Professional Documents
Culture Documents
Note
Guidance on Preparing
Personal Information Collection Statement and
Privacy Policy Statement
Introduction DPP5 requires a data user to take all reasonably
This Guidance Note serves as a general practicable steps to ensure that a person can
reference for data users when preparing ascertain its policies and practices in relation
Personal Information Collection Statement to personal data and is informed of the kind
(“PICS”) and Privacy Policy Statement of personal data held by the data user and the
(“PPS”). Both PICS and PPS are important main purposes for which personal data held by
tools used respectively for complying with a data user is or is to be used.
the requirements of Data Protection Principle
(“DPP”)1(3) and DPP5 under the Personal Data What is personal data?
(Privacy) Ordinance (the “Ordinance”).
“Personal data” is defined under the Ordinance
The legal requirements to mean any data:–
DPP1(3) specifies that a data user, when (a) relating directly or indirectly to a living
collecting personal data directly from a data individual;
subject, must take all reasonably practicable
(b) from which it is practicable for the
steps to ensure that:
identity of the individual to be directly or
(a) the data subject is explicitly or implicitly indirectly ascertained; and
informed, on or before the collection of (c) in a form in which access to or processing
his personal data, of whether the supply of the data is practicable.
of the personal data is voluntary or
obligatory (if the latter is the case, the Data users often specifically collect or access
consequence for the individual if he does a wide range of personal data of individuals
not supply the personal data); and whose identities they intend or seek to
ascertain. They should be mindful, however,
(b) the data subject is explicitly informed: that in some other cases the information they
(i) on or before the collection of his have collected, in its totality, could be capable
personal data, of the purpose for of identifying individuals. For example, a
which the personal data is to be used
business may collect information about the
and the classes of persons to whom
the personal data may be transferred; kinds of goods and services that their customers
and purchase and subscribe so that it could track
the shopping behaviour of its customers for
(ii) on or before the first use of the promoting goods and services that are of
personal data, of the data subject’s interest to selected groups of customers.
rights to request access to and
correction of the personal data, and
the name (or job title) and address of
the individual who is to handle any
such request made to the data user.
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 1 July 2013
What are PICS and PPS, and how are they The need for a PICS applies to the collection
different? of information in both the physical world and
the online environment. The most common
A PICS (or its equivalent) is a statement example in which information of a data subject
given by a data user for the purpose of is collected online is in filling out an online
complying with the notification requirements registration form. The form should include a
under DPP1(3) of the Ordinance. While the PICS, either as part of its text or by means of a
Ordinance does not require the notification hyperlink on the form. Similarly, information
to be given in writing, it is good practice for about a data subject may also be collected
the requisite information to be provided to from him unbeknown to him (e.g. through
the data subjects in writing in the interests the use of cookies1). A PICS is still required
of transparency and to avoid possible to be presented to the individual on or before
misunderstanding between the parties. collecting the data.
A PPS (or its equivalent) is a general statement Example:
about a data user’s privacy policies and
practices in relation to the personal data it • “When you visit this website, we may use
handles. It is good practice to have a PPS in cookie files to store and track information
written form to effectively communicate the about your (details to be specified by the
data user’s data management policies and data user) or your actions for the purposes
practices despite the Ordinance is silent on the of providing our services to you on/for
format or presentation of a PPS. (details to be specified by the data user).”
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 3 July 2013
R Direct marketing: If a data user intends
to use personal data of the data subject If you do not wish to receive
for direct marketing, or provide the information on the above, please tick
personal data to third parties for use in the box below:
direct marketing, it shall comply with
the notification requirements under the □ I object to the proposed use
Ordinance2 and obtain the consent or an of my personal data as stated
indication of no objection from the data above.
subject before so using his personal data.
Data users may embody the notification
in the PICS which should be easily Name and signature
understandable and, if in written form, (dd/mm/yyyy)
easily readable form. A response channel
should be provided by the data users in (In both cases the data user may not use the
the notification for the data subject to personal data for direct marketing purpose
communicate his consent3. unless a signed form is returned. In the latter
case, if the form is returned with a signature
Example of a PICS given by a society or an but without a tick, it may be considered as
association which offers special discounts an “indication of no objection”.)
on goods and services (e.g. recreational
activities) to individuals who are interested R Statement of rights of access and
to subscribe or participate: correction and contact detail: This
statement is required to inform the data
• “Your name, mobile phone number and subject that he or she has the right to
home address collected by us will be request access to and correction of his
used for providing you with information personal data that is held by the data user.
about recreational activities and special
offers on household goods, food R Notice of contact person for requesting
and entertainment to be provided or access or correction: The data subject
sponsored by us. should be informed of the name (or job
title) and contact details of the individual
We cannot use your personal data who is responsible for handling any data
unless we have received your consent access and data correction requests.
or indication of no objection.”
Example:
Please indicate your consent to
receiving information relating to the • “You have the right to request access
above by signing and returning to us to and correction of information held
this Form by Fax # 1234 5678 or by by us about you. If you wish to access
sending it to any of our liaison offices. or correct your personal data, please
contact our data protection officer at
‘1/F, No.1 Main Road, Hong Kong’ or
dpo@company.com.“
Name and signature
(dd/mm/yyyy)
or
2
Sections 35C and 35J of the Ordinance
3
For details, please refer to the New Guidance on Direct Marketing issued by the Commissioner:
http://www.pcpd.org.hk/english/publications/files/GN_DM_e.pdf
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 4 July 2013
Recommended good practices – PICS Example:
R The purpose statement should not be • “The information you submit in filling an
too vague and too wide in scope: If online order form will be encrypted (a
the purpose statement is so crafted that secure means of transmission) when it is
the possibilities are endless, then it sent electronically to us.”
cannot qualify as a purpose. The data
subject must be able to ascertain with R Link to PPS: A hyperlink can be provided
a reasonable degree of certainty the on online forms for collecting personal
purposes of use from a PICS. For example, data to draw the data subject’s attention
“the personal data that you provide us to the contents of the data user’s PPS.
may be used by us as a source of data
for other related purposes according to Specific Details of a PPS
industry practice” lacks sufficient certainty
as “related purposes” therein arguably R When and how should a PPS be provided:
include “remotely related purposes”. A PPS should be made available to
Also, the term “industry practice” is not anyone, in an easily accessible manner,
an appropriate description of collection no matter whether personal data is
purpose in the PICS as it is not self- collected by the data user in the physical
explanatory. The data user should specify world or in the online world (e.g. through
the practice for the data subjects so that the use of cookies), or whether personal
they can make an informed decision. data is collected directly from the data
subject.
R The language and presentation of the
PICS should be user-friendly: The If a website of the data user only collects
PICS shall be presented in a manner aggregated information about its visitors
that renders it easily readable and (e.g. statistics on the web pages visited,
understandable in terms of its length, type of browsers used, location of the
complexity, font size and accessibility. visitor, number of new or returning visitors
etc.) but not any data that could be used
R Specific PICS to be used for specific to identify a data subject, it would be
collection purposes: If a website has good practice for the data user to include
more than one online form for collection a statement on its homepage to say clearly
of personal data each serving a different and exactly what it collects to alleviate the
purpose, the PICS used for each form concerns of the data subjects in relation to
should be tailored to the particular personal data protection.
purpose.
If a data user operates a website, it is
R Statement of security measures: A PICS recommended that a web version of the
may include a notice about the security PPS be made available by means of a
measures adopted by the data user in the prominent link at the top or at the bottom
handling of personal data (in particular if of the home page and every page of the
the personal data is collected online, the website. More and more Internet users
specific security measures that are applied are looking for the privacy policies of
to online transactions such as collection the websites they visit before they go
of credit card numbers). beyond the homepages. A prominent link
to the PPS will therefore help reassure
Internet users that the data user is privacy-
conscious and transparent about its policy.
