- Chapter: 486 PERSONAL DATA (PRIVACY) ORDINANCE
- PART I PRELIMINARY
- Section: 1 Short title and commencement
- Section: 2 Interpretation
- Section: 3 Application
- Section: 4 Data protection principles
- PART II ADMINISTRATION
- Section: 5 Establishment, etc. of Privacy Commissioner for Personal Data
- Section: 6 Commissioner to hold no other office
- Section: 7 Filling of temporary vacancy
- Section: 8 Functions and powers of Commissioner
- Section: 9 Staff of Commissioner, etc.
- Section: 10 Delegations by Commissioner
- Section: 11 Establishment of Personal Data (Privacy) Advisory Committee
- PART III CODES OF PRACTICE
- Section: 12 Approval of codes of practice by Commissioner
- Section: 13 Use of approved codes of practice in proceedings under this Ordinance
- PART IV DATA USER RETURNS AND REGISTER OF DATA USERS
- Section: 14 Data user returns
- Section: 15 Register of data users
- Section: 16 Inspection of register
- Section: 17 Register shall not limit, etc. operation of this Ordinance
- PART V ACCESS TO AND CORRECTION OF PERSONAL DATA
- Section: 18 Data access request
- Section: 19 Compliance with data access request
- Section: 20 Circumstances in which data user shall or may refuse to comply with data access request
- Section: 21 Notification of refusal to comply with data access request
- Section: 22 Data correction request
- Section: 23 Compliance with data correction request
- Section: 24 Circumstances in which data user shall or may refuse to comply with data correction request
- Section: 25 Notification of refusal to comply with data correction request,etc.
- Section: 26 Erasure of personal data no longer required
- Section: 27 Log book to be kept by data user
- Section: 28 Imposition of fees by data user
- Section: 29 Service and language of certain notices
- PART VI MATCHING PROCEDURES AND TRANSFERS OF PERSONAL DATA, ETC.
- Section: 30 Matching procedure not to be carried out except with consentof data subject, etc.
- Section: 31 Matching procedure request
- Section: 32 Determination of matching procedure request
- Section: 33 Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances
- Section: 34 Use of personal data in direct marketing
- Section: 35 Repeated collections of personal data in same circumstances
- PART VII INSPECTIONS, COMPLAINTS AND INVESTIGATIONS
- Section: 36 Inspections of personal data systems
- Section: 37 Complaints
- Section: 38 Investigations by Commissioner
- Section: 39 Restrictions on investigations initiated by complaints
- Section: 40 Commissioner may carry out or continue investigation initiated by complaint not withstanding withdrawal ofcomplaint
- Section: 41 Commissioner to inform relevant data user of inspection or investigation
- Section: 42 Power of entry on premises for the purposes of an inspection or investigation
- Section: 43 Proceedings of Commissioner
- Section: 44 Evidence
- Section: 45 Protection of witnesses, etc.
- Section: 46 Commissioner, etc. to maintain secrecy
- Section: 47 Persons to be informed of result of inspection or investigation
- Section: 48 Reports by Commissioner
- Section: 49 Cases in which sections 47 and 48 shall not apply
- Section: 50 Enforcement notices
- PART VIII Cap 486 - PERSONAL DATA (PRIVACY) ORDINANCE 30EXEMPTIONS
- Section: 51 Interpretation
- Section: 52 Domestic purposes
- Section: 53 Employment - staff planning
- Section: 54 Employment - transitional provisions
- Section: 55 Relevant process
- Section: 56 Personal references
- Section: 57 Security, etc. in respect of Hong Kong
- Section: 58 Crime, etc.
- Section: 58A Protected product and relevant records under Interception of Communications and Surveillance Ordinance
- Section: 59 Health
- Section: 60 Legal professional privilege
- Section: 61 News
- Section: 62 Statistics and research
- Section: 63 Exemption from section 18(1)(a)
- Section: 63A Human embryos, etc.
- PART IX OFFENCES AND COMPENSATION
- Section: 64 Offences
- Section: 65 Liability of employers and principals
- Section: 66 Compensation
- PART X MISCELLANEOUS
- Section: 67 Power of Commissioner to specify forms
- Section: 68 Service of notices
- Section: 69 Regulations - fees
- Section: 70 Regulations - general
- Section: 71 Amendment of Schedules 2, 4 and 6
- Section: 72 (Omitted as spent)
- Section: 73 (Omitted as spent)
- Schedule: 1 DATA PROTECTION PRINCIPLES
- Schedule: 2 FINANCES, ETC. OF COMMISSIONER
- Schedule: 3 PRESCRIBED INFORMATION
- Schedule: 4 PROVISIONS OF ORDINANCES UNDER WHICH MATCHING PROCEDURES ARE REQUIRED ORPERMITTED
- Schedule: 5 PRESCRIBED MATTERS
- Schedule: 6
Chapter: | 486 | PERSONAL DATA (PRIVACY) ORDINANCE | Gazette Number | Version Date |
---|
Long title | 30/06/1997 |
---|
An Ordinance to protect the privacy of individuals in relation to personal data, and to provide for matters incidental
thereto or connected therewith. | ||||
---|---|---|---|---|
(Enacted 1995) | ||||
[Part II, section 71 (as affects Schedule 2) and Schedule 2 | } | 1 August 1996 | L.N. 343 of 1996 | |
The other provisions,excluding sections 30 and 33 | } | 20 December 1996 | L.N. 514 of 1996 | |
Section 30 | } | 1 August 1997 | L.N. 409 of 1997] |
(Originally 81 of 1995)
Section: | 1 | Short title and commencement | L.N. 130 of 2007 | 01/07/2007 |
---|
Remarks: For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution.
PART I
PRELIMINARY
- (1) This Ordinance may be cited as the Personal Data (Privacy) Ordinance.
- (2) This Ordinance shall come into operation on a day to be appointed by the Secretary for Constitutional and
Mainland Affairs by notice in the Gazette. (Amended L.N. 130 of 2007) (Enacted 1995)
Section: | 2 | Interpretation | L.N. 204 of 2006 | 01/12/2006 |
---|
(1) In this Ordinance, unless the context otherwise requires"act" (作為) includes a deliberate omission; "adverse action" (不利行動), in relation to an individual, means any action that may adversely affect the individual's
rights, benefits, privileges, obligations or interests (including legitimate expectations); "appointed day" (指定日) means the day appointed under section 1(2); "approved code of practice" (核准實務守則) means a code of practice approved under section 12; "code of practice" (實務守則) includes
- (a) a standard;
- (b) a specification; and
(c) any other documentary form of practical guidance; "Commissioner" (專員) means the Privacy Commissioner for Personal Data established under section 5(1); "Committee" (諮詢委員會) means the Personal Data (Privacy) Advisory Committee established under section 11(1); "complainant" (投訴人) means the individual, or the relevant person on behalf of an individual, who has made a
complaint; "complaint" (投訴) means a complaint under section 37; "correction" (改正), in relation to personal data, means rectification, erasure or completion;
"daily penalty" (每日罰款) means a penalty for each day on which the offence is continued after conviction therefor; "data" (資料) means any representation of information (including an expression of opinion) in any document, and
includes a personal identifier; "data access request" (查閱資料要求) means a request under section 18; "data correction request" (改正資料要求) means a request under section 22(1); "data protection principle" (保障資料原則) means any of the data protection principles set out in Schedule 1; "data subject" (資料當事人), in relation to personal data, means the individual who is the subject of the data; "data user" (資料使用者), in relation to personal data, means a person who, either alone or jointly or in common
with other persons, controls the collection, holding, processing or use of the data; "data user return" (資料使用者申報表) means a data user return referred to in section 14(4); "disclosing" (披露), in relation to personal data, includes disclosing information inferred from the data; "document" (文件) includes, in addition to a document in writing-
- (a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and
- (b) a film, tape or other device in which visual images are embodied so as to be capable, with or without
the aid of some other equipment, of being reproduced from the film, tape or other device; "employment" (僱用) means employment under-
(a) a contract of service or of apprenticeship; or
(b) a contract personally to execute any work or labour,
and related expressions shall be construed accordingly;
"enforcement notice" (執行通知) means a notice under section 50(1); "financial regulator" (財經規管者) means any of
- (a) the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap 66);
- (b) the Securities and Futures Commission referred to in section 3(1) of the Securities and Futures Ordinance (Cap 571); (Replaced 5 of 2002 s. 407)
- (c) a recognized clearing house, a recognized exchange company, a recognized exchange controller or a recognized investor compensation company within the meaning of section 1 of Part 1 of Schedule 1 to the Securities and Futures Ordinance (Cap 571); (Replaced 5 of 2002 s. 407)
- (d) a person authorized under Part III of the Securities and Futures Ordinance (Cap 571) to provide automated trading services as defined in Schedule 5 to that Ordinance; (Replaced 5 of 2002 s. 407) (e)-(ea) (Repealed 5 of 2002 s. 407)
- (f) the Insurance Authority appointed under section 4 of the Insurance Companies Ordinance (Cap 41);
- (g) the Registrar of Occupational Retirement Schemes appointed under section 5 of the Occupational Retirement Schemes Ordinance (Cap 426); (ga) the Mandatory Provident Fund Schemes Authority established by section 6 of the Mandatory Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14)
(gb) the Financial Reporting Council established by section 6(1) of the Financial Reporting Council Ordinance (Cap 588); (Added 18 of 2006 s. 84)
(h) a person specified in a notice under subsection (7) to be a regulator for the purposes of this definition; "inaccurate" (不準確), in relation to personal data, means the data is incorrect, misleading, incomplete or obsolete; "inspection" (視察) means an inspection under section 36; "investigation" (調查) means an investigation under section 38; "log book" (紀錄簿), in relation to a data user, means the log book kept and maintained by the data user under section
27(1);
"matching procedure" (核對程序) means any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects are compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the comparison-
- (a) is (whether in whole or in part) for the purpose of producing or verifying data that; or
- (b) produces or verifies data in respect of which it is reasonable to believe that it is practicable that the data,
may be used (whether immediately or at any subsequent time) for the purpose of taking adverse action against any of those data subjects;
"matching procedure request" (核對程序要求) means a request under section 31(1);
"personal data" (個人資料) means any data-
- (a) relating directly or indirectly to a living individual;
- (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- (c) in a form in which access to or processing of the data is practicable;
"personal data system" (個人資料系統) means any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system;
"personal identifier" (個人身分標識符) means an identifier-
(a) that is assigned to an individual by a data user for the purpose of the operations of the user; and
(b) that uniquely identifies that individual in relation to the data user, but does not include an individual's name used to identify that individual; "practicable" (切實可行) means reasonably practicable; "prescribed officer" (訂明人員) means a person employed or engaged under section 9(1); "processing" (處理), in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise;
"register" (登記冊) means the register of data users kept and maintained by the Commissioner under section 15(1); "relevant data user" (有關資料使用者), in relation to-
- (a) an inspection, means the data user who uses the personal data system which is the subject of the inspection;
- (b) a complaint, means the data user specified in the complaint;
- (c) an investigation
- (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint;
- (ii) in any other case, means the data user the subject of the investigation;
(d) an enforcement notice, means the data user on whom the notice is served; "relevant person" (有關人士), in relation to an individual (howsoever the individual is described), means
- (a) where the individual is a minor, a person who has parental responsibility for the minor;
- (b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs;
- (c) in any other case, a person authorized in writing by the individual to make a data access request, a data
correction request, or both such requests, on behalf of the individual; "requestor" (提出要求者), in relation to-
(a) a data access request or data correction request, means the individual, or the relevant person on behalf of an individual, who has made the request;
- (b) a matching procedure request, means the data user who has made the request; "specified" (指明), in relation to a form, means specified under section 67; "third party" (第三者), in relation to personal data, means any person other than-
- (a) the data subject;
- (b) a relevant person in the case of the data subject;
- (c) the data user; or
- (d) a person authorized in writing by the data user to collect, hold, process or use the data-
- (ii) on behalf of the data user; "use" (使用), in relation to personal data, includes disclose or transfer the data; "would be likely to prejudice" (相當可能損害) includes would prejudice.
- (2) For the avoidance of doubt, it is hereby declared that paragraph (c) of the definition of "relevant person" shall not be construed-
- (a)
- to entitle a person who has only been authorized to make a data access request on behalf of an individual to make a data correction request on behalf of the individual;
- (b)
- to entitle a person who has only been authorized to make a data correction request on behalf of an individual to make a data access request on behalf of the individual.
- (3)
- Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent-
- (a)
- means the express consent of the person given voluntarily;
- (b)
- does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).
- (4)
- Subject to section 64(10), it is hereby declared that any reference in this Ordinance to the effect that a data user (howsoever described)- (a) has contravened a requirement under this Ordinance; or
- (b)
- is contravening a requirement under this Ordinance, includes-
- (i)
- where paragraph (a) is applicable, any case where the data user has done an act, or engaged in a practice, in contravention of a data protection principle;
- (ii)
- where paragraph (b) is applicable, any case where the data user is doing an act, or engaging in a practice, in contravention of a data protection principle.
- (5)
- Notwithstanding any other provisions of this Ordinance, a complaint may be made (and an investigation, if any, initiated by the complaint may be carried out) in relation to a person who has ceased to be a data user except any such person who has not at any time been a data user during the period of 2 years immediately preceding the date on which the Commissioner receives the complaint and, accordingly, a person in relation to whom such a complaint is made shall for the purposes of such complaint (and an investigation, if any, initiated by such complaint) be deemed to be a data user, and the other provisions of this Ordinance shall be construed accordingly.
- (6)
- Any reference in this Ordinance to a data protection principle followed by a number is a reference to the principle bearing that number set out in Schedule 1.
- (7)
- The Chief Executive may, by notice in the Gazette, specify a person to be a regulator for the purposes of the definition of "financial regulator". (Amended 34 of 1999 s. 3)
- (8)
- It is hereby declared that a notice under subsection (7) is subsidiary legislation.
- (9)
- Where a person-
- (a)
- holds any office, engages in any profession or carries on any occupation; and
- (b)
- is required by any law, or by any rules made under or by virtue of any law, to be a fit and proper person (or words to the like effect) to hold that office, engage in that profession or carry on that occupation,
then, for the purposes of this Ordinance, any conduct by that person by virtue of which he ceases, or would cease, to be such a fit and proper person shall be deemed to be seriously improper conduct.
- (10)
- Subsection (9) shall not operate to prevent seriously improper conduct including, for the purposes of this Ordinance, conduct by virtue of which a person ceases, or would cease, to be a fit and proper person notwithstanding that the conduct is not conduct to which that subsection applies.
- (11)
- Words and expressions importing the neuter gender in relation to any data user shall include the masculine and feminine genders.
- (12)
- A person is not a data user in relation to any personal data which the person holds, processes or uses solely on behalf of another person if, but only if, that first-mentioned person does not hold, process or use, as the case may be, those data for any of his own purposes.
- (13)
- For the avoidance of doubt, it is hereby declared that, for the purposes of this Ordinance, any conduct by a person by virtue of which he has or could become a disqualified person or a suspended person under the Rules of Racing and Instructions by the Stewards of the Hong Kong Jockey Club, as in force from time to time, is seriously improper conduct. (Amended 34 of 1999 s. 3)
(Enacted 1995)
- (1)
- This Ordinance binds the Government.
- (2)
- (*Not adopted as the laws of HKSAR)
(Enacted 1995)
Note:
* See Decision of the Standing Committee of the National People's Congress on Treatment of the Laws Previously in Force in Hong Kong in accordance with Article 160 of the Basic Law of the Hong Kong Special Administrative Region of the People's Republic of China, which is published in Volume 1, p. 13/1.
Section: | 4 | Data protection principles | 30/06/1997 |
---|
A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance. (Enacted 1995)
Section: | 5 | Establishment, etc. of Privacy Commissioner for Personal Data | 34 of 1999 | 01/07/1997 |
---|
Remarks:
Adaptation amendments retroactively made - see 34 of 1999 s. 3
PART II
ADMINISTRATION
- (1)
- For the purposes of this Ordinance, there is hereby established an office by the name of the Privacy Commissioner for Personal Data. (2) The Commissioner shall be a corporation sole with perpetual succession and-
- (a)
- shall have and may use a seal; and
- (b)
- shall be capable of suing and being sued.
- (3)
- The Chief Executive shall, by notice in the Gazette, appoint a person to be the Commissioner. (Amended 34 of 1999 s. 3)
- (4)
- Subject to subsection (5), the person appointed to be the Commissioner shall hold office for a period of 5 years and shall be eligible for reappointment for not more than 1 further period of 5 years.
- (5)
- The person appointed to be the Commissioner may
- (a)
- at any time resign from his office by notice in writing to the Chief Executive; or
- (b)
- be removed from office by the Chief Executive with the approval by resolution of the Legislative Council on the ground of
- (i)
- inability to perform the functions of his office; or
- (ii)
- misbehaviour. (Amended 34 of 1999 s. 3)
- (6)
- The Chief Executive shall determine- (Amended 34 of 1999 s. 3)
- (b)
- the terms and conditions of appointment, of the person appointed to be the Commissioner. (7) The provisions of Schedule 2 shall have effect with respect to the Commissioner.
- (8)
- Subject to subsection (9), the Commissioner shall not be regarded as a servant or agent of the Government or as enjoying any status, immunity or privilege of the Government.
(9) The person appointed to be the Commissioner shall be deemed to be a public servant-
- (a)
- within the meaning of section 2 of the Prevention of Bribery Ordinance (Cap 201); and
- (b)
- for the purposes of that Ordinance. (Enacted 1995)
Section: | 6 | Commissioner to hold no other office | 34 of 1999 | 01/07/1997 |
---|
Remarks:
Adaptation amendments retroactively made - see 34 of 1999 s. 3
Cap 486 - PERSONAL DATA (PRIVACY) ORDINANCE
The person appointed to be the Commissioner shall not, without the specific approval of the Chief Executive- (Amended 34 of 1999 s. 3)
- (a)
- hold any office of profit other than his office as Commissioner; or
- (b)
- engage in any occupation for reward outside the functions of his office. (Enacted 1995)
Remarks:
Adaptation amendments retroactively made - see 34 of 1999 s. 3
(1) Where the person appointed to be the Commissioner-
- (a)
- dies;
- (b)
- resigns;
- (c)
- is removed from office;
- (d)
- is absent from Hong Kong; or
- (e)
- is for any other reason unable to perform the functions of his office, then the Chief Executive may, by notice in writing, appoint a person to act as the Commissioner until, as the case requires-(Amended 34 of 1999 s. 3)
- (i)
- a new Commissioner is appointed under section 5(3); or
- (ii)
- the Commissioner resumes his office.
- (b)
- may exercise the powers, of the Commissioner under this Ordinance.
(3) Section 6 shall apply to a person appointed under subsection (1) to act as the Commissioner as if that person
were the Commissioner. (Enacted 1995)
Remarks:
Adaptation amendments retroactively made - see 34 of 1999 s. 3
(1) The Commissioner shall-
- (a)
- monitor and supervise compliance with the provisions of this Ordinance;
- (b)
- promote and assist bodies representing data users to prepare, for the purposes of section 12, codes of practice for guidance in complying with the provisions of this Ordinance, in particular the data protection principles;
- (c)
- promote awareness and understanding of, and compliance with, the provisions of this Ordinance, in particular the data protection principles;
- (d)
- examine any proposed legislation (including subsidiary legislation) that the Commissioner considers may affect the privacy of individuals in relation to personal data and report the results of the examination to the person proposing the legislation;
- (e)
- carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations;
- (f)
- for the better performance of his other functions, undertake research into, and monitor developments in, the processing of data and computer technology in order to take account of any likely adverse effects such developments may have on the privacy of individuals in relation to personal data;
- (g)
- liaise and co-operate with any person in any place outside Hong Kong
- (i)
- performing in that place any functions which, in the opinion of the Commissioner, are similar (whether in whole or in part) to any of the Commissioner's functions under this Ordinance; and
- (ii)
- in respect of matters of mutual interest concerning the privacy of individuals in relation to personal data; and
- (h)
- perform such other functions as are imposed on him under this Ordinance or any other enactment.
- (2) The Commissioner may do all such things as are necessary for, or incidental or conducive to, the better performance of his functions and in particular but without prejudice to the generality of the foregoing, may-
- (a) acquire and hold property of any description if in the opinion of the Commissioner such property is necessary for-
- (i) the accommodation of the Commissioner or of any prescribed officer; or
- (ii) the performance of any function which the Commissioner may perform, and, subject to the terms and conditions upon which such property is held, dispose of it;
- (b) enter into, carry out, assign or accept the assignment of, vary or rescind, any contract, agreement or other obligation;
- (c) undertake and execute any lawful trust which has as an object the furtherance of any function which the Commissioner is required or is permitted by this Ordinance to perform or any other similar object;
- (d) accept gifts and donations, whether subject to any trust or not;
- (e) with the prior approval of the Chief Executive, become a member of or affiliate to any international body concerned with (whether in whole or in part) the privacy of individuals in relation to personal data; (Amended 34 of 1999 s. 3)
- (f) exercise such other powers as are conferred on him under this Ordinance or any other enactment.
- (3) The Commissioner may make and execute any document in the performance of his functions or the exercise of his powers or in connection with any matter reasonably incidental to or consequential upon the performance of his functions or the exercise of his powers.
- (4) Any document purporting to be executed under the seal of the Commissioner shall be admitted in evidence and shall, in the absence of evidence to the contrary, be deemed to have been duly executed.
- (5) The Commissioner may from time to time cause to be prepared and published by notice in the Gazette, for the guidance of data users, guidelines not inconsistent with this Ordinance, indicating the manner in which he proposes to perform any of his functions, or exercise any of his powers, under this Ordinance.
(Enacted 1995)
(1) The Commissioner may
(a) employ such persons (including technical and professional persons); and
(b) engage, other than by way of employment, such technical and professional persons, as he thinks fit to assist him in the performance of his functions, and the exercise of his powers, under this Ordinance.
- (2) The Commissioner shall determine-
- (a) the remuneration and terms and conditions of employment of any person, or any person belonging to a class of persons, who may be employed under subsection (1)(a);
- (b) the remuneration and terms and conditions of engagement of any person, or any person belonging to a class of persons, who may be engaged under subsection (1)(b).
- (3) The Commissioner may
- (a) grant, or make provision for the grant of, pensions, gratuities and retirement benefits to employees;
- (b) provide other benefits for the welfare of employees and their dependants;
- (c) authorize payments, whether or not legally due, to the personal representatives of a deceased employee or to any person who was dependent on such employee at his death.
- (4) The Commissioner may
- (a) establish, manage and control; or
- (b) enter into an arrangement with any company or association for the establishment, management and
control by that company or association either alone or jointly with the Commissioner of, any fund or scheme for the purpose of providing for the pensions, gratuities, benefits and payments referred to in subsection (3).
(5) The Commissioner may make contributions to and may require employees to make contributions to any fund or scheme referred to in subsection (4).
(6) In this section "employees" (僱員) includes any class of employee which the Commissioner specifies and
in subsection (3) includes former employees. (Enacted 1995)
Section: | 10 | Delegations by Commissioner | 30/06/1997 |
---|
(1) Subject to subsection (2), the Commissioner may delegate in writing any of his functions or powers under this Ordinance to any prescribed officer subject to such terms and conditions, if any, as he thinks fit and specified in the delegation.
- (2)
- The Commissioner shall not delegate any of his functions or powers under-
- (a)
- subsection (1);
- (b)
- any provisions of any regulations made under this Ordinance which are specified in the regulations as provisions which shall not be subject to subsection (1);
- (c)
- any provisions of Schedule 2 which are specified in that Schedule as provisions which shall not be subject to subsection (1).
- (3)
- A delegate of the Commissioner-
- (a)
- shall perform the delegated functions and may exercise the delegated powers as if the delegate were the Commissioner; and
- (b)
- shall be presumed to be acting in accordance with the relevant delegation in the absence of evidence to
the contrary. (Enacted 1995)
Section: | 11 | Establishment of Personal Data (Privacy) Advisory Committee | L.N. 130 of 2007 | 01/07/2007 |
---|
Remarks: For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution.
- (1)
- There is hereby established a committee by the name of the Personal Data (Privacy) Advisory Committee for the purpose of advising the Commissioner upon any matter relevant to the privacy of individuals in relation to personal data or otherwise relevant to the operation of this Ordinance. (2) The Committee shall consist of-
- (a)
- the Commissioner, who shall be the chairman; and
- (b)
- not less than 4 or more than 8 other persons, appointed by the Secretary for Constitutional and Mainland Affairs, of whom-
- (i)
- not less than 1 shall have not less than 5 years' experience in the processing of data; and
- (ii)
- not more than 1 shall be a public officer.
- (3)
- The members of the Committee appointed under subsection (2)(b) shall hold office for such period and upon such terms as the Secretary for Constitutional and Mainland Affairs specifies in their respective appointments or from time to time.
- (4)
- A member of the Committee appointed under subsection (2)(b) may resign at any time by notice in writing delivered to the Secretary for Constitutional and Mainland Affairs.
(5) The Committee may regulate its procedure. (Enacted 1995. Amended L.N. 130 of 2007)
Section: | 12 | Approval of codes of practice by Commissioner | 30/06/1997 |
---|
PART III
CODES OF PRACTICE
- (1)
- Subject to subsections (8) and (9), for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users, the Commissioner may
- (a)
- approve and issue such codes of practice (whether prepared by him or not) as in his opinion are suitable for that purpose; and
- (b)
- approve such codes of practice issued or proposed to be issued otherwise than by him as in his opinion are suitable for that purpose.
- (2)
- Where a code of practice is approved under subsection (1), the Commissioner shall, by notice in the Gazette-
- (a) identify the code concerned and specify the date on which its approval is to take effect; and
- (b) specify for which of the requirements under this Ordinance the code is so approved.
(3) The Commissioner may
- (a) from time to time revise the whole or any part of any code of practice prepared by him under this section; and
- (b) approve any revision or proposed revision of the whole or any part of any code of practice for the time
being approved under this section, and the provisions of subsection (2) shall, with the necessary modifications, apply in relation to the approval of any revision under this subsection as they apply in relation to the approval of a code of practice under subsection (1).
- (4) The Commissioner may at any time withdraw his approval from any code of practice approved under this section.
- (5) Where under subsection (4) the Commissioner withdraws his approval from a code of practice approved under this section, he shall, by notice in the Gazette, identify the code concerned and specify the date on which his approval of it is to cease to have effect.
- (6) References in this Ordinance to an approved code of practice are references to that code as it has effect for the time being by virtue of any revision of the whole or any part of it approved under this section.
- (7) The power of the Commissioner under subsection (1)(b) to approve a code of practice issued or proposed to be issued otherwise than by him shall include power to approve a part of such a code and, accordingly, in this Ordinance "code of practice" (實務守則) may be read as including a part of such a code.
- (8) The Commissioner shall, not later than 6 months after the day on which this section comes into operation (or within such further period, not exceeding 6 months, as the Secretary for Home Affairs may allow), approve a code of practice under subsection (1) in respect of all or any requirements referred to in that subsection in so far as such requirements relate to personal data which are personal identifiers.
- (9) The Commissioner shall, before approving a code of practice under subsection (1) or any revision or proposed revision of the code under subsection (3), consult with (a) such bodies representative of data users to which the code or the code as so revised, as the case may be, will apply (whether in whole or in part); and
- (b) such other interested persons, as he thinks fit.
- (10)
- For the avoidance of doubt, it is hereby declared that different codes of practice may be approved under subsection (1) (including any code of practice referred to in subsection (8)) for different classes of data users, and may be so approved for the same or different requirements referred to in subsection (1). (Enacted 1995)
- (1) A failure on the part of any data user to observe any provision of an approved code of practice shall not of itself render the data user liable to any civil or criminal proceedings but where in any proceedings under this Ordinance a data user is alleged to have contravened a requirement under this Ordinance, being a requirement for which there was an approved code of practice at the time of the alleged contravention, subsection (2) shall have effect with respect to such code in relation to those proceedings.
- (2) Any provision of a code of practice which appears to a specified body to be relevant to a requirement under this Ordinance alleged to have been contravened shall be admissible in evidence in the proceedings under this Ordinance concerned and if it is proved that there was at any material time a failure to observe any provision of the code which appears to that body to be relevant to any matter which it is necessary to prove in order to establish a contravention of such requirement, that matter shall be taken as proved in the absence of evidence that such requirement was in respect of that matter complied with otherwise than by way of observance of that provision.
- (3) In any proceedings under this Ordinance, a code of practice which appears to a specified body to be the subject of a notice under section 12 shall be taken to be the subject of such notice in the absence of evidence to the contrary.
(4) In this section-
"proceedings under this Ordinance" (根據本條例進行的法律程序) includes any criminal proceedings where a data user is alleged to have committed an offence by reason of a contravention of a requirement under this Ordinance; "specified body" (指明當局) means
- (a) a magistrate;
- (b) a court; or
- (c) the Administrative Appeals Board. (Enacted 1995)
Remarks: For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution.
PART IV
DATA USER RETURNS AND REGISTER OF DATA USERS
- (1) Subject to subsection (2), the Commissioner may, by notice in the Gazette, specify a class of data users to which this section shall apply.
- (2) The Commissioner shall, before specifying a class of data users in a notice under subsection (1), consult with- (a) such bodies representative of data users belonging to that class; and
- (b) such other interested persons, as he thinks fit.
- (3) This section shall not apply to a data user except a data user belonging to a class of data users specified in a notice under subsection (1) which is in force.
- (4) A data user shall submit to the Commissioner a data user return-
- (a) in the specified form;
- (b) containing the prescribed information required by the return in relation to the data user;
- (c) in the case of-
- (i) a data user which belongs to the class of data users concerned on the day on which the notice under subsection (1) specifying that class commences, not earlier than 3 months before, and not later than, each anniversary of that day;
- (ii) a data user which first belongs to the class of data users concerned on a day after the day on which the notice under subsection (1) specifying that class commences, not earlier than 3 months before, and not later than, each anniversary of that first-mentioned day; and
- (d) accompanied by the prescribed fee.
