Telephone: (852) 2500 6400

Personal Data (Private) Ordinance – Misused Shield or Unwarranted Fear against Data Request?

published in the 2020 Yearbook of Chartered Institute of Housing (Asia Pacific Branch)

By K.Y. Kwok and Harold Chiu of Li, Kwok & Law, Solicitors & Notaries

Many property managers may have received inquiries from potential claimants concerning the identities and personal data of certain owners, occupiers or visitors of the building in order to pursue their claims.   For instance, an owner may sustain injuries due to the negligence of a delivery worker or courier in the building, and would like to seek damages against him or his employer. An occupier of a unit may want to restrain his neighbour from committing nuisance caused by water leakage or noise against him. Very often, the identities of the wrongdoers are not known to the claimants, but they may be known to the property manager who has recorded the identities of the delivery worker when he enters the building as a visitor, or is keeping a record of all the owners and occupiers of the building.

The usual concern the property manager may have when facing a request for data disclosure is whether disclosure may be in breach of the provisions of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), particularly the Data Protection Principles (“DPP”) contained in the Schedule to the PDPO which may carry legal consequences. This article aims at discussing generally the legal issues involved and the appropriate measures the property manager should adopt when being faced with requests of the kinds mentioned above.

What is “Personal Data”?

Under section 2 of the PDPO, “personal data” means any data relating directly or indirectly to a living individual, from which his or her identity can practicably be ascertained either directly or indirectly. It refers to data kept in an accessible form and can be processed. Accordingly, the name, address, HKID number, telephone number, photo, CCTV records etc. of a living person all fall within the definition of “personal data”. For example, in Eastweek Publisher Limited v. Privacy Commissioner for Personal Data (2000), the Court of Appeal held that a photo of a person is his personal data. Therefore, it is clear that CCTV footages capturing the image of someone will also be personal data of that person, as they would assist in identifying the person concerned.

To cite an example, when a courier or a delivery worker from Deliveroo or Wellcome Supermarket delivers food or goods to an occupier of a building, it is a common practice for managers of the building to record his personal data like name and identity card number in the visitors’ logbook for records before entry into the building is permitted. Further, the CCTV may be capturing his appearance and actions. All these may come within the definitions of “personal data” within the meaning of the PDPO

Collection and Use of Personal Data

Under Data Protection Principle 3 in Schedule 1 to the PDPO (“DPP3”), personal data shall only be used for the purpose for which the data was to be used when they are collected without the prescribed consent of the data subject. When the security officer of a building collects an incoming delivery worker’s personal data, the worker may not have been told that his data will be disclosed to a potential claimant. In such case, question may arise as to whether the data is being used not for the purpose for which it is collected.

It should be noted that in the said Eastweek case, the Court of Appeal also held that the mere taking of a photo of a lady in the street (and subsequently publishing it in the magazine with comment on her attires) was not “collecting” her personal data, as the reporter were acting without knowing or being interested in ascertaining the lady’s identity. The court also gave an example of a photo being taken of the crowds in the racecourse and published in the newspaper.    Although any person knowing someone appearing in the photo would recognize him, that would not mean taking the photo was an act of collecting that someone’s personal data.

Applying that principle, installing CCTV for general security purpose not aiming at recording the images and activities of any particular person may not be “collecting” the personal data of any persons, and it may further be argued that the subsequent use and disclosure of the information so collected may not be subject to DPP3, as the manager is not using personal data they have “collected”. Notably, the Privacy Commissioner for Personal Data (“Commissioner”) has apparently taken a different view in this regard.   In the FAQ section of their official website, while admitting that to constitute the act of “collecting” personal data, “there should be compilation of information about an individual, whose identity must have been identified by the data user”, they went on to say that if “the data user intends or seeks to identify the identity of the individual”, he will also be “collecting personal data”. They gave an example that “after a special incident has happened, the Authority concerned may need to review the video records for the purpose of ascertaining the identity of persons involved in the incident and it may amount to collection of personal data”. As such, the Commissioner appears to take the view that in our example of deliveryman, any disposal of the CCTV footage after the review may amount to “use” of personal data “collected” (i.e. by the review) and hence subject to DPP3. The Commissioner recommended posting a notice at a prominent position near the CCTV camera stating that the area is being monitored, the purposes of monitoring, as well as the ways of handling the records etc.. There are also other recommendations relating to the use of CCTV as security measures in the “Guidance on CCTV surveillance and Use of Drones” published by the Commissioner which many experienced property management practitioners might have been familiar with.