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 5 July 2013
Example: R Statement of practices: This should
include the kind of personal data held by
• “When you visit our website we will the data user and the purposes for which
record your visit only as a “hit”. The it uses the data. The kind of personal data
webserver makes a record of your collected should depend on the actual
visit that includes your IP 4 addresses operational needs of the data user. They
(and domain names), the types and may include identification information,
configurations of browsers, language contact details, financial details (income/
settings, geo-locations, operating systems, savings/payments etc.), interests,
previous sites visited, and time/durations preferences (language, webpage layout
and the pages visited (visitor data). We etc.), location information of mobile
use the visitor data for the purpose of devices, browser details and IP addresses
maintaining and improving our websites etc. Common purposes for which these
such as to determine the optimal screen types of personal data are used may
resolution, which pages have been most include the delivery of goods/services, the
frequently visited etc. We use such management of accounts, the processing
data only for website enhancement and of orders, the facilitation of website
optimisation purposes. We do not use, access, the compilation of aggregate
and have no intention to use the visitor statistics on website usage, etc.
data to personally identify anyone.”
Examples:
What goes into a PPS? • “Your personal details, job particulars,
salary and benefits, appraisal and
R Statement of policy: This would express disciplinary records collected and held by
a data user’s overall commitment in us will be used for the purpose of human
protecting the privacy interests of the resource management.”
individuals who provide information about
themselves to the data user. • “We will not provide your personal data
to third parties for direct marketing or
Examples: other unrelated purposes without your
• “We are committed to protecting the consent.”
privacy, confidentiality and security of
the personal information we hold by
complying with the requirements of Recommended good practices – content of PPS
Personal Data (Privacy) Ordinance with
R DPP1: Collection of personal data from
respect to the management of personal minors: If a data user wants to collect
information. We are equally committed personal data from young people and/
to ensuring that all our employees and or its website includes content of interest
agents uphold these obligations.” to young people, it should include in
its PPS a statement on its practices in
• “We pledge to comply with the relation to the collection of personal data
requirements of the Personal Data from young people. Generally, data users
(Privacy) Ordinance. In doing so, we are not advised to collect personal data
will ensure compliance by our staff with from minors (particularly those who are
the strictest standards of security and incapable of making an informed decision)
confidentiality.” without prior consent from a person with
parental responsibility for the individual.
4
IP stands for Internet Protocol. IP addresses are used by computers to identify other computers that connect to them.
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 6 July 2013
R DPP1: Collection of personal data from R DPP3: Disclosure of personal data: If
individuals without their knowledge: personal data would not be disclosed to
If technical means such as cookies other parties without the data subject’s
are used to collect information from express and voluntary consent, it is
individuals without their knowledge, the advisable for such policy to be stated
data user should include statements on in the PPS. If personal data would be
this arrangement in the PPS. Matters that disclosed to third parties (such as to pass
should be covered in the PPS include: personal data to credit card companies
for payment transactions and this is made
• when are such means used; clear under the PICS) or if the website will
• what kind of information is collected share visitor details (such as IP addresses
by these means, in particular whether and browser types) with other parties and
any personal data is collected; organisations, all such practices should be
• what the information is used for and made known in the PPS.
any disclosure of the information to
other parties. R DPP4(1): Protection measures: Data users
are advised to state in the PPS how they
The PPS should also state whether the ensure the security and confidentiality of
website allows access by users who do the personal data collected. For example,
not accept cookies, and what loss of if the data user has adopted protective
functionality (if any) would result from not measures such as restricting access of
accepting cookies5. personal data to relevant employees on a
“need-to-know” basis, providing relevant
R DPP2: Retention of personal data: The training to the employees to handle
PPS may state, in general terms, for how personal data properly and applying
long the personal data will be retained. If encryption to personal data when
a data user provides online facilities that necessary, it is a good practice to state
allow a data subject to make a deletion such measures in the PPS. This assures
request or directly delete his or her data subjects that their personal data is
account or personal data held by the data duly protected.
