Last updated on: Tuesday, 23rd July 2019

This sets out the policies and practices of the Office of the Special Prosecutor (“OSP” or “We”) in relation to the handling of personal data.

Statement of Notice

We respect privacy. OSP is committed to complying with all applicable personal data privacy laws and regulations.

When we collect and process personal data, we will ensure that there is legal basis for us to do so – including but not limited to issuing a Privacy Notice and/or fulfilling any other requirements as provided under all applicable laws.

Statement of Practice

Kinds of Personal Data Collected

We collect personal data in five broad categories below (“Categories of Personal Data”):

Subscription Records which include records containing the personal information of the subscribers of our publications, job alert services and any other subscription based products or services.

Personnel Records which include job applicants and our employees’ personal information.

Event Attendee Records which include the personal information provided by the attendees of our events such as conferences, promotion or charity activities.

Other Operational Records which include the personal data of such data subjects involved in newsgathering, security checks, cleaning, maintenance services, consultancy, technology, auditing, supplier, service provider, licensor and other data subjects providing services in relation to all aspects of our operations.

Records collected on/from Webservers which include but not limited to the email addresses, location data and other online identifiers such as IP addresses of such data subjects who visit our websites, platforms.

Main Purposes of Processing Collected Personal Data

Subscription Records are processed for the purposes of: (i) provision of subscription, job alert orders and any other subscription based products or services; (ii) billing and payment (if applicable); and (iii) conducting market research for statistical purposes.

Personnel Records are processed for the purposes of: (i) recruitment; and (ii) human resources management and employment related activities such as employment benefits, termination, performance appraisal and discipline.

Event Attendee Records are processed for the purposes of: (i) organising and managing the relevant events; and (ii) running the related competitions, prize draws and promotions.

Other Operational Records are processed for the purposes of facilitating the effective operation of our business such as newsgathering, security, maintenance, consultancy, technology, auditing, supplier, service provider, licensor and other data subjects providing services in relation to all aspects of our operations.

Records collected on/from Webservers are kept for the purposes of: (i) providing and/or improving on the news, information and related services to you; and (ii) keeping abreast of and analysing the latest trends in the global media landscape.

Data Protection Principles

All processing of personal data shall be conducted according to the data protection principles as follows:

  • Personal data must be processed lawfully, fairly and transparently.
  • Personal data can only be collected for specific, explicit and legitimate purposes.
  • Personal data must be relevant and limited to what is necessary for processing.
  • Personal data must be accurate and kept up to date with every effort to erase or correct.
  • Personal data must be kept in a form such that the data subject can only be identified if it is necessary for processing.
  • Personal data must be processed in a manner that ensures the appropriate security.

Data Inventory

We have also kept a data inventory and data flow process to determine various aspects of our data processing including:

  • Business processes that use personal data.
  • Purposes for collecting and/or using the personal data.
  • Source of personal data.
  • Processing activities.
  • Any data transfer, and to whom.
  • Any data access, correction or opt-out request.

Such data inventory would facilitate OSP in tracking its data and the related processing  activities, and put us in a better position to comply with the relevant privacy and other laws and regulations.

Legal Basis of Data Processing

We ensure that there is legal basis for our processing of the personal data.

Such legal basis includes: (i) legitimate business interests of OSP in processing personal data; (ii) if required by applicable laws or regulations, seeking your specific consent to process such personal data; and/or (iii) any other relevant basis under applicable laws and regulations.

Legitimate Interests

OSP processes personal data under the “legitimate interests” legal basis which means that the processing of the personal data is necessary for the legitimate interest pursued by OSP except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data.

Legitimate Interests Assessment

In each relevant situation, we assess: (i) what these legitimate interests are; (ii) whether it is necessary to process such data to attain the objective; and (iii) the relevant rights of the data subjects; and balance such rights against our interests in achieving such objective, and ensure that such rights do not override OSP’s legitimate interests before we conclude that OSP can process the personal data on the basis of legitimate interests.

Communicate with the Data subjects

All data subjects will be informed that we are collecting their personal data, the Categories of Personal Data concerned and the purpose of processing.  This is to ensure that the data subjects are clear about our collection and process of personal data and such collection and processing are within the data subjects’ reasonable expectation.

Please be informed that all data subjects can object to our collection and processing of their personal data at any time, in addition to their rights of requesting for accessing and/or correcting their personal data in our possession.

Data Security Mechanisms

We have also implemented appropriate mechanisms, policies and procedures to protect the confidentiality and security of the personal data that we collect and process, as we respect the privacy and related rights of the data subjects relating to such personal data by reducing the risks or potential negative impact of processing including but not limited to data minimisation, de-identification, encryption, restricted access and all other technical security methods and efforts to protect personal data. Such protection of the privacy and related rights of the data subjects would enable OSP in processing personal data under the legitimate interest legal basis.

Having conducted the above assessment thoroughly, OSP concludes that it is collecting and processing personal data under its legitimate interests as follows:

a. Serving our Customers and Operational Needs

The main purposes for processing the Categories of Personal Data have been set out above.  They are legitimate interests for OSP to process the same because all such purposes are essential to OSP serving its customers and its operational needs as a corporation and a media organisation.

A corporation like OSP needs employees to work for its business (and hence Personnel Records) and service providers to keep it running (and therefore Other Operational Records).

