Personal data
According to the Personal Data Protection Act, personal data means any information relating to an identified or identifiable natural person. Personal data is also commonly referred to as personal privacy.

For example, a citizen orders a book from a bookstore, gives his name and the book title, and makes a down payment for the order. His name, together with the title of the book he has ordered, the amount of the down payment and the outstanding amount, are his personal data, even though he has not given his ID card number, because the name alone is sufficient to identify him. If, however, he has not provided his name or any other data sufficient to identify him, then the title of the book, the down payment and the outstanding amount do not constitute his personal data.

From this example it is clear that “personal data” is a rather broad concept. We should familiarise ourselves with the Personal Data Protection Act, so that we can better respect other people’s personal privacy while protecting our own.

(Note: For specific provisions of the law, please refer to Article 4 of the Personal Data Protection Act.)

Sensitive Data
This refers to personal data relating to philosophical or political beliefs, political society or trade union membership, religion, private life and racial or ethnic origin, and data concerning health or sex life, including genetic data. Processing of sensitive data is prohibited unless the law provides otherwise.
Processing of Personal Data
This refers to any operation performed on personal data, in any form and by any means or medium, such as collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, transmission, dissemination, blocking, erasure or destruction. It covers personal data collected and handled in any medium: paper forms and documents, telephone or Internet, discs, PCs and servers, microfilm, originals and copies.
Controller

The Personal Data Protection Act provides that a “controller” may be a natural or legal person, public entity, agency or any other body which, alone or jointly with others, has the capacity to decide on:

  • the purposes of personal data processing;

  • the means of personal data processing.

In Europe, Hong Kong and other places, a controller is also known as a “data controller” or “data user”.

For example, when receiving its customers, a hotel registers their names, ID document numbers, the rooms to which they are assigned, their spending in the hotel, their ways of payment, etc. The management of the hotel may process the data and decide on the purposes and means of the processing. The hotel as such constitutes a controller. The hotel’s accounting department and IT department, etc., are departments of the hotel with no jurisdiction over the purposes or means, and are subject to the hotel management’s decision; therefore, they are not regarded as “controllers”.

(Note: For specific provisions of the law, please refer to Article 4 of the Personal Data Protection Act.)

Data Subject
This refers to the natural person whose data is processed. Since personal data processing covers so many areas, anyone may become a data subject. To know whether you are the data subject in a given case, simply ask whether your personal data is being processed. For example, if you have provided personal information for a marketing survey, even if only a telephone number, you are already a data subject.
Processor

The Personal Data Protection Act provides that a processor may be a natural or legal person, public entity, agency or any other body which processes personal data on behalf of the controller. A processor is also commonly known as an “outsourcing agency”. Processors do not decide on:

  • the purposes of personal data processing;

  • the means of personal data processing.

A processor is responsible for the security and confidentiality of the personal data it undertakes to process, and may therefore have a certain degree of decision-making power over the related security measures. In law, however, such decisions are presumed to be made by the commissioning controller. The law expects a controller that needs a processor to choose one with sufficient technical and organisational means to provide appropriate security measures for the processing, and to oversee the implementation of those measures.

For example, company A needs to convert its paper customer records into electronic ones and outsources the work to IT company B. Company A is then the controller and company B the processor. To comply with the law, company A is expected to assess in advance company B’s ability to provide appropriate security measures for the intended processing, and to enter into a contract or other appropriate legal instrument with company B covering the outsourced work. Should inappropriate processing occur between them, liability is decided on the basis of those legal documents.

Although a processor is generally obliged to process personal data in line with the controller’s instructions, this does not release it from its own legal obligation to handle the processing in accordance with the law. To carry the example further: if company B notices in the course of its work that company A is in fact committing fraud in its business, company B must discharge its legal obligation by reporting its findings and handing the related documents to the police. In doing so company B is treated as a controller for that separate legal purpose, and need not process the data according to company A’s instructions.

(Note: For specific provisions of the law, please refer to Articles 4, 6 and 15 of the Personal Data Protection Act)

Third party
This refers to any natural or legal person, public entity, agency or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.
Recipient
This refers to the natural or legal person, public entity, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a law or a statutory regulation with organizational nature shall not be regarded as recipients.
Data subject’s consent
This refers to any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
Combination of data
This refers to a form of processing which consists of the possibility of correlating data in a filing system with data in a filing system or systems kept by another or other controllers or kept by the same controller for other purposes.
Statutory regulations with organizational nature
This refers to a provision, in a law or in the statutes, governing the organisation and functioning of any entity competent to process personal data or to carry out other acts provided for in the Personal Data Protection Act.
Personal Data Security
  • General Security Measures

A data controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected (Article 15 of the Personal Data Protection Act, henceforth “PDPA”).

In other words, to protect personal data the controller should formulate personal data policies and adopt measures proportionate to the risks posed by the processing and the nature of the data to be protected. These measures should prevent accidental or unlawful destruction, accidental loss, and unauthorised alteration, dissemination or access.

For example, when students’ personal data is processed on school computers, the school should put security measures in place, such as installing a firewall and anti-virus software and requiring access passwords. The school should also establish administrative measures or a code of practice for its staff.

  • Furthermore, when the controller commissions another party (a processor) to process the data, that party must provide adequate technical and organisational security measures. A contract should bind the processor to act in accordance with the controller’s code of practice. Last but not least, the controller should monitor the implementation of these measures.
  • When processing personal data, the processor should be responsible for the security and confidentiality of the personal data.
  • Special Security Measures

When an entity referred to in Articles 7(2) and 8(1) processes sensitive data, or data relating to suspected unlawful activities, criminal offences or administrative offences, it must adopt the following security measures:

(1)control of entry to the premises: prevent unauthorised persons from entering the premises used for processing such data;

(2)control of data media: prevent data media from being read, copied, altered or removed by unauthorised persons;

(3)control of input: prevent unauthorised input, and any unauthorised obtaining of knowledge, alteration or elimination of personal data that has been input;

(4)control of use: prevent automatic data processing systems from being used by unauthorised persons by means of data transmission facilities;

(5)control of access: guarantee that authorised persons may only access data covered by the authorisation;

(6)control of transmission: guarantee that it is possible to check to which bodies personal data may be transmitted by means of data transmission facilities;

(7)control of input: guarantee that it is possible to check a posteriori, within a period appropriate to the nature of the processing and to be established in the regulations applicable to each sector, which personal data were input, when and by whom;

(8)control of transport: in transmitting personal data and in transporting the respective media, prevent unauthorised reading, copying, alteration or elimination of data.

  • Having regard to the nature of the entity responsible for the processing and the type of premises in which the processing is carried out, the GPDP may waive certain security measures, provided the fundamental rights, freedoms and guarantees of the data subjects remain respected.
  • The processing systems must guarantee logical separation between data relating to health and sex life, including genetic data, and other personal data.
  • When sensitive data circulating over a network may jeopardise the fundamental rights, freedoms and guarantees of the data subjects, the GPDP may determine that the transmission must be encrypted.

(Article 16 of the PDPA)
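As an added illustration, not part of the GPDP’s text or the PDPA, the following Python sketch shows how three of the Article 16 requirements might be enforced in a small filing system: control of access (5), where a user may only touch the data categories covered by their authorisation; control of input (7), where every input is recorded with who, when and which field so it can be checked a posteriori; and logical separation of health data from other personal data. The users, categories, field names and the in-memory store are hypothetical and constructed for the example.

```python
"""Added example: enforcing Article 16-style controls in a small filing system.

Hypothetical illustration, not GPDP or PDPA reference code. It shows:
  * control of access (5): a user may touch only the data categories covered by
    their authorisation; refused attempts are logged, not silently dropped;
  * control of input  (7): every input is recorded with who, when and which
    field, so the trail can be checked a posteriori;
  * logical separation: health data lives in its own store, never mixed with
    ordinary personal data.
Users, categories and field names are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple

ORDINARY = "ordinary"   # e.g. name, room number, invoice amount
HEALTH = "health"       # sensitive: health and sex life, incl. genetic data


@dataclass(frozen=True)
class AuditEntry:
    when: str         # ISO-8601 UTC timestamp
    who: str          # authenticated user id
    action: str       # "input", "read" or "denied"
    subject_id: str   # data subject the record belongs to
    field_name: str
    category: str


class FilingSystem:
    def __init__(self, authorisations: Dict[str, Set[str]],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._auth = authorisations          # user -> categories they may access
        self._clock = clock                  # injectable for reproducible tests
        # One store per category: health data never shares a table with ordinary data.
        self._stores: Dict[str, Dict[str, Dict[str, str]]] = {ORDINARY: {}, HEALTH: {}}
        self._audit: List[AuditEntry] = []   # append-only trail (in memory here)

    def _record(self, who: str, action: str, subject_id: str,
                field_name: str, category: str) -> None:
        self._audit.append(AuditEntry(self._clock().isoformat(), who, action,
                                      subject_id, field_name, category))

    def _authorise(self, who: str, subject_id: str, field_name: str, category: str) -> None:
        if category not in self._stores:
            raise ValueError(f"unknown category {category!r}")
        if category not in self._auth.get(who, set()):
            # Denials go into the trail too: it must show attempts, not only successes.
            self._record(who, "denied", subject_id, field_name, category)
            raise PermissionError(f"{who} is not authorised for {category} data")

    def input(self, who: str, subject_id: str, field_name: str,
              value: str, category: str) -> None:
        """Store one field; refused and logged if the user lacks authorisation."""
        self._authorise(who, subject_id, field_name, category)
        self._stores[category].setdefault(subject_id, {})[field_name] = value
        self._record(who, "input", subject_id, field_name, category)

    def read(self, who: str, subject_id: str, field_name: str, category: str) -> str:
        self._authorise(who, subject_id, field_name, category)
        self._record(who, "read", subject_id, field_name, category)
        return self._stores[category][subject_id][field_name]

    def who_input(self, subject_id: str, field_name: str) -> List[Tuple[str, str]]:
        """A-posteriori check (control 7): who entered this field, and when."""
        return [(e.who, e.when) for e in self._audit
                if e.action == "input" and e.subject_id == subject_id
                and e.field_name == field_name]

    def audit_trail(self) -> List[AuditEntry]:
        return list(self._audit)


def demo() -> dict:
    """Constructed scenario: a clerk and a nurse share one filing system."""
    fs = FilingSystem({"clerk": {ORDINARY}, "nurse": {ORDINARY, HEALTH}})
    fs.input("clerk", "S-001", "name", "A. Example", ORDINARY)
    fs.input("nurse", "S-001", "diagnosis", "[constructed value]", HEALTH)
    try:
        fs.read("clerk", "S-001", "diagnosis", HEALTH)   # outside the clerk's scope
        denied = False
    except PermissionError:
        denied = True
    return {
        "clerk_denied_health": denied,
        "diagnosis_entered_by": [who for who, _ in fs.who_input("S-001", "diagnosis")],
        "health_in_ordinary_store": "diagnosis" in fs._stores[ORDINARY].get("S-001", {}),
        "denials_logged": sum(1 for e in fs.audit_trail() if e.action == "denied"),
    }


if __name__ == "__main__":
    print(demo())
```

In a real system the trail would be written to append-only storage outside the application’s own write path and retained for the period the sector regulations require, and the authorisation sets would come from the identity system rather than a dictionary; the point of the sketch is that authorisation, logging of denials and separation of sensitive data are enforced in one place rather than left to each caller.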

Personal data leakage
Personal data leakage refers to a controller disclosing or disseminating personal data in breach of its professional secrecy obligation, or disclosing or disseminating personal data without meeting the legitimacy criteria, without appropriate organisational and technical security measures, or with measures that are not commensurate with the risks.

If data is leaked, the controller bears the legal responsibility, if any, including where the leakage is caused by negligence, unless the controller can prove that the leakage was caused by another party.

Example: if an employee of a company leaks customer data through human error and there is no proof that the employee violated the company’s code of practice (or it is shown that no code of practice was violated), the company is primarily liable for the leakage. If, on the other hand, the employee is found to have violated the company’s code of practice, the employee is primarily liable.

In addition, Article 18 of the PDPA regulates that controllers and the persons who obtain knowledge of the personal data processed in carrying out their functions shall be bound by professional secrecy, even when such functions are ended.
• Professional secrecy is a perpetual obligation, demanding that a person is obliged to professional secrecy for the information he learnt in the course of his duties, even when he left the job.
• Officers, agents or staff who act as consultants for the public authority shall be subject to the same obligation of professional secrecy.
Violation of professional secrecy may constitute criminal offences (Article 41 of the PDPA).
• Any person bound by professional secrecy according to the law who without just cause and without due consent reveals or discloses personal data, totally or in part, shall be liable to up to two years’ imprisonment or a fine of up to 240 days, if a more severe punishment is not to be enforced due to a specific law. The concerned criminal proceedings are initiated only on complaint.
• The penalty shall be increased by one half of its maximum if the agent:
i. is a civil servant or equivalent, according to penal law;
ii. acts with the intention of obtaining a material advantage or other unlawful gain;
iii. adversely affects the reputation, honour and esteem or the privacy of another person.
• A person guilty of negligence shall be liable to up to six months’ imprisonment or a fine of up to 120 days.
Transfer of Personal Data outside the Macao SAR

The transfer of personal data to a destination outside the MSAR may only take place subject to compliance with the PDPA and provided the legal system in the destination to which they are transferred ensures an adequate level of protection. (Article 19(1) of the PDPA) The legal system in the destination to which data is transferred ensuring an adequate level of protection forms the legal basis of transferring personal data to a country or a region outside the MSAR. According to law, whether the legal system of the destination ensures an adequate level of protection will be decided by the GPDP. (Articles 19(2) and 19(3) of the PDPA)

Normally a white list is adopted, under the principle of reciprocity, to include those countries or regions that have achieved an adequate level of protection. Until now, the GPDP has not included any countries or regions onto the white list.

If the destination of the transfer does not ensure an adequate level of protection, an entity may still transfer personal data under any of the legally specified conditions listed below, but it must notify the GPDP. Likewise, where it is unclear whether the destination ensures an adequate level of protection, the entity may notify the GPDP and transfer under any of the following conditions:

  • when the data subject has explicitly agreed to the transfer;

  • when the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken in response to the data subject’s request;

  • when the transfer is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;

  • when the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;

  • when the transfer is necessary in order to protect the vital interests of the data subject;

  • when the transfer is made from a register which according to laws or administrative regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided the conditions laid down in law for consultation are fulfilled in the particular case.

(Article 20(1) of the PDPA)

Where the legal system of the destination does not ensure an adequate level of protection and the transfer does not fulfil any of the conditions listed above, the GPDP may nevertheless authorise the transfer provided the controller adduces adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals and for the exercise of those rights, in particular by means of appropriate contractual clauses. (Article 20(2) of the PDPA)

Transfers of personal data that are necessary for the protection of defence, public security and public health, or for the prevention, investigation and prosecution of criminal offences, are governed by special legal provisions or by the international conventions and regional agreements to which the MSAR is party, and do not require authorisation from the GPDP. (Article 20(3) of the PDPA)

Data controllers should:
  • establish legitimate processing purposes

  • formulate comprehensive policies

  • respect legal principles

  • ensure data security

  • discharge notification obligation

Address: Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau

Tel: (853)28716006

Fax: (853)2871 6116