1. Principle 1 - Purpose and method of collecting personal data

(1) Unless—

a. Personal data is collected for lawful purposes directly related to the functions or activities of the data user who will use the data;

b. Subject to paragraph (c), the collection of the data is necessary or directly related to that purpose; and

c. (c) Information shall not be collected unless the information is sufficient but not excessive for that purpose.

(2) Personal data shall be in the form of-

a. Lawful; and

b. To be fair in all circumstances of the case, to collect.

(3) Where personal data is or will be collected from a person who is the data subject, all practicable steps shall be taken to ensure that—

a. He was informed, expressly or by implication, at or before the time of collecting the information—

i. whether he is obliged to provide such information or voluntarily able to provide such information; and

ii. if he is obliged to provide such information) the consequences he would suffer if he did not provide such information; and

b. He—

a. On or before the collection of such information, expressly informed—

A. the purpose for which the information will be used (generally or specifically, such purpose); and

B. the categories of persons to which the data may be transferred; and

b. On or before the information is first used for the purpose for which it was collected, expressly informed—

A. his right to request access to such data and to request correction of such data;

B. the name and address of the individual to whom such requests may be made,

Provided that the data are collected for the purposes specified in Part VIII of the Ordinance for which personal data are exempt from the provisions of Data Protection Principle 6 in respect of which the data are collected, subject to the provisions of this subsection is quite likely to compromise that purpose.

2. Principle 2 - Accuracy and retention period of personal data

(1) All practicable steps shall be taken to-

a. ensure that the personal data are accurate having regard to the purposes for which they are or will be used (including any directly related purposes);

b. Where there are reasonable grounds to believe that the personal data is inaccurate having regard to the purpose for which the personal data is or is to be used (including any directly related purpose), ensure that—

i. the data shall not be used for that purpose unless and until such reason ceases to apply to the data (whether by correction of the data or otherwise); or

ii. the data is deleted;

c. when it is practicable in the circumstances of the case as a whole to know that—

i. Personal data disclosed to a third party on or after the specified date is materially inaccurate having regard to the purposes for which the data is or will be used (including any directly related purposes); and

ii. the information was inaccurate when so disclosed,

Make sure that the third party—

A. be advised that the information is inaccurate; and

B. is given the necessary particulars to enable him to correct the information having regard to that purpose.

(2) Personal data shall not be kept longer than is necessary to carry out the purpose for which the data is or is to be used (including any directly related purpose).

3. Principle 3 - Use of Personal Data

Personal data shall not be used for purposes other than-

1. The purpose for which the information will be used when it was collected; or

2. A purpose directly related to the purpose referred to in paragraph (a).

4.
Principle 4 - Security of Personal Data
 
All practicable steps shall be taken to ensure that personal data held by data users (including data in forms in which access or processing is not practicable) are protected against unauthorised or accidental access, processing , deletion or other use, in particular—
 
(a)
the type of information and the damage that could be caused if such events occurred;
 
(b)
All other money and property, including gifts, donations, fees, rent, interest and accumulated earnings received by the Commissioner.
 
(c)
the security measures included (whether by automated means or otherwise) in the equipment in which the information is stored;
 
(d)
measures taken to ensure the good conduct, prudence and competence of persons having access to such data; and
 
(e)
Measures taken to ensure that such information is transmitted in good security.
 
 
 
5.
Principle 5 - Information must be generally available
 
All practicable steps shall be taken to ensure that any person—
 
(a)
Be able to determine data users' policies and practices with regard to personal data;
 
(b)
be informed about the types of personal data held by data users;
 
(c)
To be able to be informed of the primary purpose for which the personal data held by the data user is or will be used.
 
 
6.
Principle 6 - Access to Personal Data
 
(a)
The data subject has the right to—
 
(b)
request—
 
 
i. inspected within a reasonable time;

ii. Inspection upon payment of a non-extraordinary fee (if any);

iii. reasonable access; and

iv. Access to personal data in a clearly understandable form;
 
(c)
be given reasons for refusal of a request referred to in paragraph (b);
 
(d)
object to the refusal referred to in paragraph (c);
 
(e)
request correction of personal data;
 
(d)
object to the refusal referred to in paragraph (c);
 
(e)
request correction of personal data;
 
(f)
be given reasons for refusal of a request referred to in paragraph (e); and
 
(g)
object to the refusal referred to in paragraph (f).