- (5) The Commissioner shall cause a notice to be published not less than once during every period of 6 months-
- (a) in-
- (i) the Gazette; and
- (ii) not less than 1 Chinese language newspaper (and in the Chinese language) and not less than 1 English language newspaper (and in the English language), each of which shall be a newspaper circulating generally in Hong Kong; and
- (b) subject to subsection (6), specifying the places at which and the hours during which data user returns are available to be obtained by data users for the purposes of this section.
- (6) The Commissioner shall not exercise his power under subsection (5)(b) to specify places which are Government offices unless and until he has the approval in writing of the Secretary for Constitutional and Mainland Affairs to do so. (Amended L.N. 130 of 2007) (7) The Commissioner shall cause data user returns to be available to be obtained by data users-
- (a) free of charge; and
- (b) at the places and during the hours specified in the last notice published under subsection (5).
- (8) Where any prescribed information contained in a data user return submitted under subsection (4) to the Commissioner by a data user changes subsequent to the submission, then the data user shall serve a notice in writing on the Commissioner specifying such change-
- (a) if, but only if-
- (i) such information is specified in the return as information to which this subsection applies; and
- (ii) the return contains, or has annexed to it
- (A) a copy of this subsection; or
- (B) a statement summarizing the requirement imposed by this subsection on the data user; and
- (b) not later than 30 days after such change.
- (9) It is hereby declared that
- (a) a notice under subsection (1) is subsidiary legislation;
- (b) where a data user belongs to 2 or more classes of data users specified in 2 or more notices under subsection (1) which are in force, then, for the purposes of this section, that data user shall be deemed to belong only to that class of data users specified in the first of those notices to be published in the Gazette; and
- (c) subsection (3) shall not operate to prejudice the generality of section 67(4)(c).
- (10)
- In this section and section 15, "prescribed information" (訂明資訊) means any information specified in
Schedule 3. (Enacted 1995)
(1) The Commissioner shall use
(a) data user returns submitted to him under section 14(4); and
- (b) any notices served on him under section 14(8), to keep and maintain a register of data users which have submitted such returns. (2) The register shall-
- (a) be in the form of a database; and
- (b) contain, in respect of each data user who has submitted a data user return under section 14(4), such particulars of the information supplied in that return as the Commissioner thinks fit.
- (3) The Commissioner may, by notice in writing served on a data user, require the data user to submit a notice in the prescribed form containing such prescribed information in relation to the data user as the Commissioner may reasonably require in order to keep and maintain the register in so far as it relates to that data user, and the data user shall so submit the second-mentioned notice within such period (being a period of not less than 30 days after service of the first-mentioned notice) and in such manner as the Commissioner requires in the first-mentioned notice.
- (4) Where any prescribed information submitted to the Commissioner under subsection (3) by a data user changes subsequent to the submission, then the data user shall serve a notice in writing on the Commissioner specifying such change-
- (a) if, but only if-
- (i) such information is specified in the notice concerned under that subsection as information to which this subsection applies; and
- (ii) the notice referred to in subparagraph (i) contains, or has annexed to it
- (A) a copy of this subsection; or
- (B) a statement summarizing the requirement imposed by this subsection on the data user; and
- (b) not later than 30 days after such change.
- (5) If the Commissioner is satisfied that a person has ceased to be a data user, he may delete from the register any particulars contained therein relating to that person in that person's capacity as a data user.
- (6) A person who has ceased to be a data user may, by notice in the specified form served on the Commissioner, request the Commissioner to delete from the register the particulars contained therein relating to that person in that person's capacity as a data user, and the Commissioner shall, not later than 3 months after the date on which he receives that notice, comply with that request unless it has been withdrawn by that person. (Enacted 1995)
- (1) The Commissioner shall provide facilities for making the particulars contained in the register available for inspection-
- (a) by any person;
- (b) in visible and legible form;
- (c)
- during ordinary office hours; and
- (d)
- free of charge.
- (b)
- on payment of the prescribed fee, provide a copy in writing of the particulars contained in the register in respect of the data user, or the class of data users, specified in the application.
(Enacted 1995)
Section: | 17 | Register shall not limit, etc. operation of this Ordinance | 30/06/1997 |
---|
(1) For the avoidance of doubt, it is hereby declared that-
(a) whether or not the register contains any particulars;
(b) any particulars contained in the register, in respect of a data user shall not of itself-
- (i)
- limit, restrict or qualify the operation of any of the provisions of this Ordinance (including section 2(5) and the data protection principles) in relation to the data user;
- (ii)
- exempt the data user from the operation of any of the provisions of this Ordinance.
(2) Subsection (1) shall not prejudice the operation of any limitation, restriction, qualification or exemption
provided for in the other provisions of this Ordinance. (Enacted 1995)
Section: | 18 | Data access request | 30/06/1997 |
---|
PART V
ACCESS TO AND CORRECTION OF PERSONAL DATA
(1) An individual, or a relevant person on behalf of an individual, may make a request-
- (a)
- to be informed by a data user whether the data user holds personal data of which the individual is the data subject;
- (b)
- if the data user holds such data, to be supplied by the data user with a copy of such data.
- (2)
- A data access request under both paragraphs of subsection (1) shall be treated as being a single request, and the provisions of this Ordinance shall be construed accordingly.
- (3)
- A data access request under paragraph (a) of subsection (1) may, in the absence of evidence to the contrary, be treated as being a data access request under both paragraphs of that subsection, and the provisions of this Ordinance (including subsection (2)) shall be construed accordingly.
(4) A data user who, in relation to personal data-
- (a)
- does not hold the data; but
- (b)
- controls the use of the data in such a way as to prohibit the data user who does hold the data from
complying (whether in whole or in part) with a data access request which relates to the data, shall be deemed to hold those data, and the provisions of this Ordinance (including this section) shall be construed accordingly.
(Enacted 1995)
Section: | 19 | Compliance with data access request | 30/06/1997 |
---|
- (1)
- Subject to subsection (2) and sections 20 and 28(5), a data user shall comply with a data access request not later than 40 days after receiving the request.
- (2)
- A data user who is unable to comply with a data access request within the period specified in subsection (1) shall-
(a) before the expiration of that period-
- (i)
- by notice in writing inform the requestor that the data user is so unable and of the reasons why the data user is so unable; and
- (ii)
- comply with the request to the extent, if any, that the data user is able to comply with the request;
and
(b) as soon as practicable after the expiration of that period, comply or fully comply, as the case may be, with the request.
- (3)
- A copy of the personal data to be supplied by a data user in compliance with a data access request shall
- (a)
- be supplied by reference to the data at the time when the request is received except that the copy may take account of-
- (i)
- any processing of the data-
- (A)
- made between that time and the time when the copy is supplied; and
- (B)
- that would have been made irrespective of the receipt of the request; and
- (ii)
- subject to subsection (5), any correction to the data made between that time and the time when the copy is supplied;
- (b)
- where any correction referred to paragraph (a)(ii) has been made to the data, be accompanied by a notice stating that the data have been corrected pursuant to that paragraph (or words to the like effect); and
- (c)
- as far as practicable, be-
- (i)
- intelligible unless the copy is a true copy of a document which
- (A)
- contains the data; and
- (B)
- is unintelligible on its face;
- (ii)
- readily comprehensible with any codes used by the data user adequately explained; and
- (A)
- subject to sub-subparagraph (B), the language specified in the request or, if no language is so specified, the language in which the request is made (which may be the Chinese or English language in either case);
- (B)
- a language other than the language specified in the request or, if no language is so specified, the language in which the request is made, if, but only if-
- (I)
- the language in which the data are held is not the language specified in the request or, if no language is so specified, the language in which the request is made, as the case may be; and
- (II)
- subject to section 20(2)(b), the copy is a true copy of a document which contains the data;
- (iv)
- without prejudice to the generality of subparagraph (iii) but subject to subsection (4), be in the form, or one of the forms, if any, specified in the request;
- (v)
- where subparagraph (iv) is not applicable, in such form as the data user thinks fit.
- (4)
- Where
- (a)
- a data access request specifies the form or forms in which a copy of the personal data to be supplied in compliance with the request is or are sought; and
- (b)
- the data user concerned is unable to supply the copy in that form or any of those forms, as the case
may be, because it is not practicable for the data user to do so, then the data user shall
- (i)
- where there is only one form in which it is practicable for the data user to supply the copy, supply the copy in that form accompanied by a notice in writing informing the requestor that that form is the only form in which it is practicable for the data user to supply the copy;
- (ii)
- in any other case
- (A)
- as soon as practicable, by notice in writing inform the requestor-
- (I)
- that it is not practicable for the data user to supply the copy in the form or any of the forms, as the case may be, specified in the request;
- (II)
- of the forms in which it is practicable for the data user to supply the copy; and
- (B)
- as soon as practicable, supply the copy
- (I)
- in the form specified in the response, if any, to the notice referred to in subparagraph (A);
- (II)
- if there is no such response within the period specified in subparagraph (A)(III), supply the copy in any one of the forms referred to in subparagraph (A)(II) as the data user thinks fit.
(5) Subparagraph (ii) of paragraph (a) and paragraph (b) of subsection (3) shall expire on the 1st anniversary of
the appointed day.
(Enacted 1995)
- (1)
- A data user shall refuse to comply with a data access request-
- (a)
- if the data user is not supplied with such information as the data user may reasonably require-
- (i)
- in order to satisfy the data user as to the identity of the requestor;
- (ii)
- where the requestor purports to be a relevant person, in order to satisfy the data user-
- (A)
- as to the identity of the individual in relation to whom the requestor purports to be such a person; and
- (B)
- that the requestor is such a person in relation to that individual;
- (b)
- subject to subsection (2), if the data user cannot comply with the request without disclosing personal data of which any other individual is the data subject unless the data user is satisfied that the other individual has consented to the disclosure of the data to the requestor; or
- (c)
- in any other case, if compliance with the request is for the time being prohibited under this Ordinance.
- (2)
- Subsection (1)(b) shall not operate-
- (a)
- so that the reference in that subsection to personal data of which any other individual is the data subject includes a reference to information identifying that individual as the source of the personal data to which the data access request concerned relates unless that information names or otherwise explicitly identifies that individual;
- (b)
- so as to excuse a data user from complying with the data access request concerned to the extent that the request may be complied with without disclosing the identity of the other individual, whether by the omission of names, or other identifying particulars, or otherwise.
- (3)
- A data user may refuse to comply with a data access request if-
- (a)
- the request is not in writing in the Chinese or English language;
- (b)
- the data user is not supplied with such information as the data user may reasonably require to locate the personal data to which the request relates;
- (c)
- the request follows 2 or more similar requests made by
- (i)
- the individual who is the data subject in respect of the personal data to which the request relates;
- (ii)
- one or more relevant persons on behalf of that individual; or
- (d)
- subject to subsection (4), any other data user controls the use of the data in such a way as to prohibit the first-mentioned data user from complying (whether in whole or in part) with the request;
- (e)
- the form in which the request shall be made has been specified under section 67 and the request is not made in that form; or
- (f)
- in any other case, compliance with the request may for the time being be refused under this Ordinance, whether by virtue of an exemption under Part VIII or otherwise.
and it is unreasonable in all the circumstances for the data user to comply with the request;
(4) Subsection (3)(d) shall not operate so as to excuse a data user from complying with the data access request concerned-
- (a)
- in so far as the request relates to section 18(1)(a), to any extent;
- (b)
- in so far as the request relates to section 18(1)(b), to any extent that the data user can comply with the
request without contravening the prohibition concerned. (Enacted 1995)
- (1)
- Subject to subsection (2), a data user who pursuant to section 20 refuses to comply with a data access request shall, as soon as practicable but, in any case, not later than 40 days after receiving the request, by notice in writing inform the requestor-
- (a)
- of the refusal;
- (b)
- subject to subsection (2), of the reasons for the refusal; and
- (c)
- where section 20(3)(d) is applicable, of the name and address of the other data user concerned.
- (b)
- the refusal also relates to section 18(1)(a) by virtue of section 63, then the data user may, in the notice under subsection (1) concerned, in place of the matters of which the data user is required to inform the requestor under that subsection, inform the requestor that the data user has no personal data the existence of which he is required to disclose to the requestor (or words to the like effect).
(Enacted 1995)
(1) Subject to subsection (2), where
- (a)
- a copy of personal data has been supplied by a data user in compliance with a data access request; and
- (b)
- the individual, or a relevant person on behalf of the individual, who is the data subject considers that
the data are inaccurate, then that individual or relevant person, as the case may be, may make a request that the data user make the necessary correction to the data.
(2) A data user who, in relation to personal data-
- (a)
- does not hold the data; but
- (b)
- controls the processing of the data in such a way as to prohibit the data user who does hold the data from complying (whether in whole or in part) with section 23(1) in relation to a data correction request which relates to the data,
shall be deemed to be a data user to whom such a request may be made, and the provisions of this Ordinance (including subsection (1)) shall be construed accordingly.
- (3)
- Without prejudice to the generality of sections 23(1)(c) and 25(2), if a data user, subsequent to the receipt of a data correction request but before complying with the request pursuant to section 24 or refusing to comply with the request pursuant to section 25, discloses to a third party the personal data to which the request relates, then the user shall take all practicable steps to advise the third party that the data are the subject of a data correction request still under consideration by the user (or words to the like effect). (Enacted 1995)
- (1)
- Subject to subsection (2) and section 24, a data user who is satisfied that personal data to which a data correction request relates are inaccurate shall, not later than 40 days after receiving the request-
- (a)
- make the necessary correction to those data;
- (b)
- supply the requestor with a copy of those data as so corrected; and
- (c)
- subject to subsection (3), if-
- (i)
- those data have been disclosed to a third party during the 12 months immediately preceding the day on which the correction is made; and
- (ii)
- the data user has no reason to believe that the third party has ceased using those data for the purpose (including any directly related purpose) for which the data were disclosed to the third party,
take all practicable steps to supply the third party with a copy of those data as so corrected accompanied by a notice in writing stating the reasons for the correction.
- (2)
- A data user who is unable to comply with subsection (1) in relation to a data correction request within the period specified in that subsection shall-
- (a)
- before the expiration of that period-
- (i)
- by notice in writing inform the requestor that the data user is so unable and of the reasons why the data user is so unable; and
- (ii)
- comply with that subsection to the extent, if any, that the data user is able to comply with that subsection; and
- (b)
- as soon as practicable after the expiration of that period, comply or fully comply, as the case may be, with that subsection.
- (3)
- A data user is not required to comply with subsection (1)(c) in any case where the disclosure concerned of the personal data to the third party consists of the third party's inspection of a register or other like document- (a) in which the data are entered or otherwise recorded; and
- (b) which is available for inspection by the public, but this subsection shall not apply if the third party has been supplied with a copy, certified by or under the authority of the data user to be correct, of the data. (Enacted 1995)
- (1) Subject to subsection (2), a data user shall refuse to comply with section 23(1) in relation to a data correction request if the data user is not supplied with such information as the data user may reasonably require-
- (a) in order to satisfy the data user as to the identity of the requestor;
- (b) where the requestor purports to be a relevant person, in order to satisfy the data user-
- (i) as to the identity of the individual in relation to whom the requestor purports to be such a person; and
- (ii) that the requestor is such a person in relation to that individual.
- (2) Subsection (1) shall not apply to a data correction request where the requestor is the same person as the requestor in respect of the data access request which gave rise to the data correction request. (3) A data user may refuse to comply with section 23(1) in relation to a data correction request if
- (a) the request is not in writing in the Chinese or English language;
- (b) the data user is not satisfied that the personal data to which the request relates are inaccurate;
- (c) the data user is not supplied with such information as the data user may reasonably require to ascertain in what way the personal data to which the request relates are inaccurate;
- (d) the data user is not satisfied that the correction which is the subject of the request is accurate; or
- (e) subject to subsection (4), any other data user controls the processing of the personal data to which the request relates in such a way as to prohibit the first-mentioned data user from complying (whether in whole or in part) with that section.
- (4) Subsection (3)(e) shall not operate so as to excuse a data user from complying with section 23(1) in relation to the data correction request concerned to the extent that the data user can comply with that section without contravening the prohibition concerned. (Enacted 1995)
- (1) A data user who pursuant to section 24 refuses to comply with section 23(1) in relation to a data correction request shall, as soon as practicable but, in any case, not later than 40 days after receiving the request, by notice in writing inform the requestor-
- (a) of the refusal and the reasons for the refusal; and
- (b) where section 24(3)(e) is applicable, of the name and address of the other data user concerned.
- (b) the data user concerned is not satisfied that the opinion is inaccurate, then the data user shall
- (i) make a note, whether annexed to that data or elsewhere-
- (A) of the matters in respect of which the opinion is considered by the requestor to be inaccurate; and
- (B) in such a way that those data cannot be used by a person (including the data user and a third party) without the note being drawn to the attention of, and being available for inspection by, that person; and
- (ii) attach a copy of the note to the notice referred to in subsection (1) which relates to that request.
- (a) is unverifiable; or
- (b) in all the circumstances of the case, is not practicable to verify. (Enacted 1995)
- (1)
- A data user shall erase personal data held by the data user where the data are no longer required for the purpose (including any directly related purpose) for which the data were used unless
- (a)
- any such erasure is prohibited under any law; or
- (b)
- it is in the public interest (including historical interest) for the data not to be erased.
Section: | 26 | Erasure of personal data no longer required | 30/06/1997 |
---|
(2) For the avoidance of doubt, it is hereby declared that-
- (a)
- a data user shall erase personal data in accordance with subsection (1) notwithstanding that any other data user controls (whether in whole or in part) the processing of the data;
- (b)
- the first-mentioned data user shall not be liable in an action for damages at the suit of the second-
mentioned data user in respect of any such erasure. (Enacted 1995)
Section: | 27 | Log book to be kept by data user | 30/06/1997 |
---|
- (1)
- A data user shall keep and maintain a log book
- (a)
- for the purposes of this Part;
- (b)
- in the Chinese or English language; and
- (c)
- such that any particulars entered in the log book pursuant to this section are not erased therefrom before the expiration of
- (i)
- subject to subparagraph (ii), 4 years after the day on which they were so entered;
- (ii)
- such longer or shorter period as may be prescribed, either generally or in any particular case, by regulations made under section 70.
- (2)
- A data user shall in accordance with subsection (3) enter in the log book
- (a)
- where pursuant to section 20 the data user refuses to comply with a data access request, particulars of the reasons for the refusal;
- (b)
- where pursuant to section 21(2) the data user does not comply with section 21(1), particulars of the prejudice that would be caused to the interest protected by the exemption concerned under Part VIII if the existence or non-existence of the personal data to which the data access request concerned relates were disclosed;
- (c)
- where pursuant to section 24 the data user refuses to comply with section 23(1) in relation to a data correction request, particulars of the reasons for the refusal;
- (d)
- any other particulars required by regulations made under section 70 to be entered in the log book.
- (3)
- The particulars required by subsection (2) to be entered by a data user in the log book shall be so entered-
- (a)
- in the case of particulars referred to in paragraph (a) of that subsection, on or before the notice under section 21(1) is served in respect of the refusal to which those particulars relate;
- (b)
- in the case of particulars referred to in paragraph (b) of that subsection, on or before the notice under section 21(1) is served in respect of the refusal to which those particulars relate;
- (c)
- in the case of particulars referred to in paragraph (c) of that subsection, on or before the notice under section 25(1) is served in respect of the refusal to which those particulars relate;
- (d)
- in the case of particulars referred to in paragraph (d) of that subsection, within the period specified in regulations made under section 70 in respect of those particulars.
- (4)
- A data user shall-
- (a)
- permit the Commissioner to inspect and copy the log book (or any part thereof) at any reasonable time; and
- (b)
- without charge, afford the Commissioner such facilities and assistance as the Commissioner may
reasonably require for the purposes of such inspection and copying. (Enacted 1995)
Section: | 28 | Imposition of fees by data user | 30/06/1997 |
---|
- (1)
- A data user shall not impose a fee for complying or refusing to comply with a data access request or data correction request unless the imposition of the fee is expressly permitted by this section.
- (2)
- Subject to subsections (3) and (4), a data user may impose a fee for complying with a data access request.
- (3)
- No fee imposed for complying with a data access request shall be excessive.
- (4)
- Where pursuant to section 19(3)(c)(iv) or (v) or (4)(ii)(B)(II) a data user may comply with a data access request by supplying a copy of the personal data to which the request relates in one of 2 or more forms, the data user shall not, and irrespective of the form in which the data user complies with the request, impose a fee for complying with the request which is higher than the lowest fee the data user imposes for complying with the request in any of those forms.
- (5)
- A data user may refuse to comply with a data access request unless and until any fee imposed by the data user for complying with the request has been paid.
Cap 486 - PERSONAL DATA (PRIVACY) ORDINANCE
(6) Where
- (a)
- a data user has complied with a data access request by supplying a copy of the personal data to which the request relates; and
- (b)
- the data subject, or a relevant person on behalf of the data subject, requests the data user to supply a
further copy of those data, then the data user may, and notwithstanding the fee, if any, that the data user imposed for complying with that data access request, impose a fee for supplying that further copy which is not more than the administrative and other costs incurred by the data user in supplying that further copy.
(Enacted 1995)
Without prejudice to the generality of section 68, where pursuant to a data access request or data correction request a data user is required to, or may, inform a requestor of any matter by notice in writing, then the requestor shall be deemed not to be so informed unless and until the requestor is served with the notice-
- (a)
- in the language in which the request is made if that language is Chinese or English;
- (b)
- in any other case, in the Chinese or English language as the data user thinks fit. (Enacted 1995)
PART VI
MATCHING PROCEDURES AND TRANSFERS OF PERSONAL DATA, ETC.
- (1)
- A data user shall not carry out, whether in whole or in part, a matching procedure
- (a)
- unless and until each individual who is a data subject of the personal data the subject of that procedure has given his prescribed consent to the procedure being carried out;
- (b)
- unless and until the Commissioner has consented under section 32 to the procedure being carried out;
- (c)
- unless the procedure
- (i)
- belongs to a class of matching procedures specified in a notice under subsection (2); and
- (ii)
- is carried out in accordance with the conditions, if any, specified in the notice; or
- (d)
- unless it is required or permitted under any provision of any Ordinance specified in Schedule 4.
- (2)
- For the purposes of this section, the Commissioner may, by notice in the Gazette, specify-
- (a)
- a class of matching procedures;
- (b)
- subject to subsection (3), the conditions, if any, subject to which a matching procedure belonging to that class shall be carried out.
- (3)
- The Commissioner shall, before specifying any conditions in a notice under subsection (2), consult with
(a) such bodies representative of data users to which the conditions will apply (whether in whole or in part); and
- (b)
- such other interested persons, as he thinks fit. (4) It is hereby declared that a notice under subsection (2) is subsidiary legislation.
- (5)
- Subject to subsection (6), a data user shall not take adverse action against an individual in consequence (whether in whole or in part) of the carrying out of a matching procedure-
- (a)
- unless the data user has served a notice in writing on the individual-
- (i) specifying the adverse action it proposes to take and the reasons therefor; and
- (ii) stating that the individual has 7 days after the receipt of the notice within which to show cause why that action should not be taken; and
- (b) until the expiration of those 7 days.
- (6) Subsection (5) shall not operate to prevent a data user from taking adverse action against an individual if compliance with the requirements of that subsection would prejudice any investigation into the commission of an offence or the possible commission of an offence.
(Enacted 1995)
Section: | 31 | Matching procedure request | 30/06/1997 |
---|
(1) A data user proposing to carry out, whether in whole or in part, a matching procedure may make a request-
- (a) in the specified form;
- (b) to the Commissioner; and
- (c) seeking the Commissioner's consent under section 32 to the carrying out of that procedure.
- (2) Where 2 or more data users may each make a matching procedure request in respect of the same matching procedure, then any of those data users may make such a request on behalf of all those data users, and the provisions of this Ordinance (including subsection (1)) shall be construed accordingly.
- (3) Without prejudice to the generality of subsection (2), it is hereby declared that a matching procedure request may be made in relation to 2 or more matching procedures, or a series of matching procedures, and the other provisions of this Ordinance (including section 32) shall be construed accordingly.
(Enacted 1995)
Section: | 32 | Determination of matching procedure request | 30/06/1997 |
---|
(1) The Commissioner shall determine a matching procedure request-
- (a) not later than 45 days after receiving the request; and
- (b) by taking into account the prescribed matters applicable to the request and-
- (i) where he is satisfied as to those matters, serving a notice in writing on the requestor stating that he consents to the carrying out of the matching procedure to which the request relates subject to the conditions, if any, specified in the notice;
- (ii) where he is not so satisfied, serving a notice in writing on the requestor stating-
- (A) that he refuses to consent to the carrying out of the matching procedure to which the request relates; and
- (B) such of those matters in respect of which he is not so satisfied and the reasons why he is not so satisfied.
(2) For the avoidance of doubt, it is hereby declared that a consent in a notice under subsection (1)(b)(i) to the carrying out of a matching procedure to which a matching procedure request relates shall not operate to prevent a data user who is neither the requestor nor, where section 31(2) applies to the request, any data user on whose behalf such request was made, from carrying out, whether in whole or in part, the procedure.
- (3) An appeal may be made to the Administrative Appeals Board-
- (a) against-
- (i) any conditions specified in a notice under subsection (1) (b)(i); or
- (ii) any refusal specified in a notice under subsection (1) (b)(ii); and
- (b) by the requestor on whom the notice was served or any data user on whose behalf the matching procedure request concerned was made.
- (4) In this section, "prescribed matter" (訂明事宜) means a matter specified in Schedule 5. (Enacted 1995)
Section: | 33 | Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances |
---|
Remarks: not yet in operation
Cap 486 - PERSONAL DATA (PRIVACY) ORDINANCE
- (1) This section shall not apply to personal data other than personal data the collection, holding, processing or use of which-
- (a) takes place in Hong Kong; or
- (b) is controlled by a data user whose principal place of business is in Hong Kong.
- (a) the place is specified for the purposes of this section in a notice under subsection (3);
- (b) the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, this Ordinance;
- (c) the data subject has consented in writing to the transfer;
- (d) the user has reasonable grounds for believing that, in all the circumstances of the case
- (i) the transfer is for the avoidance or mitigation of adverse action against the data subject;
- (ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and
- (e) the data are exempt from data protection principle 3 by virtue of an exemption under Part VIII; or
- (f) the user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under this Ordinance.
- (3) Where the Commissioner has reasonable grounds for believing that there is in force in a place outside Hong Kong any law which is substantially similar to, or serves the same purposes as, this Ordinance, he may, by notice in the Gazette, specify that place for the purposes of this section.
- (4) Where the Commissioner has reasonable grounds for believing that in a place specified in a notice under subsection (3) there is no longer in force any law which is substantially similar to, or serves the same purposes as, this Ordinance, he shall, either by repealing or amending that notice, cause that place to cease to be specified for the purposes of this section.
- (5) For the avoidance of doubt, it is hereby declared that-
- (a) for the purposes of subsection (1)(b), a data user which is a company incorporated in Hong Kong is a data user whose principal place of business is in Hong Kong;
- (b) a notice under subsection (3) is subsidiary legislation; and
- (c) this section shall not operate to prejudice the generality of section 50. (Enacted 1995)
- (1) A data user who
- (b) uses the data for direct marketing purposes, shall-
- (i) the first time he so uses those data after this section comes into operation, inform the data subject that the data user is required, without charge to the data subject, to cease to so use those data if the data subject so requests;
- (ii) if the data subject so requests, cease to so use those data without charge to the data subject.
- (2) In this section-"direct marketing" (直接促銷) means
- (a) the offering of goods, facilities or services;
- (b) the advertising of the availability of goods, facilities or services; or
- (c) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational,
political or other purposes,
by means of
- (i) information or goods sent to any person by mail, facsimile transmission, electronic mail, or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or
- (ii) telephone calls made to specific persons. (Enacted 1995)
Section: | 35 | Repeated collections of personal data in same circumstances | 30/06/1997 |
---|
(1) A data user who
- (a)
- has complied with the provisions of data protection principle 1(3) in respect of the collection of any personal data from the data subject ("first collection"); and
- (b)
- on any subsequent occasion again collects personal data from the data subject ("subsequent
collection"), is not required to comply with those provisions in respect of the subsequent collection if, but only if
- (i)
- to comply with those provisions in respect of that subsequent collection would be to repeat, without any material difference, what was done to comply with that principle in respect of the first collection; and
- (ii)
- not more than 12 months have elapsed between the first collection and the subsequent collection.
(2) For the avoidance of doubt, it is hereby declared that subsection (1) shall not operate to prevent a subsequent collection from becoming a first collection if, but only if, the data user concerned has complied with the provisions of data protection principle 1(3) in respect of the subsequent collection.
(Enacted 1995)
Section: | 36 | Inspections of personal data systems | 30/06/1997 |
---|
PART VII
INSPECTIONS, COMPLAINTS AND INVESTIGATIONS
Without prejudice to the generality of section 38, the Commissioner may carry out an inspection of
(a) any personal data system used by a data user; or
(b) any personal data system used by a data user belonging to a class of data users, for the purposes of ascertaining information to assist the Commissioner in making recommendations-
- (i)
- to-
- (A)
- where paragraph (a) is applicable, the relevant data user;
- (B)
- where paragraph (b) is applicable, the class of data users to which the relevant data user belongs; and
- (ii)
- relating to the promotion of compliance with the provisions of this Ordinance, in particular the data protection principles, by the relevant data user, or the class of data users to which the relevant data user belongs, as the case may be.
