Legal Protection of Digital Property
PhD(Computer Science) LLM(Intellectual Property) Department of Computer Science
Legal Protection of Data
• confidential information, trade secrets
– protected by common law of confidentiality
• official secrets
– Official Secrets Ordinance (Cap 521)
– National Security Law in HK (if involves collusion with foreign country/organisation)
• personal data
– Personal Data (Privacy) Ordinance (Cap 486)
Personal Data (Privacy) Ordinance, Cap 486
• enacted in August 1995 to protect the privacy of individuals in relation to personal data
• much influenced by the OECD Guidelines and the European Directive
NB. Not about personal privacy but data privacy!
Key Terms: s.2
• “data” = any representation of information (including an expression of opinion) in any document, and includes a personal identifier
NB. The data must be recorded in a document. Verbal information or information kept merely in human memory is not data.
• “personal data” = any data
– relating directly or indirectly to a living individual; (“attribution”)
– from which it is practicable for the identity of the individual to be directly or indirectly ascertained; (“identification”) and
– in a form in which access to or processing of the data is practicable (“retrievability”)
NB. Does not cover data relating to legal persons such as corporations.
• meaning of “relating” to an individual
– Durant v Financial Services Authority [2004] FSR 28 (CA)
» not all information retrieved from a computer search against an individual’s name or unique identifier is personal data
» whether or not information is “personal” depends on its relevance or proximity to the data subject
» personal data must affect data subject’s privacy, whether in his personal or family life, business or professional capacity
» 2 useful pointers:
whether the information is biographical in a significant sense ie. not mere record of a person’s involvement in an event with no personal connotations
whether the information is one of focus ie. has the data subject as its focus rather than some other person or event in which he is involved
• “practicable” = “reasonably practicable”
– question of degree depending on nature of the data and resources of the data user
NB. Data need not be computerised.
NB. Data must be in a form (physical shape, structure, type etc) which enables practicable access or process.
• “processing” includes “amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise”
• “use” includes “disclose or transfer the data”
– “disclose” includes disclosing information inferred from the data
NB. HKID number alone may not be personal data. But HKID number publicly displayed has the risk of being passed to someone who has the means of ascertaining the data subject ie. becomes personal data!
NB. In addition, HKID number may be used as a key for searching other data which, when combined with HKID number, is likely personal data.
• code of practice on ID card number and other personal identifiers – compliance guide for data users: (*RR)
– always consider less privacy-intrusive alternatives to collecting HKID number wherever practicable;
– check whether collection of HKID in the circumstances is authorised by law;
– should not publicly display HKID number and name together;
– should not issue any card bearing HKID number (except driving licence);
– ……
Q: Is exam script personal data? If so, of whom? (*RR: Privacy Commissioner’s Report R08-10578)
Cf. “Retention of and access to examination-related personal data” under HKU’s “Notice to Students sitting University Examinations”.
Persons Affected
• “data subject” = the living individual who is the subject of the data
• “data user” = the person who, either alone or with others, controls the collection, holding, processing or use of the data
NB. Crucial is “control”. The data user need not have any right to use the data.
• s.2(12): a person is not a data user in relation to personal data if he holds, processes or uses the data solely on behalf of another person if, but only if, he does not hold, process or use the data for his own purposes
NB. Most relevant to data processing centres and employees. But note that s.2(12) does not mention “collection”.
Data Protection Principle 1 (DPP1): Sched 1
1. Personal data shall not be collected unless
– for a lawful purpose directly related to an activity of the data user;
– the collection of data is necessary for or directly related to that purpose; AND
– the data are not excessive in relation to that purpose
2. means of collection must be lawful and fair
NB. “Unfair” = unfair to the data subject, including whether the means is within the reasonable expectation of the data subject eg. deception, coercion, covert recording, taking pictures of individuals in private premises from outside using long-focus lens.
3. if data collected from the data subject, he must be informed
– whether it is obligatory to supply the data;
– purpose of use and classes of potential recipients; AND
– before 1st use of data, his access and correction rights and the contact for handling such requests
NB. Condition 3 not applicable if compliance with it would likely prejudice the purpose for which the data were collected and that purpose is exempted from DPP6 under Part VIII ie.
– data collected for news activity, or
– data collected for law enforcement (more later).
Q: Is taking a picture of someone without having obtained consent and publishing it on newspaper a breach of DPP1?
Cf. Eastweek v Privacy Commissioner [2000] 1 HKC 692 (*RR)
– collection of personal data must be for compiling information about an identified person OR a person whom the data user intends to identify
• personal data should be kept accurate
• if reasonable grounds for believing that data is inaccurate
– must not use the data until rectified, or
– erase the data
• if practical to know that data disclosed to 3rd party was inaccurate at time of disclosure
– must inform the 3rd party, and
– provide particulars to the 3rd party to enable rectification
• personal data should not be kept longer than is necessary
NB. s.26 imposes a duty on data users to erase personal data held if they are no longer required for the purpose for which they were used unless
– such erasure is prohibited under any law (cf. Inland Revenue Ordinance requirements); or
– it is in the public interest (including historical interest) for the data not to be erased
• personal data shall not, without the prescribed consent of the data subject, be used for a new purpose ie. any purpose other than
– the purpose for which they were to be used at time of collection; or
– a directly related purpose
• “prescribed consent”: s.2(3)
– express consent given voluntarily
– excludes consent withdrawn by notice in writing
NB. “Prescribed consent” need not be in writing!
NB. “Prescribed consent” not exactly the same as “consent” in direct marketing (see later notes).
Q: How do DPP1 and DPP3 operate when a data user obtains personal data from another data user?
• a “relevant person” (eg. parent of a minor, guardian of a mentally incapacitated: s.2(1)) may give prescribed consent on behalf of the data subject if he has reasonable grounds for believing that use for the new purpose is clearly in the interest of the data subject: DPP3(2)(c)
NB. Even with prescribed consent from the relevant person, data user must not use personal data for the new purpose unless has reasonable grounds for believing that such use is clearly in the interest of the data subject: DPP3(3).
E1: Bank X collects data from an individual Y who is advised that the data purpose includes processing of his application and servicing of his accounts at the bank. X then transfers the data to a credit reference agency Z for advice on Y’s creditworthiness.
E2: Similar to E1. Z transfers the data to an insurance company W.
Recommended Reading
• Code of Practice on ID Card Number and Other Personal Identifiers – Compliance Guide for Data Users
• Privacy Commissioner’s Report R08-10578
• Eastweek v Privacy Commissioner [2000] 1 HKC 692