A media organisation such as OSP needs the personal data of its newspaper subscribers, event attendees and website visitors so as to be able to have relevant and timely provision of information and/or other services (and thereby Subscription and Event Attendee Records together with Records collected on Webservers).

b. Inform the Public

As a news organisation – OSP respects the public’s right to know about what is happening in our community and the world. OSP has a duty both under law and journalistic ethics to inform the public of such happenings (“duty to inform”).

We collect and process such data as the name, email address, online identifier and/or location data of those data subjects who visit any of our news, media or other websites.  We take note of the web pages being viewed as well as the time and frequency of such viewing. All of such data (“Public View Data”) are used to recommend to such data subjects relevant articles or content which should be of their interests.

Such recommendation does not prohibit or restrict anyone from viewing all of the other articles or content on such websites which they can access at any time as available.


Where applicable legal requirement demands specific consent must be obtained before we can process personal data including conducting direct marketing, we will ensure that such specific consent will be obtained as follows:

  1. the consent has to be clear, explicit and specific;
  2. data subject is fully aware of the types of the personal data that we intend to use; and the purposes of such usage (such as improving our services to the data subject or direct marketing); and
  3. the name/identity of the transferee (if we ever intend to transfer your data) and how the transferee shall use your personal data.

Rights of the Data subjects

OSP respects that data subjects have the following rights about the data processing, and the data which is recorded about them:

  1. To request for access regarding the nature of information held and to whom it has been disclosed.
  2. To prevent processing likely to cause damage or distress.
  3. To prevent processing for purposes of direct marketing.
  4. To be informed about the mechanics of automated decision-making process which will significantly affect them.
  5. Not to have significant decisions that will affect them taken solely by automated process.
  6. To sue for compensation if they suffer damage by any contravention of the applicable privacy and other laws.
  7. To take action to rectify, block and erase including the right to be forgotten or destroy inaccurate data.
  8. To request the supervisory authority (eg. a privacy commissioner or a data protection officer) to assess whether any provision of the relevant privacy and other laws has been violated.
  9. To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have such data transmitted to another data controller.
  10. To object to any automated profiling which is occurring.

Transfer of Personal Data

We will keep confidential the personal data that we hold, which may be transferred to the following parties within Hong Kong for the purposes as stated above.

  1. Delivery agents of OSP for delivering the newspapers or other publications relating to the subscriptions or free trials;
  2. Agents, contractors or third parties which/who provide administrative, technology or other services to OSP for its operations;
  3. Credit reference or debt collection agencies; and
  4. Any affiliates of OSP.

In the event of such transfer, OSP shall use contractual or other means to ensure that the data transferees shall keep the transferred personal data confidential and comply with all relevant personal data privacy laws and regulations.

Regarding the situation as described under sub-clause (iv) above –  If such intra-group transfer among OSP affiliates involves cross-border data transfer, OSP may adopt binding corporate rules for safeguarding the security of such personal data; and ensuring that all affiliates involved shall comply with the relevant privacy and other laws.

Outsourcing Arrangements

OSP has been using its in-house resources to develop and maintain its IT systems.  Occasionally OSP engages a third-party vendor to provide certain services relating its IT systems.  This vendor does not have access to the personal data stored in the IT systems under usual circumstances.

In the exceptional case where such vendor has such access, OSP uses reasonable measures to ensure that: (i) such vendor is contractually bound to keep such personal data confidential and adopt appropriate means to prevent any unauthorised access, use, loss, retention, modification, transfer or otherwise.

Data Retention

We implement data retention policies and records to ensure that personal data will not be kept longer than is necessary in relation to the purpose for which they were collected.

Different retention period apply to various types of personal data that we hold, depending on the respective data collection/usage purpose and relevant legal requirements.

Data Protection Officer

We have appointed a Data Protection Officer show responsibilities include the following:

  1. To inform and advise OSP and its employees of their obligations pursuant to the applicable privacy and other laws and regulations (collectively “Privacy Laws”);
  2. To monitor OSP’s compliance with such Privacy Laws;
  3. To co-operate with the supervisory authority (eg. privacy commissioner or equivalent bodies); and
  4. To act as the contact point for the supervisory authority on issues regarding the data processing and related matters.

Data Access / Correction and Other Inquiries

You have the right to know whether OSP holds your personal data, access the data and/or correct any inaccuracies of such data.   You also have the right to make reasonable inquiries about OSP’s personal data policies and procedures. You have the right to object to the processing of your personal data or withdraw your consent (if applicable) at any time. Please note however that if you object to the processing of your personal data, it may affect OSP’s ability to provide the services that you required to you or may affect the quality of such services. If you withdraw your consent (if applicable), OSP Group will stop providing such services to you which applicable laws requires specific consent.

All of the above requests should be made in writing to our Data Protection Officer at dataprotection@osp-ghgov.org

A reasonable fee may be charged in light of the administrative costs that OSP shall incur in addressing your request(s).

We keep our Privacy Notice under regular review, and reserve the right to amend it from time to time as appropriate.

 This Notice was last updated on Tuesday, 23rd July 2019.


Get answers to most of your questions on the work of the Office of the Special Prosecutor




Call 055 9166 733 | 020 4136 564
or email report@osp-ghgov.org


Get answers to most of your questions on the work of the Office of the Special Prosecutor




Call 055 9166 733 | 020 4136 564
or email report@osp-ghgov.org