Publications and Videos

Leaflet & Form

Personal Data Privacy and the Internet - A Guide for Data Users

Collecting personal data on the Internet

DPP1 requires the lawful and fair collection of personal data and sets out the information a data user must provide to an individual when collecting personal data from that individual. Organisations often use on-line forms on their web pages to collect personal data from web users when providing services or request web users to "Send an e-mail" with personal details. In doing so, organisations should take all reasonably practicable steps to ensure that an individual providing his/her personal data is provided with the information required by DPP1. This applies to on-line forms on web pages that an organisation controls, as well as to paper forms which are used to collect personal data.

=>Provide a Personal Information Collection statement. An acceptable way to inform a person from whom personal data are collected is to provide a Personal Information Collection statement (PIC statement). A PIC statement should be easy to find, easy to read and easy to understand. As a minimum, it should cover the following information required by DPP1:

• The purposes for which the data are or are to be used;
  
  
• The classes of person to whom the data may be passed;
  
  
• The data subject's rights to request a copy of the data and correct any errors, and who should be contacted to make such requests. organisation's policy on "spamming", and its security and retention policies in respect of personal data.

=>Make the PIC statement an on-line notice. The PIC statement can be laid out on the same web page as each form, or it can be on another page, as long as every form carries a clearly visible, well-described link to that separate page. The link could be a button or icon that, when clicked, will allow access to the additional pages containing the PIC statement.

=>Collect data fairly. The purpose for which data are collected should be stated in a straightforward and open manner without trickery or deception. For example, building a candidate file by inviting applications to vacancies that are, in reality, non-existent would not be fair data collection. Similarly, collecting personal data for a fictitious lucky draw would not meet the requirements of DPP1. Special care is needed when a web page and any form on it are expected to collect personal data from children. The wording should be as complete, clear and simple as possible. In addition, the statement on the form may suggest that the child talks to a parent before filling in the form.

=>Collect adequate but not excessive data relevant to the purpose. When an organisation collects personal data, whether on the Internet or through any other medium, DPP1 requires that the items of information collected should be necessary for or directly related to the purpose of collection and not excessive for that purpose. For examples: If no purchase is to be made, generally it will be excessive and not relevant to request a credit card number. Often age is requested, when all that is needed is a statement that the respondent is over 18. The sex of a respondent is often requested but keeping a record of that might not be justified for the purpose for which the data are collected.

[Image of Previous Page][Image of image][Image of Next Page]

End of Page

[Annual Report] [Code of Practice/ Guideline & Explanatory Booklet] [Consultation Document/ Report] [Newsletter] [Guidance Note & Fact Sheet] [Leaflet & Form] [Opinion Survey] [Others] [Investigation Report / Inspection Report] [Information Book]

[About PCPD] [The Ordinance] [PCPD Activities] [Information Centre] [Privacy Zone for Youngsters (Games)]
[Publications & Videos] [Enquiries & Complaints] [Case Notes] [Contact Us] [Search] [Site Directory] [Graphical Version]
[Chinese Version]

Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer