject’s personal data in direct marketing under the new regulatory regime will not apply to the personal data which the data user has, before the commencement of the new provisions, used in direct marketing in compliance with the existing requirements under the PDPO.
Phase 3 – Provisions relating to the legal assistance scheme shall take effect on another subsequent date to be announced
8. Legal assistance to aggrieved individuals
The Privacy Commissioner may grant legal assistance to an aggrieved individual seeking compensation from a data user for damages suffered as a result of the data user’s contravention of a requirement under the PDPO in relation to his personal data.
For details of the amendments and the guidance notes issued by the Office of the Privacy Commissioner, please click here.