On many occasions, the identity of the wrongdoer is already known to the property manager without resorting to the video records.   In the example of deliveryman given above, such data might well have already been recorded in the logbook of the management office. Reviewing the CCTV records, therefore, may well be for other purposes like collating evidence of the tortious acts in question.    Even if the video records are reviewed to ascertain the identity of the potential defendant, it is perhaps arguable whether this would amount to “collection” of personal data and hence its subsequent “use” will be subject to DPP3. One would argue that a person may not be “collecting” something he is already possessing in the same way that I cannot be collecting money already in my pocket. Further, if the act of installing a camera for general security purpose is not “collecting” personal data, it is difficult to see why the information recorded may not be used for that purpose without any artificial concept or obstacle of “collecting data by reviewing what has been collected” stepping in. This may largely defeat the original purpose of installing the CCTV. Nevertheless, in the absence of clear legal authorities in support, very few property managers will prefer taking any risk by supplying CCTV footage captured to a third party on the basis that they are not “using” any personal data they have “collected”.

To reduce the risk of any challenge by the Commissioner, property managers may consider following their recommended practice of giving notices. In our example of the careless deliveryman, however, that would involve expressly stating in the notice put up in the building that any personal data recorded by the CCTV will be supplied to potential claimants to pursue their claims. The content of the notice may sound quite complicated especially when it is sought to include all possible uses of the information captured. There will also be the argument of whether the content of the notice has been sufficiently brought to the attention of the data subjects concerned when it is complicated and lengthy.   The same observations may apply to visitors filling in the logbook of the management office upon entering a building, as they may be expressly told all possible uses that may be put to their personal data, including passing them onto any potential claimants. However, again, the content of the notice will be quite complicated and this is not frequently adopted in practice.

Legal Consequence for contravening PDPO

In case of contravention of the PDPO, section 50 empowers the Commissioner to issue an enforcement notice and direct the data user to remedy and prevent similar future contravention. Non-compliance with the enforcement notice is a criminal offence and the offender is liable for penalty and imprisonment of 2 years.    Besides, section 66 of the PDPO provides that an individual who suffers damage as a result of any breach of DPP3 etc. shall be entitled to compensation from that data user for any damage caused, including damages for injury to feelings. The Commissioner may also publish openly their conclusion after investigating into a particular case, which may not be conducive to the corporate image of a reputable property management company if the outcome is not that favourable.

In view of those possible adverse consequences, understandably property managers are inclined to adopt a blanket policy to decline all information requests (be it visitors’ data in logbook or CCTV footage) whenever such information may fall within the ambit of personal data.


However, the exemptions to DPP3 under the PDPO ought not to be overlooked. Section 60B of the PDPO provides that personal data is exempted from the provisions of DPP3 if the use of such data is (i) required in connection with any legal proceedings in Hong Kong; or (ii) required for establishing, exercising or defending legal rights in Hong Kong. Further, section 58(2) of the PDPO also provides that the restriction contained in DPP3 is exempted if the use of the data is for inter alia remedying unlawful or seriously improper conduct, or dishonesty or malpractice.

In the case of Lily Tse Lai Yin v. Incorporated Owners of Albert House and Others (1998) (the famous or indeed notorious case of 添喜大厦), after a tragic incident of the collapse of a canopy of Albert House in Aberdeen which caused injuries and death, the Plaintiffs were seeking disclosure of relevant witness statements taken by the Police to assist in their claim for compensation. However, the Police declined disclosure due to DPP3. The Court held that it has “no hesitation” that the exemption under section 58(2) of

the PDPO applies, and ordered the Police to make the disclosure.    The Court also hoped that the authorities “will no longer have to live with the shadow previously cast over them by the [PDPO] when being requested for witness statements by parties involved in personal injuries litigations arising out of the same accident”. Twenty two years have passed since then. Even if the Police may no longer be living with such shadow as discussed below, some other people like property managers and their legal advisors may still be.

