3. Do the Data Protection Principles apply to the outsourced processing of personal data?

It is an increasingly common practice for data users to outsource and entrust personal data processing to third parties. There has also been an increasing number of personal data leakage incidents during the outsourced processing of personal data, which may have caused substantial and irreparable damage to the affected data subjects.


All the data protection principles apply to the processing of personal data by a third party. Under the Ordinance, where personal data is entrusted to a data processor, a data user is liable as the principal for any act done by its authorised data processor.


The Amendment Ordinance 2012 provides enhanced protection by amending DPP 2 and DPP 4. With effect from 1 October 2012, additional obligations are imposed on a data user which engages a data processor, whether within or outside Hong Kong, to carry out data processing on that user’s behalf. The data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data (DPP 2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the data (DPP 4(2)).


Data processor means a person who:


  1. processes personal data on behalf of another person; and
  2. does not process the data for any of the person’s own purposes.

Please read the PCPD’s leaflet for more details on the new obligations.


With the rapid advancement in information and communication technologies (ICT) and the popularization of outsourcing the processing of personal data, the collection (other than from the data subject directly) and dissemination of personal data have become much easier. This also makes it easier for data subjects to suffer damage if a person, whether or not entrusted by the data user, intentionally discloses the personal data obtained from a data user. In view of the seriousness of any intrusions into personal data privacy and the gravity of the harm that may be caused to the data subjects, the Amendment Ordinance 2012 creates a new offence to combat the disclosure of personal data obtained without the consent of the data user under certain conditions.


Under section 64, it is an offence for any person to disclose any personal data of a data subject obtained from a data user without the data user’s consent:


  1. with the intent to obtain gain in money or other property, whether for the benefit of the person or another person; or
  2. with the intent to cause loss in money or other property to the data subject.

The maximum penalty is a fine of $1,000,000 and imprisonment for five years.


Also, doxxing acts, which commonly involve gathering and disclosure of the personal data of target persons on the internet or other open platforms, have become rampant in recent years. The Personal Data (Privacy) (Amendment) Ordinance 2021 was thus passed by the Legislative Council to criminalise doxxing acts, empower PCPD to carry out criminal investigations and institute prosecutions for doxxing and related offences, as well as confer on PCPD statutory powers to demand the cessation of disclosure of doxxing contents. 


Please go to Part VII for more information on doxxing-related offences.