With the overconsumption of data in our daily lives, it is easy for companies to be confused about their data-related obligations. Understanding the legal definitions of 'personal data' in Hong Kong and other applicable jurisdictions is important to ensure companies put measures in place to comply with the rules regarding the collection, use and other processing of that information. This exercise, alongside data mapping, will also help businesses to differentiate personal data from other, non-personal, data they may hold, which falls outside the scope of data privacy laws.
Personal data and the Personal Data (Privacy) Ordinance
In Hong Kong, it is necessary to consider the scope of the Personal Data (Privacy) Ordinance (PDPO), which is aimed at protecting the personal data of individuals. The PDPO is not intended to apply to cases where personal data is not involved, nor does it restrict how an individual can use their own personal data.
Personal data in Hong Kong is defined in the PDPO as any data:
- relating directly or indirectly to a living individual;
- from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- in a form in which access to or processing of the data is practicable.
In short, the definition seeks to protect any representation of information of a living individual where the identity of that individual can be directly or indirectly ascertained. Broadly put, if you could identify a person based on the information you currently hold or information you can access, then you are likely to be handling personal data under the PDPO.
It is useful to consider the definition of 'personal data' in the context of everyday examples.
Example – photo IDs
When visiting some residential or office buildings, there is often a requirement to produce a photo ID for registration purposes. The Hong Kong Identification Card (HKID) is often produced to satisfy the requirement. The HKID and the HKID number would constitute personal data under the PDPO and any collection and use would need to comply with the PDPO.
Unless authorised by law, there is no right to compel an individual to provide their HKID or HKID number. However, in this case, collection of the HKID card number, if no other less privacy intrusive document can be provided, is generally accepted for security reasons. This is because it is unlikely that existing buildings will have the ability to monitor the activities of every individual inside their premises. The means of registration is a permitted form of collection under the first data protection principle in the PDPO.
Once the data is collected, the individual's name and HKID number should not be publicly displayed together or made available to anyone beyond those who need it to carry out activities related to the purpose for which the data was collected. It should also be collected and stored securely in compliance with other data protection principles.
The combination of data contained on a staff card, which usually exhibits a person's own name, company name, photograph and employee number, is likely to constitute personal data under the PDPO, and the above measures would equally apply.
Example – telephone number
Many individuals will have found their telephone number added to a group chat or have received a call asking whether they are interested in buying a property in the Greater Bay Area. Telephone numbers alone do not constitute personal data under the PDPO. This is because it is not practicable for the identity of an individual to be directly or indirectly ascertained without further information. If in the course of an exchange of messages or a voice conversation other details are revealed, such as an individual's name or location details, then this will increase the likelihood of the telephone number, as well as those other details, constituting personal data under the PDPO.
In Hong Kong, individuals can opt out from receiving unsolicited phone calls by registering their telephone number on the 'Do Not Call' register, which is administered by the Office of the Communications Authority.
Proposals to update the PDPO
A discussion paper published by the Hong Kong government earlier this year explored potential changes to the PDPO, including a possible revising of the definition of 'personal data'.
The change mooted is to expand the current definition of personal data so that data need only concern a person who is 'identifiable', and not only an 'identified' person. This seemingly small change, if introduced into law, would catch a broader range of uses of data.
Businesses that have already encountered the EU's General Data Protection Regulation (GDPR) will recognise that the proposed change is similar to the legal definition of personal data under GDPR, which encompasses "any information relating to an identified or identifiable natural person".
Individuals are likely to welcome a broadening of the definition in this way, particularly in the modern world of powerful algorithms and artificial intelligence (AI) tools, where data is tracked and analysed through various technologies and by different means.
If the Hong Kong government does move towards a definition of 'personal data' akin to that in the GDPR, it would mean additional protection for individuals and increase the compliance measures for companies that use data. This is particularly the case for businesses that use data-related technologies that learn about individuals' behaviours or that process information that will have an impact on an individual. These companies would need to ensure their processes comply with all of the data protection principles under the PDPO.
In addition, we could see the controversial case of Eastweek being overruled or distinguished by the widening of the definition of personal data. It has been almost 20 years since the Court of Appeal in Hong Kong held that the data user needs to identify or intend to identify an individual for the data to constitute personal data under the PDPO. When the proposed change is enacted, we may see the courts widening their interpretation to do justice on the facts they are presented with.
For businesses that operate cross-border and that process sensitive personal data, such as data on ethnic origin, political opinions, and biometric data, care is needed. The GDPR imposes additional restrictions on the processing of such sensitive personal data, referred to under the EU Regulation as 'special category' data. Currently, the proposed changes to the PDPO do not envisage including additional protection for these special categories of personal data; however, it would be prudent for any company to take note of these types of data during their data mapping exercise.