The Privacy Commissioner has issued a consultation paper on the implementation of a data user return scheme. The Personal Data Privacy Ordinance already provides that the Commissioner may specify a class of data users and require them to submit data user returns to him. However, the relevant provisions have never been invoked, until now.
The scheme will require data users to submit an annual return setting out the personal data they control and the purposes of collection or processing of such data. It is hoped that the scheme will lead to greater accountability and transparency of data protection practices as well as enhancing data privacy protection standards.
The Commissioner will keep a register of data users, which will contain all the information submitted annually. The register will be open to the public for inspection. Data subjects will be able to access the information on how their personal data is being handled and can compare the practices of different data users. Data users may voluntarily provide additional information to show their commitment to the protection of the personal data of their customers.
It will be an offence for any data user to knowingly supply false or misleading information. The penalty will be a fine at level 3 (currently at HK$10,000) and imprisonment of up to six months. It will also be an offence not to submit a return or to submit it late.
The scheme will initially cover:
These sectors have been selected because of the large amount of sensitive personal data under their control and the relatively high number of complaints in these areas. Also, it is common practice in these sectors to transfer personal data to third parties for marketing or other purposes.
The Privacy Commissioner intends to finalise the framework of the scheme by the end of 2011 and the scheme will commence operation in the fourth quarter of 2012. The first data user returns may have to be submitted by the second half of 2013.