GF 323
#
CONFIDENTIAL
10 -
機密
flow of information between peoples regardless of frontiers. Under this Convention, the contracting member states undertake to give effect to the data protection principles in their domestic law. Member states in their domestic law may prohibit trans-border data flow to the territories of non-contracting states but this is not compulsory under the Convention. The UK Data Protection Act 1984 was enacted to enable the United Kingdom to ratify the Convention. Section 12 of the UK Act deals with trans-border data flow and provides that if it appears to the Data Protection Registrar that a data user proposes to transfer personal data to a non-contracting state, and the Registrar is satisfied that the transfer is likely to contravene or lead to a contravention of the data protection principles, he may serve a transfer prohibition notice. However, in deciding whether to do so, the Registrar must consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between the United Kingdom and other states and territories (section 12(4)). There is as yet no indication as to how Hong Kong will be affected by the UK Act or the domestic laws of other countries. It is acknowledged, however, that the likelihood of concerted action on the international front may increase as more countries introduce data protection legislation, and this developing situation requires to be carefully monitored. At present, the possibility of a denial of trans-border data flow to Hong Kong seems remote.
Conclusion
21.
Having given careful consideration to the issue, the majority of the Working Group members have taken the view that, on the evidence presently available, the need for legislation concerning data protection in Hong Kong has not yet been established. The Group, therefore, generally considers that initially, the voluntary compliance approach without legislation should be adopted. It is recommended that Government should publish suitably amended principles and guidelines which it has endorsed for use within the public sector as a Data Protection Code of Practice and that the private sector should be encouraged to adopt and comply with the same. Government should then indicate its willingness to accept any reports of non-compliance from the public. authority would be designated to act as a repository for receiving complaints and, even without the backing of legislation, to investigate them where appropriate and so far as it was able. Government would continue to monitor the effectiveness or otherwise of this approach, and both the guidelines and the Code of Practice would be reviewed one year after this report is endorsed and implemented by Government. If legislation were later considered necessary, further action would be taken.
CONFIDENTIAL ##
機密
Page 90Page 91
GF 323