Confidentiality
and Preservation of Electronic Data
Over
the past few years, there has been an increasing number of
consumers using the Internet to perform transactions.
The development of the Internet as a communications
medium to commercial advantage through e-commerce has
raised increasing concerns over privacy issues relating to
the collection, use and security of personal data given
over the Internet. The
Personal Data (Privacy) Ordinance (Cap. 486) was an
attempt by the Government to secure the importance of
personal privacy and to provide legal protection in the
use of an individual's personal data.
In addition, the Hong Kong Internet Service
Providers Association (HKISPA) has taken the initiative in
bringing into force the Code of Practice on Anti-Spam in
February 2000.
The
aim of the Ordinance is to safeguard the free flow of
personal data in Hong Kong and to regulate the transfer of
Hong Kong collected data out of Hong Kong which includes
China. The
Ordinance covers personal data collected and recorded in a
document, and therefore by virtue of the Electronic
Transactions Ordinance now extends to include personal
data recorded electronically.
The Ordinance may protect an individual who suffers
damage, including injured feelings in relation to misuse
of his/her personal data by seeking compensation from the
data user concerned.
The term 'data users' is defined in the Ordinance
as persons who control the collection, holding, processing
and use of personal data.
Besides,
the Ordinance has granted to individuals several privacy
rights including the right to confirm that their data is
held, right of access, right of correction, right to be
informed of use, right to fair collection, right to give
only necessary data, right to consent to a change of use,
right to openness of data policies and practices, and
right to accuracy and security.
For
an organisation, it is advisable to set out its policy
with respect to protection of its customers' personal data
and designate particular employees of the organisation to
ensure compliance with the Ordinance. Users should then ensure that the purposes and means of
collection are lawful.
Data users must always inform the data subjects of
the purposes for which personal data collected is used and
the persons to whom the data may be transferred.
On
the other hand, there are restrictions under the Ordinance
regarding the transfer of personal data to places outside
Hong Kong unless the data user has taken all reasonable
precautions and exercised all due diligence to ensure that
the personal data concerned is given substantially
equivalent protection to that provided for by the
Ordinance. One
of the methods to achieve this is for the parties to the
transfer to enter into a contract, or other acceptable
agreement, applying the data protection principles to the
data upon its transfer to the place outside Hong Kong. Under these circumstances, the Commissioner has prepared a
model contract which sets out the provisions which a data
transfer contract may include to assist those data users.
In
conclusion, although the Ordinance was not drafted
specifically to protect individuals' privacy rights on the
Internet, data users and net users alike should carefully
examine it, either to ensure that they comply with the
requirements contained therein or to know what rights they
have.
