PERSONAL DATA (PRIVACY) ORDINANCE - CHAPTER 486 PERSONAL DATA (PRIVACY) ORDINANCE - LONG TITLE Long title VerDate:30/06/1997 An Ordinance to protect the privacy of individuals in relation to personal data, and to provide for matters incidental thereto or connected therewith. (Enacted 1995) [Part II, section 71 (as affects Schedule 2) and Schedule 2 The other provisions,excluding sections 30 and 33 Section 30 } 1 August 1996 L.N. 343 of 1996 } 20 December 1996 L.N. 514 of 1996 } 1 August 1997 L.N. 409 of 1997] (Originally 81 of 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 1 Short title and commencement VerDate:01/07/2007 For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution. PART I PRELIMINARY (1) This Ordinance may be cited as the Personal Data (Privacy) Ordinance. (2) This Ordinance shall come into operation on a day to be appointed by the Secretary for Constitutional and Mainland Affairs by notice in the Gazette. (Amended L.N. 130 of 2007) (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 1 Short title and commencement VerDate:30/06/1997 PART I PRELIMINARY (1) This Ordinance may be cited as the Personal Data (Privacy) Ordinance. (2) This Ordinance shall come into operation on a day to be appointed by the Secretary for Home Affairs by notice in the Gazette. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 2 Interpretation VerDate:01/12/2006 (1) In this Ordinance, unless the context otherwise requires- "act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes- (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion; "daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under- (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66); (b) the Securities and Futures Commission referred to in section 3(1) of the Securities and Futures Ordinance (Cap 571); (Replaced 5 of 2002 s. 407) (c) a recognized clearing house, a recognized exchange company, a recognized exchange controller or a recognized investor compensation company within the meaning of section 1 of Part 1 of Schedule 1 to the Securities and Futures Ordinance (Cap 571); (Replaced 5 of 2002 s. 407) (d) a person authorized under Part III of the Securities and Futures Ordinance (Cap 571) to provide automated trading services as defined in Schedule 5 to that Ordinance; (Replaced 5 of 2002 s. 407) (e)-(ea) (Repealed 5 of 2002 s. 407) (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (ga) the Mandatory Provident Fund Schemes Authority established by section 6 of the Mandatory Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14) (gb) the Financial Reporting Council established by section 6(1) of the Financial Reporting Council Ordinance (Cap 588); (Added 18 of 2006 s. 84) (h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" (核對程序要求) means a request under section 31(1); "personal data" (個人資料) means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" (個人身分標識符) means an identifier- (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means- (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to- (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than- (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data- (i) under the direct control of the data user; or (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed- (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent- (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes- (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (Amended 34 of 1999 s. 3) (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person- (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3) (Enacted 1995) "act" (作為) "adverse action" (不利行動) "appointed day" (指定日) "approved code of practice" (核准實務守則) "code of practice" (實務守則) "Commissioner" (專員) "Committee" (諮詢委員會) "complainant" (投訴人) "complaint" (投訴) "correction" (改正) "daily penalty" (每日罰款) "data" (資料) "data access request" (查閱資料要求) "data correction request" (改正資料要求) "data protection principle" (保障資料原則) "data subject" (資料當事人) "data user" (資料使用者) "data user return" (資料使用者申報表) "disclosing" (披露) "document" (文件) "employment" (僱用) "enforcement notice" (執行通知) "financial regulator" (財經規管者) "inaccurate" (不準確) "inspection" (視察) "investigation" (調查) "log book" (紀錄簿) "matching procedure" (核對程序) "matching procedure request" (核對程序要求) "personal data" (個人資料) "personal data system" (個人資料系統) "personal identifier" (個人身分標識符) "practicable" (切實可行) "prescribed officer" (訂明人員) "processing" (處理) "register" (登記冊) "relevant data user" (有關資料使用者) "relevant person" (有關人士) "requestor" (提出要求者) "specified" (指明) "third party" (第三者) "use" (使用) "would be likely to prejudice" (相當可能損害) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 2 Interpretation VerDate:01/04/2003 (1) In this Ordinance, unless the context otherwise requires- "act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes- (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion; "daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under- (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66); (b) the Securities and Futures Commission referred to in section 3(1) of the Securities and Futures Ordinance (Cap 571); (Replaced 5 of 2002 s. 407) (c) a recognized clearing house, a recognized exchange company, a recognized exchange controller or a recognized investor compensation company within the meaning of section 1 of Part 1 of Schedule 1 to the Securities and Futures Ordinance (Cap 571); (Replaced 5 of 2002 s. 407) (d) a person authorized under Part III of the Securities and Futures Ordinance (Cap 571) to provide automated trading services as defined in Schedule 5 to that Ordinance; (Replaced 5 of 2002 s. 407) (e)-(ea) (Repealed 5 of 2002 s. 407) (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (ga) the Mandatory Provident Fund Schemes Authority established by section 6 of the Mandatory Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14) (h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" (核對程序要求) means a request under section 31(1); "personal data" (個人資料) means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" (個人身分標識符) means an identifier- (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means- (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to- (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than- (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data- (i) under the direct control of the data user; or (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed- (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent- (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes- (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (Amended 34 of 1999 s. 3) (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person- (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3) (Enacted 1995) "act" (作為) "adverse action" (不利行動) "appointed day" (指定日) "approved code of practice" (核准實務守則) "code of practice" (實務守則) "Commissioner" (專員) "Committee" (諮詢委員會) "complainant" (投訴人) "complaint" (投訴) "correction" (改正) "daily penalty" (每日罰款) "data" (資料) "data access request" (查閱資料要求) "data correction request" (改正資料要求) "data protection principle" (保障資料原則) "data subject" (資料當事人) "data user" (資料使用者) "data user return" (資料使用者申報表) "disclosing" (披露) "document" (文件) "employment" (僱用) "enforcement notice" (執行通知) "financial regulator" (財經規管者) "inaccurate" (不準確) "inspection" (視察) "investigation" (調查) "log