Data protection in Hong Kong: an overview

Stefania Lucchetti
Mallesons Stephen Jaques, Hong Kong

As multinational corporations strengthen their presence in Asia, it is increasingly important that they are aware of privacy requirements applicable to their customers’, employees’ and suppliers’ data. This year, data protection has been under the spotlight in Hong Kong due to several media reports of high profile leakages of confidential personal data by public and private organisations. Among others, the Department of Immigration was reported as having leaked confidential files containing a list of people that the Department’s officers were required to be on the lookout for. These files included travel document information and travel records. This followed disclosures by the police force, the Department of Health, the Hospital Authority and a Hong Kong private banking institution.

The media attention which followed such events clearly illustrates how important it is, from a reputation perspective, for businesses to comply with privacy laws, as breaches of privacy will quickly impact on consumer confidence and are likely to affect all stakeholders.

The Hong Kong data protection regulatory framework

The main privacy law in Hong Kong is the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance). The Ordinance, which generally reflects the OECD guidelines for the Protection of Privacy and Trans-border Flows of Personal Data (1980), has been in force since December 1996. The purpose of the Ordinance is to protect individuals’ right to privacy by regulating the handling of personal data in Hong Kong. It applies to any person or organisation, both public and private, that collects, holds, processes or uses personal data.

Hong Kong has a very advanced data protection regulatory framework compared to the rest of Asia, where the extent of personal data protection varies across the region but is in general still at an embryonic stage. Japan, Malaysia, South Korea, Taiwan, Vietnam, Singapore and Indonesia have implemented laws and regulations to govern the protection of personal data; however, in most cases protection is sector specific or fragmented across various pieces of legislation. The implementation of a data protection law is still being considered in China, Thailand, India and the Philippines.

Activities regulated by the Ordinance

The Ordinance applies to personal data, defined as all information (however recorded, including expressions of opinions and personal identifiers such as identity card numbers) relating directly or indirectly to a living individual and from which it is practicable to ascertain the identity of the individual. Nearly all active businesses in Hong Kong will be holding some form of personal data, whether that data is kept on electronic databases or in hard copy files.

When collecting, holding, processing or using personal data in Hong Kong, businesses should comply with the data protection principles set out in the Ordinance relating to:

  • the purpose and manner of collection of personal data;
  • the accuracy and retention of personal data;
  • the use of personal data;
  • the security of personal data;
  • information that should be made generally available; and
  • access to personal data.

Under the Ordinance, individuals have the right to confirm with businesses whether their personal data is held and to have their personal data corrected if it is inaccurate. Individuals also have the right to obtain a copy of their data upon payment of a reasonable fee.

The Ordinance also regulates direct marketing activities and requires businesses to inform recipients when carrying out direct marketing activities that they will cease to use the recipient’s personal data if so requested. This regime (commonly referred to as an ‘opt-out’ regime) is consistent with the anti-spam laws in Hong Kong.

Transfer of data overseas

A specific section of the Ordinance regulates the transfer of data outside Hong Kong and prohibits such transfers except in specified circumstances, eg, if written consent to the transfer has been obtained from the individuals to whom the data relates. However, despite the Ordinance coming into force over a decade ago, this section is still not in force. According to a statement of the Secretary for the Civil Service released in early 2007, the Government is seeking to gain a thorough understanding, before this section is brought into force, of the pervasiveness of trans-border data flows, the processes involved in the transfer of data and the issues pertaining to its protection that organisations may encounter.

Although this section is not yet in force, it is prudent for businesses to ensure that any data transfer is carried out in compliance with it as the section supplements the application of the general data protection principles set out in the Ordinance. In addition, if a Hong Kong business retains control over the data after the transfer, all other provisions of the Ordinance will continue to apply.

Consequences of breaching the Ordinance

Individuals may complain to the Privacy Commissioner about suspected breaches of the Ordinance's requirements. Suspected breaches may be investigated by the Commissioner, either in response to a complaint or on its own initiative. If the Privacy Commissioner concludes that a contravention is likely to be repeated, an enforcement notice may be issued.

Contravention of an enforcement notice is an offence under the Ordinance and is liable upon conviction to fines up to HK$50,000 and/or imprisonment for up to two years. Continuing offences are liable to a daily penalty of HK$1,000. Individuals may also claim compensation through civil proceedings for damage caused to them as a result of a contravention of the Ordinance, including that for injured feelings.


Apart from a broad exemption from compliance for data held for recreational or domestic purposes – that is, personal data concerned only with the management of personal, family or household affairs – the Ordinance provides that businesses need not give employees access to certain employment-related personal data. However, not all employment-related data is exempt and businesses should be careful to ensure that the data falls within the exemption before refusing to grant an employee access to their personal data.

There are also various categories of data that are exempt from specific provisions of the Ordinance on the basis of prevailing public or social interests. The exempt categories of data include those in respect of security, defence and international relations, prevention or detection of crime, assessment or collection of any tax or duty, news activities and health.

Practical steps to ensure compliance

Practically speaking, all businesses which handle personal data in Hong Kong should consider the following risk management initiatives:

  • Sensitive information: As far as possible, avoid the collection of sensitive information without first seeking legal advice.
  • Privacy statement: Draft a privacy statement which complies with the Ordinance.
  • Guidelines and processes: Develop and regularly review formal guidelines and processes in respect of privacy related matters.
  • Logbook: Maintain a logbook of refusals to grant access to personal data.
  • Privacy officer: Appoint a privacy officer to administer compliance with the Ordinance as well as the training of relevant staff.
  • Security measures: Implement physical and electronic security measures to prevent unauthorised access and misuse of personal data.
  • Transferring personal data: Prior to the transfer of personal data to foreign countries, ensure that the obligations under the Ordinance are satisfied.