(Enacted 1995)
Section: | 37 | Complaints | 30/06/1997 |
---|
- (1)
- An individual, or a relevant person on behalf of an individual, may make a complaint to the Commissioner about an act or practice-
- (a)
- specified in the complaint; and
- (b)
- that-
- (i)
- has been done or engaged in, or is being done or engaged in, as the case may be, by a data user specified in the complaint;
- (ii)
- relates to personal data of which the individual is or, in any case in which the data user is relying upon an exemption under Part VIII, may be, the data subject; and
- (2)
- Where 2 or more individuals may each make a complaint about the same act or practice, then any of those individuals, or any relevant person on behalf of any of those individuals, may make such a complaint on behalf of all those individuals, and the provisions of this Ordinance (including subsection (1)) shall be construed accordingly. (3) A complaint shall be-
- (a)
- in writing in the Chinese or English language; or
- (b)
- in such other form as the Commissioner may accept.
- (4)
- It shall be the duty of the Commissioner and each prescribed officer who has been employed under section 9(1)(a) to provide appropriate assistance to an individual, or a relevant person on behalf of an individual, who wishes
to make a complaint and requires assistance to formulate the complaint.
(Enacted 1995)
Where the Commissioner
- (a)
- receives a complaint; or
- (b)
- has reasonable grounds to believe that an act or practice-
- (i)
- has been done or engaged in, or is being done or engaged in, as the case may be, by a data user;
- (ii)
- relates to personal data; and
(iii) may be a contravention of a requirement under this Ordinance, then-
- (i)
- where paragraph (a) is applicable, the Commissioner shall, subject to section 39, carry out an investigation in relation to the relevant data user to ascertain whether the act or practice specified in the complaint is a contravention of a requirement under this Ordinance;
- (ii)
- where paragraph (b) is applicable, the Commissioner may carry out an investigation in relation to the relevant data user to ascertain whether the act or practice referred to in that paragraph is a contravention of a requirement under this Ordinance.
(Enacted 1995)
(1) Notwithstanding the generality of the powers conferred on the Commissioner by this Ordinance, the Commissioner may refuse to carry out or continue an investigation initiated by a complaint if-
- (a)
- the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person) has had actual knowledge of the act or practice specified in the complaint for more than 2 years immediately preceding the date on which the Commissioner received the complaint, unless the Commissioner is satisfied that in all the circumstances of the case it is proper to carry out or continue, as the case may be, the investigation;
- (b)
- the complaint is made anonymously;
- (c)
- the complainant cannot be identified or traced;
- (d)
- none of the following conditions is fulfilled in respect of the act or practice specified in the complaint-
(i) either-
- (A)
- the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person) was resident in Hong Kong; or
- (B)
- the relevant data user was able to control, in or from Hong Kong, the collection, holding,
processing or use of the personal data concerned, at any time the act or practice was done or engaged in, as the case may be;
(ii) the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person) was in Hong Kong at any time the act or practice was done or engaged in, as the case may be;
(iii) in the opinion of the Commissioner, the act or practice done or engaged in, as the case may be, may prejudice the enforcement of any right, or the exercise of any privilege, acquired or accrued in Hong Kong by the complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person); or
(e) the Commissioner is satisfied that the relevant data user has not been a data user for a period of not less than 2 years immediately preceding the date on which the Commissioner received the complaint.
- (2)
- The Commissioner may refuse to carry out or continue an investigation initiated by a complaint if he is of the opinion that, having regard to all the circumstances of the case
- (a)
- the complaint, or a complaint of a substantially similar nature, has previously initiated an investigation as a result of which the Commissioner was of the opinion that there had been no contravention of a requirement under this Ordinance;
- (b)
- the act or practice specified in the complaint is trivial;
- (c)
- the complaint is frivolous or vexatious or is not made in good faith; or
- (d)
- any investigation or further investigation is for any other reason unnecessary.
- (3)
- Where the Commissioner refuses under this section to carry out or continue an investigation initiated by a complaint, he shall, as soon as practicable but, in any case, not later than 45 days after receiving the complaint, by notice in writing served on the complainant accompanied by a copy of subsection (4), inform the complainant-
- (a)
- of the refusal; and
- (b)
- of the reasons for the refusal.
(4) An appeal may be made to the Administrative Appeals Board-
- (a)
- against any refusal specified in a notice under subsection (3); and
- (b)
- by the complainant on whom the notice was served (or, if the complainant is a relevant person, the
individual in respect of whom the complainant is such a person, or either). (Enacted 1995)
Section: | 40 | Commissioner may carry out or continue investigation initiated by complaint notwithstanding withdrawal of complaint | 30/06/1997 |
---|
Where the Commissioner is of the opinion that it is in the public interest so to do, he may carry out or continue an investigation initiated by a complaint notwithstanding that the complainant has withdrawn the complaint and, in any such case, the provisions of this Ordinance shall apply to the complaint and the complainant as if the complaint had not been withdrawn.
(Enacted 1995)
Section: | 41 | Commissioner to inform relevant data user of inspection or investigation | 30/06/1997 |
---|
(1) The Commissioner shall, before carrying out an inspection or, subject to subsection (2), an investigation, by notice in writing served on the relevant data user, inform the data user of his intention to carry out the inspection or investigation, as the case may be.
(2) The Commissioner is not required to comply with subsection (1) in the case of any investigation in respect
of which he has reasonable grounds to believe that to so comply may prejudice the purposes of the investigation. (Enacted 1995)
Section: | 42 | Power of entry on premises for the purposes of an inspection or investigation | 30/06/1997 |
---|
- (1)
- Subject to subsections (3) and (8), the Commissioner may, for the purposes of an inspection-
- (a)
- where the personal data system, or any part thereof, the subject of the inspection is situated in-
- (i)
- non-domestic premises, enter the premises at any reasonable time;
- (ii)
- domestic premises, enter the premises with the consent of any person (other than a minor) resident therein;
- (b)
- carry out in the premises the inspection.
- (2)
- Subject to subsections (3) and (8), the Commissioner may, for the purposes of an investigation-
- (a)
- enter any premises
- (i)
- occupied by the relevant data user; or
- (ii)
- in which is situated the personal data system, or any part thereof, used by the relevant data user;
- (b)
- carry out in the premises the investigation.
- (3)
- Subject to subsections (4) and (5), the Commissioner shall, not less than 14 days before exercising his power under subsection (1) or (2) in respect of any premises, by notice in writing served on the relevant data user, inform the data user-
- (a)
- of the premises in respect of which he proposes to exercise that power; and
- (b)
- that the power will not be so exercised before the expiration of 14 days after service of the notice.
- (4)
- Without prejudice to the generality of subsection (5), where any domestic premises are specified in a notice under subsection (3) in respect of which the Commissioner proposes to exercise his power under subsection (2), then the Commissioner shall not exercise that power in respect of those premises unless and until a person (other than a minor) resident therein consents thereto before the expiration of 14 days after service of the notice.
(5) The Commissioner may, pursuant to a warrant issued under subsection (6), exercise his power under subsection (2) in respect of the premises specified in the warrant without complying with subsection (3).
- (6) A magistrate may, if satisfied by information upon oath by the Commissioner or any prescribed officer that there are reasonable grounds for believing that the purposes of any investigation may be substantially prejudiced if the Commissioner were required to comply with subsection (3) before exercising his power under subsection (2) in respect of any premises, issue a warrant-
- (a) in the form specified in Part 1 of Schedule 6; and
- (b) in respect of those premises.
- (7) A magistrate may, if satisfied by information upon oath by the Commissioner or any prescribed officer that there are reasonable grounds for believing that the purposes of an investigation may be substantially prejudiced if the Commissioner is prevented by the operation of subsection (4) from exercising his power under subsection (2) in respect of any domestic premises, issue a warrant
- (a) in the form specified in Part 2 of Schedule 6; and
- (b) authorizing the Commissioner to exercise that power in respect of those premises.
- (8) The Commissioner shall not exercise his power under subsection (1) or (2) in respect of any premises in such a way as to unduly disrupt any operations being carried out in the premises, whether by the relevant data user or any other person.
- (9) Where the Commissioner exercises his power under subsection (1) or (2), the relevant data user shall, without charge, afford the Commissioner such facilities and assistance as the Commissioner may reasonably require for the purposes of the inspection or investigation concerned.
- (10)
- Where the Commissioner, pursuant to a warrant issued under subsection (6), exercises his power under subsection (2) in respect of the premises specified in the warrant, he shall produce the warrant for inspection by any person found in those premises who questions his authority to exercise that power in respect of those premises.
- (11)
- In this section and Schedule 6- "domestic premises" (住宅處所) means any premises which are constructed or intended to be used for habitation; "non-domestic premises" (非住宅處所) means any premises other than domestic premises; "premises" (處所) means
- (a) any building where no part of the building is separately occupied, and includes any land appertaining to the building;
- (b) in any other case, any part of a building which is separately occupied, and includes any land
appertaining to such part. (Enacted 1995)
- (1) Subject to the provisions of this Ordinance, the Commissioner may, for the purposes of any investigation-
- (a) be furnished with any information, document or thing, from such persons, and make such inquiries, as he thinks fit; and
- (b) regulate his procedure in such manner as he thinks fit.
- (2) Any hearing for the purposes of an investigation shall be carried out in public unless
- (a) the Commissioner is of the opinion that, in all the circumstances of the case, the investigation should be carried out in private; or
- (b) if the investigation was initiated by a complaint, the complainant requests in writing that the investigation be carried out in private.
- (3) Counsel and solicitors shall not have any right of audience before the Commissioner at any hearing for the purposes of an investigation, but may appear before him if he thinks fit.
- (4) It shall not be necessary for the Commissioner to hold any hearing for the purposes of an investigation and no person shall be entitled to be heard by the Commissioner.
- (5) If at any time during the course of an investigation it appears to the Commissioner that there may be sufficient grounds for him to make any report or recommendation that may criticize or adversely affect any person he shall give to the person an opportunity to be heard.
(Enacted 1995)
Remarks:
Amendments retroactively made-see 25 of 1998 s. 2
(1) Subject to subsection (2) and section 45, the Commissioner may, for the purposes of any investigation, summon before him any person who
- (a)
- in the opinion of the Commissioner, is able to give any information relevant to those purposes;
- (b)
- where the investigation was initiated by a complaint, is the complainant (or, if the complainant is a
relevant person, the individual in respect of whom the complainant is such a person, or both), and may examine any such person and require him to furnish to the Commissioner any information and to produce any document or thing which, in the opinion of the Commissioner, is relevant to those purposes and which may be in the possession or under the control of any such person.
(2) Where
- (a)
- an investigation has been initiated by a complaint;
- (b)
- the complaint relates, whether in whole or in part, to personal data referred to in section 61(1);
- (c)
- the Commissioner has, for the purposes of that investigation, under subsection (1)(a) summoned before him a person; and
- (d)
- that person asserts, in response to any requirement under subsection (1) by the Commissioner to furnish him with information or to produce a document or thing, that-
(i) to comply with that requirement would directly or indirectly disclose the identity of the individual from whom those data were collected (whether in whole or in part); or
(ii) he is not required to comply with that requirement by virtue of any common law privilege, then-
- (i)
- notwithstanding any other provision of this Ordinance, the Commissioner shall not serve an enforcement notice on that person in relation to that requirement;
- (ii)
- the Commissioner may, not later than 28 days after that assertion is made known to him, make an application to the Court of First Instance for an order directing that person to comply with that requirement; (Amended 25 of 1998 s. 2)
(iii) the Court of First Instance may make the order if, but only if, it is satisfied, having regard to all the circumstances (including the circumstances of the complainant), that- (Amended 25 of 1998 s. 2)
- (A)
- if the act or practice specified in the complaint were proven to be a contravention of a requirement under this Ordinance, the contravention would be of sufficient gravity to warrant that person complying with the requirement referred to in paragraph (d);
- (B)
- that investigation would be substantially prejudiced if the requirement referred to in paragraph (d) were not compiled with;
- (C)
- it is in the public interest, having regard to the benefit likely to accrue to that investigation, that the requirement referred to in paragraph (d) be complied with; and
- (D)
- in any case to which paragraph (d)(ii) is applicable, the common law privilege asserted does not apply; and
(iv) on the hearing of the application, the Commissioner, that person and the complainant shall each be entitled to be heard on the application and to call, examine and cross-examine any witness.
(3) Where
- (a)
- a person has complied with a requirement referred to in subsection (2)(d) the subject of an assertion referred to in that subsection; and
- (b)
- the result (whether in whole or in part) of the investigation to which that requirement relates is that the Commissioner is of the opinion that the individual concerned referred to in subsection (2)(d)(i) has not contravened a requirement under this Ordinance in relation to the matter the subject of the complaint which initiated the investigation,
then, notwithstanding any other provision of this Ordinance, neither the Commissioner nor any prescribed officer shall disclose the identity of that individual to the complainant.
- (4)
- The Court of First Instance may, of its own volition or on an application made to it for the purpose, by order reverse, vary or discharge an order made under subsection (2)(iii) or suspend the operation of such an order. (Amended 25 of 1998 s. 2)
- (5)
- Provision may be made by rules of court-
- (a)
- with respect to applications to the Court of First Instance under subsection (2)(iii) or (4);
- (b)
- generally with respect to procedure before the Court of First Instance in relation to any such application. (Amended 25 of 1998 s. 2)
- (6)
- Subsection (5) is without prejudice to the generality of any existing power to make rules.
- (7)
- The Commissioner may administer an oath for the purposes of an examination under subsection (1) if he thinks fit. (8) It is hereby declared that
- (a)
- no obligation to maintain secrecy or other restriction, imposed by law, upon the disclosure of any information, document or other thing, that is or has been in the possession or under the control of any person referred to in subsection (1), shall apply to its disclosure for the purposes of an investigation; and
- (b)
- any requirement by the Commissioner that any such information, document or thing as is referred to in paragraph (a) be disclosed or produced for the purposes of an investigation shall be sufficient authority for its disclosure or production to the Commissioner.
- (9)
- The Commissioner may pay the reasonable expenses of complainants (including, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person) and witnesses incurred during the course of an investigation.
(Enacted 1995)
Remarks:
Adaptation amendments retroactively made - see 25 of 1998 s. 2; 34 of 1999 s. 3
- (1)
- Every person shall have the same privileges in relation to the giving of information, the answering of questions, and the production of documents and things, for the purposes of an investigation, as witnesses have in civil proceedings in the High Court but any rule of law which authorizes or requires the withholding of any document or thing, or the refusal to answer any question, on the ground that the disclosure of the document or thing or the answering of the question, as the case may be, would be injurious to the public interest, shall not apply in respect of any investigation. (Amended 25 of 1998 s. 2)
- (2)
- Except on the trial of any person for perjury in respect of his sworn testimony, or for an offence under this Ordinance, no statement made or answer given by that or any other person in the course of any investigation shall be admissible in evidence against any person, before any magistrate or in any court or at any inquiry or in any other proceedings, and no evidence in respect of an investigation shall be given against any person.
- (3)
- Where the giving of any information or the answering of any question or the production of any document or thing would involve the disclosure, without the consent of the Chief Executive, of the deliberations of the Executive Council, the Commissioner shall not require the information or answer to be given or, as the case may be, the document or thing to be produced. (Amended 34 of 1999 s. 3) (Enacted 1995)
- (1)
- Subject to subsections (2) and (3), the Commissioner and every prescribed officer shall maintain secrecy in respect of all matters that come to their actual knowledge in the performance of their functions and the exercise of their powers under this Part.
- (2)
- Subsection (1) shall not operate so as to prevent the Commissioner or any prescribed officer from
- (a)
- disclosing in the course of proceedings-
- (i)
- for an offence under this Ordinance; and
- (ii)
- before any court or magistrate,
any matter relevant to those proceedings;
- (b)
- reporting evidence of any crime to such authority as he considers appropriate;
- (c)
- disclosing to a person any matter referred to in subsection (1) which, in the opinion of the Commissioner or prescribed officer, may be ground for a complaint by that person.
- (3)
- Subject to subsection (4), the Commissioner may disclose in any report made by him under this Ordinance
any matter that in his opinion ought to be disclosed in order to establish grounds for his findings and recommendations other than a matter the disclosure of which in his opinion would involve the disclosure of personal data that are exempt from data protection principle 6 by virtue of an exemption under Part VIII.
- (4)
- The Commissioner shall not publish a report under this Ordinance after completing an inspection or investigation unless-
- (a)
- a copy of the report in the form in which it is to be published has been supplied to the relevant data user;
- (b)
- that copy is accompanied by a notice in writing inviting the data user to advise the Commissioner, in writing and not later than 28 days after being served with the copy, whether-
- (i)
- in the opinion of the data user there is any matter in the copy the disclosure of which would involve the disclosure of personal data that are exempt from the provisions of data protection principle 6 by virtue of an exemption under Part VIII; and
- (ii)
- the data user objects to the disclosure of the matter; and
- (c)
- either-
- (i)
- the period referred to in paragraph (b) has expired without the Commissioner receiving any such advice; or
- (ii)
- such advice is received by the Commissioner and-
- (A)
- the Commissioner deletes from the report the matter the subject of the advice; or
- (B)
- the Commissioner decides not to delete that matter from the report and
- (I)
- the period referred to in subsection (6) expires without the data user making an appeal under that subsection against that decision; or
- (II)
- such an appeal is unsuccessful or withdrawn.
- (5)
- Where the Commissioner makes a decision referred to in subsection (4)(c)(ii)(B), he shall serve on the relevant data user who gave the advice concerned a notice in writing
- (a)
- stating his decision;
- (b)
- informing the data user that he may appeal under subsection (6) against that decision; and
- (c)
- accompanied by a copy of this section.
- (6)
- An appeal may be made to the Administrative Appeals Board against a decision of the Commissioner referred to in subsection (4)(c)(ii)(B) by the relevant data user not later than 14 days after the notice under subsection
- (5)
- stating that decision has been served on the data user. (Enacted 1995)
- (1)
- Where the Commissioner has completed an inspection, he shall, in such manner and at such time as he thinks fit, inform the relevant data user of-
- (a)
- the result of the inspection;
- (b)
- any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Ordinance, in particular the data protection principles, by the data user;
- (c)
- any report arising from the inspection that he proposes to publish under section 48; and
- (d)
- such other comments arising from the inspection as he thinks fit to make.
- (2)
- Where the Commissioner has completed an investigation, he shall, in such manner and at such time as he thinks fit, inform the relevant data user of-
- (a)
- the result of the investigation;
- (b)
- any recommendations arising from the investigation that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Ordinance, in particular the data protection principles, by the data user;
- (c)
- any report arising from the investigation that he proposes to publish under section 48;
- (d)
- whether or not he proposes to serve an enforcement notice on the data user in consequence of the investigation; and
- (e)
- such other comments arising from the investigation as he thinks fit to make.
- (3)
- Where the Commissioner has completed an investigation initiated by a complaint, he shall, in such manner and at such time as he thinks fit, inform the complainant of-
- (a)
- the result of the investigation;
- (b)
- any recommendations made to the relevant data user under subsection (2)(b);
- (c)
- any report arising from the investigation that he proposes to publish under section 48;
- (d)
- any comments made by or on behalf of the relevant data user on any such recommendations or report;
- (e)
- whether or not he has served, or proposes to serve, an enforcement notice on the relevant data user in consequence of the investigation;
- (f)
- if the Commissioner has not so served, and does not propose to so serve, such enforcement notice, his right to object thereto under subsection (4); and
- (g)
- such other comments arising from the investigation as he thinks fit to make.
- (4)
- The complainant (or, if the complainant is a relevant person, the individual in respect of whom the complainant is such a person, or either) may appeal to the Administrative Appeals Board against a decision of the Commissioner-
- (a)
- to the effect that he has not served, and does not propose to serve, an enforcement notice on the relevant data user in consequence of the investigation concerned; and
- (b)
- of which the complainant was informed in the notice concerned under subsection (3) served on him. (Enacted 1995)
- (1)
- Subject to subsection (3), the Commissioner may, after completing an inspection where section 36(b) is applicable, publish a report-
- (a)
- setting out any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Ordinance, in particular the data protection principles, by the class of data users to which the relevant data user belongs; and
- (b)
- in such manner as he thinks fit.
- (2)
- Subject to subsection (3), the Commissioner may, after completing an investigation and if he is of the opinion that it is in the public interest to do so, publish a report
- (a)
- setting out
- (i)
- the result of the investigation;
- (ii)
- any recommendations arising from the investigation that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Ordinance, in particular the data protection principles, by the class of data users to which the relevant data user belongs; and
- (b)
- in such manner as he thinks fit.
- (3)
- Subject to subsection (4), a report published under subsection (1) or (2) shall be so framed as to the prevent the identity of any individual being ascertained from it.
(4) Subsection (3) shall not apply to any individual who is-
- (a)
- the Commissioner or a prescribed officer;
- (b)
- the relevant data user. (Enacted 1995)
Where
- (a)
- the Commissioner has completed an investigation (and whether or not the investigation was initiated by a complaint);
- (b)
- the result of the investigation is that the act or practice the subject of the investigation is not a contravention of a requirement under this Ordinance because of an exemption under Part VIII; and
- (c)
- the interest protected by that exemption would be likely to be prejudiced if sections 47 and 48 applied
in relation to the investigation, then-
- (i)
- those sections shall not apply in relation to the investigation; and
- (ii)
- the Commissioner shall, in such manner and at such time as he thinks fit-
- (A)
- inform the relevant data user of the result of the investigation and such other comments arising from the investigation as he thinks fit;
- (B)
- if the investigation was initiated by a complaint, inform the complainant that the result of the
investigation is that he is satisfied that the act or practice the subject of the investigation is not a contravention of a requirement under this Ordinance (or words to the like effect).
(Enacted 1995)
(1) Where, following the completion of an investigation, the Commissioner is of the opinion that the relevant data user-
- (a)
- is contravening a requirement under this Ordinance; or
- (b)
- has contravened such a requirement in circumstances that make it likely that the contravention will
continue or be repeated, then the Commissioner may serve on the relevant data user a notice in writing
- (i)
- stating that he is of that opinion;
- (ii)
- specifying the requirement as to which he is of that opinion and the reasons why he is of that opinion;
(iii) directing the data user to take such steps as are specified in the notice to remedy the contravention or, as the case may be, the matters occassioning it within such period (ending not earlier than the period specified in subsection (7) within which an appeal against the notice may be made) as is specified in the notice; and
(iv) accompanied by a copy of this section.
- (2)
- In deciding whether to serve an enforcement notice the Commissioner shall consider whether the contravention or matter to which the notice relates has caused or is likely to cause damage or distress to any individual who is the data subject of any personal data to which the contravention or matter, as the case may be, relates.
- (3)
- The steps specified in an enforcement notice to remedy any contravention or matter to which the notice relates may be framed-
- (a)
- to any extent by reference to any approved code of practice;
- (b)
- so as to afford the relevant data user a choice between different ways of remedying the contravention or matter, as the case may be.
- (4)
- Subject to subsection (5), the period specified in an enforcement notice for taking the steps specified in it shall not expire before the end of the period specified in subsection (7) within which an appeal against the notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal.
- (5)
- If the Commissioner is of the opinion that by reason of special circumstances the steps specified in an enforcement notice should be taken as a matter of urgency
- (a)
- he may include a statement to that effect in the notice together with the reasons why he is of that opinion;
- (b)
- where such a statement is so included, subsection (4) shall not apply but the notice shall not require those steps to be taken before the end of the period of 7 days beginning with the date on which the notice was served.
- (7)
- An appeal may be made to the Administrative Appeals Board against an enforcement notice by the relevant data user not later than 14 days after the notice was served.
(8) Where the Commissioner
- (a)
- forms an opinion referred to in subsection (1) in respect of the relevant data user at any time before the completion of an investigation; and
- (b)
- is also of the opinion that, by reason of special circumstances, an enforcement notice should be served
on the relevant data user as a matter of urgency, he may so serve such notice notwithstanding that the investigation has not been completed and, in any such case
- (i)
- the Commissioner shall, without prejudice to any other matters to be included in such notice, specify in the notice the reasons as to why he is of the opinion referred to in paragraph (b); and
- (ii)
- the other provisions of this Ordinance (including this section) shall be construed accordingly. (Enacted 1995)
PART VIII
EXEMPTIONS
Where any personal data are exempt from any provision of this Ordinance by virtue of this Part, then, in respect of those data and to the extent of that exemption, that provision neither confers any right nor imposes any requirement on any person, and the other provisions of this Ordinance which relate (whether directly or indirectly) to that provision shall be construed accordingly.
(Enacted 1995)
Section: | 52 | Domestic purposes | 30/06/1997 |
---|
Personal data held by an individual and
- (a) concerned only with the management of his personal, family or household affairs; or
- (b) so held only for recreational purposes,
are exempt from the provisions of the data protection principles, Parts IV and V and sections 36 and 38(b). (Enacted 1995)
Section: | 53 | Employment - staff planning | 30/06/1997 |
---|
Personal data which consist of information relevant to any staff planning proposal to-
- (a) fill any series of positions of employment which are presently, or may become, unfilled; or
- (b) cease any group of individuals' employment,
are exempt from the provisions of data protection principle 6 and section 18(1)(b). (Enacted 1995)
Section: | 54 | Employment - transitional provisions | 30/06/1997 |
---|
(1) Personal data-
- (a) held by a data user-
- (i) immediately before the appointed day;
- (ii) who is the employer of the data subject; and
- (b) provided by an individual on the implicit or explicit condition that the subject would not have access to
the data, are exempt from the provisions of data protection principle 6 and section 18(1)(b) until the expiration of 7 years immediately following the enactment of this Ordinance.
(2) Personal data-
- (a) to which subsection (1)(a) applies; or
- (b) held by a data user-
- (i) but not so held at any time before the appointed day;
- (ii) who is the employer of the data subject; and
(iii) relating to the employment of the subject,
are exempt from the provisions of data protection principle 6 and section 18(1)(b) until 1 July 1996. (Enacted 1995)
Section: | 55 | Relevant process | 30/06/1997 |
---|
- (1) Personal data the subject of a relevant process are exempt from the provisions of data protection principle 6 and section 18(1)(b) until the completion of that process.
- (2) In this section-"completion" (完成), in relation to a relevant process, means the making of the determination concerned referred to in
paragraph (a) of the definition of "relevant process"; "relevant process" (有關程序)-
(a) subject to paragraph (b), means any process whereby personal data are considered by one or more persons for the purpose of determining, or enabling there to be determined-
- (i)
- the suitability, eligibility or qualifications of the data subject for-
- (A)
- employment or appointment to office;
- (B)
- promotion in employment or office or continuance in employment or office;
- (C)
- removal from employment or office; or
- (D)
- the awarding of contracts, awards (including academic and professional qualifications), scholarships, honours or other benefits;
- (ii)
- whether any contract, award (including academic and professional qualifications), scholarship, honour or benefit relating to the data subject should be continued, modified or cancelled; or
(iii) whether any disciplinary action should be taken against the data subject for a breach of the terms of his employment or appointment to office;
(b) does not include any such process where no appeal, whether under an Ordinance or otherwise, may be
made against any such determination. (Enacted 1995)
Personal data held by a data user which consist of a personal reference-
- (a)
- given by an individual other than in the ordinary course of his occupation; and
- (b)
- relevant to another individual's suitability or otherwise to fill any position of employment or office
which is presently, or may become, unfilled, are exempt from the provisions of data protection principle 6 and section 18(1)(b)
- (i)
- in any case, unless the individual referred to in paragraph (a) has informed the data user in writing that he has no objection to the reference being seen by the individual referred to in paragraph (b) (or words to the like effect); or
- (ii)
- in the case of a reference given on or after the day on which this section comes into operation, until the individual referred to in paragraph (b) has been informed in writing that he has been accepted or rejected to fill that position or office (or words to the like effect),
whichever first occurs. (Enacted 1995)
Remarks:
Adaptation amendments retroactively made - see 34 of 1999 s. 3
(1) Personal data held by or on behalf of the Government for the purposes of safeguarding security, defence or international relations in respect of Hong Kong are exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to prejudice any of the matters referred to in this subsection.
(2) Personal data are exempt from the provisions of data protection principle 3 in any case in which-
- (a)
- the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data are held for any of those purposes); and
- (b)
- the application of those provisions in relation to such use would be likely to prejudice any of the
matters referred to in that subsection, and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters.
- (3)
- Any question whether an exemption under subsection (1) is or at any time was required in respect of any personal data may be determined by the Chief Executive or Chief Secretary for Administration; and a certificate signed by the Chief Executive or Chief Secretary for Administration certifying that the exemption is or at any time was so required shall be evidence of that fact. (Amended L.N. 362 of 1997; 34 of 1999 s. 3)
- (4)
- For the purposes of subsection (2), a certificate signed by the Chief Executive or Chief Secretary for Administration certifying that personal data are or have been used for any purpose referred to in subsection (1) shall be evidence of that fact. (Amended L.N. 362 of 1997; 34 of 1999 s. 3)
- (5) The Chief Executive or Chief Secretary for Administration may, in a certificate referred to in subsection (3) or (4), in respect of the personal data to which the certificate relates and for the reasons specified in that certificate, direct the Commissioner not to carry out an inspection or investigation and, in any such case, the Commissioner shall comply with the direction. (Amended L.N. 362 of 1997; 34 of 1999 s. 3)
- (6) A document purporting to be a certificate referred to in subsection (3) or (4) shall be received in evidence and, in the absence of evidence to the contrary, shall be deemed to be such a certificate.
