What is a matching procedure?

The Personal Data (Privacy) Ordinance (the Ordinance)
has a definition of "matching procedure". The
definition can be divided into four criteria for
determining whether a particular process of comparing
personal data is a "matching procedure". All four
criteria must be met before such a process qualifies
as a "matching procedure". The four criteria are
that:
- there is a comparison of two sets of personal
data, each of which is collected for different
purposes, e.g. one set of personal data
collected for purposes A and B and a second
set collected for purposes X and Y;
- each comparison involves the personal data
of 10 or more data subjects;
- the comparison is not carried out by manual
means, e.g. it is carried out by using a
computer programme designed and applied for
performing the comparison process; and
- the end result of the comparison may be used,
whether immediately or at any subsequent time,
for the purpose of taking adverse action
against any of the data subjects concerned.

What is meant by adverse action?

Adverse action
is defined in the Ordinance as any action that may adversely
affect an individual's rights, benefits, privileges, obligations
or interests, including legitimate expectations.

Why is consent needed?

Section 30 of the Ordinance provides that a matching
procedure may not be carried out unless one of the following
conditions has been met:
(a) all the individuals who are the subjects of the
data to be matched have voluntarily given express
consent to the matching procedure being carried out;
(b) the Privacy Commissioner has given consent under
section 32 of the Ordinance for the matching procedure
to be carried out;
(c) the matching procedure belongs to a class of matching
procedures which the Privacy Commissioner has specified
by notice in the Government Gazette as a class of
such procedures that may be carried out; or
(d) the matching procedure is required or permitted
by a provision of an Ordinance specified in Schedule
4 to the Ordinance.
The Privacy Commissioner has not specified any class
of matching procedures as a class of such procedures
that may be carried out (condition (c) above); neither
have any provisions of an Ordinance requiring or permitting
a matching procedure been specified in Schedule 4 to
the Ordinance (condition (d) above). Accordingly, if
someone wishes to carry out a matching procedure in
compliance with section 30, they must meet either condition
(a) or (b). That is, they must either obtain the express
consent of the individuals who are the subjects of the
data to be matched or seek the consent of the Privacy
Commissioner to carry out the matching procedure concerned.
Consent of the Privacy Commissioner should be sought
using a matching procedure consent application form,
which can be obtained from the Office of the Privacy
Commissioner for Personal Data at 12/F, 248 Queen's Road East, Wanchai, Hong Kong.

Are there any restrictions on the comparison of personal data which is not a "matching procedure"?

Such a comparison process
is not subject to the special requirements of the Ordinance
relating to matching procedures. However, it is subject
to the other general provisions of the Ordinance. For
example, data protection principle 3 in Schedule 1 provides
that personal data may not be used for a purpose other
than a purpose for which the data were to be used when
they were collected, or a directly related purpose,
unless the subject of the data voluntarily gives express
consent.

Can I seek consent to carry out a series of matching procedures?

Yes, so long as
there is no significant difference between the individual
procedures with respect to the details and supporting
case provided in Parts B and C of the relevant consent
application form.

What if the two sets of personal data are collected and used by the same organisation?

This is not relevant
so long as the four criteria detailed above for a matching
procedure are met. In other words, a comparison process
that meets all four criteria for a matching procedure
is a matching procedure whether one or more organisations
are involved in collecting or holding the personal data
concerned.