book" (紀錄簿) "matching procedure" (核對程序) "matching procedure request" (核對程序要求) "personal data" (個人資料) "personal data system" (個人資料系統) "personal identifier" (個人身分標識符) "practicable" (切實可行) "prescribed officer" (訂明人員) "processing" (處理) "register" (登記冊) "relevant data user" (有關資料使用者) "relevant person" (有關人士) "requestor" (提出要求者) "specified" (指明) "third party" (第三者) "use" (使用) "would be likely to prejudice" (相當可能損害) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 2 Interpretation VerDate:06/03/2000 (1) In this Ordinance, unless the context otherwise requires- "act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes- (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion; "daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under- (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66); (b) the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap 24); (c) a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250) or a recognized clearing house within the meaning of the Securities and Futures (Clearing Houses) Ordinance (Cap 420); (d) the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250); (e) the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap 361); (ea) a recognized exchange controller within the meaning of section 2(1) of the Exchanges and Clearing Houses (Merger) Ordinance (Cap 555); (Added 12 of 2000 s. 23) (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (ga) the Mandatory Provident Fund Schemes Authority established by section 6 of the Mandatory Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14) (h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" (核對程序要求) means a request under section 31(1); "personal data" (個人資料) means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" (個人身分標識符) means an identifier- (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means- (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to- (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than- (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data- (i) under the direct control of the data user; or (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed- (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent- (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes- (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (Amended 34 of 1999 s. 3) (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person- (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3) (Enacted 1995) "act" (作為) "adverse action" (不利行動) "appointed day" (指定日) "approved code of practice" (核准實務守則) "code of practice" (實務守則) "Commissioner" (專員) "Committee" (諮詢委員會) "complainant" (投訴人) "complaint" (投訴) "correction" (改正) "daily penalty" (每日罰款) "data" (資料) "data access request" (查閱資料要求) "data correction request" (改正資料要求) "data protection principle" (保障資料原則) "data subject" (資料當事人) "data user" (資料使用者) "data user return" (資料使用者申報表) "disclosing" (披露) "document" (文件) "employment" (僱用) "enforcement notice" (執行通知) "financial regulator" (財經規管者) "inaccurate" (不準確) "inspection" (視察) "investigation" (調查) "log book" (紀錄簿) "matching procedure" (核對程序) "matching procedure request" (核對程序要求) "personal data" (個人資料) "personal data system" (個人資料系統) "personal identifier" (個人身分標識符) "practicable" (切實可行) "prescribed officer" (訂明人員) "processing" (處理) "register" (登記冊) "relevant data user" (有關資料使用者) "relevant person" (有關人士) "requestor" (提出要求者) "specified" (指明) "third party" (第三者) "use" (使用) "would be likely to prejudice" (相當可能損害) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 2 Interpretation VerDate:03/08/1999 (1) In this Ordinance, unless the context otherwise requires- "act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes- (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion; "daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under- (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66); (b) the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap 24); (c) a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250) or a recognized clearing house within the meaning of the Securities and Futures (Clearing Houses) Ordinance (Cap 420); (d) the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250); (e) the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap 361); (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (ga) the Mandatory Provident Fund Schemes Authority established by section 6 of the Mandatory Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14) (h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" (核對程序要求) means a request under section 31(1); "personal data" (個人資料) means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" (個人身分標識符) means an identifier- (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means- (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to- (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than- (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data- (i) under the direct control of the data user; or (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed- (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent- (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes- (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (Amended 34 of 1999 s. 3) (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person- (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3) (Enacted 1995) "act" (作為) "adverse action" (不利行動) "appointed day" (指定日) "approved code of practice" (核准實務守則) "code of practice" (實務守則) "Commissioner" (專員) "Committee" (諮詢委員會) "complainant" (投訴人) "complaint" (投訴) "correction" (改正) "daily penalty" (每日罰款) "data" (資料) "data access request" (查閱資料要求) "data correction request" (改正資料要求) "data protection principle" (保障資料原則) "data subject" (資料當事人) "data user" (資料使用者) "data user return" (資料使用者申報表) "disclosing" (披露) "document" (文件) "employment" (僱用) "enforcement notice" (執行通知) "financial regulator" (財經規管者) "inaccurate" (不準確) "inspection" (視察) "investigation" (調查) "log book" (紀錄簿) "matching procedure" (核對程序) "matching procedure request" (核對程序要求) "personal data" (個人資料) "personal data system" (個人資料系統) "personal identifier" (個人身分標識符) "practicable" (切實可行) "prescribed officer" (訂明人員) "processing" (處理) "register" (登記冊) "relevant data user" (有關資料使用者) "relevant person" (有關人士) "requestor" (提出要求者) "specified" (指明) "third party" (第三者) "use" (使用) "would be likely to prejudice" (相當可能損害) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 2 Interpretation VerDate:01/07/1997 Adaptation amendments retroactively made - see 34 of 1999 s. 3 (1) In this Ordinance, unless the context otherwise requires- "act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes- (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion; "daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under- (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66); (b) the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap 24); (c) a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250) or a recognized clearing house within the meaning of the Securities and Futures (Clearing Houses) Ordinance (Cap 420); (d) the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250); (e) the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap 361); (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" (核對程序要求) means a request under section 31(1); "personal