- (7) In this section-"international relations" (國際關係) includes relations with any international organization; "security" (保安) includes the prevention or preclusion of persons (including persons detained in accordance with the
provisions of the Immigration Ordinance (Cap 115)) entering and remaining in Hong Kong who do not have the right to enter and remain in Hong Kong. (Enacted 1995)
(1) Personal data held for the purposes of-
- (a) the prevention or detection of crime;
- (b) the apprehension, prosecution or detention of offenders;
- (c) the assessment or collection of any tax or duty;
- (d) the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
- (e) the prevention or preclusion of significant financial loss arising from-
- (i) any imprudent business practices or activities of persons; or
- (ii) unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
- (f) ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on any thing-
- (i) to which the discharge of statutory functions by the data user relates; or
- (ii) which relates to the discharge of functions to which this paragraph applies by virtue of subsection (3); or
(g) discharging functions to which this paragraph applies by virtue of subsection (3), are exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to
(i) prejudice any of the matters referred to in this subsection; or
- (ii) directly or indirectly identify the person who is the source of the data.
(1A) In subsection (1)(c), “tax” (稅項) includes any tax of a territory outside Hong Kong if - (a) arrangements having effect under section 49(1A) of the Inland Revenue Ordinance (Cap 112) are made with the government of that territory; and
- (b) that tax is the subject of a provision of the arrangements that requires disclosure of information concerning tax of that territory. (Added 1 of 2010 s. 9)
- (2) Personal data are exempt from the provisions of data protection principle 3 in any case in which-
- (a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data are held for any of those purposes); and
- (b) the application of those provisions in relation to such use would be likely to prejudice any of the
matters referred to in that subsection, and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters.
(3) Paragraphs (f)(ii) and (g) of subsection (1) apply to any functions of a financial regulator-
- (a) for protecting members of the public against financial loss arising from
- (i) dishonesty, incompetence, malpractice or seriously improper conduct by persons-
- (A) concerned in the provision of banking, insurance, investment or other financial services;
- (B) concerned in the management of companies;
(BA) concerned in the administration of provident fund schemes registered under the Mandatory
Provident Fund Schemes Ordinance (Cap 485); (Added 4 of 1998 s. 14)
- (C) concerned in the management of occupational retirement schemes within the meaning of the Occupational Retirement Schemes Ordinance (Cap 426); or
- (D) who are shareholders in companies; or
- (ii) the conduct of discharged or undischarged bankrupts;
- (b) for maintaining or promoting the general stability or effective working of any of the systems which provide any of the services referred to in paragraph (a)(i)(A); or
- (c) specified for the purposes of this subsection in a notice under subsection (4).
- (4) For the purposes of subsection (3), the Chief Executive may, by notice in the Gazette, specify a function of a financial regulator. (Amended 34 of 1999 s. 3) (5) It is hereby declared that
- (a) subsection (3) shall not operate to prejudice the generality of the operation of paragraphs (a), (b), (c), (d) and (f)(i) of subsection (1) in relation to a financial regulator;
- (b) a notice under subsection (4) is subsidiary legislation. (Enacted 1995)
- (1) A personal data system is exempt from the provisions of this Ordinance to the extent that it is used by a data user for the collection, holding, processing or use of personal data which are, or are contained in, protected product or relevant records.
- (2) Personal data which are, or are contained in, protected product or relevant records are exempt from the provisions of this Ordinance.
- (3) In this section— "device retrieval warrant" (器材取出手令) has the meaning assigned to it by section 2(1) of the Interception of Communications and Surveillance Ordinance (Cap 589); "prescribed authorization" (訂明授權) has the meaning assigned to it by section 2(1) of the Interception of Communications and Surveillance Ordinance (Cap 589); "protected product" (受保護成果 ) has the meaning assigned to it by section 2(1) of the Interception of
Communications and Surveillance Ordinance (Cap 589); "relevant records" (有關紀錄) means documents and records relating to—
- (a) any application for the issue or renewal of any prescribed authorization or device retrieval warrant under the Interception of Communications and Surveillance Ordinance (Cap 589); or
- (b) any prescribed authorization or device retrieval warrant issued or renewed under that Ordinance (including anything done pursuant to or in relation to such prescribed authorization or device retrieval warrant).
(Added 20 of 2006 s. 68)
Personal data relating to the physical or mental health of the data subject are exempt from the provisions of either or both of-
(a) data protection principle 6 and section 18(1)(b);
(b) data protection principle 3, in any case in which the application of those provisions to the data would be likely to cause serious harm to the physical or mental health of-
- (i) the data subject; or
- (ii) any other individual. (Enacted 1995)
Section: | 60 | Legal professional privilege | 30/06/1997 |
---|
Personal data are exempt from the provisions of data protection principle 6 and section 18(1)(b) if the data consist of information in respect of which a claim to legal professional privilege could be maintained in law. (Enacted 1995)
Section: | 61 | News | 30/06/1997 |
---|
(1) Personal data held by a data user-
(a) whose business, or part of whose business, consists of a news activity; and
- (b) solely for the purpose of that activity (or any directly related activity), are exempt from the provisions of
- (i) data protection principle 6 and sections 18(1)(b) and 38(i) unless and until the data are published or broadcast (wherever and by whatever means);
- (ii) sections 36 and 38(b).
- (a) the use of the data consists of disclosing the data to a data user referred to in subsection (1); and
- (b) such disclosure is made by a person who has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting (wherever and by whatever means) of the data (and whether or not they are published or broadcast) is in the public interest.
- (3) In this section-"news activity" (新聞活動) means any journalistic activity and includes-
- (a) the-
- (i) gathering of news;
- (ii) preparation or compiling of articles or programmes concerning news; or
- (b) the dissemination to the public of
- (i) any article or programme of or concerning news; or
- (ii) observations on news or current affairs. (Enacted 1995)
for the purpose of dissemination to the public; or
Section: | 62 | Statistics and research | 30/06/1997 |
---|
Personal data are exempt from the provisions of data protection principle 3 where-
- (a) the data are to be used for preparing statistics or carrying out research;
- (b) the data are not to be used for any other purpose; and
- (c) the resulting statistics or results of the research are not made available in a form which identifies the
data subjects or any of them. (Enacted 1995)
Section: | 63 | Exemption from section 18(1)(a) | 30/06/1997 |
---|
Where a data access request relates to personal data which are or, if the data existed, would be exempt from section 18(1)(b) by virtue of section 57 or 58, then the data are also exempt from section 18(1)(a) if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or non-existence of those data.
(Enacted 1995)
Section: | 63A | Human embryos, etc. | L.N. 164 of 2007 | 01/08/2007 |
---|
(1) Personal data which consist of information showing that an identifiable individual was, or may have been, born in consequence of a reproductive technology procedure within the meaning of the Human Reproductive Technology Ordinance (Cap 561) are exempt from the provisions of data protection principle 6 and section 18(1)(b)
Cap 486 - PERSONAL DATA (PRIVACY) ORDINANCE
except so far as their disclosure under those provisions is made in accordance with section 33 of that Ordinance.
(2) Where a data access request relates to personal data which are or, if the data existed, would be exempt from section 18(1)(b) by virtue of subsection (1), then the data are also exempt from section 18(1)(a) if the interest protected by that exemption would be likely to be prejudiced by the disclosure of the existence or non-existence of the data.
(Added 47 of 2000 s. 48)
PART IX
OFFENCES AND COMPENSATION
(1) A data user who, in any
- (a)
- data user return submitted under section 14(4) to the Commissioner;
- (b)
- notice under section 14(8) served on the Commissioner; or
- (c)
- notice under section 15(3) or (4) submitted to or served on the Commissioner, knowingly or recklessly supplies any information- (i) which is false or misleading in a material particular; and
- (ii)
- in purported compliance with that section, commits an offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months. (2) A person who, in any data access request or data correction request, supplies any information- (a) which is false or misleading in a material particular; and
- (b)
- which is so supplied for the purpose of having the data user concerned comply with the request, commits an offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months.
(3) A person who, in any notice under section 15(6) served on the Commissioner, supplies any information
- (a)
- which is false or misleading in a material particular; and
- (b)
- which is so supplied for the purpose of having the Commissioner comply with the request to which the
notice relates, commits an offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months.
(4) A data user who, in any matching procedure request submitted to the Commissioner, supplies any information
- (a)
- which is false or misleading in a material particular; and
- (b)
- which is so supplied for the purpose of having the Commissioner consent to the matching procedure to
which the request relates, commits an offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months.
- (5)
- A data user (including a data user first-mentioned in section 32(2)) who contravenes any condition specified in a notice under section 30(2) or 32(1)(b)(i) commits an offence and is liable on conviction to a fine at level 3.
- (6)
- Any person who contravenes section 44(3) or 46(1) commits an offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months.
- (7)
- Subject to subsection (8), any relevant data user who contravenes an enforcement notice served on the data user commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years and, in the case of a continuing offence, to a daily penalty of $1000.
- (8)
- It shall be a defence for a relevant data user charged with an offence under subsection (7) to show that the data user exercised all due diligence to comply with the enforcement notice concerned.
(9) Any person who-
- (a)
- without lawful excuse, obstructs, hinders or resists the Commissioner or any other person in the performance of his functions or the exercise of his powers under Part VII;
- (b)
- without lawful excuse, fails to comply with any lawful requirement of the Commissioner or any other person under that Part; or
- (c)
- makes a statement which he knows to be false or does not believe to be true, or otherwise knowingly misleads the Commissioner or any other person in the performance of his functions or the exercise of his powers under that Part,
commits an offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months.
(10) A data user who, without reasonable excuse, contravenes any requirement under this Ordinance (other than a contravention of a data protection principle) for which no other penalty is specified in this section commits an offence and is liable on conviction to a fine at level 3.
(Enacted 1995)
Section: | 65 | Liability of employers and principals | 30/06/1997 |
---|
- (1)
- Any act done or practice engaged in by a person in the course of his employment shall be treated for the purposes of this Ordinance as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer's knowledge or approval.
- (2)
- Any act done or practice engaged in by a person as agent for another person with the authority (whether express or implied, and whether precedent or subsequent) of that other person shall be treated for the purposes of this Ordinance as done or engaged in by that other person as well as by him.
- (3)
- In proceedings brought under this Ordinance against any person in respect of an act or practice alleged to have been done or engaged in, as the case may be, by an employee of his it shall be a defence for that person to prove that he took such steps as were practicable to prevent the employee from doing that act or engaging in that practice, or from doing or engaging in, in the course of his employment, acts or practices, as the case may be, of that description.
(4) For the avoidance of doubt, it is hereby declared that this section shall not apply for the purposes of any
criminal proceedings. (Enacted 1995)
Section: | 66 | Compensation | 30/06/1997 |
---|
(1) Subject to subsection (4), an individual who suffers damage by reason of a contravention
- (a)
- of a requirement under this Ordinance;
- (b)
- by a data user; and
- (c)
- which relates, whether in whole or in part, to personal data of which that individual is the data subject, shall be entitled to compensation from that data user for that damage.
- (2)
- For the avoidance of doubt, it is hereby declared that damage referred to in subsection (1) may be or include injury to feelings. (3) In any proceedings brought against any person by virtue of this section it shall be a defence to show that
- (a)
- he had taken such care as in all the circumstances was reasonably required to avoid the contravention concerned; or
- (b)
- in any case where the contravention concerned occurred because the personal data concerned were inaccurate, the data accurately record data received or obtained by the data user concerned from the data subject or a third party.
- (4)
- Where an individual suffers damage referred to in subsection (1) by reason of a contravention referred to in that subsection which occurred because the personal data concerned were inaccurate, then no compensation shall be payable under that subsection in respect of so much of that damage that has occurred at any time before the expiration of 1 year immediately following the day on which this section commences.
(Enacted 1995)
Section: | 67 | Power of Commissioner to specify forms | 30/06/1997 |
---|
PART X
MISCELLANEOUS
- (1)
- Subject to subsection (2), the Commissioner may specify the form of any document required under this Ordinance to be in the specified form and the form of such other documents required for the purposes of this Ordinance as he thinks fit.
- (2)
- The Commissioner's power under subsection (1) shall be subject to any express requirement under this Ordinance for a form, whether specified or otherwise, to comply with that requirement, but that requirement shall not restrict the exercise of that power in respect of that form to the extent that, in the opinion of the Commissioner, his exercise of that power in respect of that form does not contravene that requirement.
- (3)
- The Commissioner's power under subsection (1) may be exercised in such a way as to-
- (a)
- include in the specified form of any document referred to in that subsection a statutory declaration-
- (i)
- to be made by the person completing the form; and
- (ii)
- as to whether the particulars contained in the form are true and correct to the best of that person's knowledge and belief;
- (b)
- specify 2 or more forms of any document referred to in that subsection, whether as alternatives, or to provide for particular circumstances or particular cases, as the Commissioner thinks fit.
- (4)
- A form specified under this section shall be-
- (a)
- completed in accordance with such directions and instructions as are specified in the form;
- (b)
- accompanied by such documents as are specified in the form; and
- (c)
- if the completed form is required to be provided to
- (i)
- the Commissioner;
- (ii)
- another person on behalf of the Commissioner; or
(iii) any other person,
so provided in the manner, if any, specified in the form. (Enacted 1995)
A notice (howsoever described) which is required to be served under this Ordinance, or which may be served under this Ordinance, on a person (howsoever described) shall, in the absence of evidence to the contrary, be deemed to be so served if-
- (a)
- in the case of an individual, it is-
- (i)
- delivered to him;
- (ii)
- left at his last known address for service, or at his last known place of residence or business, in Hong Kong;
- (b)
- in the case of a company, it is-
- (i)
- given to or served on an officer of the company;
- (ii)
- left at the company's last known address for service, or at its last known place of business, in Hong Kong;
- (c)
- in the case of a partnership, it is-
- (i)
- delivered, left or sent in accordance with paragraph (a) in respect of any partner who is an individual; or
- (ii)
- given, served, left or sent in accordance with paragraph (b) in respect of any partner which is a company;
- (d)
- in the case of a person ("attorney") holding a power of attorney under which the attorney is authorized to accept service in respect of another person, it is-
- (i)
- delivered, left or sent in accordance with paragraph (a) where the attorney is an individual;
- (ii)
- given, served, left or sent in accordance with paragraph (b) where the attorney is a company;
(iii) delivered, left or sent in accordance with paragraph (a) in respect of any partner who is an individual where the attorney is a partnership; or
(iv) given, served, left or sent in accordance with paragraph (b) in respect of any partner which is a
company where the attorney is a partnership. (Enacted 1995)
Section: | 69 | Regulations - fees | 30/06/1997 |
---|
- (1)
- The Commissioner may make regulations to prescribe the fees to be paid in respect of any matter, service or facility in respect of which a prescribed fee is payable to the Commissioner under this Ordinance.
- (2)
- The amount of any fee prescribed in regulations made under subsection (1) shall not be limited by reference to the amount of administrative or other costs incurred or likely to be incurred in relation to providing the matter, service or facility to which such fee relates, and different fees may be so prescribed for the same matter, service or facility in order to provide for particular circumstances or particular cases specified in the regulations.
(Enacted 1995)
Section: | 70 | Regulations - general | L.N. 130 of 2007 | 01/07/2007 |
---|
Remarks: For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution.
- (1)
- The Secretary for Constitutional and Mainland Affairs may make regulations for all or any of the following matters-(Amended L.N. 130 of 2007)
- (a)
- the particulars to be entered in the log book of a data user, including particulars referred to in section 27(2)(a), (b) and (c);
- (b)
- prescribing anything that is required or permitted to be prescribed under this Ordinance.
- (a)
- empower the Commissioner to grant exemptions from the regulations, either generally or in a particular case;
- (b)
- make different provisions for different circumstances and provide for a particular case or class of case;
- (c)
- be made so as to apply only in such circumstances as are prescribed by the regulations.
- (3)
- Any regulations made under this section may prescribe offences in respect of contraventions of the regulations, and may provide for the imposition in respect of any such offence of a fine not exceeding level 3 and of imprisonment for a period not exceeding 2 years and, in the case of a continuing offence, to a daily penalty not exceeding $1000.
(Enacted 1995)
Section: | 71 | Amendment of Schedules 2, 4 and 6 | 34 of 1999 | 01/07/1997 |
---|
Remarks:
Adaptation amendments retroactively made - see 34 of 1999 s. 3
The Chief Executive in Council may, by notice in the Gazette, amend Schedule 2, 4 or 6. (Enacted 1995. Amended 34 of 1999 s. 3)
Section: | 72 | (Omitted as spent) | 30/06/1997 |
---|
(Omitted as spent) | (Enacted 1995) | ||||
---|---|---|---|---|---|
(Omitted as spent) | (Enacted 1995) | ||||
[sections 2(1) & (6)] |
Section: | 73 | (Omitted as spent) | 30/06/1997 |
---|
Schedule: | 1 | DATA PROTECTION PRINCIPLES | 30/06/1997 |
---|
1. Principle 1-purpose and manner of collection of personal data
- (1)
- Personal data shall not be collected unless-
- (a)
- the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;
- (b)
- subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and
- (c)
- the data are adequate but not excessive in relation to that purpose.
- (2)
- Personal data shall be collected by means which are
- (a)
- lawful; and
- (b)
- fair in the circumstances of the case.
- (3)
- Where the person from whom personal data are or are to be collected is the data subject, all practicable steps shall be taken to ensure that-
- (a)
- he is explicitly or implicitly informed, on or before collecting the data, of-
- (i)
- whether it is obligatory or voluntary for him to supply the data; and
- (ii)
- where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and
- (b)
- he is explicitly informed-
- (i)
- on or before collecting the data, of-
- (A)
- the purpose (in general or specific terms) for which the data are to be used; and
- (B)
- the classes of persons to whom the data may be transferred; and
- (ii)
- on or before first use of the data for the purpose for which they were collected, of-
- (B)
- the name and address of the individual to whom any such request may be made, unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data were collected and that purpose is specified in Part VIII of this Ordinance as a purpose in relation to which personal data are exempt from the provisions of data protection principle 6.
2. Principle 2-accuracy and duration of retention of personal data
(1) All practicable steps shall be taken to ensure that-
- (a)
- personal data are accurate having regard to the purpose (including any directly related purpose) for which the personal data are or are to be used;
- (b)
- where there are reasonable grounds for believing that personal data are inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used-
- (i)
- the data are not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or
- (ii)
- the data are erased;
- (c)
- where it is practicable in all the circumstances of the case to know that-
- (i)
- personal data disclosed on or after the appointed day to a third party are materially inaccurate having regard to the purpose (including any directly related purpose) for which the data are or are to be used by the third party; and
- (ii)
- that data were inaccurate at the time of such disclosure,
that the third party - (A)
- is informed that the data are inaccurate; and
- (B)
- is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.
(2) Personal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data are or are to be used.
3. Principle 3-use of personal data
Personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than-
- (a)
- the purpose for which the data were to be used at the time of the collection of the data; or
- (b)
- a purpose directly related to the purpose referred to in paragraph (a).
4. Principle 4-security of personal data
All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure or other use having particular regard to-
- (a)
- the kind of data and the harm that could result if any of those things should occur;
- (b)
- the physical location where the data are stored;
- (c)
- any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data are stored;
- (d)
- any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
- (e)
- any measures taken for ensuring the secure transmission of the data.
5. Principle 5-information to be generally available
All practicable steps shall be taken to ensure that a person can-
- (a)
- ascertain a data user's policies and practices in relation to personal data;
- (b)
- be informed of the kind of personal data held by a data user;
- (c)
- be informed of the main purposes for which personal data held by a data user are or are to be used.
6. Principle 6-access to personal data
A data subject shall be entitled to
- (a)
- ascertain whether a data user holds personal data of which he is the data subject;
- (b)
- request access to personal data-
- (i)
- within a reasonable time;
- (ii)
- at a fee, if any, that is not excessive;
- (c)
- be given reasons if a request referred to in paragraph (b) is refused;
- (d)
- object to a refusal referred to in paragraph (c);
- (e)
- request the correction of personal data;
- (f)
- be given reasons if a request referred to in paragraph (e) is refused; and
- (g)
- object to a refusal referred to in paragraph (f). (Enacted 1995)
Remarks: For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution.
[sections 5(7), 10(2)(c) & 71]
1. Resources of Commissioner
(1) The resources of the Commissioner shall consist of-
- (a)
- all money
- (i)
- paid by the Government to the Commissioner and appropriated for that purpose by the Legislative Council; and
- (ii)
- otherwise provided to the Commissioner by the Government; and
- (b)
- all other money and property, including gifts, donations, fees, rent, interest and accumulations of income received by the Commissioner.
- (2)
- The Secretary for Financial Services and the Treasury may give directions in writing of a general or specific character to the Commissioner in relation to the amount of money which may be expended by the Commissioner in any financial year and the Commissioner shall comply with those directions. (Amended L.N. 106 of 2002)
- (3)
- For the avoidance of doubt, it is hereby declared that any remuneration or other benefit payable to, and any expenses of- (a) the Commissioner; or
- (b)
- any person employed or engaged under section 9(1) of this Ordinance, shall be paid out of the resources of the Commissioner.
2. Borrowing powers
- (1)
- Subject to subsection (2), the Commissioner may borrow by way of overdraft such money as he may require for meeting his obligations or performing his functions under this Ordinance.
- (2)
- The Secretary for Constitutional and Mainland Affairs may, after consulting with the Secretary for Financial Services and the Treasury, give directions in writing of a general or specific character to the Commissioner in relation to the amount of money which may be borrowed under subsection (1) and the Commissioner shall comply with those directions.
- (3)
- The Commissioner may with the approval of the Secretary for Constitutional and Mainland Affairs given after the Secretary has consulted with the Secretary for Financial Services and the Treasury borrow, otherwise than by way of overdraft, such money as he may require for meeting his obligations or performing his functions under this Ordinance.
- (4)
- A person lending money to the Commissioner shall not be concerned to inquire whether the borrowing of the money is legal or regular or whether the money raised has been properly applied and shall not be prejudiced by any illegality or irregularity or by misapplication or non-application of the money.
(Amended L.N. 106 of 2002; L.N. 130 of 2007)
3. Investment of surplus funds
- (1)
- Subject to subsection (2), the Commissioner may invest money that is not immediately required to be expended.
- (2)
- The Commissioner shall not invest money pursuant to subsection (1) except in such forms of investment as the Secretary for Constitutional and Mainland Affairs, after consulting with the Secretary for Financial Services and the Treasury, approves. (Amended L.N. 106 of 2002; L.N. 130 of 2007)
(3) Subsection (1) shall not be subject to section 10(1) of this Ordinance.
4. Accounts, audit and annual report of Commissioner
(1) The Commissioner shall cause proper accounts to be kept of all his financial transactions.
- (2)
- The Commissioner shall, as soon as practicable after the expiry of a financial year, prepare a statement of the accounts of the Commissioner, which statement shall include an income and expenditure account and a balance sheet.
- (3)
- The Commissioner shall appoint an auditor who shall, as soon as practicable, audit the accounts required under subsection (1) and the statement of accounts required under subsection (2) and shall submit a report on the statement to the Commissioner.
- (4)
- The Commissioner shall, as soon as practicable and in any case not later than 9 months after the expiry of a financial year (or such further period as the Chief Secretary for Administration allows), furnish-
- (a)
- a report on the activities of the Commissioner during that year including a general survey of developments, during that year, in respect of matters falling within the scope of the Commissioner's functions;
- (b)
- a copy of the statement of accounts required under subsection (2); and
- (c)
- the auditor's report on the statement, to the Chief Secretary for Administration who shall cause the same to be tabled in the Legislative Council. (Amended
L.N. 362 of 1997)
(5) This section shall not be subject to section 10(1) of this Ordinance.
5. Director of Audit's examination
- (1)
- The Director of Audit may, in respect of any financial year, conduct an examination into the economy, efficiency and effectiveness with which the Commissioner has expended his resources in performing his functions and exercising his powers.
- (2)
- Subject to subsection (3), the Director of Audit shall have a right of access at all reasonable times to all such documents as he may reasonably require for conducting an examination under this section and shall be entitled to require from any person holding or being accountable for any such document such information and explanation as he considers reasonably necessary for that purpose. (3) Subsection (2) applies only to documents in the custody and control of the Commissioner.
- (4)
- The Director of Audit may report to the President of the Legislative Council the results of an examination conducted by him under this section.
- (5)
- Subsection (1) shall not operate to entitle the Director of Audit to question the merits of the policy objectives of the Commissioner.
6. Exemption from taxation
(1) The Commissioner shall be exempt from taxation under the Inland Revenue Ordinance (Cap 112).
(2) For the avoidance of doubt, it is hereby declared that subsection (1) does not apply to or in relation to any remuneration, benefits or expenses referred to in section 1(3) paid out of the resources of the Commissioner to the Commissioner.
(Enacted 1995)
[section 14(10)]
- The name and address of the data user.
- A description of the kind of personal data in respect of which the data user is a data user.
- A description of the purpose or purposes for which the personal data referred to in item 2 are or are to be collected, held, processed or used by the data user.
- A description of any classes of persons to whom the data user discloses, intends to disclose or may wish to disclose the personal data referred to in item 2.
- The names or a description of any places outside Hong Kong to which the data user transfers, intends to transfer or may wish to transfer, the personal data referred to in item 2.
- The name and address of the individual to whom data access requests may be made to the data user. (Enacted 1995)
Schedule: | 4 | PROVISIONS OF ORDINANCES UNDER WHICH MATCHING PROCEDURES ARE REQUIRED OR PERMITTED | 30/06/1997 |
---|
[sections 30(1)(d) & 71] (Enacted 1995)
Schedule: | 5 | PRESCRIBED MATTERS | 30/06/1997 |
---|
[section 32(4)]
- Whether the carrying out of the matching procedure is in the public interest.
- The kind of personal data to be the subject of the matching procedure.
- The likely consequences to a data subject if the matching procedure were to result in any adverse action taken against the data subject.
- The practices and procedures, if any, that will be followed to enable a data subject to make a data correction request-
- in respect any of the personal data produced or verified by the matching procedure;
- before any adverse action is taken against the data subject.
- The practices and procedures, if any, that will be followed to ensure, so far as is practicable, the accuracy of any personal data produced or verified by the matching procedure.
- Whether any such data subject is to be informed of the procedure before it is first carried out.
- Whether there is any practicable alternative to the matching procedure.
- The benefits to be derived from carrying out the matching procedure. (Enacted 1995)
Schedule: | 6 | 30/06/1997 |
---|
[sections 42(6), (7) & (11) & 71]
PART 1
WARRANT AUTHORIZING PRIVACY COMMISSIONER FOR PERSONAL DATA
TO ENTER SPECIFIED PREMISES WITHOUT INFORMING
RELEVANT DATA USER
To the Privacy Commissioner for Personal Data.
Having been satisfied by information upon oath/declaration* that there are reasonable grounds for believing that the purposes of an investigation under the Personal Data (Privacy) Ordinance (Cap 486) in relation to ............................................................................ [name of relevant data user] may be substantially prejudiced if you were required to comply with section 42(3) of that Ordinance before exercising your power under section 42(2) of that Ordinance in respect of the premises at ...................................................................................................... ................................................................................... .......................................................... [address of premises occupied by the relevant data user/in which is situated the personal data system, or any part thereof, used by the relevant data user*]:
YOU ARE HEREBY AUTHORIZED, with such assistants as may be necessary, to exercise your power under section 42(2) of that Ordinance in respect of those premises without complying with section 42(3) of that Ordinance provided that such power is exercised before the expiration of 14 days after the date on which this warrant is issued.
Dated this ........... day of ...................... 19 ......
...................................... (Signature) Magistrate
* Delete whichever is inapplicable.
PART 2
WARRANT AUTHORIZING PRIVACY COMMISSIONER FOR PERSONAL DATA
TO ENTER SPECIFIED DOMESTIC PREMISES
To the Privacy Commissioner for Personal Data.
Having been satisfied by information upon oath/declaration* that there are reasonable grounds for believing that the purposes of the investigation into ................................... [name of relevant data user] may be substantially prejudiced if you are prevented by the operation of section 42(4) of the Personal Data (Privacy) Ordinance (Cap 486) from exercising your power under section 42(2) of that Ordinance in respect of the domestic premises at ............................. ............................................................................................................................................. [address of domestic premises occupied by the relevant data user/in which is situated the personal data system, or any part thereof, used by the relevant data user*]:
YOU ARE HEREBY AUTHORIZED, with such assistants as may be necessary, to exercise that power in respect of those premises provided that such power is exercised before the expiration of 14 days after the date on which this warrant is issued.
Dated this ........... day of ......................... 19 .......
