Privacy and Data Protection Policy and Practices
The protection of privacy in relation to personal data is the concern of every person in the Equal Opportunities Commission (EOC) Office. We respect personal data and are committed to fully complying with the data protection principles and all relevant provisions of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) which apply to any person (data user) that controls the collection, holding, processing or use of personal data and any person (data subject) who is the subject of such data.
Definition of Personal Data
Personal data means any data relating to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained and in a form in which access to or processing of the data is practicable. Personal data covers both factual information and expressions of opinions contained in any document, including documents in writing and other forms of documents, such as discs, tapes, films and other such devices.
The following data protection principles will be observed.
- Principle 1 - Purpose and manner of collection
Personal data will be collected for a lawful purpose directly related to a function or activity of the EOC Office. Only data which is necessary for or directly related to that purpose will be collected and the EOC Office will ensure that the data is adequate but not excessive. The collection will be lawful and by fair means, and all practical steps will be taken to ensure that the data subject is informed of the purpose of its collection, whether the data subject is obliged to supply the data, the consequences of not supplying the data, the class of persons to whom the data may be transferred, the rights of the data subject to request access to and/or correction of the data and the name and address of the person to whom such request may be made.
- Principle 2 - Accuracy and duration of retention
All practical steps will be taken to ensure that personal data is accurate and up-to-date. Personal data shall not be kept longer than is necessary to fulfil the purpose (including any directly related purpose) for which the data is to be used.
- Principle 3 - Use of personal data
Data subjects are assured that without their prescribed consent, their personal data will not be used for any purpose other than the purpose designated at the time of collection or a directly related purpose.
- Principle 4 - Security of personal data
All practical steps will be taken to ensure that personal data are protected against unauthorised or accidental access, processing, erasure or other use.
- Principle 5 - Information to be generally available
All practical steps will be taken to ensure that a person can ascertain the EOC Office’s policies and practices in relation to personal data, the kind of personal data held by it and the main purposes for which such data are held or are to be used.
- Principle 6 - Access to personal data
A data subject is entitled to ascertain whether the EOC Office holds his/her personal data and to request access to and/or correction of his/her personal data.
Kinds of Personal Data Held
There are three broad categories of personal data held in the EOC Office. They are personal data contained in:
A. Records of public enquiries & complaints related to anti-discrimination legislation, which include records containing information supplied by data subjects and data users and collected in connection with the handling of enquiries, complaints, investigations, conciliation, legal proceedings and other related activities pursuant to the EOC’s statutory obligations under the relevant provisions of the Sex Discrimination Ordinance, Cap. 480 (“SDO”), the Disability Discrimination Ordinance, Cap. 487 (“DDO”), the Family Status Discrimination Ordinance, Cap. 527 (“FSDO”) and the Race Discrimination Ordinance (“RDO”).
B. Personnel records, which include personal details, job particulars, details of salary, payments, benefits, performance appraisals, disciplinary matters, etc. of every person employed with the EOC Office and of applicants to the posts of the EOC Office.
C. Other records, which include administration and operational files, papers and minutes of meetings, quotations and prices of purchased stores and equipment, proposals and contracts for services and consultancy services, etc., of which the personal identity of individuals can be ascertained.
The records described in A above are maintained by either the Complaint Services Division or the Legal Service Division. The records described in B and C above are maintained by the Corporate Planning and Services Division.
Main Purposes of keeping Personal Data
Personal data held in:
- Records of public enquiries & complaints related to anti-discrimination legislation are kept for the purposes of carrying out the statutory duties, including responding to and taking follow-up action on enquiries and complaints, conducting investigations and undertaking conciliation between the parties concerned, and commencing legal proceedings and taking any enforcement action;
- Personnel records of employees are kept for human resource management purposes, relating to such matters as recruitment, appointment, benefits administration, employees’ compensation, termination, performance appraisal, discipline and the like; and
- Other records are kept for various purposes which vary according to the nature of the record, such as administration of the EOC Office functions and activities, seeking advice on policy or operational matters, procurement of stores and equipment, acquisition of services, etc., and such records contain personal identifiers (e.g. minutes of meetings attributing views of individual members).
Access to Personal Data and Correction
The EOC Office recognises an individual’s right of access to and correction of personal data in accordance with the PDPO. To ensure compliance with the PDPO, data access and correction requests to the EOC Office are handled by:
- Director (Complaint Services) and the Chief Legal Counsel for personal data held in records of enquiries and complaints in respect of anti-discrimination legislation in their respective areas of work, and
- Director (Corporate Planning and Services) for personal data held in all other records.