After the said Lily Tse case, the Police would voluntarily make disclosure of personal data (including the name and address) of the potential defendant to intended claimants who are victims of traffic accidents even without any court order, and even though the potential defendants might not have consented to it. It is difficult to see any reason warranting different treatment between victims of tortious acts committed inside a building or housing estate and victims of road traffic accidents in such regard, as the legal basis allowing voluntary disclosure is the same (the statutory exemptions under sections 58(2) and 60B as discussed above). After all, Lily Tse’s case is also a claim for negligence or occupier’s liability concerning maintenance of a building, with the defendants including its owner, occupier, manager and owners’ corporation.

Even after Lily Tse’s decision, in cases other than traffic accident, there might still be refusal for disclosure of personal data by the Police which had attracted the Court’s criticism.   In Chan Chuen Ping v. The Commissioner of Police (2013), a potential claimant was struck by a wheelchair being pushed by an unknown person in Tai Po Central Town Square. When the victim requested for disclosure of that unknown person’s personal data, the Police again relied on the PDPO to decline her request so that the claimant has no choice but to apply for a court order. The High Court (i.e. Court of First Instance) emphasized that the PDPO has been “misconstrued and misunderstood by many as that the law encourages secretiveness and lack of cooperation, but failing to understand that its purpose is to protect data where necessary, not to obstruct across the board”. The Court quite severely criticized the Police’s refusal to the data request and forcing the claimant to apply for a court order as “obstructing the proper efficient and fair administration of justice” and “a waste of administrative and judicial resources”, which must not happen again.      It reiterated that as the potential claimant was taking steps to remedy a civil wrong (unlawful conduct), acceding to her data request falls well within the exception of “remedying of unlawful conduct” under the PDPO.

Applying those decided cases, if the circumstances are reasonably clear that a potential claimant does have a genuine claim against another person, but the identity and address of the person he intends to pursue against is unknown without the personal data kept by the property manager, acceding to the claimant’s request for disclosure may fall within the statutory exemption under the PDPO discussed above. There would unlikely be any serious risk that the data subject could successfully claim against the property manager by alleging any contravention of the PDPO.

Some property managers may question how they would know whether the person requesting for the personal data has a genuine claim. Of course, the intended claimant should supply some basic information to justify his request, including identifying the incident in question and explaining why he has a claim as well as the relevance of the information sought. Once this is done, however, on many occasions the property manager may come to a sensible and reasonable judgment on whether to accede to the request without the slightest difficulty.    There are instances when the wrongful acts in question have been clearly witnessed or even recorded. For example, we have been involved in a case in which an elderly person was hit by a hand cart and suffered from bone fracture while entering a lift of the building. The hand cart was at that time pushed along by a delivery worker whose identity was unknown to the victim (subsequently known to be employed by a local well-known online shop).   The accident was witnessed by the watchman stationed at the Ground Floor lift lobby and was also recorded in the CCTV installed in the lift. The identities of the workman and his employer had also been recorded by the management office when he entered the building. Under such circumstances, it should be quite apparent that the victim did have a bona fide claim. Any request for disclosure of the personal data of the potential defendants (e.g. names of the worker and his employer) to enable him to take legal action should be exempted from the operation of the DPP3 by virtue of sections 58(2) and 60B discussed above, and if it is exempted, it will be difficult for the manager to justify his refusal to make disclosure.

Moreover, the property managers are employed and paid by the owners to manage the buildings.   They are possessing the personal data of the visitor as agent for and on behalf of all owners. In the above example, the victim is an owner or family member of an owner of the building in which the accident happened. It would be really anomalous if the manager could refuse disclosure made by an injured owner or occupier for whose interest they should protect. It may indeed be a breach of the duty owed by the manager to the owner if disclosure is refused.

Another common example is when an owner complaining of nuisance like noise or water leakage in a building caused by his neighbour. The property manager may be faced with a request made by one owner to disclose the data like the identity of the occupier (not the owner whose name may appear in the records maintained in the Land Registry) causing the nuisance to enable legal action to be taken. There may also be cases where the precise source of the nuisance and the identity of the culpable owner cannot be identified (e.g. the precise flat from which some bad odour originates or the identity of the owner of a dog attacking or causing nuisance to the residents in a building). The initial complaint of nuisance is often made to the management office who has investigated into the matter for some time, and should be fully aware whether the owner has any bona fide claim.