...................................... (Signature) Magistrate
* Delete whichever is inapplicable. (Enacted 1995)
章: | 486 | 個人資料(私隱)條例 | 憲報編號 | 版本日期 |
---|
詳題 | 30/06/1997 |
---|
本條例旨在在個人資料方面保障個人的私隱,並就附帶事宜及相關事宜訂定條文。 (1995年制定)
[第II部、第71條(以涉及附
表2為限)及附表2 } 1996年8月1日 1996年第343號法律公告
其他條文,但第30及33條 } 1996年12月20日 1996年第514號法律公告
除外
第30條 } 1997年8月1日1997年第409號法律公告]
(本為1995年第81號)
條: | 1 | 簡稱及生效日期 | L.N. 130 of 2007 | 01/07/2007 |
---|
附註:
有關《立法會決議》(2007年第130號法律公告)所作之修訂的保留及過渡性條文,見載於該決議第(12)段。
第I部
導言
(1) 本條例可引稱為《個人資料(私隱)條例》。 | |
(2) 本條例自政制及內地事務局局長以憲報公告指定的日期起實施。 | (由1997年第362號法律公 |
告修訂;由2007年第130號法律公告修訂) | |
(1995年制定 ) |
條: | 2 | 釋義 | L.N. 204 of 2006 | 01/12/2006 |
---|
- (1) 在本條例中,除文意另有所指外─ “文件”(document) 除包括書面文件外,包括─
- (a)包含視覺影像以外的資料的紀錄碟、紀錄帶或其他器件,而所包含的資料能夠在有或沒有其他設備的輔助下,從該紀錄碟、紀錄帶或器件重現;及
- (b)包含視覺影像的膠卷、紀錄帶或其他器件,而所包含的影像能夠在有或沒有其他設備的輔助下,從該膠卷、紀錄帶或器件重現; “不利行動”(adverse action),就個人而言,指可對該人的權利、利益、特權、責任或權益(包括合法
期望)有不利影響的任何行動; “不準確”(inaccurate),就個人資料而言,指資料是不正確的、有誤導性的、不完全的或過時的; “切實可行”(practicable) 指合理地切實可行; “有關人士”(relevant person),就個人(不論如何描述該名個人)而言─
- (a) 如該名個人是未成年人,指對該未成年人負有作為父母親的責任的人;
- (b) 如該名個人無能力處理其本身事務,指由法庭委任以處理該等事務的人;
- (c)如屬其他情況,指獲該名個人以書面授權代他提出查閱資料要求或改正資料要求或提
出該兩項要求的人; “有關資料使用者”(relevant data user)─
- (a)就一項視察而言,指使用某個人資料系統的資料使用者,而該系統是該項視察的對象;
- (b) 就一項投訴而言,指該項投訴所指明的資料使用者;
- (c) 就─
- (i) 由一項投訴引發的調查而言,指該項投訴所指明的資料使用者;
- (ii) 其他調查而言,指屬該項調查的對象的資料使用者;
(d) 就執行通知而言,指獲送達該通知的資料使用者; “每日罰款”(daily penalty) 指就在定罪後該罪行持續的每一日所處的罰款; “改正”(correction),就個人資料而言,指更正、刪除或填備; “改正資料要求”(data correction request) 指根據第22(1)條提出的要求; “作為”(act) 包括故意的不作為; “投訴”(complaint) 指根據第37條作出的投訴; “投訴人”(complainant) 指已作出投訴的個人或已代表一名個人作出投訴的有關人士; “使用”(use),就個人資料而言,包括披露或移轉該等資料; “披露”(disclosing),就個人資料而言,包括披露自資料推斷所得的資訊; “指明”(specified),就格式而言,指根據第67條指明; “指定日”(appointed day) 指根據第1(2)條指定的日子; “訂明人員”(prescribed officer) 指根據第9(1)條獲僱用或聘用的人; “相當可能損害”(would be likely to prejudice) 包括可能會損害; “保障資料原則”(data protection principle) 指在附表1列明的任何保障資料原則; “查閱資料要求”(data access request) 指根據第18條提出的要求; “紀錄簿”(log book),就資料使用者而言,指由資料使用者根據第27(1)條備存及維持的紀錄簿; “個人身分標識符”(personal identifier) 指─
- (a) 由資料使用者為其作業而編配予一名個人;及
- (b) 就該資料使用者而言,能識辨該名個人的身分而不虞混淆,
的標識符,但用以識辨該名個人的該人的姓名,則不包括在內; “個人資料”(personal data) 指符合以下說明的任何資料─
- (a) 直接或間接與一名在世的個人有關的;
- (b) 從該等資料直接或間接地確定有關的個人的身分是切實可行的;及
(c) 該等資料的存在形式令予以查閱及處理均是切實可行的; “個人資料系統”(personal data system)指全部或部分由資料使用者用作收集、持有、處理或使用個
人資料的任何系統(不論該系統是否自動化的),並包括組成該系統一部分的任何文件及設備; “核准實務守則”(approved code of practice) 指根據第12條核准的實務守則; “核對程序”(matching procedure) 指將為1個或1個以上的目的而取自10個或10個以上的資料當事人的
個人資料與為其他目的而自該等資料當事人收集的個人資料比較的程序(用人手方法的除外),而─
- (a)所作比較(不論是全部的還是部分的)是為了產生和核實某些可(即時或於其後任何時間)用作對任何該等資料當事人採取不利行動的資料的;或
- (b)所作比較產生和核實某些資料,而就該等資料而言可合理地相信將該等資料(即時或於其後任何時間)用作對任何該等資料當事人採取不利行動是切實可行的;
“核對程序要求”(matching procedure request) 指根據第31(1)條提出的要求; “財經規管者”(financial regulator) 指任何以下人士或機構─
- (a) 根據《外匯基金條例》(第66章)第5A條委任的金融管理專員; (b)《證券及期貨條例》(第571章)第3(1)條提述的證券及期貨事務監察委員會; (由2002年第5號第407條代替) (c)《證券及期貨條例》(第571章)附表1第1部第1條所指的認可結算所、認可交易所、認可控制人或認可投資者賠償公司; (由2002年第5號第407條代替)
- (d)根據《證券及期貨條例》(第571章)第III部獲認可提供該條例附表5所界定的自動化交易服務的人; (由2002年第5號第407條代替)
- (e)-(ea) (由2002年第5號第407條廢除)
- (f) 根據《保險公司條例》(第41章)第4條委任的保險業監督;
- (g) 根據《職業退休計劃條例》(第426章)第5條委任的職業退休計劃註冊處處長; (ga) 由《強制性公積金計劃條例》(第485章)第6條設立的強制性公積金計劃管理局; (由1998年第4號第14條增補)
(gb)由《財務匯報局條例》(第588章)第6(1)條設立的財務匯報局; (由2006年第18號第84條增補)
- (h) 屬根據第(7)款刊登的公告為本定義的目的所指明為規管者的人; “第三者”(third party),就個人資料而言,指除以下人士外的任何人─
- (a) 資料當事人;
- (b) 就資料當事人而屬有關人士的人;
- (c) 資料使用者;或
- (d) 獲資料使用者為以下事情以書面授權的人─
- (ii) 代資料使用者收集、持有、處理或使用有關的資料; “執行通知”(enforcement notice) 指第50(1)條下的通知; “專員”(Commissioner) 指根據第5(1)條設立的個人資料私隱專員; “處理”(processing),就個人資料而言,包括將資料修訂、擴增、刪去或重新排列(不論是否藉自動
化方法或其他方法); “提出要求者”(requestor),就─
(a)查閱資料要求或改正資料要求而言,指已提出該項要求的個人或代該名個人提出該項要求的有關人士;
(b) 核對程序要求而言,指已提出該項要求的資料使用者; “登記冊”(register) 指專員根據第15(1)條備存及維持的資料使用者登記冊; “視察”(inspection) 指根據第36條進行的視察; “資料”(data) 指在任何文件中資訊的任何陳述(包括意見表達),並包括個人身分標識符; “資料使用者”(data user),就個人資料而言,指獨自或聯同其他人或與其他人共同控制該等資料的
收集、持有、處理或使用的人; “資料使用者申報表”(data user return) 指第14(4)條所提述的資料使用者申報表; “資料當事人”(data subject),就個人資料而言,指屬該等資料的當事人的個人; “僱用”(employment) 指在以下合約下的僱用─
- (a) 僱傭合約或學徒訓練合約;或
- (b) 由個人親自進行某工作或勞動的合約,
而相關詞句均須據此解釋; “實務守則”(code of practice) 包括─
- (a) 標準;
- (b) 規格;及
- (c) 其他文件形式的實務性的指引; “調查”(investigation) 指根據第38條進行的調查; “諮詢委員會”(Committee) 指根據第11(1)條設立的個人資料(私隱)諮詢委員會。
- (2) 為免生疑問,現聲明︰“有關人士”的定義的(c)段不得解釋為─
- (a) 使只獲授權代表一名個人提出查閱資料要求的人有權代該名個人提出改正資料要求;
- (b) 使只獲授權代表一名個人提出改正資料要求的人有權代該名個人提出查閱資料要求。
- (3) 凡根據本條例任何作為可經某人(不論如何描述該人)的訂明同意而作出,該同意─
- (a) 指該人自願給予的明示同意;
- (b)不包括已藉向獲給予同意的人送達書面通知而予以撤回的任何同意(但不損害在該通知送達前的任何時間依據該同意所作出的所有作為)。
- (4)
- 在不抵觸第64(10)條的條文下,現聲明︰在本條例中的任何提述,凡其意思是指某資料使用者(不論如何描述該人)─ (a) 已違反本條例下的規定;或
- (b) 正在違反本條例下的規定, 均─
- (i) (如(a)段適用)包括指有關的資料使用者已作出某作為或已從事某行為,而該作為或行為是違反保障資料原則的;
- (ii) (如(b)段適用)包括指有關的資料使用者正在作出某作為或正在從事某行為,而該作為或行為是違反保障資料原則的。
- (5)
- 即使本條例有任何其他規定,投訴可就已不再是資料使用者的人提出,而由該項投訴引發的調查(如有的話)亦可就該人進行;但如該人在緊接專員接獲該項投訴的日期前2年期間內任何時間不曾是資料使用者,則屬例外;而凡有投訴就任何人提出,該人亦據此須就該項投訴及由該項投訴引發的調查(如有的話)被當作為資料使用者;而本條例其他條文須據此解釋。
- (6)
- 在本條例中,凡提述帶有編號的保障資料原則之處,均為提述附表1內所列明的有該編號的原則。
- (7) 行政長官可藉憲報公告指明某人為“財經規管者”的定義所指的規管者。 (由1999年第34號第3條修訂;由2002年第23號第126條修訂)
- (8) 現聲明︰第(7)款下的公告是附屬法例。
- (9) 凡任何人─
- (a) 擔任任何職位、從事任何職業或進行任何行業;及
- (b)按任何法律或根據或憑藉任何法律訂立的任何規則規定須屬擔任該職位、從事該職業
或進行該行業的適當人選(或相似意思的字眼), 而該人因任何行為而令他不再是上述適當人選或該行為會令他不再是上述適當人選,則就本條例而言,該行為須視為嚴重不當的行為。
- 第(9)款的施行不阻止作出嚴重不當的行為(就本條例而言,包括令任何人不再是適當人選或會令任何人不再是適當人選的行為,即使該行為並非該款所適用的行為)。
- (11) 就資料使用者而言,凡不指明屬男性或女性的字及詞句,亦指男性及女性。
- 如某人純粹代另一人持有、處理或使用的任何個人資料,而該首述的人並非為其任何本身目的而持有、處理或使用(視屬何情況而定)該等資料,則(但亦只有在此情況下)該首述的人就該等個人資料而言不算是資料使用者。
- 為免生疑問,現聲明︰就本條例而言,如一個人的行為已使他或可以使他根據不時生效的香港賽馬會賽事規例及董事局指示成為被吊銷資格的人或被暫時吊銷資格的人,則該等行為屬嚴重
不當的行為。 (由1999年第34號第3條修訂)
(1995年制定)
條: | 3 | 適用範圍 | 01/07/1997 |
---|
- (1) 本條例對政府具約束力。
- (2) (*不採用為香港特別行政區法律) (1995年制定)
註:
* 見《全國人民代表大會常務委員會關於根據〈中華人民共和國香港特別行政區基本法〉第一百六十條處理香港原有法律的決定》。該決定刊載於第1冊,第13/1頁。
條: | 4 | 保障資料原則 | 30/06/1997 |
---|
資料使用者不得作出違反任何保障資料原則的作為或從事違反任何該等原則的行為,但如該作為或行為(視屬何情況而定)是根據本條例規定須作出或進行或准許作出或進行的,則屬例外。 (1995年制定)
條: | 5 | 個人資料私隱專員職位的設立等 | 34 of 1999 | 01/07/1997 |
---|
附註:
具追溯力的適應化修訂─見1999年第34號第3條
第Ⅱ部
執行
- (1) 為本條例的施行,現設立一名為“個人資料私隱專員”的職位。
- (2) 專員為永久延續的單一法團及─
- (a) 須具有並可使用印章;及
- (b) 須可起訴及可被起訴。
- (3) 行政長官須藉憲報公告委任一人為專員。 (由1999年第34號第3條修訂)
- 除第(5)款另有規定外,獲委任為專員的人的任期為5年,並有資格再獲委任,但再獲委任的任期只可為多1個5年任期。
- (5) 獲委任為專員的人可─
- (a) 隨時藉書面通知向行政長官辭職;或
- (b) 基於以下理由,被行政長官經立法會藉決議批准免任─
- (i) 無能力執行其職位的職能;或
- (ii) 行為不當。 (由1999年第34號第3條修訂)
- (6) 行政長官須─ (由1999年第34號第3條修訂)
- (a) 釐定獲委任為專員的人的薪酬;及
- (b) 決定獲委任為專員的人的委任的條款與條件。
- (7) 附表2的條文就專員具有效力。
- 除第(9)款另有規定外,專員不得視為政府的僱員或代理人,亦不得視為享有政府的地位、豁免權及特權。
(9) 獲委任為專員的人須─
- (a) 當作為《防止賄賂條例》(第201章)第2條所指的公職人員;及
- (b) 為該條例的施行而當作為公職人員。 (1995年制定)
條: | 6 | 專員不得擔任其他職位 | 34 of 1999 | 01/07/1997 |
---|
附註:
具追溯力的適應化修訂─見1999年第34號第3條
獲委任為專員的人不得在沒有行政長官明確的批准下─ (由1999年第34號第3條修訂)
- (a) 擔任其專員職位以外的任何有酬職位;或
- (b) 為報酬而從事其職位的職能以外的任何職業。 (1995年制定)
條: | 7 | 臨時空缺的填補 | 34 of 1999 | 01/07/1997 |
---|
附註:
具追溯力的適應化修訂─見1999年第34號第3條
(1) 如獲委任為專員的人─
- (a) 去世;
- (b) 辭職;
- (c) 被免任;
- (d) 不在香港;或
(e) 因其他理由不能執行其職位的職能, 則行政長官可藉書面通知委任一人署理專員職位,直至(視情況所需)─ (由1999年第34號第3條修訂)
- (i) 新的專員根據第5(3)條獲委任為止;或
- (ii) 專員回任為止。
- (2) 根據第(1)款獲委任署理專員職位的人,在他獲委任的期間─
- (a) 須執行專員在本條例下的職能;及
- (b) 可行使專員在本條例下的權力。
- (3) 第6條須適用於根據第(1)款獲委任署理專員職位的人,猶如該人是專員一樣。 (1995年制定)
條: | 8 | 專員的職能及權力 | 34 of 1999 | 01/07/1997 |
---|
附註:
具追溯力的適應化修訂─見1999年第34號第3條
(1) 專員須─
第 486章 -個人資料 (私隱)條例
- (a) 就遵守本條例條文作出監察及監管;
- (b)促進及協助代表資料使用者的團體為第12條的施行擬備實務守則,以在遵守本條例條文(尤其是各保障資料原則)方面提供指引;
- (c) 促進對本條例的條文(尤其是各保障資料原則)的認識及理解以及遵守;
- (d)對他認為可影響在個人資料方面的個人私隱的建議制定的法例(包括附屬法例)加以審核,並向建議制定該法例的人報告其審核結果;
- (e)進行視察,包括對屬政府部門或法定法團的資料使用者所使用的任何個人資料系統的視察;
- (f)為更佳地執行他的其他職能而對資料處理及電腦科技進行研究及監察其發展,以顧及該等發展在個人資料方面對個人私隱相當可能有的不利影響;
- (g) 與─
- (i) 在香港以外任何地方執行專員認為與其在本條例下的任何職能相似(不論全部或部分相似)的職能的人,進行聯絡及合作;及
- (ii) 該等人士在某些相互關注的並涉及在個人資料方面的個人私隱的事項方面進行聯絡及合作;及
- (h) 執行根據本條例或其他成文法則委予他的其他職能。
- 專員可作出所有為更佳地執行其職能而需要作出的或對此有助的所有事情,或為更佳地執行其職能而連帶須作出的所有事情,而在不影響前文的概括性原則下,專員尤可─
- (a) 在認為任何類別的財產對─
- (i) 為專員或任何訂明人員供給地方;或
- (ii) 專員可執行的任何職能的執行, 屬必要時,取得及持有該財產,並可在持有該財產所按的條款及條件的規限下,處置該財產;
- (b)訂立、履行、轉讓、更改或撤銷任何合約、協議或其他義務,或接受他人所轉讓的合約、協議或其他義務;
- (c)承辦或執行合法信託,但限於以推動專員在本條例下須予執行或准予執行的職能為宗旨的信託及具有其他類似宗旨的信託;
- (d) 接受饋贈及捐贈,不論是否受信託所規限的饋贈或捐贈;
- (e) 在獲得行政長官事先批准下,成為任何關注(不論是完全或部分)在個人資料方面的個人私隱的國際組織的正式成員或附屬成員; (由1999年第34號第3條修訂)
- (f) 行使本條例或其他成文法則賦予他的其他權力。
- 專員在執行其職能或行使其權力時,可製備及簽立任何文件;凡任何與他執行職能或行使權力所合理附帶或相應引起的事宜,專員亦可在與該等事宜有關連的情況下,製備及簽立任何文件。
- 任何文件如看來是以專員的印章簽立的,須予接納為證據,在沒有相反證據的情況下須當作已妥為簽立。
(5)為向資料使用者提供指引,專員可不時安排擬備不抵觸本條例的指引以顯示他擬執行其在
本條例下任何職能或行使其在本條例下任何權力的方式,並安排將該指引藉憲報公告刊登。 (1995年制定)
(1) 專員可─
- (a) 僱用他認為合適的人士(包括從事技術工作的人士及專業人士);及
- (b) 以僱用以外的方法聘用他認為合適的從事技術工作的人士或專業人士,
以協助他執行其在本條例下的職能及行使其在本條例下的權力。
- (2) 專員須─
- (a)釐定可根據第(1)(a)款僱用的任何人或任何屬於可根據該款僱用的某類別人士的人的薪酬及決定僱用該人的條款及條件;
- (b)釐定可根據第(1)(b)款聘用的任何人或任何屬於可根據該款僱用的某類別人士的人的薪酬及決定聘用該人的條款及條件。
- (3) 專員可─
- (a) 發放或提供資金以備發放退休金、酬金及退休利益予僱員;
- (b) 為僱員及其受養的人的福利,提供其他利益;
- (c)批准付款予已去世的僱員的遺產代理人,或在該僱員去世時倚靠他供養的任何人,不論付款是否在法律上應付的。
- (4) 為提供資金作發放第(3)款所指的退休金、酬金、利益及付款之用,專員可─
- (a) 設立、管理及掌管任何基金或計劃;或
- (b)與任何公司或組織作出安排,由該公司或組織單獨或聯同專員設立、管理及掌管任何基金或計劃。
- (5) 專員可向第(4)款所提述的基金或計劃供款,並可要求僱員向該基金或計劃供款。
- 在本條例中,“僱員”(employees)包括專員指明的任何類別的僱員,而在第(3)款中,包括
前度僱員。 (1995年制定)
(1)在不抵觸第(2)款的條文下,專員可在他認為合適的規限條款及條件(如有的話)下,將他在本條例下的任何職能或權力,轉授予任何訂明人員,規限條款及條件 (如有的話)須在授權書中指明。
- (2) 專員不得轉授他在以下條文下的職能或權力─
- (a) 第(1)款;
- (b) 在根據本條例訂立的規例中指明為不受第(1)款規限的該等規例的條文;
- (c) 在附表2中指明為不受第(1)款規限的該附表的條文。
- (3) 獲專員轉授職能或權力的人 ─
- (a) 須執行該等職能及可行使該等權力,猶如該人是專員一樣;及
- (b) 在沒有相反證據的情況下,須推定為按照有關的轉授行事。 (1995年制定)
附註:有關《立法會決議》(2007年第130號法律公告)所作之修訂的保留及過渡性條文,見載於該決議第(12)段。
- (1) 現設立一個委員會,名為“個人資料(私隱)諮詢委員會”,諮詢委員會的設立目的為就任何與在個人資料方面的私隱有關的事宜,或在其他方面與本條例的施行有關的事宜,向專員提供意見。
- (2) 諮詢委員會由以下人士組成─
- (a) 專員,他須擔任主席;及
- (b) 由政制及內地事務局局長委任的4名至8名其他人士,其中─
- (i) 最少須有1名具備5年或5年以上處理資料的經驗;及
- (ii) 公職人員不得多於1名。
- 根據第(2)(b)款委任的諮詢委員會成員,須按政制及內地事務局局長在他們各自的委任書中指明的或不時指明的任期及任職條款,擔任成員職位。
- 根據第(2)(b)款委任的諮詢委員會成員可隨時藉向政制及內地事務局局長遞交書面通知而辭去成員職位。
(5) 諮詢委員會可規管其程序。 (1995年制定。由1997年第362號法律公告修訂;由2007年第130號法律公告修訂)
第III部
實務守則
- 在符合第(8)及(9)款的規定下,專員可為就施加予資料使用者的本條例下的規定提供實務性指引,而─
- (a) 核准及發出他認為對該目的屬適合的實務守則(不論是否由他擬備的);及
- (b) 核准他認為對該目的屬適合並由其他人或擬由其他人發出的實務守則。
- (2) 凡專員根據第(1)款核准任何實務守則,他須藉憲報公告─
- (a) 示明有關的守則,並指明對其的核准的生效日期;及
- (b) 指明是為了本條例下的哪一或哪些規定而如此核准該守則。
- (3) 專員可─
- (a) 不時修訂他根據本條擬備的實務守則的全部或其任何部分;及
- (b) 核准對或擬對在當其時已根據本條核准的實務守則的全部或任何部分作出的修訂, 而第(2)款的條文在經必要的變通後,須就根據本款核准修訂而適用,如同它們適用於根據第(1)款核准實務守則。
- (4) 專員可在任何時間,撤回他給予任何已根據本條核准的實務守則的核准。
- 凡專員根據第(4)款撤回他給予任何已根據本條核准的實務守則的核准,他須藉憲報公告,示明有關的守則及指明他給予該守則的核准自何日起停止有效。
- 本條例中提述核准實務守則之處,為提述該守則憑藉根據本條核准的對該守則的全部或其任何部分的修訂而在當其時具有效力的版本。
- 專員根據第(1)(b)款核准由或擬由專員以外的人發出的實務守則的權力包括核准該等守則的一部分的權力,而在本條例中“實務守則”(code of practice) 據此可理解為包括該等守則的一部分。
- 在本條開始實施的日期後的6個月內或在民政事務局局長容許的不超過該限期之後6個月的較後期間內,專員須就第(1)款所提述的所有或任何規定(只要該等規定是關乎屬個人身分標識符的個人資料)根據第(1)款核准實務守則。 (由1997年第362號法律公告修訂)
- 專員在根據第(1)款核准實務守則或核准根據第(3)款對該守則作出的任何修訂或建議如此作出的修訂前─
- (a)如該守則或經如此修訂的守則(視屬何情況而定)將會適用(不論是完全適用或部分適用)於某些資料使用者,他須諮詢他認為合適的並代表該等資料使用者的團體;及
- (b) 他須諮詢他認為合適的其他有利害關係的人。
- 為免生疑問,現聲明︰專員可為不同類別的資料使用者,及為第(1)款所提述的相同或不同的規定,根據第(1)款核准不同的實務守則(包括第(8)款所提述的任何實務守則)。
- (1995年制定)
- 凡任何資料使用者不依循核准實務守則的條文,此事本身不令他可在民事或刑事法律程序中被起訴,但如在根據本條例進行的法律程序中,資料使用者被指稱為違反本條例下的規定,而在指稱中的違反行為發生時,已有關於該項規定的核准實務守則,則第(2)款須就該等法律程序在該等守則方面具有效力。
- 凡有人指稱本條例下的某規定遭違反,指明當局覺得與該規定有關的實務守則的條文,可在有關的根據本條例進行的法律程序中獲接納為證據;如證明在關鍵時間有不依循該守則任何條文的情況,而該指明當局覺得該守則的任何條文與它為確證違反該規定的情況須予證明的事項有關,則在沒有證據證明該規定就該事項而言已以依循該條文以外的方式獲遵守的情況下,該事項須視為已獲證明。
- 在根據本條例進行的法律程序中,指明當局覺得屬第12條下的通知的標的之實務守則,在沒有相反證據的情況下,須視為該通知的標的。
- (4) 在本條中─ “指明當局”(specified body) 指─
- (a) 裁判官;
- (b) 法庭;或
- (c) 行政上訴委員會; “根據本條例進行的法律程序”(proceedings under this Ordinance) 在有資料使用者被指稱為因為違反
本條例下的規定而犯罪行的情況下,包括刑事法律程序。 (1995年制定)
附註:有關《立法會決議》(2007年第130號法律公告)所作之修訂的保留及過渡性條文,見載於該決議第(12)段。
第IV部
資料使用者申報表及 資料使用者登記冊
- (1) 在符合第(2)款的規定下,專員可藉憲報公告指明本條所適用的某類別的資料使用者。
- (2) 專員在根據第(1)款以公告指明某類別的資料使用者之前,須─
- (a) 諮詢他認為合適的並代表屬於該類別的資料使用者的團體;及
- (b) 諮詢他認為合適的其他有利害關係的人。
- 除非資料使用者屬正在生效的在第(1)款下的公告中指明某類別的資料使用者,否則本條不適用於該資料使用者。
- (4) 資料使用者須向專員呈交一份資料使用者申報表,該份申報表─
- (a) 須符合指明格式;
- (b) 須載有由該申報表就該資料使用者規定須有的訂明資訊;
- (c) 如是由─
- (i) 在指明有關類別的資料使用者的第(1)款下的公告開始生效當日即屬於該類別的資料使用者呈交的,須於該日後的每年同月同日當日或之前的3個月內呈交;
- (ii) 在指明有關類別的資料使用者的第(1)款下的公告開始生效日期之後的某日才首次屬於該類別的資料使用者呈交的,須於該某日之後的每年同月同日當日或之前的3個月內呈交;及
- (d) 須附同訂明費用。
- (5) 專員須安排在每段6個月期間內最少刊登一次公告,該公告─
- (a) 須─
- (i) 在憲報刊登;及
- (ii) 在1份或1份以上的中文報章以中文刊登及在1份或多於1份的英文報章以英文刊登,該等報章須是每日在香港行銷的;及
- (b)在不抵觸第(6)款的規定下,須為本條的施行而指明資料使用者申報表在何處及哪些時間內可供資料使用者領取。
- 專員不得行使他在第(5)(b)款下的權力而指明屬政府辦公室的地方,除非及直至他已獲政制及內地事務局局長的書面批准。 (由1997年第362號法律公告修訂;由2007年第130號法律公告修訂)
- (7) 專員須安排資料使用者申報表可供資料使用者─
- (a) 免費領取;及
- (b) 在根據第(5)款刊登的最近一份公告所指明的地方及時間內領取。
- 凡根據第(4)款由資料使用者呈交予專員的資料使用者申報表中所載的訂明資訊,在申報表呈交後有所變更─
- (a) 如(但只有在以下情況下)─
- (i) 該等資訊在該申報表中指明為本款所適用的資訊;及
- (ii) 該申報表載有或附有─
- (A) 本款的文本一份;或
- (B) 一項摘要說明本款施加予資料使用者的規定的陳述, 該資料使用者須向專員送達指明該等變更的書面通知;及
- (b) 該資料使用者須在該等變更發生後的30日內向專員送達上述通知。
- (9) 現聲明─
- (a) 第(1)款下的公告是附屬法例;
- (b)凡某資料使用者屬於在正生效的2份或2份以上的第(1)款下的公告中指明的2個或2個以上的資料使用者類別,則就本條而言,該資料使用者須當作屬於在憲報刊登的該等公告之中的第一份所指明的資料使用者類別;
- (c) 第(3)款的施行不得損害第67(4)(c)條的概括性。
- 在本條及第15條中,“訂明資訊”(prescribed information) 指在附表3中指明的任何資訊。 (1995年制定)
- (1) 專員須使用─
- (a) 根據第14(4)條呈交予他的資料使用者申報表;及
- (b) 根據第14(8)條送達予他的通知, 以備存及維持一份已呈交該等申報表的資料使用者的登記冊。
(2) 登記冊須─
- (a) 採用數據庫的形式;及
