Data Protection Law in Hong Kong
Hong Kong’s Data Protection Law offers protection for individuals against an array of privacy-related matters, such as interference with their family, home and correspondence, unlawful collection and use of their personal data for direct marketing, distress or anxiety; disseminating that personal data without their consent or exchange for consideration with third parties without consideration – individuals found breaking these rules could face fines or imprisonment for their transgression.
Businesses must comply with the law by collecting personal data with valid intentions and only processing activities necessary for that purpose. This may prove challenging when multiple business processes use personal data in different ways – especially where these processes may not all connect directly.
Personal data is defined broadly, and must only be collected legally for legitimate reasons, such as providing goods or services or conducting research. According to law, the information gathered must be adequate but not excessive for its original purpose, and accurate and up-to-date. Furthermore, should it be used for other than its initial intended use after being originally gathered then any person whose information it comprises must be informed on or prior to being collected of those other purposes involving his/her data.
An information user must expressly inform data subjects prior to collecting their personal data of its purpose and to whom it may be passed along, in accordance with applicable law. They also have an obligation under this legislation to inform them of their rights of access, correction, deletion and lodgement of a complaint with an independent supervisory authority should any infringement occur.
Direct marketing practices remain a focus for the Data Privacy Commissioner, who conducts investigations and prosecutions related to such practices frequently. A recent example saw an estate agent charged for using their database to send direct marketing material directly to those listed as addresses in their address book.
Data transfers between businesses are commonplace, and companies must understand the regulations surrounding such data transfers to lower business risk and facilitate efficient compliance across their organisations. Padraig Walsh of Tanner De Witt’s Data Privacy practice group discusses some key points regarding personal data transfers.