data" (個人資料) means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" (個人身分標識符) means an identifier- (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means- (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to- (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than- (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data- (i) under the direct control of the data user; or (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed- (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent- (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes- (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (Amended 34 of 1999 s. 3) (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person- (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3) (Enacted 1995) "act" (作為) "adverse action" (不利行動) "appointed day" (指定日) "approved code of practice" (核准實務守則) "code of practice" (實務守則) "Commissioner" (專員) "Committee" (諮詢委員會) "complainant" (投訴人) "complaint" (投訴) "correction" (改正) "daily penalty" (每日罰款) "data" (資料) "data access request" (查閱資料要求) "data correction request" (改正資料要求) "data protection principle" (保障資料原則) "data subject" (資料當事人) "data user" (資料使用者) "data user return" (資料使用者申報表) "disclosing" (披露) "document" (文件) "employment" (僱用) "enforcement notice" (執行通知) "financial regulator" (財經規管者) "inaccurate" (不準確) "inspection" (視察) "investigation" (調查) "log book" (紀錄簿) "matching procedure" (核對程序) "matching procedure request" (核對程序要求) "personal data" (個人資料) "personal data system" (個人資料系統) "personal identifier" (個人身分標識符) "practicable" (切實可行) "prescribed officer" (訂明人員) "processing" (處理) "register" (登記冊) "relevant data user" (有關資料使用者) "relevant person" (有關人士) "requestor" (提出要求者) "specified" (指明) "third party" (第三者) "use" (使用) "would be likely to prejudice" (相當可能損害) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 2 Interpretation VerDate:30/06/1997 (1) In this Ordinance, unless the context otherwise requires- "act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes- (a) a standard; (b) a specification; and (c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion; "daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under- (a) a contract of service or of apprenticeship; or (b) a contract personally to execute any work or labour, and related expressions shall be construed accordingly; "enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66); (b) the Securities and Futures Commission established by section 3 of the Securities and Futures Commission Ordinance (Cap 24); (c) a clearing house within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250) or a recognized clearing house within the meaning of the Securities and Futures (Clearing Houses) Ordinance (Cap 420); (d) the Exchange Company within the meaning of section 2(1) of the Commodities Trading Ordinance (Cap 250); (e) the Exchange Company within the meaning of section 2(1) of the Stock Exchanges Unification Ordinance (Cap 361); (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41); (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section 27(1); "matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data, may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects; "matching procedure request" (核對程序要求) means a request under section 31(1); "personal data" (個人資料) means any data- (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable; "personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system; "personal identifier" (個人身分標識符) means an identifier- (a) that is assigned to an individual by a data user for the purpose of the operations of the user; and (b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise; "register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection; (b) a complaint, means the data user specified in the complaint; (c) an investigation- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint; (ii) in any other case, means the data user the subject of the investigation; (d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means- (a) where the individual is a minor, a person who has parental responsibility for the minor; (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs; (c) in any other case, a person authorized in writing by the individual to make a data access request, a data correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to- (a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request; (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than- (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data- (i) under the direct control of the data user; or (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice. (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed- (a) to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual; (b) to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual. (3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent- (a) means the express consent of the person given voluntarily; (b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served). (4) Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or (b) is contravening a requirement under this Ordinance, includes- (i) where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle; (ii) where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle. (5) Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly. (6) Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1. (7) The Governor may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (8) It is hereby declared that a notice under subsection (7) is subsidiary legislation. (9) Where a person- (a) holds any office, engages in any profession or carries on any occupation; and (b) is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation, then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct. (10) Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies. (11) Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders. (12) A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes. (13) For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Royal Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Enacted 1995) "act" (作為) "adverse action" (不利行動) "appointed day" (指定日) "approved code of practice" (核准實務守則) "code of practice" (實務守則) "Commissioner" (專員) "Committee" (諮詢委員會) "complainant" (投訴人) "complaint" (投訴) "correction" (改正) "daily penalty" (每日罰款) "data" (資料) "data access request" (查閱資料要求) "data correction request" (改正資料要求) "data protection principle" (保障資料原則) "data subject" (資料當事人) "data user" (資料使用者) "data user return" (資料使用者申報表) "disclosing" (披露) "document" (文件) "employment" (僱用) "enforcement notice" (執行通知) "financial regulator" (財經規管者) "inaccurate" (不準確) "inspection" (視察) "investigation" (調查) "log book" (紀錄簿) "matching procedure" (核對程序) "matching procedure request" (核對程序要求) "personal data" (個人資料) "personal data system" (個人資料系統) "personal identifier" (個人身分標識符) "practicable" (切實可行) "prescribed officer" (訂明人員) "processing" (處理) "register" (登記冊) "relevant data user" (有關資料使用者) "relevant person" (有關人士) "requestor" (提出要求者) "specified" (指明) "third party" (第三者) "use" (使用) "would be likely to prejudice" (相當可能損害) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 3 Application VerDate:01/07/1997 (1) This Ordinance binds the Government. (2) (*Not adopted as the laws of HKSAR) (Enacted 1995) ___________________________________________________________________________ ______ Note: * See Decision of the Standing Committee of the National People's Congress on Treatment of the Laws Previously in Force in Hong Kong in accordance with Article 160 of the Basic Law of the Hong Kong Special Administrative Region of the People's Republic of China, which is published in Volume 1, p. 13/1. PERSONAL DATA (PRIVACY) ORDINANCE - SECT 3 Application VerDate:30/06/1997 (1) This Ordinance binds the Government. (2) Where there is any conflict or inconsistency between the provisions of this Ordinance and the provisions of any other Ordinance, then the provisions of this Ordinance shall, to the extent of that conflict or inconsistency, as the case may be, prevail over the provisions of that Ordinance. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 4 Data protection principles VerDate:30/06/1997 A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 5 Establishment, etc. of Privacy Commissioner for Personal Data VerDate:01/07/1997 Adaptation amendments retroactively made - see 34 of 1999 s. 3 PART II ADMINISTRATION (1) For the purposes of this Ordinance, there is hereby established an office by the name of the Privacy Commissioner for Personal Data. (2) The Commissioner shall be a corporation sole with perpetual succession and- (a) shall have and may use a seal; and (b) shall be capable of suing and being sued. (3) The Chief Executive shall, by notice in the Gazette, appoint a person to be the Commissioner. (Amended 34 of 1999 s. 3) (4) Subject to subsection (5), the person appointed to be the Commissioner shall hold office for a period of 5 years and shall be eligible for reappointment for not more than 1 further period of 5 years. (5) The person appointed to be the Commissioner may- (a) at any time resign from his office by notice in writing to the Chief Executive; or (b) be removed from office by the Chief Executive with the approval by resolution of the Legislative Council on the ground of- (i) inability to perform the functions of his office; or (ii) misbehaviour. (Amended 34 of 1999 s. 3) (6) The Chief Executive shall determine- (Amended 34 of 1999 s. 3) (a) the emoluments; and (b) the terms and conditions of appointment, of the person appointed to be the Commissioner. (7) The provisions of Schedule 2 shall have effect with respect to the Commissioner. (8) Subject to subsection (9), the Commissioner shall not be regarded as a servant or agent of the Government or as enjoying any status, immunity or privilege of the Government. (9) The person appointed to be the Commissioner shall be deemed to be a public servant- (a) within the meaning of section 2 of the Prevention of Bribery Ordinance (Cap 201); and (b) for the purposes of that Ordinance. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 5 Establishment, etc. of Privacy Commissioner for Personal Data VerDate:30/06/1997 PART II ADMINISTRATION (1) For the purposes of this Ordinance, there is hereby established an office by the name of the Privacy Commissioner for Personal Data. (2) The Commissioner shall be a corporation sole with perpetual succession and- (a) shall have and may use a seal; and (b) shall be capable of suing and being sued. (3) The Governor shall, by notice in the Gazette, appoint a person to be the Commissioner. (4) Subject to subsection (5), the person appointed to be the Commissioner shall hold office for a period of 5 years and shall be eligible for reappointment for not more than 1 further period of 5 years. (5) The person appointed to be the Commissioner may- (a) at any time resign from his office by notice in writing to the Governor; or (b) be removed from office by the Governor with the approval by resolution of the Legislative Council on the ground of- (i) inability to perform the functions of his office; or (ii) misbehaviour. (6) The Governor shall determine- (a) the emoluments; and (b) the terms and conditions of appointment, of the person appointed to be the Commissioner. (7) The provisions of Schedule 2 shall have effect with respect to the Commissioner. (8) Subject to subsection (9), the Commissioner shall not be regarded as a servant or agent of the Government or as enjoying any status, immunity or privilege of the Government. (9) The person appointed to be the Commissioner shall be deemed to be a public servant- (a) within the meaning of section 2 of the Prevention of Bribery Ordinance (Cap 201); and (b) for the purposes of that Ordinance. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 6 Commissioner to hold no other office VerDate:01/07/1997 Adaptation amendments retroactively made - see 34 of 1999 s. 3 The person appointed to be the Commissioner shall not, without the specific approval of the Chief Executive- (Amended 34 of 1999 s. 3) (a) hold any office of profit other than his office as Commissioner; or (b) engage in any occupation for reward outside the functions of his office. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 6 Commissioner to hold no other office VerDate:30/06/1997 The person appointed to be the Commissioner shall not, without the specific approval of the Governor- (a) hold any office of profit other than his office as Commissioner; or (b) engage in any occupation for reward outside the functions of his office. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 7 Filling of temporary vacancy VerDate:01/07/1997 Adaptation amendments retroactively made - see 34 of 1999 s. 3 (1) Where the person appointed to be the Commissioner- (a) dies; (b) resigns; (c) is removed from office; (d) is absent from Hong Kong; or (e) is for any other reason unable to perform the functions of his office, then the Chief Executive may, by notice in writing, appoint a person to act as the Commissioner until, as the case requires- (Amended 34 of 1999 s. 3) (i) a new Commissioner is appointed under section 5(3); or (ii) the Commissioner resumes his office. (2) A person appointed under subsection (1) to act as the Commissioner, whilst he is so appointed- (a) shall perform the functions; and (b) may exercise the powers, of the Commissioner under this Ordinance. (3) Section 6 shall apply to a person appointed under subsection (1) to act as the Commissioner as if that person were the Commissioner. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 7 Filling of temporary vacancy VerDate:30/06/1997 (1) Where the person appointed to be the Commissioner- (a) dies; (b) resigns; (c) is removed from office; (d) is absent from Hong Kong; or (e) is for any other reason unable to perform the functions of his office, then the Governor may, by notice in writing, appoint a person to act as the Commissioner until, as the case requires- (i) a new Commissioner is appointed under section 5(3); or (ii) the Commissioner resumes his office. (2) A person appointed under subsection (1) to act as the Commissioner, whilst he is so appointed- (a) shall perform the functions; and (b) may exercise the powers, of the Commissioner under this Ordinance. (3) Section 6 shall apply to a person appointed under subsection (1) to act as the Commissioner as if that person were the Commissioner. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 8 Functions and powers of Commissioner VerDate:01/07/1997 Adaptation amendments retroactively made - see 34 of 1999 s. 3 (1) The Commissioner shall- (a) monitor and supervise compliance with the provisions of this Ordinance; (b) promote and assist bodies representing data users to prepare, for the purposes of section 12, codes of practice for guidance in complying with the provisions of this Ordinance, in particular the data protection principles; (c) promote awareness and understanding of, and compliance with, the provisions of this Ordinance, in particular the data protection principles; (d) examine any proposed legislation (including subsidiary legislation) that the Commissioner considers may affect the privacy of individuals in relation to personal data and report the results of the examination to the person proposing the legislation; (e) carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations; (f) for the better performance of his other functions, undertake research into, and monitor developments in, the processing of data and computer technology in order to take account of any likely adverse effects such developments may have on the privacy of individuals in relation to personal data; (g) liaise and co-operate with any person in any place outside Hong Kong- (i) performing in that place any functions which, in the opinion of the Commissioner, are similar (whether in whole or in part) to any of the Commissioner's functions under this Ordinance; and (ii) in respect of matters of mutual interest concerning the privacy of individuals in relation to personal data; and (h) perform such other functions as are imposed on him under this Ordinance or any other enactment. (2) The Commissioner may do all such things as are necessary for, or incidental or conducive to, the better performance of his functions and in particular but without prejudice to the generality of the foregoing, may- (a) acquire and hold property of any description if in the opinion of the Commissioner such property is necessary for- (i) the accommodation of the Commissioner or of any prescribed officer; or (ii) the performance of any function which the Commissioner may perform, and, subject to the terms and conditions upon which such property is held, dispose of it; (b) enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation; (c) undertake and execute any lawful trust which has as an object the furtherance of any function which the Commissioner is required or is permitted by this Ordinance to perform or any other similar object; (d) accept gifts and donations, whether subject to any trust or not; (e) with the prior approval of the Chief Executive, become a member of or affiliate to any international body concerned with (whether in whole or in part) the privacy of individuals in relation to personal data; (Amended 34 of 1999 s. 3) (f) exercise such other powers as are conferred on him under this Ordinance or any other enactment. (3) The Commissioner may make and execute any document in the performance of his functions or the exercise of his powers or in connection with any matter reasonably incidental to or consequential upon the performance of his functions or the exercise of his powers. (4) Any document purporting to be executed under the seal of the Commissioner shall be admitted in evidence and shall, in the absence of evidence to the contrary, be deemed to have been duly executed. (5) The Commissioner may from time to time cause to be prepared and published by notice in the Gazette, for the guidance of data users, guidelines not inconsistent with this Ordinance, indicating the manner in which he proposes to perform any of his functions, or exercise any of his powers, under this Ordinance. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 8 Functions and powers of Commissioner VerDate:30/06/1997 (1) The Commissioner shall- (a) monitor and supervise compliance with the provisions of this Ordinance; (b) promote and assist bodies representing data users to prepare, for the purposes of section 12, codes of practice for guidance in complying with the provisions of this Ordinance, in particular the data protection principles; (c) promote awareness and understanding of, and compliance with, the provisions of this Ordinance, in particular the data protection principles; (d) examine any proposed legislation (including subsidiary legislation) that the Commissioner considers may affect the privacy of individuals in relation to personal data and report the results of the examination to the person proposing the legislation; (e) carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations; (f) for the better performance of his other functions, undertake research into, and monitor developments in, the processing of data and computer technology in order to take account of any likely adverse effects such developments may have on the privacy of individuals in relation to personal data; (g) liaise and co-operate with any person in any place outside Hong Kong- (i) performing in that place any functions which, in the opinion of the Commissioner, are similar (whether in whole or in part) to any of the Commissioner's functions under this Ordinance; and (ii) in respect of matters of mutual interest concerning the privacy of individuals in relation to personal data; and (h) perform such other functions as are imposed on him under this Ordinance or any other enactment. (2) The Commissioner may do all such things as are necessary for, or incidental or conducive to, the better performance of his functions and in particular but without prejudice to the generality of the foregoing, may- (a) acquire and hold property of any description if in the opinion of the Commissioner such property is necessary for- (i) the accommodation of the Commissioner or of any prescribed officer; or (ii) the performance of any function which the Commissioner may perform, and, subject to the terms and conditions upon which such property is held, dispose of it; (b) enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation; (c) undertake and execute any lawful trust which has as an object the furtherance of any function which the Commissioner is required or is permitted by this Ordinance to perform or any other similar object; (d) accept gifts and donations, whether subject to any trust or not; (e) with the prior approval of the Governor, become a member of or affiliate to any international body concerned with (whether in whole or in part) the privacy of individuals in relation to personal data; (f) exercise such other powers as are conferred on him under this Ordinance or any other enactment. (3) The Commissioner may make and execute any document in the performance of his functions or the exercise of his powers or in connection with any matter reasonably incidental to or consequential upon the performance of his functions or the exercise of his powers. (4) Any document purporting to be executed under the seal of the Commissioner shall be admitted in evidence and shall, in the absence of evidence to the contrary, be deemed to have been duly executed. (5) The Commissioner may from time to time cause to be prepared and published by notice in the Gazette, for the guidance of data users, guidelines not inconsistent with this Ordinance, indicating the manner in which he proposes to perform any of his functions, or exercise any of his powers, under this Ordinance. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 9 Staff of Commissioner, etc. VerDate:30/06/1997 (1) The Commissioner may- (a) employ such persons (including technical and professional persons); and (b) engage, other than by way of employment, such technical and professional persons, as he thinks fit to assist him in the performance of his functions, and the exercise of his powers, under this Ordinance. (2) The Commissioner shall determine- (a) the remuneration and terms and conditions of employment of any person, or any person belonging to a class of persons, who may be employed under subsection (1)(a); (b) the remuneration and terms and conditions of engagement of any person, or any person belonging to a class of persons, who may be engaged under subsection (1)(b). (3) The Commissioner may- (a) grant, or make provision for the grant of, pensions, gratuities and retirement benefits to employees; (b) provide other benefits for the welfare of employees and their dependants; (c) authorize payments, whether or not legally due, to the personal representatives of a deceased employee or to any person who was dependent on such employee at his death. (4) The Commissioner may- (a) establish, manage and control; or (b) enter into an arrangement with any company or association for the establishment, management and control by that company or association either alone or jointly with the Commissioner of, any fund or scheme for the purpose of providing for the pensions, gratuities, benefits and payments referred to in subsection (3). (5) The Commissioner may make contributions to and may require employees to make contributions to any fund or scheme referred to in subsection (4). (6) In this section "employees" (僱員) includes any class of employee which the Commissioner specifies and in subsection (3) includes former employees. (Enacted 1995) "employees" (僱員) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 10 Delegations by Commissioner VerDate:30/06/1997 (1) Subject to subsection (2), the Commissioner may delegate in writing any of his functions or powers under this Ordinance to any prescribed officer subject to such terms and conditions, if any, as he thinks fit and specified in the delegation. (2) The Commissioner shall not delegate any of his functions or powers under- (a) subsection (1); (b) any provisions of any regulations made under this Ordinance which are specified in the regulations as provisions which shall not be subject to subsection (1); (c) any provisions of Schedule 2 which are specified in that Schedule as provisions which shall not be subject to subsection (1). (3) A delegate of the Commissioner- (a) shall perform the delegated functions and may exercise the delegated powers as if the delegate were the Commissioner; and (b) shall be presumed to be acting in accordance with the relevant delegation in the absence of evidence to the contrary. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 11 Establishment of Personal Data (Privacy) Advisory Committee VerDate:01/07/2007 For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution. (1) There is hereby established a committee by the name of the Personal Data (Privacy) Advisory Committee for the purpose of advising the Commissioner upon any matter relevant to the privacy of individuals in relation to personal data or otherwise relevant to the operation of this Ordinance. (2) The Committee shall consist of- (a) the Commissioner, who shall be the chairman; and (b) not less than 4 or more than 8 other persons, appointed by the Secretary for Constitutional and Mainland Affairs, of whom- (i) not less than 1 shall have not less than 5 years' experience in the processing of data; and (ii) not more than 1 shall be a public officer. (3) The members of the Committee appointed under subsection (2)(b) shall hold office for such period and upon such terms as the Secretary for Constitutional and Mainland Affairs specifies in their respective appointments or from time to time. (4) A member of the Committee appointed under subsection (2)(b) may resign at any time by notice in writing delivered to the Secretary for Constitutional and Mainland Affairs. (5) The Committee may regulate its procedure. (Enacted 1995. Amended L.N. 130 of 2007) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 11 Establishment of Personal Data (Privacy) Advisory Committee VerDate:30/06/1997 (1) There is hereby established a committee by the name of the Personal Data (Privacy) Advisory Committee for the purpose of advising the Commissioner upon any matter relevant to the privacy of individuals in relation to personal data or otherwise relevant to the operation of this Ordinance. (2) The Committee shall consist of- (a) the Commissioner, who shall be the chairman; and (b) not less than 4 or more than 8 other persons, appointed by the Secretary for Home Affairs, of whom- (i) not less than 1 shall have not less than 5 years' experience in the processing of data; and (ii) not more than 1 shall be a public officer. (3) The members of the Committee appointed under subsection (2)(b) shall hold office for such period and upon such terms as the Secretary for Home Affairs specifies in their respective appointments or from time to time. (4) A member of the Committee appointed under subsection (2)(b) may resign at any time by notice in writing delivered to the Secretary for Home Affairs. (5) The Committee may regulate its procedure. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 12 Approval of codes of practice by Commissioner VerDate:30/06/1997 PART III CODES OF PRACTICE (1) Subject to subsections (8) and (9), for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users, the Commissioner may- (a) approve and issue such codes of practice (whether prepared by him or not) as in his opinion are suitable for that purpose; and (b) approve such codes of practice issued or proposed to be issued otherwise than by him as in his opinion are suitable for that purpose. (2) Where a code of practice is approved under subsection (1), the Commissioner shall, by notice in the Gazette- (a) identify the code concerned and specify the date on which its approval is to take effect; and (b) specify for which of the requirements under this Ordinance the code is so approved. (3) The Commissioner may- (a) from time to time revise the whole or any part of any code of practice prepared by him under this section; and (b) approve any revision or proposed revision of the whole or any part of any code of practice for the time being approved under this section, and the provisions of subsection (2) shall, with the necessary modifications, apply in relation to the approval of any revision under this subsection as they apply in relation to the approval of a code of practice under subsection (1). (4) The Commissioner may at any time withdraw his approval from any code of practice approved under this section. (5) Where under subsection (4) the Commissioner withdraws his approval from a code of practice approved under this section, he shall, by notice in the Gazette, identify the code concerned and specify the date on which his approval of it is to cease to have effect. (6) References in this Ordinance to an approved code of practice are references to that code as it has effect for the time being by virtue of any revision of the whole or any part of it approved