Any request for access to personal data and correction should be made in writing to the division head concerned. All requests will be promptly attended to and the response will be made no later than 40 days after its receipt. For correction requests, a written confirmation together with a copy of the corrected personal data will be provided to the requestors after correction has been made. Where a request is refused, the requestor will be advised in writing of the refusal and the reason for refusal within 40 days after its receipt. Particulars of the refusal to supply data, refusal to correct data and the reasons for so doing will be recorded in the respective data protection log books. The log books will be kept for at least 4 years and available for inspection by the Privacy Commissioner for Personal Data. Any appeal on refusals of data access and/or correction requests should be directed to the Executive Director (Operations) / Chairperson who will advise on the appropriate action to be taken.
Exemptions to Access
The PDPO provides the following exemptions from the obligations to provide access to personal data:
- a broad exemption for personal data held for domestic or recreational purposes
- exemptions from certain employment related personal data, such as:
  - personal data relating to staff planning
  - personal data generated by certain evaluative processes, including a recruitment or promotion exercise, prior to a decision being taken and where an appeal can be made against such decision
  - personal data in a personal reference given outside the ordinary course of occupation; where the personal reference is given on or after 20 December 1996, the exemption is only up to the time the position is filled
  - personal data of current employees provided prior to 20 December 1996 on the basis that the data subject would not have access (such exemption from right of subject access expires on 3 August 2002)
- exemptions from subject access and use of personal data where disclosure is likely to cause prejudice to certain public or social interests, such as security, defence and international relations; prevention or detection of crime; assessment or collection of any tax or duty; news activities; legal professional privilege; and health of a data subject.
The following is maintained to ensure compliance with the PDPO:
- Two log books, as provided for in section 27 of the PDPO, are kept under lock in the Personnel Section of the EOC Office as follows:
  - one in respect of refusals of data access and/or data correction requests in relation to personal data held in records of public enquiries and complaints related to anti-discrimination legislation
  - one in respect of refusals of data access and/or data correction requests in relation to personal data held in all other records
- Internal operating procedures dealing with the handling of enquiries and complaints from the public related to anti-discrimination legislation, which include procedures for compliance with the PDPO and internal guidelines on dealing with personal data in relation to all other areas.
- Data Access Request Form for ascertaining and access to personal data held by the EOC Office.
The EOC Office will charge for each data access request a processing fee for complying with the request (see section 28(2) of the PDPO) as follows:
(i) HK$2.5 per page for paper record [1]; or
(ii) HK$55 for the simple production of a CD/CD-ROM/DVD/audio/video record [2]; or
(iii) HK$7 per minute of an audio record which may require editing work like redacting any personal data relating to a third party [3]; or
(iv) A variable fee based on lowest quotation for the production of a CD/CD-ROM/DVD/audio/video record which requires complicated editing work [4]; or
(v) A fee which varies according to the actual amount of audio recordings to be transcribed in the form of a transcript. The variable fee will be based on either
- (a) the direct and necessary costs of transcription to be done by appropriate EOC staff; or
- (b) the lowest quotation charged by a service provider hired by the EOC, whichever cost is lower [5].
The EOC may refuse to comply with a data access request unless and until any fee imposed by the EOC for complying with the request has been paid (See section 28(5) of the PDPO).
[1] For paper records, the processing work incurred by the EOC includes but is not limited to locating, vetting, sorting and redacting information and photocopying of documents.
[2] If the data access request requires processing of paper records and conversion of these records into files/records to be stored in a digital format such as CD-ROM, the processing fee will include both the fee for processing paper records and the processing fee of production of a digital format.
[3] If the audio record is requested to be stored in a digital format, the fee for the production of the specified digital format, i.e. item (ii) above, will also be charged.
[4] Where more complicated editing work like redacting the personal data not belonging to the data subject is required, and the work needs to be outsourced to a service provider, the processing fee will be based on the lowest quotation obtained by the EOC for work to be performed by a service provider hired by the EOC.
[5] If the transcription is requested to be stored in a digital format, the fee for the production of the specified digital format, i.e. item (ii) above, will also be charged.
The EOC may refuse to comply with Data Access Request(s) in the circumstances specified in section 20 of the PDPO.
Revised in November 2020