The objective of the Personal Data (Privacy) Ordinance (Cap. 486) is to protect the privacy rights of a person in relation to personal data (Data Subject).
A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. The Data User is liable as the principal for the wrongful act of its authorised data processor.
Core of the Ordinance covering the life cycle of a piece of personal data:
Personal data must be accurate and should not kept for a period longer than is necessary to fulfil the purpose for which it is used.
Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing , erasure, loss or use.
A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.