under this section. (7) The power of the Commissioner under subsection (1)(b) to approve a code of practice issued or proposed to be issued otherwise than by him shall include power to approve a part of such a code and, accordingly, in this Ordinance "code of practice" (實務守則) may be read as including a part of such a code. (8) The Commissioner shall, not later than 6 months after the day on which this section comes into operation (or within such further period, not exceeding 6 months, as the Secretary for Home Affairs may allow), approve a code of practice under subsection (1) in respect of all or any requirements referred to in that subsection in so far as such requirements relate to personal data which are personal identifiers. (9) The Commissioner shall, before approving a code of practice under subsection (1) or any revision or proposed revision of the code under subsection (3), consult with- (a) such bodies representative of data users to which the code or the code as so revised, as the case may be, will apply (whether in whole or in part); and (b) such other interested persons, as he thinks fit. (10) For the avoidance of doubt, it is hereby declared that different codes of practice may be approved under subsection (1) (including any code of practice referred to in subsection (8)) for different classes of data users, and may be so approved for the same or different requirements referred to in subsection (1). (Enacted 1995) "code of practice" (實務守則) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 13 Use of approved codes of practice in proceedings under this Ordinance VerDate:30/06/1997 (1) A failure on the part of any data user to observe any provision of an approved code of practice shall not of itself render the data user liable to any civil or criminal proceedings but where in any proceedings under this Ordinance a data user is alleged to have contravened a requirement under this Ordinance, being a requirement for which there was an approved code of practice at the time of the alleged contravention, subsection (2) shall have effect with respect to such code in relation to those proceedings. (2) Any provision of a code of practice which appears to a specified body to be relevant to a requirement under this Ordinance alleged to have been contravened shall be admissible in evidence in the proceedings under this Ordinance concerned and if it is proved that there was at any material time a failure to observe any provision of the code which appears to that body to be relevant to any matter which it is necessary to prove in order to establish a contravention of such requirement, that matter shall be taken as proved in the absence of evidence that such requirement was in respect of that matter complied with otherwise than by way of observance of that provision. (3) In any proceedings under this Ordinance, a code of practice which appears to a specified body to be the subject of a notice under section 12 shall be taken to be the subject of such notice in the absence of evidence to the contrary. (4) In this section- "proceedings under this Ordinance" (根據本條例進行的法律程序) includes any criminal proceedings where a data user is alleged to have committed an offence by reason of a contravention of a requirement under this Ordinance; "specified body" (指明當局) means- (a) a magistrate; (b) a court; or (c) the Administrative Appeals Board. (Enacted 1995) "proceedings under this Ordinance" (根據本條例進行的法律程序) "specified body" (指明當局) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 14 Data user returns VerDate:01/07/2007 For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution. PART IV DATA USER RETURNS AND REGISTER OF DATA USERS (1) Subject to subsection (2), the Commissioner may, by notice in the Gazette, specify a class of data users to which this section shall apply. (2) The Commissioner shall, before specifying a class of data users in a notice under subsection (1), consult with- (a) such bodies representative of data users belonging to that class; and (b) such other interested persons, as he thinks fit. (3) This section shall not apply to a data user except a data user belonging to a class of data users specified in a notice under subsection (1) which is in force. (4) A data user shall submit to the Commissioner a data user return- (a) in the specified form; (b) containing the prescribed information required by the return in relation to the data user; (c) in the case of- (i) a data user which belongs to the class of data users concerned on the day on which the notice under subsection (1) specifying that class commences, not earlier than 3 months before, and not later than, each anniversary of that day; (ii) a data user which first belongs to the class of data users concerned on a day after the day on which the notice under subsection (1) specifying that class commences, not earlier than 3 months before, and not later than, each anniversary of that first-mentioned day; and (d) accompanied by the prescribed fee. (5) The Commissioner shall cause a notice to be published not less than once during every period of 6 months- (a) in- (i) the Gazette; and (ii) not less than 1 Chinese language newspaper (and in the Chinese language) and not less than 1 English language newspaper (and in the English language), each of which shall be a newspaper circulating generally in Hong Kong; and (b) subject to subsection (6), specifying the places at which and the hours during which data user returns are available to be obtained by data users for the purposes of this section. (6) The Commissioner shall not exercise his power under subsection (5)(b) to specify places which are Government offices unless and until he has the approval in writing of the Secretary for Constitutional and Mainland Affairs to do so. (Amended L.N. 130 of 2007) (7) The Commissioner shall cause data user returns to be available to be obtained by data users- (a) free of charge; and (b) at the places and during the hours specified in the last notice published under subsection (5). (8) Where any prescribed information contained in a data user return submitted under subsection (4) to the Commissioner by a data user changes subsequent to the submission, then the data user shall serve a notice in writing on the Commissioner specifying such change- (a) if, but only if- (i) such information is specified in the return as information to which this subsection applies; and (ii) the return contains, or has annexed to it- (A) a copy of this subsection; or (B) a statement summarizing the requirement imposed by this subsection on the data user; and (b) not later than 30 days after such change. (9) It is hereby declared that- (a) a notice under subsection (1) is subsidiary legislation; (b) where a data user belongs to 2 or more classes of data users specified in 2 or more notices under subsection (1) which are in force, then, for the purposes of this section, that data user shall be deemed to belong only to that class of data users specified in the first of those notices to be published in the Gazette; and (c) subsection (3) shall not operate to prejudice the generality of section 67(4)(c). (10) In this section and section 15, "prescribed information" (訂明資 訊) means any information specified in Schedule 3. (Enacted 1995) "prescribed information" (訂明資訊) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 