30 -
The Bill implements the majority of the recommendations of the Law Reform Commission, which were based on more than four years of work, including a thorough public consultation exercise. In common with such legislation elsewhere, the Bill gives statutory effect to internationally accepted data protection principles. These are set out in Schedule 1 to the Bill and provide for matters such as the fair collection of personal data and for data subjects to have rights of access and correction with respect to their personal data. In the main body of the Bill there are detailed provisions to enable individuals to obtain access to and seek correction of their personal data held by data users.
The Bill establishes' an independent statutory body, the Privacy Commissioner for Personal Data, to promote and enforce compliance with the legislation. The Privacy Commissioner is given powers to approve and issue codes of practice giving guidance on compliance with the Bill and to specify classes of data users required to submit annual returns on the kinds of personal data they hold and the purposes to which the data are put for compilation on a public register. The Privacy Commissioner also has suitable powers to inspect personal data systems and investigate suspected breaches of the Bill's requirements.
In order to strike an appropriate balance between the right of privacy and certain public and social interests, there are provisions for narrowly-defined exemptions from the Bill's requirements on providing access to personal data by the individual concerned and limits on the use of personal data to the purposes for which they were collected. The exemptions are linked to specific interests, such as security and defence in respect of Hong Kong, the prevention and detection of crime, the assessment or collection of taxes, financial regulation and news reporting.
The offences provided for in the Bill include an offence of non-compliance with an enforcement notice issued by the Privacy Commissioner. Provision is made for an individual who suffers damage as a result of a contravention of a requirement of the Bill to be entitled to compensation.
As I have mentioned, we agreed around thirty Committee Stage amendments with the Bills Committee. This clearly demonstrates the constructive and flexible attitude we have adopted in finalising the Bill. Many of the amendments have been put forward to meet specific concerns of outside parties who made submissions to the Bills Committee. For example, service providers in the information technology industry were concerned that they could be made liable for breaches of the Bill by their customers. To allay this concern, I will move an amendment that will make it clear that a person who holds, processes or uses personal data solely on behalf of someone else is not a data user in respect of that data. Hence, such a person would not be liable for contraventions of the Ordinance by the person who has ultimate control over the data concerned.
No comments yet.
Private notes are available after approval.