This is the text of the Hong Kong Personal Data (Privacy) Ordinance, with hypertext (click and jump) links to all paragraph and section cross references, and to the definitions of all terms defined in the Ordinance. For information about the conventions adopted in setting this out, please refer to the separate page.
SCHEDULE 1
DATA PROTECTION PRINCIPLES
1. Principle 1 — purpose and manner of collection of personal data
(1) Personal data shall not be collected unless—
(a) the data are collected for a lawful purpose directly related
to a function or activity of the data user who is to use the
data;
(b) subject to paragraph (c), the collection of the data is
necessary for or directly related to that purpose; and
(c) the data are adequate but not excessive in relation to that
purpose.
(2) Personal data shall be collected by means which are—
(a) lawful; and
(b) fair in the circumstances of the case.
(3) Where the person from whom personal data are or are to be
collected is the data subject all practicable steps shall be taken to
ensure that—
(a) he is explicitly or implicitly informed, on or before
collecting the data, of—
(i) whether it is obligatory or voluntary for him to
supply the data; and
(ii) where it is obligatory for him to supply the data, the
consequences for him if he fails to supply the data;
and
(b) he is explicitly informed—
(i) on or before collecting the data, of—
(A) the purpose (in general or specific terms) for
which the data are to be used; and
(B) the classes of persons to whom the data may be
transferred; and
(ii) on or before first use of the data for the purpose for
which they were collected, of—
(A) his rights to request access to and to request the
correction of the data; and
(B) the name and address of the individual to whom any
such request may be made,
unless to comply with the provisions of this subsection would be likely
to prejudice the purpose for which the data were collected and that
purpose is specified in Part VIII of this Ordinance as a purpose in
relation to which personal data are exempt from the provisions of data
protection principle 6.
2. Principle 2 — accuracy and duration of retention of personal data
(1) All practicable steps shall be taken to ensure that—
(a) personal data are accurate having regard to the purpose
(including any directly related purpose) for which the
personal data are or are to be used;
(b) where there are reasonable grounds for believing that
personal data are inaccurate having regard to the purpose
(including any directly related purpose) for which the data
are or are to be used—
(i) the data are not used for that purpose unless and
until those grounds cease to be
applicable to the data, whether by the rectification
of the data or otherwise, or
(ii) the data are erased;
(c) where it is practicable in all the circumstances of the case
to know that—
(i) personal data disclosed on or after the appointed day
to a third party are materially inaccurate having
regard to the purpose (including any directly
related purpose) for which the data are or are to be
used by the third party; and
(ii) that data were inaccurate at the time of such
disclosure,
that the third party—
(A) is informed that the data are inaccurate; and
(B) is provided with such particulars as will enable the
third party to rectify the data having regard to that
purpose.
(2) Personal data shall not be kept longer than is necessary for the
fulfillment of the purpose (including any directly related purpose) for
which the data are or are to be used.
3. Principle 3 — use of personal data
Personal data shall not, without the prescribed consent of the data
subject, be used for any purpose other than—
(a) the purpose for which the data were to be used at the time
of the collection of the data, or
(b) a purpose directly related to the purpose referred to in
paragraph (a).
4. Principle 4 — security of personal data
All practicable steps shall be taken to ensure that personal data
(including data in a form in which access to or processing of the data
is not practicable) held by a data user are protected against
unauthorized or accidental access, processing, erasure or other use
having particular regard to—
(a) the kind of data and the harm that could result if any of
those things should occur;
(b) the physical location where the data are stored;
(c) any security measures incorporated (whether by automated
means or otherwise) into any equipment in which the data are
stored;
(d) any measures taken for ensuring the integrity, prudence and
competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of
the data.
5. Principle 5 — information to be generally available
All practicable steps shall be taken to ensure that a person can—
(a) ascertain a data user's policies and practices in relation
to personal data;
(b) be informed of the kind of personal data held by a data user;
(c) be informed of the main purposes for which personal data
held by a data user are or are to be used.
6. Principle 6 — access to personal data
A data subject shall be entitled to—
(a) ascertain whether a data user holds personal data of which
he is the data subject;
(b) request access to personal data—
(i) within a reasonable time;
(ii) at a fee, if any, that is not excessive;
(iii) in a reasonable manner; and
(iv) in a form that is intelligible;
(c) be given reasons if a request referred to in paragraph (b)
is refused;
(d) object to a refusal referred to in paragraph (c);
(e) request the correction of personal data;
(f) be given reasons if a request referred to in paragraph (e)
is refused; and
(g) object to a refusal referred to in paragraph (f).