- (b)就每一名已根據第14(4)條呈交資料使用者申報表的資料使用者,載有在該申報表中提
供並且是專員認為合適的資訊的詳情。
- 凡專員為在登記冊與某資料使用者有關的範圍內備存及維持登記冊而合理地需要關於該資料使用者的訂明資訊,專員可藉送達予該資料使用者的書面通知,要求該資料使用者呈交載有該等資訊並符合訂明格式的通知,而該資料使用者須在專員所送達的通知中規定的期間(該期間不得遲於通知送達後的30日)內,以專員在通知中規定的方式,呈交該符合訂明格式的通知。
- (4) 凡根據第(3)款由某資料使用者呈交予專員的訂明資訊在呈交後有所變更─
- (a) 如(但只有在以下情況下)─
- (i) 該等資訊在該款下的有關的通知中指明為本款所適用的資訊,及
- (ii) 第(i)節所提述的通知載有或附有─
- (A) 本款的文本一份;或
- (B) 一項摘要說明本款施加予資料使用者的規定的陳述, 該資料使用者須向專員送達指明該等變更的書面通知;及
- (b) 該資料使用者須在該等變更發生後的30日內向專員送達上述通知。
- 如專員信納某人已不再是資料使用者,他可從登記冊中,刪去其中所載的基於該人的資料使用者的身分而與他有關的任何詳情。
- 已不再是資料使用者的人,可藉向專員送達符合訂明格式的通知,要求專員從登記冊中,刪去其中所載的基於該人的資料使用者的身分而與他有關的詳情,而除非該人已撤回該項要求,專員須在收到該通知當日後的3個月內,依從該項要求。
(1995年制定)
- (1) 專員須提供設施以令登記冊中所載詳情─
- (a) 可供任何人查閱;
- (b) 可藉可觀看及可閱讀的形式供查閱;
- (c) 可在一般辦公時間內供查閱;及
- (d) 可免費供查閱。
- (2) 如專員─
(a) 收到由某人提出的符合指明格式的申請;及
(b) 收到訂明費用, 他須以書面提供登記冊所載的關於該申請所指明的某資料使用者(或某類別的資料使用者)詳情的複本。
(1995年制定)
(1) 為免生疑問,現聲明─
(a) 登記冊是否載有關於某資料使用者的詳情此事;
(b) 登記冊中載有的關於某資料使用者的詳情, 本身不得─
- (i) 局限、限制或規限本條例任何條文(包括第2(5)條及各保障資料原則)就該資料使用者的施行;
- (ii) 豁免該資料使用者使其不受本條例任何條文的施行所管限。
(2) 第(1)款不得損害在本條例其他條文中有所規定的任何局限、限制、規限或豁免的施行。 (1995年制定)
第V部
個人資料的查閱及更正
- (1) 任何個人或代表一名個人的有關人士可提出內容如下的要求─
- (a) 要求資料使用者告知他該使用者是否持有該名個人屬其資料當事人的個人資料;
- (b) 如該資料使用者持有該等資料,要求該使用者提供一份該等資料的複本。
- (2) 在第(1)款(a)及(b)段下的查閱資料要求,須視為單一項要求,而本條例的條文須據此解釋。
(3)在沒有相反證據的情況下,第(1)款(a)段下的查閱資料要求須視為該款(a)及(b)段下的查閱資料要求,而本條例的條文(包括第(2)款)須據此解釋。
(4) 就某些個人資料而言,如某資料使用者─
- (a) 不是持有該等資料的;但
- (b)控制該等資料的使用,而控制的方式禁止實際持有該等資料的另一資料使用者依從(不論是完全依從或部分依從)關乎該等資料的查閱資料要求,
則他須當作持有該等資料,而本條例的條文(包括本條)須據此解釋。 (1995年制定)
(1)在符合第(2)款及第20及28(5)條的規定下,資料使用者須在收到查閱資料要求後的40日內,依從該項要求。
- (2) 凡資料使用者不能在第(1)款指明的期間內依從查閱資料要求,他─
- (a) 須在該期間屆滿前─
- (i) 藉書面通知告知提出要求者他不能如此依從該項要求,以及其理由;及
- (ii) 在他能依從該項要求的範圍(如有的話)內,依從該項要求;及
- (b)須在該期間屆滿後,在切實可行的範圍內盡快依從或盡快完全依從(視屬何情況而定)該項要求。
- (3) 依從某項查閱資料要求而由資料使用者提供的個人資料複本─
- (a) 須以收到該項要求時的該等資料為準而提供,但該複本可─
- (i) 參照─
- (A) 在收到該項要求的時間至供應該複本之時之間作出的;及
- (B) 不論有否收到該項要求亦會作出的,
對該等資料的處理;及 - (ii) 在符合第(5)款的規定下,參照在收到該項要求的時間至供應該複本之時之間對該等資料作出的改正;
- (b)在已對該等資料作出(a)(ii)段所提述的任何改正的情況下,須附同一份通知,說明該等資料已依據該段予以改正(或相似意思的字眼);及
- (c) 在切實可行範圍內─
- (i) 須是清楚易明的,但如該複本是一份文件的真實複本,而該份文件─
- (A) 載有該等資料;而
- (B) 在表面上不是清楚易明的,
則屬例外; - (ii) 在該資料使用者所使用的編碼已獲充分解說的情況下,須是容易理解的;及
- (iii) (A) 除(B)分節另有規定外,須採用該項要求所指明的語文(可為中文或英文);如無如此指明語文,則可採用提出該項要求所採用的語文(可為中文或英文);
(B) 如(但只有在以下情況下)─
- (I) 持有該等資料所採用的語文,不是在該項要求所指明的語文或(如沒有如此指明語文)提出該項要求所採用的語文(視屬何情況而定);而
- (II) (在符合第20(2)(b)條的規定下)該複本是載有該等資料的文件的真實複
本, 須採用該項要求所指明的語文以外的語文或(如沒有如此指明語文)提出該項要求所採用的語文(視屬何情況而定)以外的語文;
- (iv)在不損害第(iii)節的概括性原則下但在不抵觸第(4)款的條文下,須採用該項要求所指明(如有指明的話)的形式或(如指明一種形式以上)其中一種形式;
- (v) (如第(iv)節不適用)須採用該資料使用者認為合適的形式。
(4) 凡─
- (a)查閱資料要求指明所尋求採用的為依從該項要求而提供的個人資料的複本而須採用的一種或多於一種形式;及
- (b)有關的資料使用者不能提供採用該種形式或該等形式中的一種(視屬何情況而定)的複
本,而理由是該資料使用者如此行事並不切實可行, 則─
- (i) 如該資料使用者提供該複本能採用的切實可行形式只有一種,該資料使用者須以該種形式提供該複本,並附同一份書面通知,告知有關的提出要求者該種形式是提供該複本可採用的唯一切實可行形式;
- (ii) 在其他情況下,該資料使用者須─
- (A) 在切實可行範圍內,盡快以書面通知告知該提出要求者─
- (I) 該資料使用者提供採用該項要求所指明的一種形式或(如指明一種形式以上)其中任何一種形式(視屬何情況而定)的複本,並不切實可行;
- (II) 該資料使用者提供該複本可採用的切實可行形式為何種形式;及
- (III)提出要求者可在收到該通知後的14日內,用書面指明該複本須以第(II)分節中指明的形式中的哪一種形式提供;及
- (B) 在切實可行範圍內,盡快─
- (I) 採用對(A)節所提述的通知書的回覆(如有的話)所指明的形式提供複本;
- (II) (如在(A)(III)節所指明的期間內沒有該等回覆)採用(A)(II)節所提述的形式中該資料使用者認為合適的一種,提供複本。
- (5) 第(3)款(a)段第(ii)節及(b)段在指定日的1周年當日停止有效。 (1995年制定)
- (1) 在以下情況,資料使用者須拒絕依從查閱資料要求─
(a) 該資料使用者不獲提供他合理地要求─
- (i) 以令他信納提出要求者的身分的資訊;
- (ii) (如提出要求者看來是就另一名個人而屬有關人士)以令他─
- (A) 信納該另一名個人的身分;及
- (B) 信納提出要求者確是就該另一名個人而屬有關人士, 的資訊;
(b)(在符合第(2)款的規定下)該資料使用者不能在不披露另一名個人屬其資料當事人的個人資料的情況下依從該項要求;但如該資料使用者信納該另一名個人已同意向該提出要求者披露該等資料,則屬例外;或
(c) (在其他情況下)在當其時,依從該要求根據本條例是被禁止的。
- (2) 第(1)(b)款的施行不得─
- (a)令該款提述另一名個人屬其資料當事人的個人資料之處,包括提述識辨該名個人為有關的查閱資料要求所關乎的個人資料的來源的資訊(但如該名個人在該等資訊被點名或該等資訊以其他方式明確識辨該名個人的身分則除外);
- (b)令資料使用者無須在不披露該另一名個人的身分(不論是藉著略去姓名或其他能識辨身分的詳情或以其他方法)的情況下,在有關的查閱資料要求是可予依從的範圍內依從該項要求。
- (3) 在以下情況,資料使用者可拒絕依從查閱資料要求─
- (a) 該項要求既不是採用中文而以書面作出,亦不是採用英文而以書面作出;
- (b) 該資料使用者不獲提供他為找出該項要求所關乎的個人資料而合理地要求的資訊;
- (c) 該項要求關乎某些個人資料,並是在由─
- (i) 就該等資料屬資料當事人的個人;
- (ii) 一名或一名以上代表該名個人的有關人士;或
- (iii) 該名個人及該等有關人士的任何組合, 所提出的2項或2項以上的類似要求之後提出,而在所有有關情況下,要該資料使用者依從該項要求是不合理的;
(d)(在符合第(4)款的規定下)有另一資料使用者控制該等資料的使用,而控制的方式禁止本款所述的第一位資料使用者依從(不論是完全依從或部分依從)該項要求;
- (e) 提出該項要求須採用的格式已根據第67條指明,而該項要求並非採用該種格式;或
- (f) (在其他情況下)在當其時可根據本條例拒絕依從該項要求,不論是憑藉第VIII部下的豁免或其他規定而拒絕。
(4) 如─
- (a)查閱資料要求與第18(1)(a)條有關,第(3)(d)款的施行不得令有關的資料使用者在任何範圍內無須依從該項要求;
- (b)查閱資料要求與第18(1)(b)條有關,第(3)(d)款的施行,不得令有關的資料使用者無須在
能不違反有關禁制而依從該項要求的範圍內依從該項要求。 (1995年制定)
- 在不抵觸第(2)款的條文下,依據第20條拒絕依從某項查閱資料要求的資料使用者,須在收到該項要求後的40日內,於切實可行範圍內盡快以書面通知告知提出要求者─
- (a) 拒絕該項要求一事;
- (b) (在不抵觸第(2)款的條文下)拒絕的理由;及
- (c) (如第20(3)(d)條適用)有關的另一資料使用者的地址及姓名或名稱。
- (2) 如─
- (a) 資料使用者已依據第20條拒絕依從查閱資料要求;而
- (b) 該項要求憑藉第63條亦是與第18(1)(a)條有關, 則該資料使用者可在根據第(1)款發出的有關通知中,告知有關的提出要求者該資料使用者並沒有他須向該提出要求者披露其是否存在的個人資料(或相似意思的字眼),而不是告知該資料使用者須根據第(1)款告知該提出要求者的事宜。
(1995年制定)
(1) 在不抵觸第(2)款的條文下,如─
(a) 資料使用者已依從查閱資料要求而提供個人資料的複本;及
(b) 屬有關的資料當事人的個人或代表該名個人的有關人士認為該等資料不準確, 則該名個人或有關人士(視屬何情況而定)可提出要該資料使用者對該等資料作出所需的改正的要求。
(2) 就某些個人資料而言,如某資料使用者─
- (a) 不是持有該等資料的;但
- (b)控制該等資料的處理,而控制的方式,禁止實際持有該等資料的另一資料使用者就關
乎該等資料的改正資料要求遵守(不論是完全遵守或部分遵守)第23(1)條, 則他須當作可向其提出該項要求的資料使用者,而本條例的條文(包括第(1)款)須據此解釋。
- (3) 在不損害第23(1)(c)及25(2)條的概括性原則下,任何資料使用者如在接獲一項改正資料要求後但在依據第24條依從該要求前或在依據第25條拒絕依從該項要求前,向第三者披露該項要求所關乎的個人資料,則該使用者須採取所有切實可行的步驟,以告知該第三者有關資料為該使用者仍在考慮中的改正資料要求的標的(或相似意思的字眼)。
- (1995年制定)
- 除第(2)款及第24條另有規定外,如資料使用者信納改正資料要求所關乎的個人資料屬不準確,在收到該項要求後的40日內─
- (a) 他須對該等資料作出所需的改正;
- (b) 他須向提出要求者提供經如此改正的該等資料的複本一份;及
- (c) 除第(3)款另有規定外,如─
- (i) 在緊接作出有關改正之前的12個月內該等資料曾披露予第三者;及
- (ii)該等資料是為某目的(包括任何直接有關的目的)披露予該第三者,而該資料使用者
沒有理由相信該第三者已停止將該等資料用於該目的, 他須採取所有切實可行的步驟,向該第三者提供經如此改正的該等資料的複本一份,並附同一份述明改正理由的書面通知。
- (2) 如資料使用者不能在第(1)款指明的期間內就某項改正資料要求遵守該款,他─
- (a) 須在該期間屆滿前─
- (i) 藉書面通知告知提出要求者他不能如此遵守該款,以及其理由;及
- (ii) 在他能遵守該款的範圍(如有的話)內,遵守該款;及
- (b)須在該期間屆滿後,在切實可行的範圍內盡快遵守或盡快完全遵守(視屬何情況而定)該款。
- (3) 凡將個人資料向第三者作有關的披露,包含由該第三者查閱─
(a) 記入或以其他方式記錄該等資料的;及
(b) 可供公眾查閱的, 登記冊或其他相似文件,有關的資料使用者無須遵守第(1)(c)款,但如該第三者已獲供應該等資料的由該使用者核證或根據該使用者授權而核證為正確的複本,則本款不適用。
(1995年制定) (1) 除第(2)款另有規定外,如資料使用者不獲提供他合理地要求─
- (a) 以令他信納提出有關的改正資料要求的人的身分的資訊;
- (b) (如提出要求者看來是就另一人而屬有關人士)以令他─
- (i) 信納該另一人的身分;及
- (ii) 信納提出要求者確是就該另一人而屬有關人士,
的資訊, 他須拒絕就該項要求遵守第23(1)條。
(2)如改正資料要求是因為查閱資料要求而產生,而兩項要求是由同一人提出的,則第(1)款不適用於該項改正資料要求。
- (3) 在以下情況,資料使用者可拒絕就某項改正資料要求遵守第23(1)條─
- (a) 該項要求既不是採用中文而以書面作出,亦不是採用英文而以書面作出;
- (b) 該資料使用者不信納該項要求所關乎的個人資料屬不準確;
- (c)該資料使用者合理地要求某些資訊,以確定該項要求所關乎的個人資料在哪些方面不準確,但是他不獲提供該等資訊;
- (d) 資料使用者不信納屬該項要求的標的之改正是準確的;或
- (e) (在符合第(4)款的規定下)有另一資料使用者控制該等資料的處理,而控制的方式禁止本款所述的第一位資料使用者遵守(不論是完全遵守或部分遵守)該條。
- 第(3)(e)款的施行,不得令資料使用者在能不違反有關禁制而遵守第23(1)條的範圍內,無須
遵守該條。 (1995年制定)
- 依據第24條拒絕就某項改正資料要求遵守第23(1)條的資料使用者,須在收到該項要求後的40日內,於切實可行範圍內盡快以書面通知告知提出要求者─
- (a) 拒絕該項要求一事及拒絕的理由;及
- (b) (如第24(3)(e)條適用)有關的另一資料使用者的地址及姓名或名稱。
- (2) 在不損害第(1)款的概括性原則下,凡─
- (a) 改正資料要求所關乎的個人資料是一項意見表達;而
- (b) 有關的資料使用者不信納該項意見屬不準確, 則─
(i) (A)如提出要求者就某些事宜認為該意見屬不準確,該資料使用者須作一項關於該等事宜的附註(不論是附於該等資料或附於別處);而
(B) 作出該項附註的方式,須令任何人(包括該資料使用者及第三者)不能在該人不會注意到該項附註的情況下及不能在該項附註不能供該人查閱的情況下,使用該等資料;及
(ii)該資料使用者須將該項附註的複本一份,附於第(1)款所提述的關乎該項要求的通知書上。
- (3) 在本條中─ “意見表達”(expression of opinion) 包括斷言一項─
- (a) 不能核實的事實;或
- (b) 在有關個案的所有情況下,予以核實不是切實可行的事實。 (1995年制定)
- (1) 凡資料使用者持有的個人資料是用於某目的(包括與該目的有直接關係的目的),但已不再為該等目的而屬有需要的,則除在以下情況外,該資料使用者須刪除該等資料─
- (a) 該等刪除根據任何法律是被禁止的;或
- (b) 不刪除該等資料是符合公眾利益(包括歷史方面的利益)的。
- (2) 為免生疑問,現聲明─
- (a)即使任何其他資料使用者(“前者”)控制(不論是完全控制或部分控制)該等資料的處理,持有有關資料的資料使用者(“後者”)須按照第(1)款刪除個人資料;
- (b) 後者不得就該等刪除而在前者為損害賠償而提出的訴訟中負法律責任。 (1995年制定)
- (1) 資料使用者須備存及維持符合以下說明的紀錄簿─
- (a) 為本部的施行而備存及維持的;
- (b) 採用中文或英文的;及
- (c) 備存及維持方式令依據本條記入該紀錄簿的詳情在以下限期屆滿前不被刪除─
- (i) (除第(ii)節另有規定外),該等資料如此記入的日期之後的4年;
- (ii) 根據第70條訂立的規例就一般情況或個別個案訂明的較長或較短限期。
- (2) 資料使用者─
- (a)如依據第20條拒絕依從查閱資料要求,他須在紀錄簿內按照第(3)款記入拒絕理由的詳情;
- (b)如依據第21(2)條不遵守第21(1)條,他須在紀錄簿內,按照第(3)款記入如有關的查閱資料要求所關乎的個人資料的存在與否被披露,將會對受在第VIII部下的有關豁免所保障的利益做成的損害的詳情;
- (c)如依據第24條拒絕就某項改正資料要求遵守第23(1)條,他須在紀錄簿內,按照第(3)款記入拒絕理由的詳情;
- (d)須在紀錄簿內,按照第(3)款記入根據第70條訂立的規例所規定須記入紀錄簿內的任何其他詳情。
- (3) 第(2)款規定須由資料使用者記入紀錄簿的─
- (a)該款(a)段所提述的詳情,須在第21(1)條下的通知就該等詳情所關乎的拒絕而送達之時或之前記入紀錄簿;
- (b)該款(b)段所提述的詳情,須在第21(1)條下的通知就該等詳情所關乎的拒絕而送達之時或之前記入紀錄簿;
- (c)該款(c)段所提述的詳情,須在第25(1)條下的通知就該等詳情所關乎的拒絕而送達之時或之前記入紀錄簿;
- (d)該款(d)段所提述的詳情,須在根據第70條訂立的規例就該等詳情所指明的期間內記入紀錄簿。
- (4) 資料使用者須─
- (a) 准許專員在任何合理時間查閱及抄錄或複製紀錄簿(或其任何部分);及
- (b) 免費向專員提供專員為該等查閱及抄錄或複製的目的而合理地要求的設施及協助。 (1995年制定)
- 除獲本條明文准許外,資料使用者不得為依從或拒絕依從查閱資料要求或改正資料要求而徵收費用。
- (2) 在符合第(3)及(4)款的規定下,資料使用者可為依從查閱資料要求而徵收費用。
- (3) 為依從查閱資料要求而徵收的費用不得超乎適度。
- 如依據第19(3)(c)(iv)或(v)或(4)(ii)(B)(II)條,資料使用者可藉提供查閱資料要求所關乎的個人資料的複本,依從該項要求,而複本是採用2種或以上的形式中的一種的,則無論該資料使用者依從該項要求是採用何種形式,他為依從該項要求而徵收的費用,不得高於他為採用任何形式依從該項要求而徵收的最低費用。
- 資料使用者可拒絕依從該項要求,除非及直至資料使用者為依從要求而徵收的費用已獲繳付。
條: | 28 | 資料使用者徵收費用 | 30/06/1997 |
---|
(6) 如─
- (a) 資料使用者已藉提供查閱資料要求所關乎的個人資料的複本,依從該項要求;而
- (b)有關的資料當事人或代表他的有關人士,要求資料使用者提供該等資料的另一份複
本, 則即使有該資料使用者為依從該項要求而徵收的費用,該資料使用者可為提供該另一份複本徵收費用,但該費用不得多於他為提供該另一份複本而招致的行政成本或其他成本。
(1995年制定)
條: | 29 | 某些通知的送達及語文 | 30/06/1997 |
---|
在不損害第68條的概括性原則下,凡依據查閱資料要求或改正資料要求,資料使用者須藉或可藉書面通知告知提出要求者任何事宜,而提出要求者須當作沒有被如上述般通知,除非及直至─
- (a) 採用該項要求所採用的語文(如該語文是中文或英文);
- (b) (在其他情況下)按該資料使用者視乎合適而採用中文或英文,
的通知送達提出要求者。 (1995年制定)
條: | 30 | 如無資料當事人同意等不得進行核對程序 | 23 of 2002 | 19/07/2002 |
---|
第VI部
個人資料等的核對程序及轉移
- (1) 資料使用者不得進行(不論是完全進行或部分進行)核對程序─
- (a)除非及直至屬核對程序的標的之個人資料的資料當事人已就進行該核對程序給予訂明同意;
- (b) 除非及直至專員已根據第32條就進行該核對程序給予同意;
- (c) 除非核對程序─
- (i) 屬於第(2)款下的公告所指明的核對程序類別;及
- (ii) 是按照該公告所指明的條件(如有的話)進行的;或
- (d) 除非核對程序是根據附表4所指明的任何條例的條文規定須進行的或准許進行的。
- (2) 專員可為本條的施行,藉憲報公告指明─
- (a) 某類別的核對程序;
- (b) 在符合第(3)款的規定下,屬於該類別的核對程序須在其規限下進行的條件(如有的話)。
- (3) 專員在根據第(2)款於公告中指明任何條件前,須諮詢專員認為合適的─
- (a) 該等條件將(不論是完全或部分)對其適用的資料使用者的代表團體;及
- (b) 其他有利害關係的人。
- (4) 現聲明︰第(2)款下的公告是附屬法例。
- (5) 除第(6)款另有規定外─
(a) 除非資料使用者已向有關的個人送達書面通知─
- (i) 指明該資料使用者擬向該名個人採取的不利行動及其理由;及
- (ii) 述明該名個人可在收到該通知後7日內提出不應該採取該行動的因由;及
- (b) 在該7日限期屆滿前, 該資料使用者不得因應(不論是完全或部分)核對程序而對該名個人採取該不利行動。
- (6)
- 如遵守第(5)款的規定,會損害對犯罪行為或可能有的犯罪行為的調查,則第(5)款的施行不得阻止資料使用者對個人採取不利行動。 (由2002年第23號第126條修訂) (1) 擬進行(不論是完全進行或部分進行)核對程序的資料使用者可作出符合以下說明的要求─
- (a) 符合訂明格式的;
- (b) 向專員作出的;及
- (c) 尋求專員就該核對程序的進行根據第32條給予同意的。
- (2)
- 如2名或2名以上的資料使用者可就同一核對程序各自提出一項核對程序要求,則任何該等資料使用者可代表所有該等資料使用者提出該項要求,而本條例的條文(包括第(1)款)須據此解釋。
(3)在不損害第(2)款的概括性原則下,現聲明︰一項核對程序要求可就2項或2項以上的核對程
序提出,或就一系列的核對程序提出,而本條例其他條文(包括第32條)須據此解釋。 (1995年制定)
(1) 專員須─
- (a) 在收到核對程序要求後的45日內就該項要求作出決定;
- (b) 藉考慮適用於該項要求的訂明事宜,並─
- (i) (在專員信納該等事宜時)向提出要求者送達書面通知,述明他同意該項要求所關乎的核對程序在該通知所指明的條件(如有的話)的規限下進行;
- (ii) (在專員不信納該等事宜時)向提出要求者送達書面通知,述明─ (A) 他拒絕同意該項要求所關乎的核對程序的進行;及
- (B) 他不信納哪些事宜及不信納的理由,
而就該項要求作出決定。
(2)為免生疑問,現聲明︰凡核對程序要求關乎某項核對程序,在第(1)(b)(i)款下的通知中所示的同意,不得阻止既不是有關的提出要求者亦(如第31(2)條適用於該項要求)不是有人代其提出該項要求的任何資料使用者進行該項程序,不論是完全進行或部分進行。
- (3) 反對─
- (a) 在─
- (i) 第(1)(b)(i)款下的通知所指明的條件;或
- (ii) 第(1)(b)(ii)款下的通知所指明的拒絕,
的上訴,可向行政上訴委員會提出; - (b)上述事項的上訴,可由獲送達有關通知的提出要求者提出,或由有人代其提出有關的核對程序要求的資料使用者提出。
- (4) 在本條中,“訂明事宜”(prescribed matter) 指附表5所指明的事宜。 (1995年制定)
附註:尚未實施
(1) 除─
(a) 其收集、持有、處理或使用是在香港進行的個人資料;或
- (b) 其收集、持有、處理或使用是由主要業務地點是在香港的人所控制的個人資料, 外,本條不適用於任何個人資料。 (2) 除非符合以下條件,否則資料使用者不得將個人資料移轉至香港以外的地方─
- (a) 該地方是為本條的施行而在第(3)款下的公告中指明的;
- (b)該使用者有合理理由相信在該地方有與本條例大體上相似或達致與本條例的目的相同的目的之法律正在生效;
- (c) 有關的資料當事人已以書面同意該項移轉;
- (d) 該使用者有合理理由相信在有關個案的所有情況下─
- (i) 該項移轉是為避免針對資料當事人的不利行動或減輕該等行動的影響而作出的;
- (ii) 獲取資料當事人對該項移轉的書面同意不是切實可行的;及
- (iii) 如獲取書面同意是切實可行的,則資料當事人是會給予上述同意的;
- (e) 該等資料憑藉第VIII部下的豁免獲豁免而不受第3保障資料原則所管限;或
- (f)凡假使該等資料在香港以某方式收集、持有、處理或使用,便會屬違反本條例下的規定,該使用者已採取所有合理的預防措施及已作出所有應作出的努力,以確保該等資料不會在該地方以該方式收集、持有、處理或使用。
- (3)
- 凡專員有合理理由相信在香港以外的某地方有與本條例大體上相似或達致與本條例的目的相同的目的之法律正在生效,他可藉憲報公告,為本條的施行指明該地方。
- (4)
- 凡專員有合理理由相信在第(3)款下的公告所指明的某地方,已不再有與本條例大體上相似或達致與本條例的目的相同的目的之法律正在生效,他須藉廢除或修訂該公告,令該地方停止被為本條的施行而指明。
- (5) 為免生疑問,現聲明─
- (a)就第(1)(b)款而言,資料使用者如屬在香港成立為法團的公司,即為主要業務地點是在香港的資料使用者;
- (b) 第(3)款下的公告是附屬法例;及
- (c) 本條的施行不損害第50條的概括性。 (1995年制定)
- (1) 凡資料使用者─
- (b) 將該等資料用於直接促銷的目的, 則─
- (i) 在該使用者於本條開始實施後首次如此使用該等資料時,他須告知該資料當事人謂如該資料當事人要求該使用者停止如此使用該等資料,該使用者須在不向該當事人收費的情況下照辦;
- (ii)如該資料當事人作此要求,該資料使用者須在不向該當事人收費的情況下停止如此使用該等資料。
- (2) 在本條中─ “直接促銷”(direct marketing) 指─
- (a) 要約提供貨品、設施或服務;
- (b) 就貨品、設施或服務的可予提供而進行廣告宣傳;或
- (c) 索求用於慈善、文化、娛樂、政治或其他目的的捐贈或貢獻,
而該等要約、廣告宣傳或索求是藉着以下資訊、貨品或通話進行的─
- (i) 藉郵遞、圖文傳真、電子郵件或其他相似的傳訊方法送交予任何人的資訊或貨品,而該等資訊或貨品是指名致予某一個或某些特定人士的;或
- (ii) 以特定人士為對象的電話通話。 (1995年制定)
- (1) 凡資料使用者─
- (b) 在其後再次從該資料當事人收集個人資料(“繼後收集”), 則在以下情況下(但只有在以下情況下),他無須就繼後收集遵守該等條文─
- (i) 就該次繼後收集遵守該等條文,將會是在沒有重要分別的情況下,重複已為就首度收集遵守該等條文而作出的事情;及
- (ii) 首度收集與該次繼後收集之間的相隔時間不超過12個月。
(2) 為免生疑問,現聲明︰如(但只有在以下情況下)有關的資料使用者已就某次繼後收集遵守第
1(3)保障資料原則,第(1)款的施行不得阻止該次繼後收集變為首度收集。 (1995年制定)
第VII部
視察、投訴及調查
在不損害第38條的概括性原則下,專員可對─
(a) 資料使用者所使用的任何個人資料系統;或
(b) 屬於某資料使用者類別的資料使用者所使用的任何個人資料系統, 進行視察,目的在確定資訊以協助專員─
- (i) 在─
- (A) (a)段適用時,向有關的資料使用者;
- (B) (b)段適用時,向有關的資料使用者所屬於的一個類別的資料使用者, 作出建議;及
- (ii)作出關於促進有關的資料使用者或有關的資料使用者所屬於的一個類別的資料使用者
(視屬何情況而定)遵守本條例的條文(尤其是各保障資料原則)的建議。
(1995年制定)
條: | 37 | 投訴 | 30/06/1997 |
---|
(1) 任何個人或代表個人的任何有關人士可就符合以下說明的作為或行為向專員作出投訴─
- (a) 在該項投訴中指明的;及
- (b) 是─
- (i) 已經或正在(視屬何情況而定)由在該項投訴中指明的資料使用者作出或從事的;
- (ii) 關乎該名個人的個人資料的,而該人是或(如在有關個案中該資料使用者倚賴在第VIII部下的豁免)可能是有關的資料當事人;及
- (iii) 可能屬違反本條例(包括第28(4)條)下的規定的。
(2)凡2名或2名以上的個人可就同一作為或行為各自作出一項投訴,則任何該等個人或代表他們的任何有關人士,可代表所有該等個人作出該項投訴,而本條例的條文(包括第(1)款)須據此解釋。
- (3) 投訴─
- (a) 須用中文或英文以書面作出;或
- (b) 須採用專員所接受的其他形式而作出。
- 凡任何個人或代表個人的有關人士欲作出投訴並要求協助以擬訂該項投訴,專員及根據第
9(1)(a)條僱用的每名訂明人員均有責任向他提供適當協助。 (1995年制定)
條: | 38 | 由專員進行的調查 | 30/06/1997 |
