The Personal Data (Privacy) Ordinance (“PDPO”) provides individual with rights to the protection of their personal data. Organisations must implement good personal data management practices and procedures to comply with the requirements of the data protection principles (“DPP”) of the PDPO. The DPP requirements are listed below for reference:
Principle 1 – Purpose and manner of collection
Principle 2 – Accuracy and duration of retention
Principle 3 – Use of personal data
Principle 4 – Security of personal data
Principle 5 – Information to be generally available
Principle 6 – Access to personal data
In accordance with the DPP requirements, Employees are required to abide by the following practices and procedures:
1. Client’s personal information (information that allows the client to be identified e.g. client’s identification and contact details) collected by an Employee shall only be use for the purposes (“Purpose”) explained to the client at the time of collecting such personal information.
2. The information to bee collected from a client must be clearly set out in the relevant personal information collection document. The Company must also notify clients as to how they may access, correct or update personal information held by the Company.
3. Clients are entitled to access, correct or update personal information collected by the Company. If a client wishes to access, correct or update personal information, he/she may do so in writing addressed to the Compliance Officer of the Company.
4. All personal information held by the Company will be kept for the period necessary for the carrying out of the Purpose.
5. No personal information of any client may be disclosed to any third party by an Employee and/or the Company without the client’s prior consent, except as required by law or unless reasonably necessary for fulfilling the Purpose.
Protection of Employee Data
Under the definitions in the Ordinance, “personal data” includes much of the data you provide in the employment process as well as personal data, which is subsequently collected and held by the Company during your employment. The following information is provided to you under the terms of this ordinance.
You will be informed if it is obligatory for you to provide your personal data when requested.
If it is obligatory, you will be informed of the consequences to you if you fail to provide the data.
Use of Your Personal Data:
All personal data concerning you (whether provided by you or any other persons) may be used by any of the following people (each being a “User”):
(i) any person controlling, controlled by or under common control with the Company;
(ii) any director, officer or employee of the Company; or
(iii) any person authorized by the Company.
All personal data concerning you (whether provided by you or any other person) may be used by any User for any of the following purposes:
(i) the specific uses provided to you at the time of data collection;
(ii) transfer of data to any place outside Hong Kong;
(iii) any purpose relating to or in connection with your employment with the Company; or
(iv) any purpose relating to or in connection with the ordinary course of business of the Company.
(c) Rights of Access and Correction
You have the righty to have access to and correction of your personal data as set out in the Ordinance. In general, and subject to certain exemptions, you are entitled to:
(i) ascertain whether the Company holds personal data in relation to you;
(ii) request access to your personal data within a reasonable time, at a fee which is not excessive, in a reasonable manner, and in a form that is intelligible;
(iii) request the correction of your personal data; and
(iv) be given reasons if a request for access or correction is refused, and object to any refusal.
(d) Contact Person
The title and address of the person to whom any request for access to and/or correction of personal data concerning yourself, or further information about this Ordinance, may be made to the Compliance Officer.