In the examples given above, the manager may indeed have a duty to take action to abate the nuisance if the Deed of Mutual Covenant (“DMC”) contains the usual provision that an owner shall not cause nuisance, annoyance etc. to the other owners or occupiers of the building, as it is likely the manager’s duty to enforce the DMC even though the nuisance does not occur in the common parts. Successful legal action was taken by the manager in such a case in MTR Corporation Ltd v. Cheung Ching Kin (2015) where complaints were made by various flat occupiers against noise produced from a flat often at small hours repeatedly, although the nuisance, like many water leakage cases, did not occur in the common parts of the estate. Indeed, failure or refusal by the manager to take appropriate action may entitle the innocent owner to obtain an injunction compelling it to take action, as it is both the power and duty of the manager to enforce the DMC, see Law Bik Ling, Milly v. Kai Shing Management Services Ltd (2010). Strange enough, we have seen quite a few property managers, for reason best understood by themselves, think that they can simply keep their hands folded and refuse to do anything whatever to assist the innocent owner (whether to make disclosure of personal data or take legal action to abate the nuisance) simply because the nuisance occurs inside a unit and not the common part of the building. Of course, where nuisance does occur at the common part, the owners’ corporation or the manager will also be obligated and empowered to take action to abate the nuisance under section 34I(1)(b) of the Building Management Ordinance (Cap. 344).

Court Order to Disclose Personal Data

That said, the law may not have imposed a positive obligation on the part of a data user (not being a manager owing legal duties to the owners as discussed above) to accede to a data request no matter how reasonable it is and when the disclosure is clearly exempted by the PDPO. Many property managers are simply reluctant to make voluntary disclosure of personal data for no legal reason. What they would normally do is to wait until the potential claimant has obtained a court order compelling their disclosure before doing so (commonly known as Norwich Pharmacal Order).

If the potential claimant does apply for such an order, the property manager will normally remain neutral to such an application and neither consent to nor resist the application. The usual cost order of a Norwich Pharmacal application is that the applicant will have to pay the cost of the manager who has not committed anything unlawful, but only an innocent party involved in the tortfeasor’s wrongdoing. Such a usual cost order often encourages the manager to remain uncooperative to a reasonable and lawful request for disclosure because they will likely have their legal cost reimbursed for taking such a stand.

In the case of Able Force Freight Ltd v. East Sun Estate Management Ltd (2010), the District Court decided that so long as the party required to make disclosure has a genuine doubt on whether the applicant is entitled to the information, or worried that it might be sued or suffer damage etc., that party can still ask the requesting party to pay its legal costs.

The said Chan Chuen Ping case was decided otherwise, where the Department of Justice was ordered to pay the costs of and occasioned by the application for disclosure which included the costs of six of the seven letters the Applicant’s solicitors had written to the Police and of considering their replies. The Court opined that it would be “patently unfair” to ask the claimant to pay the legal costs, when the Police’s refusal to the data request was considered so unreasonable as amounting to obstructing the proper efficient and fair administration of justice.

Besides, in the recent case of Leung Yiu Ting v. MTR Corporation Ltd (2020), while endorsing the general principle of Totalise plc, the Court of First Instance held that if a party has taken an adversarial stance in an application of Norwich Pharmacal Order upon him, this is a factor which the court can take into account on costs. Therefore, without any good reason or legal justification suggesting otherwise, the property manager should remain neutral and adopt a passive role when faced with a Norwich Pharmacal application.

Another 10 years have lapsed since Able Force was decided. The effect of the exemptions under the PDPO discussed above has become clearer than ever. Wilful refusal to accede to a request for disclosure when there is plainly no legal risk involved may well attract negative judicial comment with consequences like unfavourable cost order or adverse public image. Further, a property manager may also owe the owners a duty to enforce the DMC. If the manager neither does so nor disclose the personal data of the potential defendant to an owner intending to pursue a claim, the manager will be compelling the claimant to turn to sue him instead, and the manager will unlikely receive any sympathy before the court under such circumstances. Therefore, the manager has to look at each request carefully on a case-by-case basis with the above legal principles in mind, rather than adhering to a rigid policy of requiring any request for disclosure to be accompanied by a court order before it will be dealt with.

“This article is for general reference only and should not be acted upon in any actual case. Further, the information contained in the article may not be updated. The readers should consult their solicitors for legal opinion.”