user, the PPS should give details such as
how it is done and whether the personal R DPP4(2): Outsourcing arrangements: If
data or account so deleted is permanently a data user engages service providers 6
removed from the system. to handle or process personal data (such
as IT contractors, agencies for clearing
R DPP3: Handling of sensitive personal payments, survey software/agencies,
data: If a data user collects sensitive website analytics service provider,
personal data (health, finance, location, confidential documents disposal service
etc.), the data user should explain how agents etc.), the PPS should, as a matter of
it uses, processes, handles and transfers good practice, state clearly what personal
such data. The data user should also make data will be transferred to such third-
it clear in the PPS whether data subjects parties and how such third-parties will
have the choice to have such personal ensure protection of the personal data
data held by the data user erased and collected.
express their choice not to have the data
shared or transferred.
5
Data users may refer to our Information Leaflet on “Online Behavioural Tracking” issued by the Commissioner.
http://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf
6
A service provider includes a person who processes personal data on behalf of a data user, and does not process the data for any
of his own purposes. Data users may refer to the Information Leaflet on “Outsourcing the Processing of Personal Data to Data
Processors” issued by the Commissioner.
http://www.pcpd.org.hk/english/publications/files/dataprocessors_e.pdf
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 7 July 2013
R DPP5: Transparency: If an organisation Recommended good practices – format of PPS
does not collect or use personal data R User-friendly language and presentation:
obtained from or about individuals, The PPS should be easily understandable
they should make this practice known and readable, taking into account factors
through a PPS to assure the public of such as content, font size, language used.
its commitments. This is particularly
important when individuals believe R Layered presentation: If the privacy
or suspect their personal data is being policies and practices of a data user is so
collected or used. For example, in the complex that it requires a lengthy PPS,
case of individuals using an organisation’s the data user may consider using proper
smartphone app, browsing its website, headings and adopting a layered approach
or visiting its premises that have CCTV in presentation. With this approach, a
cameras installed. Individuals may assume key statement in easily understandable
that their personal data is collected under language is presented to data subjects
these circumstances and if they do not see in the first instance, and more in-depth
relevant information in the PPS about how explanation is made available as a
the organisation handles their personal second-layer document. If a data subject
data, they may lose their confidence in wishes to learn more about a specific
the organisation. aspect of the data user’s policies or
practices, he can follow links (for online
version) or references (for printed version)
R DPP6: Access and correction: In the and move to the more detailed second-
interest of transparency, a data user is layer document for answers.
advised to state in the PPS its policy
on handling data subject’s requests to
access and to correct their personal data Office of the Privacy Commissioner for Personal Data,
held by the data user. It should include Hong Kong
Tel: (852) 2827 2827
information on how a data user prefers to Fax: (852) 2877 7026
receive such requests (e.g. the requester Address: 12/F, 248 Queen’s Road East, Wanchai,
needs to use the form 7 prescribed by Hong Kong
Website: www.pcpd.org.hk
the Commissioner); what the data user Email: enquiry@pcpd.org.hk
requires in order to be satisfied that the
requestor is properly authorised and Copyrights
entitled to make the request 8 ; and the Reproduction of all or any parts of this guidance is permitted
on condition that it is for non-profit making purposes and an
amount payable9, if any. acknowledgement of this work is duly made in reproduction.
7
The data access request form, OPS003, which can be downloaded from the Commissioner’s website.
http://www.pcpd.org.hk/english/publications/files/Dforme.pdf
8
Reference can be made to the Guidance Note on “Proper Handling of Data Access Request and Charging of Data Access Request
Fee by Data Users” issued by the Commissioner.
http://www.pcpd.org.hk/english/publications/files/DAR_e.pdf
9
Any fee charged by the data user for compliance with a data access request must not be excessive.
Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement 8 July 2013