Ordinance & Principles

The Ordinance

The objective of the Personal Data (Privacy) Ordinance (Cap. 486) is to protect the privacy rights of a person in relation to personal data (Data Subject).


Personal Data

  • The information which relates to a living person and can be used to identify that person.
  • It exists in a form in which access or processing is practicable.
  • E.g.: names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.

Data User

A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. The Data User is liable as the principal for the wrongful act of its authorised data processor.

Data Processor

A person who
  • processes personal data on behalf of another person; and
  • does not process the data for any of the person’s own purposes.

Six Data Protection Principles (DPP)

Core of the Ordinance covering the life cycle of a piece of personal data:

DPP1 - Data Collection Principle
  • Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user.
  • Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
  • Data collected should be necessary but not excessive.
DPP2- Accuracy & Retention Principle

Personal data must be accurate and should not kept for a period longer than is necessary to fulfil the purpose for which it is used.

DPP3 - Data Use Principle

Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.

DPP4 - Data Security Principle

A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing , erasure, loss or use.

DPP5 - Openness Principle

A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

DPP6 - Data Access & Correction Principle

A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.