14 Data user returns VerDate:30/06/1997 PART IV DATA USER RETURNS AND REGISTER OF DATA USERS (1) Subject to subsection (2), the Commissioner may, by notice in the Gazette, specify a class of data users to which this section shall apply. (2) The Commissioner shall, before specifying a class of data users in a notice under subsection (1), consult with- (a) such bodies representative of data users belonging to that class; and (b) such other interested persons, as he thinks fit. (3) This section shall not apply to a data user except a data user belonging to a class of data users specified in a notice under subsection (1) which is in force. (4) A data user shall submit to the Commissioner a data user return- (a) in the specified form; (b) containing the prescribed information required by the return in relation to the data user; (c) in the case of- (i) a data user which belongs to the class of data users concerned on the day on which the notice under subsection (1) specifying that class commences, not earlier than 3 months before, and not later than, each anniversary of that day; (ii) a data user which first belongs to the class of data users concerned on a day after the day on which the notice under subsection (1) specifying that class commences, not earlier than 3 months before, and not later than, each anniversary of that first-mentioned day; and (d) accompanied by the prescribed fee. (5) The Commissioner shall cause a notice to be published not less than once during every period of 6 months- (a) in- (i) the Gazette; and (ii) not less than 1 Chinese language newspaper (and in the Chinese language) and not less than 1 English language newspaper (and in the English language), each of which shall be a newspaper circulating generally in Hong Kong; and (b) subject to subsection (6), specifying the places at which and the hours during which data user returns are available to be obtained by data users for the purposes of this section. (6) The Commissioner shall not exercise his power under subsection (5)(b) to specify places which are Government offices unless and until he has the approval in writing of the Secretary for Home Affairs to do so. (7) The Commissioner shall cause data user returns to be available to be obtained by data users- (a) free of charge; and (b) at the places and during the hours specified in the last notice published under subsection (5). (8) Where any prescribed information contained in a data user return submitted under subsection (4) to the Commissioner by a data user changes subsequent to the submission, then the data user shall serve a notice in writing on the Commissioner specifying such change- (a) if, but only if- (i) such information is specified in the return as information to which this subsection applies; and (ii) the return contains, or has annexed to it- (A) a copy of this subsection; or (B) a statement summarizing the requirement imposed by this subsection on the data user; and (b) not later than 30 days after such change. (9) It is hereby declared that- (a) a notice under subsection (1) is subsidiary legislation; (b) where a data user belongs to 2 or more classes of data users specified in 2 or more notices under subsection (1) which are in force, then, for the purposes of this section, that data user shall be deemed to belong only to that class of data users specified in the first of those notices to be published in the Gazette; and (c) subsection (3) shall not operate to prejudice the generality of section 67(4)(c). (10) In this section and section 15, "prescribed information" (訂明資 訊) means any information specified in Schedule 3. (Enacted 1995) "prescribed information" (訂明資訊) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 15 Register of data users VerDate:30/06/1997 (1) The Commissioner shall use- (a) data user returns submitted to him under section 14(4); and (b) any notices served on him under section 14(8), to keep and maintain a register of data users which have submitted such returns. (2) The register shall- (a) be in the form of a database; and (b) contain, in respect of each data user who has submitted a data user return under section 14(4), such particulars of the information supplied in that return as the Commissioner thinks fit. (3) The Commissioner may, by notice in writing served on a data user, require the data user to submit a notice in the prescribed form containing such prescribed information in relation to the data user as the Commissioner may reasonably require in order to keep and maintain the register in so far as it relates to that data user, and the data user shall so submit the second-mentioned notice within such period (being a period of not less than 30 days after service of the first-mentioned notice) and in such manner as the Commissioner requires in the first-mentioned notice. (4) Where any prescribed information submitted to the Commissioner under subsection (3) by a data user changes subsequent to the submission, then the data user shall serve a notice in writing on the Commissioner specifying such change- (a) if, but only if- (i) such information is specified in the notice concerned under that subsection as information to which this subsection applies; and (ii) the notice referred to in subparagraph (i) contains, or has annexed to it- (A) a copy of this subsection; or (B) a statement summarizing the requirement imposed by this subsection on the data user; and (b) not later than 30 days after such change. (5) If the Commissioner is satisfied that a person has ceased to be a data user, he may delete from the register any particulars contained therein relating to that person in that person's capacity as a data user. (6) A person who has ceased to be a data user may, by notice in the specified form served on the Commissioner, request the Commissioner to delete from the register the particulars contained therein relating to that person in that person's capacity as a data user, and the Commissioner shall, not later than 3 months after the date on which he receives that notice, comply with that request unless it has been withdrawn by that person. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 16 Inspection of register VerDate:30/06/1997 (1) The Commissioner shall provide facilities for making the particulars contained in the register available for inspection- (a) by any person; (b) in visible and legible form; (c) during ordinary office hours; and (d) free of charge. (2) The Commissioner shall- (a) on receipt of an application in the specified form from a person; and (b) on payment of the prescribed fee, provide a copy in writing of the particulars contained in the register in respect of the data user, or the class of data users, specified in the application. (Enacted 1995) PERSONAL DATA (PRIVACY) ORDINANCE - SECT 17 Register shall not limit, etc. operation of this Ordinance VerDate:30/06/1997 (1) For the avoidance of doubt, it is hereby declared that- (a) whether or not the register contains any particulars; (b) any particulars contained in the register, in respect of a data user shall not of itself- (i) limit, restrict or qualify the operation of any of the provisions of this Ordinance (including section 2(5) and the data protection principles) in relation to the data user; (ii) exempt the data