Global menu

Our global pages


Coronavirus - The use of Personal Data in connection with Covid-19 – Hong Kong

  • Hong Kong
  • Coronavirus
  • Privacy, data protection and cybersecurity


As a general rule of data privacy protection in Hong Kong, personal data should be used only for the original purpose for which the data was collected, or a directly related purpose. One exception is where the data user obtains the consent from the relevant data subject. (See Data Protection Principle 3 of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO)).

The Hong Kong Privacy Commissioner for Personal Data recently made a media statement specifically about using information taken from social media for public health purposes, such as tracking potential carriers of Covid-19. The Privacy Commissioner has clarified that a data subject’s right to privacy is “not absolute” and it is subject to other competing rights or interests. These include the absolute right to life and the interests of the public, including public health.

The Privacy Commissioner made the following key observations:

1. The right to life exception refers not only to the life of the data subject (which could be the potential carrier of Covid-19), but also to the lives of others in the community. Relevantly, the United Nations Human Rights Committee in October 2019 confirmed that the right to life is a supreme right and the duty to protect life implies that Governments should take appropriate measures that may give rise to direct threats to life (including the prevalence of communicable diseases).

2. In Hong Kong, Covid-19 has been classified as a notifiable infectious disease under the Prevention and Control of Disease Ordinance (Cap. 599). Accordingly, all registered medical practitioners are required to notify the Centre for Health Protection of the Department of Health of all suspected or confirmed cases of Covid-19.

3. If persons are suspected of having close contact with persons infected with Covid-19, it would be in the public interest to closely monitor their whereabouts.

4. Pursuant to s.59 of the PDPO, the use of personal data may be exempted from the application of Data Protection Principle 3 where the relevant personal data relates to the physical or mental health or the identity or location of a data subject. Further, s.59(2) of the PDPO provides that where restrictions on the use of personal data would likely cause serious harm to the physical or mental health of any other individual, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject.

It is not uncommon for Governments or regulatory bodies to process personal data for the purpose of tracking and monitoring the whereabout of individuals who are infected (or potentially infected) due to public interest and the overall health and safety of the community. For example, Israel has deployed technology to track carriers and potential carriers of Covid-19 which is otherwise used for counter-terrorist surveillance purposes. Given the World Health Organization’s recent declaration that Covid-19 has reached pandemic status, we expect many privacy regulators around the world to follow the approach taken by the Hong Kong Privacy Commissioner in clarifying such further use and purpose.

Key Takeaways

In cases where protections for the use and access of personal data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, s.59 of the PDPO provides the relevant exemptions for the use of such personal data in the absence of obtaining the data subject’s prescribed consent.

Importantly, organisations must be mindful that the remaining provisions of the PDPO shall continue to apply to such personal data notwithstanding these exemptions. For example, the requirement to undertake all practicable steps to ensure the personal data collected is accurate and retained for no longer than is necessary to fulfil the purpose for which it was collected (Data Protection Principle 2) remains applicable. Further, data users must continue to implement steps to ensure that any personal data it possesses is protected against unauthorised or accidental access, processing, erasure or loss, as required pursuant to Data Protection Principle 4.

Please don’t hesitate to contact us if you would like to hear more.