---|
凡專員─
- (a) 收到一項投訴;或
- (b) 有合理理由相信有符合以下說明的作為或行為─
- (i) 已經或正在(視屬何情況而定)由資料使用者作出或從事的;
- (ii) 關乎個人資料的;及
(iii) 可能屬違反本條例下的規定的, 則─
- (i) 如(a)段適用,除第39條另有規定外,專員須就有關的資料使用者進行調查,以確定在有關的投訴中指明的作為或行為是否屬違反本條例下的規定;
- (ii)如(b)段適用,專員可就有關的資料使用者進行調查,以確定該段所提述的作為或行為
是否屬違反本條例下的規定。 (1995年制定)
條: | 39 | 對由投訴引發的調查的限制 | 30/06/1997 |
---|
- 即使由本條例賦予專員的權力有其概括性,在以下情況下,專員可拒絕進行或拒絕繼續進行由投訴引發的調查─
- (a) 投訴人(如投訴人是就某名個人而屬有關人士的有關人士,則指該名個人)在超過緊接專員收到該項投訴當日之前的2年的時間內,已實際知悉有在該投訴中指明的作為或行為,但如專員信納在該個案的所有情況下,進行或繼續進行(視屬何情況而定)該項調查是恰當的,則屬例外;
- (b) 該項投訴是匿名者作出的;
- (c) 投訴人的身分無法識辨或無法尋獲投訴人;
- (d) 就該項投訴所指明的作為或行為而言,以下所有條件均不獲符合─
- (i) 在有人作出或從事有關作為或行為(視屬何情況而定)的任何時間─
- (A) 投訴人(如投訴人是就某名個人而屬有關人士的有關人士,則指該名個人)是居於香港的;或
- (B) 有關的資料使用者能夠在香港控制有關的個人資料的收集、持有、處理或使用或能夠從香港行使該項控制的;
- (ii) 在有人作出或從事有關作為或行為(視屬何情況而定)的任何時間,投訴人(如投訴人是就某名個人而屬有關人士的有關人士,則指該名個人)是在香港的;
- (iii) 專員認為有關的作為或行為(視屬何情況而定)可能損害投訴人(如投訴人是就某名個人而屬有關人士的有關人士,則指該名個人)強制執行在香港獲取或產生的權利或行使在香港獲取或產生的特權;或
- (e)專員信納有關的資料使用者在不少於緊接專員收到該項投訴當日之前的2年的期間內,不曾是資料使用者。
- 如專員在顧及有關個案的所有情況後,信納有以下情況,他可拒絕進行或拒絕繼續進行由投訴引發的調查─
- (a)該項投訴或一項在性質上大體與其相似的投訴已在先前引發一項調查,而專員在進行該項先前的調查後信納沒有違反本條例下的規定的情況;
- (b) 在該項投訴中指明的作為或行為微不足道;
- (c) 該項投訴屬瑣屑無聊或無理取鬧,或不是真誠作出的;或
- (d) 因為任何其他理由,調查或進一步調查是不必要的。
- 凡專員根據本條拒絕進行或拒絕繼續進行一項由投訴引發的調查,他須於收到該項投訴後的45日內,在切實可行範圍內,盡快藉向投訴人送達一份附同第(4)款的文本的書面通知,告知該投訴人─
- (a) 該項拒絕一事;及
- (b) 拒絕的理由。
(4) 反對─
- (a) 第(3)款下的通知所指明的拒絕的上訴,可向行政上訴委員會提出;及
- (b)上述拒絕的上訴,可由獲送達該項通知的投訴人提出;如投訴人是就某名個人而屬有
關人士的有關人士,則可由該投訴人或該名個人提出。 (1995年制定)
即使有投訴引發調查而投訴人撤回該項投訴,如專員認為進行或繼續進行該項調查是符合公眾利益的,他可進行或繼續進行該項調查,而在此情況下,本條例的條文須適用於該項投訴及該投訴人,猶如該項投訴沒有被撤回一樣。
(1995年制定)
(1)在進行視察前,或(除第(2)款另有規定外)在進行調查前,專員須藉送達有關的資料使用者的書面通知,將專員進行視察或調查(視屬何情況而定)的意向,告知有關的資料使用者。
(2)如就任何調查而言,專員有合理理由相信遵守第(1)款可能損害該項調查的目的,則專員無
須遵守第(1)款。 (1995年制定)
- (1) 在符合第(3)及(8)款的規定下,專員可為視察的目的─
- (a)在以下情況下進入在其內有屬於該項視察對象的個人資料系統或個人資料系統的任何部分的處所─
- (i) 如屬非住宅處所,可在任何合理時間進入該處所;
- (ii) 如屬住宅處所,須在於該處居住的任何人(未成年人除外)的同意下進入該處所;
- (b) 在該處所內進行該項視察。
- (2) 在符合第(3)及(8)款的規定下,專員可為調查的目的─
(a) 進入─
- (i) 由有關的資料使用者佔用的;或
- (ii)在其內有有關的資料使用者所使用的個人資料系統或個人資料系統的任何部分
的,
的任何處所;
(b) 在該處所內進行該項調查。
- 除第(4)及(5)款另有規定外,專員在就任何處所行使他在第(1)或(2)款下的權力的至少14日以前,藉送達有關的資料使用者的書面通知,告知該資料使用者─
- (a) 他擬就甚麼處所行使該權力;及
- (b) 在該通知送達後的14日屆滿前,該權力將不會如此行使。
- 在不損害第(5)款的概括性原則下,凡專員擬就第(3)款所指的通知中所指明的任何住宅處所行使他在第(2)款下的權力,除非專員在送達該通知後的14日內獲得於該處居住的人(未成年人除外)的同意,否則在未獲得同意前不得就該處所行使該項權力。
- 專員可依據根據第(6)款發出的手令,在不遵守第(3)款的情況下就該手令所指明的處所行使他在第(2)款下的權力。
- 裁判官如因專員或任何訂明人員所作的經宣誓的告發,信納有合理理由相信如專員在就任何處所行使他在第(2)款下的權力前,須遵守第(3)款,便可能對任何調查的目的造成重大損害,該裁判官可─
- (a) 發出符合附表6第1部所指明的格式的手令;及
- (b) 就該處所發出該手令。
- 裁判官如因專員或任何訂明人員經宣誓而作的告發,信納有合理理由相信如專員因第(4)款的實施而不能就任何住宅處所行使他在第(2)款下的權力,便可能對某項調查的目的造成重大損害,則該裁判官可─
- (a) 發出符合附表6第2部所指明的格式的手令;及
- (b) 以該手令批准專員就該處所行使該項權力。
- 如專員就某處所以某方式行使他在第(1)或(2)款下的權力,便會對該處所內正進行的作業(不論是由有關的資料使用者或其他人進行的)做成不當打擾,則專員不得以該種方式就該處所行使該權力。
- 凡專員行使他在第(1)或(2)款下的權力,有關的資料使用者須免費向專員提供專員可為有關視察或調查而合理地要求的設施及協助。
- 凡專員依據根據第(6)款發出的手令,就該手令所指明的處所行使他在第(2)款下的權力,如在該處所內的任何人質疑專員就該處所行使該權力的權限,專員須出示該手令以供該人查閱。
- 在本條及附表6中─ “住宅處所”(domestic premises) 指興建作或擬作居住用途的任何處所; “非任宅處所”(non-domestic premises) 指不屬住宅處所的任何處所; “處所”(premises) ─
- (a) 指其中並無任何部分被分開佔用的建築物,並包括任何附屬於該建築物的土地;
- (b)在任何其他情況下,指建築物中任何被分開佔用的部分,並包括任何附屬於該部分的
土地。 (1995年制定)
- (1) 在符合本條例的規定下,專員可為任何調查的目的而─
- (a)自他認為合適的人處獲提供他認為合適的資訊、文件或物品,及作出他認為合適的查訊;及
- (b) 以他認為合適的方式規管本身的程序。
- (2) 除在以下情況外,為調查的目的而進行的聆訊須公開進行─
- (a) 專員認為在有關個案的所有情況下,調查應在不公開情況下進行;或
- (b) (如調查是由投訴引發的)投訴人以書面要求調查不在公開情況下進行。
(3)在為調查的目的而進行的聆訊中,大律師及律師在專員席前沒有發言的權利,但如專員認為合適,大律師及律師可到其席前。
- (4) 專員不一定要為調查的目的而進行聆訊,而沒有人有向專員發言的當然權利。
- 如在某項調查的進行過程中的任何時間,專員覺得可能會有充分理由支持他作出可能會批
評某人或對某人有不利影響的報告或建議,專員須給予該人發言的機會。 (1995年制定)
附註:
具追溯力的修訂─見1998年第25號第2條
(1) 在不抵觸第(2)款及第45條的條文下,專員可為調查的目的─
- (a) 傳召他認為能夠提供任何關於該等目的的資訊的人到他席前;
- (b)在該項調查是由投訴引發的情況下,傳召有關的投訴人或(如投訴人是就某名個人而屬
有關人士的有關人士)有關的個人或該兩人到其席前, 並可訊問該人及規定他向專員提交任何資訊,或向專員出示專員認為是與該等目的有關並由該人所管有或控制的文件或物品。
(2) 凡─
- (a) 有任何調查已由投訴引發;
- (b) 該項投訴的全部或部分是關乎第61(1)條所提述的個人資料的;
- (c) 專員為該項調查的目的已根據第(1)(a)款傳召任何人到他席前;及
- (d)該人在回應專員根據第(1)款作出的須向專員提供資料或出示文件或物件的規定時,聲言─
(i) 遵從該項規定會直接或間接將有關的個人(該等資料的全部或部分是收集自該名個人的)的身分披露;或
(ii) 他憑藉任何普通法特權而不須遵從該項規定, 則─
- (i) 即使本條例有任何其他規定,專員不得就該規定向該人送達執行通知;
- (ii)專員可在獲悉該聲言的28日內,向原訟法庭作出申請,要求一項指示該人須遵從該規定的命令; (由1998年第25號第2條修訂)
- (iii) 原訟法庭只有在顧及所有情況(包括投訴人的情況)後,才可作出命令─ (由1998年第25號第2條修訂)
- (A)如有關投訴所指明的作為或行為證實是本條例下某項規定的違反,則該項違反的嚴重性足以構成該人須遵從(d)段所提述規定的理由;
- (B) 如(d)段所提述的規定不獲遵從,會對該項調查造成重大損害;
- (C) 在顧及相當可能會對該項調查所產生的利益後,遵從(d)段所提述的規定是符合公眾利益的;及
- (D) 在(d)(ii)段所適用的任何個案中,所聲言的普通法特權並不適用;及
- (iv)在聆訊申請時,專員、該人及投訴人各須有權就申請發言及傳召任何證人,並向其訊問及盤問。
(3) 凡─
- (a) 任何人已遵從第(2)(d)款所提述的規定,即該款所提述的聲言的標的;及
- (b)關乎該項規定的調查的(全部或部分)結果,是專員認為第(2)(d)(i)款所提述的有關個人並
無就引發該項調查的投訴標的所關乎的事宜違反在本條例下的規定, 則即使本條例的任何其他條文有所規定,專員及訂明人員均不得向投訴人披露該名個人的身分。
- 原訟法庭可藉本身的意願或就該目的向其作出的申請,以命令推翻、更改或撤銷一項根據第(2)(iii)款作出的命令或暫緩該項命令的施行。 (由1998年第25號第2條修訂)
- (5) 法院可─
- (a) 就根據第(2)(iii)或(4)款向原訟法庭作出的申請;
- (b) 就一般任何與該申請有關的原訟法庭程序, 訂立法院規則。 (由1998年第25號第2條修訂)
- (6) 第(5)款並不損害一般任何現有訂立規則的權力。
- (7) 如專員認為合適,他可為根據第(1)款進行訊問的目的而監誓。
- (8) 現聲明─
- (a)就正在或曾經由第(1)款所提述的人所管有或控制的資訊、文件或其他物品保密的責任,以及由法律施加的對該等資訊、文件或物品的披露的其他限制,均不適用於將該等資訊、文件或物品為一項調查的目的而披露;及
- (b)由專員作出的須將(a)段所提述的該等資訊、文件或物品為一項調查的目的而披露或出示的規定,即為將它向專員披露或出示的充分權限。
- (9) 專員可支付投訴人(如投訴人是就某名個人而屬有關人士的有關人士,包括該名個人)及證人
在一項調查的進行過程中所招致的合理支出。 (1995年制定)
附註:
具追溯力的適應化修訂─見1998年第25號第2條;1999年第34號第3條
- 就為一項調查的目的而提供資訊、回答問題及出示文件或物品而言,任何人均享有與高等法院民事法律程序中的證人所享有的特權相同的特權,但如任何法律規則准許或規定以披露有關文件或物品或回答有關問題會損害公眾利益為理由而不提供該文件或物品或不回答該問題(視屬何情況而定),該法律規則不得就任何調查而適用。 (由1998年第25號第2條修訂)
- 除在就某人的經宣誓而作的證供而對他控以作偽證罪的審訊,及在對他控以本條例所訂罪行的審訊外,該人或任何其他人在調查進行過程中所作的陳述或所給予的答案,不得在任何裁判官席前或在任何法庭、任何研訊或任何其他法律程序中獲接納為針對該人的證據,而關於調查的證據亦不得針對任何人而提出。
- 凡任何資訊的提供、任何問題的回答或任何文件或物品的出示將會涉及在沒有行政長官的同意下披露行政會議的商議內容,專員不得規定須提供該等資訊或答案或出示該等文件或物品(視屬何情況而定)。 (由1999年第34號第3條修訂)
- (1995年制定)
- 除第(2)及(3)款另有規定外,專員及每一訂明人員均須將他們在執行在本部下的職能或行使其在本部下的權力的過程中實際得知的所有事宜保密。
- (2) 第(1)款的施行不得阻止專員或任何訂明人員─
- (a) 在─
- (i) 為本條例所訂罪行而進行的;及
- (ii) 在任何法庭或裁判官席前進行的,
法律程序過程中,披露與該等程序有關的事宜; - (b) 向他認為適當的有關當局報告任何罪行的證據;
- (c)將專員或訂明人員認為可能是某人作出投訴的理由的第(1)款所提述的任何事宜,向該人披露。
- 在符合第(4)款的規定下,除專員認為若被披露便會涉及披露憑藉第VIII部下的豁免而不受第6保障資料原則所管限的個人資料的事宜外,專員可在其根據本條例作出的報告中,披露他認為為確立他的裁斷或建議所基於的理由而應披露的事宜。
- (4) 除非以下條件獲符合,專員不得在完成視察或調查後根據本條例發表報告 ─
- (a) 符合在其發表時將會採用的格式的該報告文本一份,已提供予有關資料使用者;
- (b)該文本附同一項書面通知,該通知邀請該資料使用者在獲送達該文本後的28日內,以書面向專員說明─
- (i) 該資料使用者認為在該文本內是否有任何若被披露便會涉及披露憑藉第VIII部下的豁免而不受第6保障資料原則的條文所管限的個人資料的事宜;及
- (ii) 該資料使用者是否反對披露該事宜;及
- (c) (i) (b)段所提述的期間已屆滿而專員沒有收到任何該等說明;或
- (ii) 專員收到該等說明,並─
- (A) 從該報告中刪去屬該項說明的標的之事宜;或
- (B) 決定不從該報告中刪去屬該項說明的標的之事宜,而─
- (I) 第(6)款所提述的期間屆滿,而該資料使用者沒有根據該款提出上訴反對該決定;或
- (II) 該上訴不成功或被撤回。
- (5) 凡專員作出第(4)(c)(ii)(B)款所提述的決定,他須向作出有關的說明的有關資料使用者送達─
- (a) 述明其決定;
- (b) 告知該資料使用者他可根據第(6)款提出上訴反對該決定;及
- (c) 附同本條的文本一份, 的書面通知。
(6)在第(5)款下的述明第(4)(c)(ii)(B)款所提述的專員的決定的通知送達有關資料使用者後的14日
內,該資料使用者可向行政上訴委員會提出上訴,反對該決定。 (1995年制定)
- 凡專員已完成一項視察,他須以他認為合適的方式及在他認為合適的時間,將以下事宜告知有關資料使用者─
- (a) 該項視察的結果;
- (b)由該項視察引致的、專員認為是適合作出的關乎促進該資料使用者遵守本條例條文(尤其是各保障資料原則)的任何建議;
- (c) 由該項視察引致的、專員擬根據第48條發表的任何報告;及
- (d) 由該項視察引致的、專員認為適合作出的任何其他評論。
- 凡專員已完成一項調查,他須以他認為合適的方式及在他認為合適的時間,將以下事宜告知有關資料使用者─
- (a) 該項調查的結果;
- (b)由該項調查引致的、專員認為是適合作出的關乎促進該資料使用者遵守本條例條文(尤其是各保障資料原則)的任何建議;
- (c) 由該項調查引致的、專員擬根據第48條發表的任何報告;
- (d) 他是否擬因應該項調查向該資料使用者送達執行通知;及
- (e) 由該項調查引致的、專員認為適合作出的任何其他評論。
- 凡專員已完成一項由投訴引發的調查,他須以他認為合適的方式及在他認為合適的時間,將以下事宜告知有關的投訴人─
- (a) 該項調查的結果;
- (b) 根據第(2)(b)款向有關資料使用者作出的任何建議;
- (c) 由該項調查引致的、專員擬根據第48條發表的任何報告;
- (d) 有關資料使用者或其代表對該等建議或報告作出的任何評論;
- (e) 專員有否或是否擬因應該項調查向有關資料使用者送達執行通知;
- (f) (如專員沒有如此送達執行通知亦不擬送達該通知)投訴人根據第(4)款對此提出反對的權利;及
- (g) 由該項調查引致的、專員認為適合作出的任何其他評論。
- 投訴人可向行政上訴委員會提出上訴(如投訴人是就某名個人而屬有關人士的有關人士,則上訴可由該名個人提出或由投訴人及該名個人其中一人提出),反對符合以下說明的由專員作出的決定─
- (a)決定的效果是專員沒有因應有關的調查而向有關資料使用者送達執行通知,亦不擬如此行事;及
- (b) 該投訴人是因根據第(3)款送達予他的通知而獲告知該項決定的。 (1995年制定)
- (1) 在符合第(3)款的規定下,專員在第36(b)條適用的情況下完成一項視察後,可─
- (a)發表列明由該項視察引致的、專員認為是適合作出的關乎促進有關資料使用者所屬的
- 某類別資料使用者遵守本條例條文(尤其是各保障資料原則)的任何建議的報告;及
- (b) 以他認為合適的方式發表該報告。
- 在符合第(3)款的規定下,專員在完成一項調查後,如認為如此行事是符合公眾利益的,可 ─
- (a) 發表列明以下事項的報告─
- (i) 該項調查的結果;
- (ii) 由該項調查引致的、專員認為是適合作出的關乎促進有關資料使用者所屬的某類別的資料使用者遵守本條例條文(尤其是各保障資料原則)的任何建議;及
- (iii) 由該項調查引致的、專員認為適合作出的任何其他評論;及
- (b) 以他認為合適的方式發表該報告。
- 除第(4)款另有規定外,根據第(1)或(2)款發表的報告的擬訂形式,須以防止可從報告中確定任何個人的身分為準。
(4) 第(3)款不適用於屬以下人士的個人─
- (a) 專員或訂明人員;
- (b) 有關資料使用者。 (1995年制定)
凡─
- (a) 專員已完成一項調查(不論是否由投訴引發的調查);
- (b)調查的結果是︰屬調查對象的作為或行為因為第VIII部下的豁免,而不屬違反本條例下的規定;及
(c) 第47及48條如就該項調查而適用,便相當可能會損害受該項豁免所保障的利益, 則─
- (i) 為47及48條不得就該項調查而適用;而
- (ii) 專員須以他認為合適的方式及在他認為合適的時間─
- (A)將該項調查的結果及該項調查引致的、他認為合適的其他評論,告知有關資料使用者;
- (B) (如該項調查是由投訴引發的)告知有關的投訴人謂該項調查的結果是︰專員信納屬
調查對象的作為或行為不屬違反本條例下的規定(或相似意思的字眼)。 (1995年制定)
(1) 凡專員在完成一項調查後認為有關資料使用者─
(a) 正在違反本條例下的規定;或
- (b) 已違反本條例下的規定,而違反情況令到違反行為將持續或重複發生是相當可能的, 則專員可向有關資料使用者送達書面通知,所送達的通知須─
- (i) 述明專員持上述意見;
- (ii) 指明專員是就哪一規定而持上述意見及他持該意見的理由;
- (iii) 指示該資料使用者在該通知所指明的期間(該期間不得在第(7)款所指明的上訴限期前完結)內,採取該通知所指明的步驟,以糾正導致送達該通知的違反或事宜(視屬何情況而定);及
- (iv) 附同本條的文本一份。
- (2)
- 在決定是否送達執行通知時,專員須考慮該通知所關乎的違反或事宜,是否已對或是否相當可能會對屬該違反或事宜(視屬何情況而定)所關乎的個人資料的資料當事人的個人,做成損害或困擾。 (3) 執行通知所指明的糾正該通知所關乎的違反或事宜的步驟─
- (a) 可在任何程度上藉提述核准實務守則的形式擬訂;
- (b)的擬訂形式,可令有關資料使用者可從不同的糾正有關的違反或事宜(視屬何情況而定)的方式中作出選擇。
- (4)
- 除第(5)款另有規定外,執行通知所指明的採取該通知所指明的步驟的限期不得在第(7)款所指明的上訴限期完結前屆滿,而如有該等上訴提出,在該上訴有決定或被撤回前不需採取該等步驟。
- (5) 如專員認為因為特殊情況,執行通知所指明的步驟因事態緊急而應即採取─
- (a) 他可在該通知中加入一項有該意思的陳述及他持該意見的理由;
- (b)凡專員如此加入該項陳述,第(4)款即不適用,但該通知不得規定須在該通知送達當日起計的7日期間屆滿前採取該等步驟。
- (6) 專員可藉送達有關資料使用者的書面通知,撤銷執行通知。
- (7) 有關資料使用者可在執行通知送達後14日內,向行政上訴委員會提出上訴反對該通知。
- (8) 凡專員─
- (b) 同時認為因為特殊情況,執行通知因事態緊急而應即送達有關資料使用者, 則即使該項調查未完成,他可如此送達該通知,而在該等情況下─
- (i) 專員須在不損害須加入該通知任何其他事宜的原則下,在該通知中指明他持(b)段所提述的意見的理由;而
- (ii) 本條例其他條文(包括本條)須據此解釋。 (1995年制定)
第VIII部
豁免
凡任何個人資料憑藉本部獲豁免而不受本條例任何條文管限,則就該資料而言及在該項豁免範圍內,該條文既不對任何人賦予任何權利,亦不對其施加任何規定,而與該條文有關(不論是直接有關或間接有關)的本條例其他條文須據此解釋。
(1995年制定)
由個人持有並─
- (a) 只與其私人事務、家庭事務或家居事務有關的個人資料;或
- (b) 只是為消閒目的而如此持有的個人資料,
獲豁免而不受各保障資料原則、第IV和V部及第36和38(b)條的條文所管限。 (1995年制定) 包含與─
條: | 53 | 僱傭─職工策劃 | 30/06/1997 |
---|
- (a) 填補任何系列的現正出缺或可能會出缺的僱傭職位;或
- (b) 終止任何組別的個人的僱用,
的職工策劃建議有關的資訊的個人資料獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限。 (1995年制定)
條: | 54 | 僱傭─過渡性條文 | 30/06/1997 |
---|
(1) 凡個人資料─
- (a) 是─
- (i) 在緊接指定日之前被持有;
- (ii) 由屬有關的資料當事人的僱主的資料使用者持有;及
- (iii) 與該當事人的僱用有關;及
- (b)是由一名個人提供,並是在該當事人不會有途徑接觸該資料的暗喻或明示條件的規限
下提供的, 該等資料獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限,直至緊接本條例制定之後的7年屆滿為止。
(2) 凡個人資料─
- (a) 屬第(1)(a)款所適用的個人資料;或
- (b) 是─
- (i) 在指定日當日或以後才被持有;
- (ii) 由屬有關的資料當事人的僱主的資料使用者持有;及
- (iii) 與該當事人的僱用有關,
該等資料獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限,直至1996年7月1日為止。 (1995年制定)
條: | 55 | 有關程序 | 30/06/1997 |
---|
- 屬有關程序的標的之個人資料獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限,直至該程序完成為止。
- (2) 在本條中─ “有關程序”(relevant process) ─
(a)除(b)段另有規定外,指任何程序,而個人資料是在該程序下由一個或多於一個的人為決定以下事宜(或為使以下事宜得予決定)予以考慮的─
- (i) 就─
- (A) 僱用或委任以擔任職位;
- (B) 在僱用或職位方面的晉升或繼續留任;
- (C) 解僱或免除職位;或
- (D) 授予任何合約、名銜(包括學術及專業資格)、獎學金、榮譽或其他利益, 而言,有關的資料當事人的合適程度、是否合乎資格或具資歷;
- (ii) 與有關的資料當事人有關的任何合約、名銜(包括學術及專業資格)、獎學金、榮譽或利益應否予以延續、修改或撤銷;或
- (iii) 應否為有關的資料當事人違反其僱用條款或委任以擔任職位的條款而對他採取紀
律行動;
(b)如在某程序中,針對該等決定提出上訴(不論是根據條例或其他依據提出)是不獲容許的,則不包括該等程序;
“完成”(completion),就有關程序而言,指“有關程序”的定義(a)段所提述的有關決定的作出。 (1995年制定)
由資料使用者持有並包含符合以下說明的個人評介的個人資料─
- (a) 由一名個人在其職業的正常過程以外作出的;及
- (b)與就現正出缺或可能會出缺的僱傭職位或其他職位的填補而言另一名個人的合適程度
或其他條件有關的, 獲豁免,而─
- (i) 在任何情況下,不受第6保障資料原則及第18(1)(b)條的條文所管限,但如(a)段所提述的個人已以書面告知該資料使用者他不反對該評介被(b)段所提述的個人閱覽(或用相似意思的字句),則屬例外;或
- (ii)在該評介是在本條開始實施之日或以後作出的情況下,不受第6保障資料原則及第18(1)(b)條的條文所管限,直至(b)段所提述的個人已獲書面告知他已被接納或已被拒絕以填補該僱傭職位或其他職位(或用相似意思的字句)為止,
以先發生者為準。 (1995年制定)
附註:
具追溯力的適應化修訂─見1999年第34號第3條
- 凡個人資料是為保障關於香港的保安、防衞或國際關係的目的而由政府或代政府持有,則如第6保障資料原則及第18(1)(b)條的條文適用於該等資料,便相當可能會損害本款所述的任何事宜的話,該等資料獲豁免而不受該等條文所管限。
- (2) 凡─
- (a) 個人資料是為第(1)款所提述的目的而使用(不論該等資料是否為該等目的而持有);及
- (b) 第3保障資料原則的條文就該等使用而適用便相當可能會損害該款所提述的任何事宜, 該等資料獲豁免而不受第3保障資料原則的條文所管限,而在為任何人違反任何該等條文而針對他進行的法律程序中,如該人證明他當時有合理理由相信不如此使用該等資料便相當可能會損害任何該等事宜,即為免責辯護。
- 就任何個人資料是否需有第(1)款下的豁免或曾否在任何時間需有第(1)款下的豁免的問題,可由行政長官或政務司司長決定,而一份由行政長官或政務司司長簽署並證明需有或曾在任何時間需有該項豁免的證明書,即為該事實的證據。 (由1997年第362號法律公告修訂;由1999年第34號第3條修訂)
- 就第(2)款而言,一份由行政長官或政務司司長簽署的證明個人資料是為或曾為第(1)款所提述的任何目的而使用的證明書,即為該事實的證據。 (由1997年第362號法律公告修訂;由1999年第34號第3條修訂)
(5)行政長官或政務司司長可在第(3)或(4)款所提述的證明書中,就該證明書所關乎的個人資料及為該證明書所指明的理由,指示專員不得進行視察或調查,而在此情況下,專員須遵從該項指示。 (由1997年第362號法律公告修訂;由1999年第34號第3條修訂)
- 看來是第(3)或(4)款所提述的證明書的文件,須獲收取為證據,而在沒有相反證據的情況下,該文件須當作為該等證明書。
- (7) 在本條中─ “保安”(security) 包括防止或排拒無權進入香港及留在香港的人(包括按照《入境條例》(第115章)的條文被扣留的人)進入香港及留在香港; (由1997年第80號第103(1)條修訂)
“國際關係”(international relations)包括與任何國際組織的關係。 (1995年制定)
(1) 為─
- (a) 罪行的防止或偵測;
- (b) 犯罪者的拘捕、檢控或拘留;
- (c) 任何稅項的評定或收取;
- (d)任何人所作的不合法或嚴重不當的行為、或不誠實的行為或舞弊行為的防止、排除或糾正(包括懲處);
- (e) 防止或排除因─
- (i) 任何人輕率的業務經營手法或活動;或
- (ii) 任何人所作的不合法或嚴重不當的行為、或不誠實的行為或舞弊行為, 而引致的重大經濟損失;
- (f) 確定有關的資料當事人的品格或活動是否相當可能對以下事情有重大不利影響─
- (i) 由該資料使用者執行法定職能所關乎的事情;或
- (ii) 與本段憑藉第(3)款而適用的職能的執行有關的事情;或
(g) 本段憑藉第(3)款而適用的職能的執行, 而持有的個人資料,在以下情況下獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限─
(i) 該等條文適用於該等資料便相當可能會損害本款所提述的任何事宜;或
(ii) 該等條文適用於該等資料便相當可能會直接或間接識辨屬該等資料來源的人的身分。 (1A) 如—
- (a) 與香港以外某地區的政府有訂立根據《稅務條例》(第112章)第49(1A)條有效的安排;而
- (b)該地區的某稅項屬該等安排中某條文之標的,而該條文是規定須披露關乎該地區的稅
項資料的, 則在第(1)(c)款中,“稅項”(tax) 包括該稅項。 (由2010年第1號第9條增補)
(2) 凡─
(a) 個人資料是為第(1)款所提述的目的而使用(不論該等資料是否為該等目的而持有);及
- (b) 第3保障資料原則的條文就該等使用而適用便相當可能會損害該款所提述的任何事宜, 則該等資料獲豁免而不受第3保障資料原則的條文所管限,而在為任何人違反任何該等條文而針對他進行的法律程序中,如該人證明他當時有合理理由相信不如此使用該資料便相當可能會損害任何該等事宜,即為免責辯護。 (3) 第(1)款(f)(ii)及(g)段適用於財經規管者的以下職能─
- (a) 保障公眾免受因以下事情導致的財政損失的職能─
- (i) 屬─
- (A) 從事銀行、保險、投資或其他財經服務的提供;
- (B) 從事公司的管理; (BA)從事已根據《強制性公積金計劃條例》(第485章)註冊的公積金計劃的管理;(由1998年第4號第14條增補)
- (C) 從事《職業退休計劃條例》(第426章)所指的職業退休計劃的管理;或
- (D) 公司股東, 的人的不誠實行為、不勝任、不良行為或嚴重不當的行為;或
- (ii) 已獲或未獲解除破產令的破產人的行為;
- (b)維持或促進提供(a)(i)(A)段所提述的任何服務的任何體系的一般穩定性或有效運作的職能;或
- (c) 為本款的施行而在第(4)款下的公告中指明的職能。
- (4) 行政長官可為第(3)款的施行藉憲報公告指明財經規管者的職能。 (由1999年第34號第3條修訂) (5) 現聲明─
- (a)第(3)款的施行不得損害第(1)款(a)、(b)、(c)、(d)及(f)(i)段就財經規管者而施行的概括性;
- (b) 第(4)款下的公告是附屬法例。 (1995年制定)
- (1)
- 如個人資料系統是由資料使用者為收集、持有、處理或使用屬受保護成果或有關紀錄的個人資料或包含於受保護成果或有關紀錄內的個人資料的目的而使用的,則該個人資料系統在它被如此使用的範圍內獲豁免,不受本條例的條文管限。
- (2)
- 屬受保護成果或有關紀錄的個人資料或包含於受保護成果或有關紀錄內的個人資料獲豁免,不受本條例的條文管限。
- (3) 在本條中— “有關紀錄”(relevant records) 指—
- (a)關乎根據《截取通訊及監察條例》(第589章)為尋求發出訂明授權或器材取出手令或將訂明授權續期而提出的申請的文件及紀錄;或
- (b)關乎根據該條例發出或續期的任何訂明授權或器材取出手令(包括依據該授權或手令作
出或就該授權或手令而作出的任何事宜)的文件及紀錄; “受保護成果”(protected product) 具有《截取通訊及監察條例》(第589章)第2(1)條給予該詞的涵義; “訂明授權”(prescribed authorization)具有《截取通訊及監察條例》(第589章)第2(1)條給予該詞的涵
義; “器材取出手令”(device retrieval warrant) 具有《截取通訊及監察條例》(第589章)第2(1)條給予該詞的涵義。”。 (由2006年第20號第68條增補)
與有關的資料當事人的身體健康或精神健康有關的個人資料,獲豁免而不受以下任何或所有條文所管限─
(a) 第6保障資料原則及第18(1)(b)條的條文;
(b) 第3保障資料原則的條文, 但上述豁免僅在以下情況適用─
- (i)該等條文適用於該等資料便相當可能會對該資料當事人的身體健康或精神健康造成嚴 重損害;或
- (ii)該等條文適用於該等資料便相當可能會對任何其他個人的身體健康或精神健康造成嚴
重損害。 (1995年制定)
條: | 60 | 法律專業保密權 | 30/06/1997 |
---|
假如在法律上就某些資訊而享有法律專業保密權的聲稱是能夠成立的,包含該等資訊的個人資料獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限。 (1995年制定)
條: | 61 | 新聞 | 30/06/1997 |
---|
(1) 由─
(a) 其業務或部分業務包含新聞活動的資料使用者持有;及
- (b) 該使用者純粹為該活動(及任何直接有關的活動)的目的而持有, 的個人資料,獲豁免而─
- (i) 不受第6保障資料原則及第18(1)(b)及38(i)條的條文所管限,除非及直至該等資料已發表或播放(不論在何處或藉何方法);
- (ii) 不受第36及38(b)條的條文所管限。
- (a) 該資料的使用包含向第(1)款所提述的資料使用者披露該等資料;及
- (b)作出該項披露的人有合理理由相信(並合理地相信)發表及播放(不論在何處及藉何方法)該等資料(不論是否實際有發表或播放該等資料)是符合公眾利益的。
- (3) 在本條中─ “新聞活動”(news activity) 指任何新聞工作活動,並包括─
- (a) 為向公眾發布的目的而進行─
- (i) 新聞的搜集;
- (ii) 關於新聞的文章或節目的製備或編纂;或
- (iii) 對新聞或時事所作的評析;或
- (b) 向公眾發布─
- (i) 屬新聞的或關於新聞的文章或節目;或
- (ii) 對新聞或時事所作的評析。 (1995年制定)
條: | 62 | 統計及研究 | 30/06/1997 |
---|
在以下情況,個人資料獲豁免而不受第3保障資料原則的條文所管限─
- (a) 該等資料將會用於製備統計數字或進行研究;
- (b) 該等資料不會用於任何其他目的;及
- (c)所得的統計數字或研究成果不會以識辨各有關的資料當事人或其中任何人的身分的形
式提供。 (1995年制定)
條: | 63 | 第18(1)(a)條的豁免 | 30/06/1997 |
---|
凡查閱資料要求關乎獲豁免而憑藉第57或58條不受第18(1)(b)條所管限的個人資料(或如該等資料曾存在,則本會獲該項豁免),則如披露該等資料的存在或不存在此事相當可能會損害受該項豁免保障的利益,該等資料亦獲豁免而不受第18(1)(a)條所管限。
(1995年制定)
條: | 63A | 人類胚胎等 | L.N. 164 of 2007 | 01/08/2007 |
---|
- 包含顯示某名身分可被辨別的個人是或可能是經由《人類生殖科技條例》(第561章)所指的生殖科技程序而誕生的資訊的個人資料,獲豁免而不受第6保障資料原則及第18(1)(b)條的條文所管限,但如根據該等條文而按照該條例第33條披露該等資料,則屬例外。
- 凡查閱資料要求是關乎憑藉第(1)款獲豁免而不受第18(1)(b)條所管限的個人資料的,或是關乎假如存在便會獲該項豁免的個人資料的,則在披露該等資料的存在或不存在相當可能會損害受該項豁免保障的利益的情況下,該等資料亦獲豁免而不受第18(1)(a)條所管限。
(由2000年第47號第48條增補)
條: | 64 | 罪行 | 30/06/1997 |
---|
第IX部
罪行及補償
(1) 任何資料使用者─
- (a) 在根據第14(4)條向專員呈交的資料使用者申報表中;
- (b) 在根據第14(8)條送達專員的通知書中;或
- (c) 在根據第15(3)或(4)條向專員呈交或送達專員的通知書中, 在知情下或罔顧實情地─ (i) 提供在要項上屬虛假或有誤導性的資訊;而
- (ii) 該等資訊看來是為遵守該條的規定而提供的, 即屬犯罪,一經定罪,可處第3級罰款及監禁6個月。 (2) 任何人在查閱資料要求或改正資料要求中─ (a) 提供在要項上屬虛假或有誤導性的資訊;而
- (b) 該等資訊是為使有關的資料使用者依從該項要求的目的而提供的, 即屬犯罪,一經定罪,可處第3級罰款及監禁6個月。 (3) 任何人在根據第15(6)條送達專員的通知書中─ (a) 提供在要項上屬虛假或有誤導性的資訊;而
- (b) 該等資訊是為使專員依從該通知所關乎的要求的目的而提供的, 即屬犯罪,一經定罪,可處第3級罰款及監禁6個月。 (4) 任何資料使用者在向專員呈交的核對程序要求中─ (a) 提供在要項上屬虛假或有誤導性的資訊;而
- (b) 該等資訊是為使專員同意該要求所關乎的核對程序的目的而提供的, 即屬犯罪,一經定罪,可處第3級罰款及監禁6個月。
- (5)
- 任何資料使用者(包括在第32(2)條首述的資料使用者)違反第30(2)或32(1)(b)(i)條下的通知所指明的任何條件,即屬犯罪,一經定罪,可處第3級罰款。 (6) 任何人違反第44(3)或46(1)條,即屬犯罪,一經定罪,可處第3級罰款及監禁6個月。
- (7)
- 除第(8)款另有規定外,任何有關資料使用者獲送達執行通知而違反該通知,即屬犯罪,一經定罪,可處第5級罰款及監禁2年,如屬持續罪行,可處每日罰款$1000。
- (8)
- 被控犯第(7)款所訂罪行的有關資料使用者,如證明他已盡所有應盡的努力以遵從有關的執行通知,即為免責辯護。
(9) 任何人─
- (a)無合法辯解而妨礙、阻撓或抗拒專員或任何其他人執行其在第VII部下的職能或行使其在第VII部下的權力;
- (b) 無合法辯解而不遵從專員或任何其他人根據該部所作出的任何合法規定;或
- (c)在專員或任何其他人執行其在該部下的職能或行使其在該部下的權力時,向其作出他
明知為虛假或不相信為真實的陳述或以其他方式在知情下誤導專員或該人, 即屬犯罪,一經定罪,可處第3級罰款及監禁6個月。
(10) 任何資料使用者無合理辯解而違反本條例下的任何規定(保障資料原則除外),而本條並無為
其指明罰則,該資料使用者即屬犯罪,一經定罪,可處第3級罰款。 (1995年制定)
- 任何人在其受僱用中所作出的任何作為或所從事的任何行為,就本條例而言須視為亦是由其僱主所作出或從事的,不論其僱主是否知悉或批准他作出該作為或從事該行為。
- (2) 任何作為另一人的代理人並獲該另一人授權(不論是明示或默示,亦不論是事前或事後授權)的人所作出的任何作為或所從事的任何行為,就本條例而言須視為亦是由該另一人作出或從事的。
- (3) 在根據本條例對任何人就其僱員被指稱作出的作為或從事的行為(視屬何情況而定)而提出的法律程序中,該人如證明他已採取切實可行的步驟,以防止該僱員作出該作為或從事該行為或在其受僱用過程中作出該類作為或從事該類行為,即為免責辯護。
- (4) 為免生疑問,現聲明︰本條不就刑事法律程序而適用。 (1995年制定)
- 除第(4)款另有規定外,任何個人如因符合以下說明的違反事項而蒙受損害,則該名個人有權就該損害向有關的資料使用者申索補償─
- (a) 遭違反的是本條例下的規定;
- (b) 違反規定者是資料使用者;及
- (c) 該違反規定事項全部或部分關乎個人資料而該名個人是資料當事人。
- (2) 為免生疑問,現聲明︰第(1)款所提述的損害可以是或可包括對感情的傷害。
- (3) 在憑藉本條針對任何人提出的法律程序中,如證明以下事項,即為免責辯護─
- (a)該人已採取在所有情況下屬合理所需的謹慎措施,以避免有關的違反規定事項發生;或
- (b)在因有關的個人資料不準確而發生的有關違反規定事項的個案中,該個人資料準確地記錄有關的資料使用者從資料當事人或第三者處所收到或取得的資料。
- 凡因有關的個人資料不準確而發生第(1)款所提述的違反規定事項,並因此而導致有關的個人蒙受該款所提述的損害,則不得就緊接本條開始實施後1年期屆滿前的任何時間所發生的損害,根據該款獲支付補償。
(1995年制定)
第X部
雜項條文
- 在符合第(2)款的規定下,專員可就本條例規定須符合指明格式的任何文件,及就為本條例的施行而須有的其他文件,訂明他認為合適的格式。
- 第(1)款賦予專員的權力,須受本條例下任何指明格式或其他格式的內容須予遵從的任何明文規定所規限,但專員如認為他就有關格式行使該權力並不違反該明文規定,則該規定不得限制他就有關格式行使該權力。
- (3) 專員可行使第(1)款賦予他的權力,以─
- (a) 在第(1)款所提述的任何文件的指明格式內加入一項─
- (i) 須由以該格式填備表格的人作出;及
- (ii) 須表明該格式內所載詳情是否盡該人所知所信屬真實及正確, 的法定聲明;
- (b)按他認為合適的情況,為第(1)款所提述的任何文件指明2款或2款以上的格式,以供選擇,或供在某些情況下或在某些個案中使用。
- (4) 根據本條指明格式的表格─
- (a) 須按照表格中指明的指引或指示填寫;
- (b) 須附同表格中指明的文件;及
- (c) 若需在填妥後交予─
- (i) 專員;
- (ii) 代專員行事的另一人;或
- (iii) 任何其他人,
須以在該表格中指明的方式(如有的話)如此提交。 (1995年制定)
根據本條例須向或可向某人(不論如何描述該人)送達的通知(不論如何描述該通知),在以下情況,在沒有相反證據的情況下即須當作已經送達─
- (a) 就個人而言,該通知已─
- (i) 遞交予他;
- (ii) 留在他在香港最後為人所知的供送達用途的地址,或他在香港最後為人所知的居住地點或營業地點;
- (iii) 以郵遞方式寄往他在香港最後為人所知的供送達用途的地址,或他在香港最後為人所知的郵遞地址;或
- (iv)以電傳、圖文傳真或其他相似方法傳送到他在香港最後為人所知的供送達用途的地址,或他在香港最後為人所知的郵遞地址,或他在香港最後為人所知的居住地點或營業地點;
- (b) 就公司而言,該通知已─
- (i) 交予或送達該公司的高級人員;
- (ii) 留在該公司在香港最後為人所知的供送達用途的地址,或該公司在香港最後為人 所知的營業地點;
- (iii) 以郵遞方式寄往該公司在香港最後為人所知的供送達用途的地址,或該公司在香港最後為人所知的郵遞地址;或
- (iv)以電傳、圖文傳真或其他相似方法傳送到該公司在香港最後為人所知的供送達用途的地址,或該公司在香港最後為人所知的郵遞地址,或該公司在香港最後為人所知的營業地點;
- (c) 就合夥而言─
- (i) 該通知按照(a)段遞交予、留給、寄予或傳送予屬個人的任何合夥人;或
- (ii) 該通知按照(b)段交予、送達、留給、寄予或傳送予屬公司的任何合夥人;
- (d)就持有授權書而根據該授權書獲授權代另一人接受所送達的文件的人(“獲授權人”)而言─
- (i) 若獲授權人屬個人,指該通知已按照(a)段遞交、留下、寄出或傳送;
- (ii) 若獲授權人屬公司,指該通知已按照(b)段交付、送達、留下、寄出或傳送;
- (iii) 若獲授權人屬合夥,指該通知已按照(a)段遞交予、留給、寄予或傳送予屬個人的任何合夥人;或
- (iv)若獲授權人屬合夥,指該通知已按照(b)段交予、送達、留給、寄予或傳送予屬公
司的任何合夥人。 (1995年制定)
- 專員可訂立規例訂明須就任何事項、服務或設施(根據本條例是須就該事項、服務或設施繳付訂明費用予專員的)付給專員的費用。
- 根據第(1)款訂立的規例所訂明的任何費用款額,不須受以參照有關的行政成本或其他成本的方式的限制(該等行政成本及其他成本是指就提供有關費用所關乎的事項、服務或設施而招致或相當可能招致的);專員亦可就規例中指明的某些情況或某些個案而為相同的事項、服務或設施訂明不同的費用。
(1995年制定)
附註:有關《立法會決議》(2007年第130號法律公告)所作之修訂的保留及過渡性條文,見載於該決議第(12)段。
- 政制及內地事務局局長可就以下所有或任何事項訂立規例─ (由1997年第362號法律公告修訂;由2007年第130號法律公告修訂)
- (a) 在資料使用者紀錄簿內所須記入的詳情,包括第27(2)(a)、(b)及(c)條所提述的詳情;
- (b) 訂明任何根據本條例須予訂明或可予訂明的事情。
- (2) 根據本條訂立的任何規例可─
- (a) 授權專員就一般情況或就某個案豁免任何人使其無須遵守有關規例;
- (b) 就不同的情況訂定不同的條文,及為某個案或某類個案訂定條文;
- (c) 限於只適用於其本身所訂明的情況。
- 根據本條訂立的任何規例,可就違反規例訂明罪行,並可規定就任何該等罪行可處不超逾第3級的罰款及監禁不超逾2年;如屬持續罪行,可處每日罰款不超逾$1000。
(1995年制定)
條: | 71 | 附表2、4及6的修訂 | 34 of 1999 | 01/07/1997 |
---|
附註:
具追溯力的適應化修訂─見1999年第34號第3條
行政長官會同行政會議可藉憲報公告修訂附表2、4及6。 (1995年制定。由1999年第34號第3條修訂)
條: | 72 | (已失時效而略去 ) | 30/06/1997 |
---|
(已失時效而略去) | (1995年制定 ) | ||||
---|---|---|---|---|---|
(已失時效而略去) | (1995年制定 ) |
條: | 73 | (已失時效而略去 ) | 30/06/1997 |
---|
附表: | 1 | 保障資料原則 | 30/06/1997 |
---|
[第2(1)及(6)條]
1. 第1原則─收集個人資料的目的及方式
(1) 除非─
- (a)個人資料是為了直接與將會使用該等資料的資料使用者的職能或活動有關的合法目的而收集;
- (b) 在符合(c)段的規定下,資料的收集對該目的是必需的或直接與該目的有關的;及
- (c) 就該目的而言,資料屬足夠但不超乎適度, 否則不得收集資料。 (2) 個人資料須以─ (a) 合法;及
- (b) 在有關個案的所有情況下屬公平, 的方法收集。
- (3)
- 凡從或將會從某人收集個人資料,而該人是資料當事人,須採取所有切實可行的步驟,以確保─
- (a) 他在收集該等資料之時或之前,以明確或暗喻方式而獲告知─
- (i) 他有責任提供該等資料抑或是可自願提供該等資料;及
- (ii) (如他有責任提供該等資料)他若不提供該等資料便會承受的後果;及
- (b) 他─
- (i) 在該等資料被收集之時或之前,獲明確告知─
- (A) 該等資料將會用於甚麼目的(須一般地或具體地說明該等目的);及
- (B) 該等資料可能移轉予甚麼類別的人;及
- (ii) 在該等資料首次用於它們被收集的目的之時或之前,獲明確告知─
- (B) 該等要求可向其提出的個人的姓名及地址, 但在以下情況屬例外︰該等資料是為了在本條例第VIII部中指明為個人資料就其而獲豁免而不受第6保障資料原則的條文所管限的目的而收集,而遵守本款條文相當可能會損害該目的。
2. 第2原則─個人資料的準確性及保留期間
(1) 須採取所有切實可行的步驟,以─
- (a)確保在顧及有關的個人資料被使用於或會被使用於的目的(包括任何直接有關的目的)下,該等個人資料是準確的;
- (b)若有合理理由相信在顧及有關的個人資料被使用於或會被使用於的目的(包括任何直接有關的目的)下,該等個人資料是不準確時,確保─
- (i) 除非該等理由不再適用於該等資料(不論是藉着更正該等資料或其他方式)及在此之前,該等資料不得使用於該目的;或
- (ii) 該等資料被刪除;
- (c) 在於有關個案的整體情況下知悉以下事項屬切實可行時─
- (i) 在指定日當日或之後向第三者披露的個人資料,在顧及該等資料被使用於或會被使用於的目的(包括任何直接有關的目的)下,在要項上是不準確的;及
- (ii) 該等資料在如此披露時是不準確的,
確保第三者─
- (A) 獲告知該等資料是不準確的;及
- (B) 獲提供所需詳情,以令他能在顧及該目的下更正該等資料。
(2)個人資料的保存時間,不得超過將其保存以貫徹該等資料被使用於或會被使用於的目的(包括任何直接有關的目的)所需的時間。
3. 第3原則─個人資料的使用
如無有關的資料當事人的訂明同意,個人資料不得用於下列目的以外的目的─
- (a) 在收集該等資料時會將其使用於的目的;或
- (b) 直接與(a)段所提述的目的有關的目的。
4. 第4原則─個人資料的保安
須採取所有切實可行的步驟,以確保由資料使用者持有的個人資料(包括採用不能切實可行地予以查閱或處理的形式的資料)受保障而不受未獲准許的或意外的查閱、處理、刪除或其他使用所影響,尤其須考慮─
- (a) 該等資料的種類及如該等事情發生便能做成的損害;
- (b) 儲存該等資料的地點;
- (c) 儲存該等資料的設備所包含(不論是藉自動化方法或其他方法)的保安措施;
- (d) 為確保能查閱該等資料的人的良好操守、審慎態度及辦事能力而採取的措施;及
- (e) 為確保在保安良好的情況下傳送該等資料而採取的措施。
5. 第5原則─資訊須在一般情況下可提供 須採取所有切實可行的步驟,以確保任何人─
- (a) 能確定資料使用者在個人資料方面的政策及實務;
- (b) 能獲告知資料使用者所持有的個人資料的種類;
- (c) 能獲告知資料使用者持有的個人資料是為或將會為甚麼主要目的而使用的。
6. 第6原則─查閱個人資料
資料當事人有權─
- (a) 確定資料使用者是否持有他屬其資料當事人的個人資料;
- (b) 要求─
- (i) 在合理時間內查閱;
- (ii) 在支付並非超乎適度的費用(如有的話)下查閱;
- (iii) 以合理方式查閱;及
- (iv) 查閱採用清楚易明的形式的,
個人資料;
- (c) 在(b)段所提述的要求被拒絕時獲提供理由;
- (d) 反對(c)段所提述的拒絕;
- (e) 要求改正個人資料;
- (f) 在(e)段所提述的要求被拒絕時獲提供理由;及
- (g) 反對(f)段所提述的拒絕。 (1995年制定)
附註:有關《立法會決議》(2007年第130號法律公告)所作之修訂的保留及過渡性條文,見載於該決議第(12)段。
[第5(7)、10(2)(c) 及71條]
1. 專員的資源等
(1) 專員的資源計有─
- (a) 以下一切款項─
- (i) 經立法會撥作委員會用途並由政府付予專員的款項;及 (由1999年第34號第3條修訂)
- (ii) 由政府以其他方式提供予專員的款項;及
- (b)所有其他款項及財產,包括專員所收的饋贈、捐贈、費用、租金、利息及累積的收益。
- 財經事務及庫務局局長可就專員在任何財政年度內可支出的款額,向專員發出一般性或具體的書面指示,而專員須予遵從。(由1997年第362號法律公告修訂;由2002年第106號法律公告修訂)
- (3) 為免生疑問,現聲明︰須付予─
- (a) 專員;或
- (b) 根據本條例第9(1)條僱用或聘用的人, 的薪酬或其他利益及其開銷費須自專員的資源撥付。
2. 借款權力
- 在符合第(2)款的規定下,專員為履行其在本條例下的責任或執行其在本條例下的職能,可以透支方式借入所需款項。
- 政制及內地事務局局長經諮詢財經事務及庫務局局長後可就專員根據第(1)款可借入的款額,向專員發出一般性或具體的書面指示,而專員須予遵從。
- 專員為履行其在本條例下的責任或執行其在本條例下的職能,可藉透支以外的方式借入所需款項,但須得到政制及內地事務局局長經諮詢財經事務及庫務局局長後給予的批准。
(4)貸款給專員的人無須查究專員借款是否合法或合乎規定,或所籌集的款項是否妥為運用,
亦無須因為有任何不合法或不合乎規定的事,或有關款項運用不當或不予運用而蒙受不利。 (由1997年第362號法律公告修訂;由2002年第106號法律公告修訂;由2007年第130號法律公告修訂)
3. 盈餘資金的投資
(1) 在符合第(2)款的規定下,專員可將非即時需支用的款項投資。
(2)專員依據第(1)款將其款項投資的方式,必須得到政制及內地事務局局長經諮詢財經事務及庫務局局長後給予的批准。 (由1997年第362號法律公告修訂;由2002年第106號法律公告修訂;由2007年第130號法律公告修訂)
(3) 第(1)款不受本條例第10(1)條規限。
4. 專員的帳目、審計及年報
(1) 專員須就其所有財務往來安排備存妥善的帳目。
- 在財政年度屆滿後,專員須在切實可行範圍內盡快擬備專員帳目的報表,其中須包括收支結算表及資產負債表。
- 專員須委任一名核數師,該核數師須在切實可行範圍內盡快審計第(1)款規定須備存的帳目及第(2)款規定須擬備的帳目報表,並就該報表向專員提交報告。
- 在財政年度屆滿後9個月內(或在政務司司長准許的較長期間內),專員須在切實可行範圍內盡快將以下文件提交政務司司長,而政務司司長則須安排將之提交立法會省覽─ (由1997年第362號法律公告修訂;由1999年第34號第3條修訂)
- (a)一份專員在該年度內的事務的報告,報告須包括一項縱覽,內容是在專員職能範圍之內的事宜,在該年度內的發展;
- (b) 第(2)款規定的該年度帳目報表一份;及
- (c) 核數師就該帳目報表所作的報告。
(5) 本條不受本條例第10(1)條規限。
5. 審計署署長的審核
(1)審計署署長可就任何財政年度,對專員在執行其職能及行使其權力時使用其資源是否合乎經濟原則及講求效率及效驗的情況,進行審核。
- 在符合第(3)款的規定下,審計署署長有權在任何合理時間,查閱他為進行本條下的審核而可能合理地需要的一切文件,並有權向持有該等文件的人或對該等文件負責的人,要求提交他認為為該目的而合理地需要的資料及解釋。
- (3) 第(2)款只適用於由專員保管及控制的文件。
- (4) 審計署署長可向立法會主席提交關於他根據本條進行的審核的結果的報告。 (由1999年第34號第3條修訂)
(5) 第(1)款的施行不得令審計署署長有權質疑專員的政策目的是否可取。 (由1997年第362號法律公告修訂)
6. 豁免徵稅
- (1) 專員豁免繳交《稅務條例》(第112章)下的徵稅。
- (2) 為免生疑問,現聲明︰第(1)款不適用於第1(3)條所提述的由專員的資源撥付予專員的薪酬、
利益或開銷費,亦不就該等薪酬,利益或支出而適用。 (1995年制定)
〔第14(10)條〕
- 1. 資料使用者的地址及姓名或名稱。
- 2. 凡資料使用者就某些個人資料而屬資料使用者,一項對該等資料所屬的種類的描述。
- 3. 凡第2項所提述的個人資料是或將會是由資料使用者為某目的或某些目的而收集、持有、處理或使用的,一項對該目的或該等目的的描述。
- 4. 凡資料使用者向或擬向或可能欲向某類別的人披露第2項所提述的個人資料,一項對該類別的描述。
- 5. 凡資料使用者將或擬將或可能欲將第2項所提述的個人的資料移轉至香港以外的某些地方,該等地方的名稱或一項對該等地方的描述。
- 6. 向資料使用者作出的查閱資料要求須向其提出的個人的姓名及地址。 (1995年制定)
〔第30(1)(d)及71條〕 (1995年制定) [第32(4)條]
- 1. 進行有關的核對程序是否符合公眾利益。
- 2. 將成為有關的核對程序的標的之個人資料的種類。
- 3. 假使有關的核對程序導致對有關的資料當事人採取不利行動,便相當可能對該人做成的後果。
- 4. 將會予以依循以令資料當事人能夠─ (由2002年第23號第126條修訂)
- (a) 就由有關的核對程序所產生或核實的任何個人資料;
- (b) 在有任何不利行動對資料當事人採取前,
作出改正資料要求的實務及程序(如有的話)。 (由2002年第23號第126條修訂)
- 5. 將會予以依循以在切實可行範圍內確保由有關的核對程序所產生或核實的任何個人資料的準確性的實務及程序(如有的話)。
- 6. 任何該等資料當事人是否會在有關的程序首次進行前獲告知該項程序。
- 7. 有關的核對程序是否有切實可行的交替性措施。
- 8. 進行有關的核對程序將會帶來的利益。 (1995年制定)
[第42(6)、(7)及(11)及71條]
第1部
授權個人資料私隱專員在不告知有關資料使用者 的情況下進入指明處所的手令
致︰個人資料私隱專員
鑑於本席已因經宣誓/聲明*而作的告發而信納有合理理由相信如你在根據《個人資料(私隱)條例》(第486章)就位於.................................................................. ...............................................................................〔有關資料使用者所佔用的處所的地址/有關資料使用者所使用的個人資料系統或其部分所處的處所的地址*〕的處所行使你在該條例第42(2)條下的權力前,須遵守該條例第42(3)條的話,便可能對一項根據該條例就.......................................................................................................... ......................〔有關資料使用者的姓名或名稱〕進行的調查的目的造成重大損害︰
現授權你在無須遵守該條例第42(3)條的情況下就上述處所行使你在該條例第42(2)條下的權力,並可帶同所需的助理人員,但本手令只授權在本手令發出日期後的14日內行使該權力。
19................. 年................ 月.................. 日
..................................................... (簽署)裁判官
*刪去不適用者。
第2部
授權個人資料私隱專員進入 指明住宅處所的手令
致︰個人資料私隱專員
鑑於本席已因經宣誓/聲明*而作的告發而信納有合理理由相信如你因《個人資料(私隱)條例》(第486章)第42(4)條的實施而不能就位於......................................... ..................〔有關資料使用者所佔用的住宅處所的地址/有關資料使用者所使用的個人資料系統或其部分所處的處所的地址*〕的處所行使你在該條例第42(2)條下的權力的話,便可能對一項就.............................................................〔有關資料使用者的姓名或名稱〕進行的調查的目的造成重大損害︰
現授權你就上述處所行使該權力,並可帶同所需的助理人員,但本手令只授權在本手令發出日期後的14日內行使該權力。
19................. 年................ 月.................. 日
..................................................... (簽署)裁判官
*刪去不適用者。 (1995年制定)