Data Consent Form (Hong Kong)

A Data Consent Form in Hong Kong records the consent or release given and the scope of what the party agrees to.

Data Protection Principle 1 (DPP1) in Schedule 1 to Cap. 486 imposes three interlocking obligations on data collectors: personal data may only be collected for a lawful purpose directly related to a function or activity of the data user; only the minimum amount of data necessary for that purpose may be collected; and the data subject must be informed of the purpose of collection and the classes of persons to whom the data may be transferred, before or at the time of collection. A PICS incorporated within the consent form satisfies the notification obligation. The individual's signature or electronic confirmation records consent.

The Direct Marketing provisions in Part VIA of Cap. 486, inserted by the Personal Data (Privacy) (Amendment) Ordinance 2012, impose a higher consent standard for marketing use of personal data. Before using an individual's personal data for direct marketing, the data user must: (a) inform the individual in writing that their data will be used for direct marketing; (b) state the kinds of data to be used and the classes of marketing subjects; (c) state whether the data will be provided to third parties for their direct marketing use; and (d) obtain the individual's explicit written consent. A data consent form that includes a clearly framed direct marketing consent box — separate from the general PICS consent — provides the required documentary evidence. Failure to obtain this consent before conducting direct marketing is a criminal offence under Section 35C of Cap. 486, carrying a maximum fine of HK$500,000 and imprisonment for three years on first conviction.

For employee data collection, the consent form must be adapted to the employment context. Employers collect HKID copies, bank account details, MPF account numbers, emergency contact information, and medical declarations from employees. DPP1 requires that employees be informed of the specific purposes for which each category of data will be used — payroll processing, MPF contribution reporting to the Mandatory Provident Fund Schemes Authority (MPFA), statutory leave record-keeping under the Employment Ordinance (Cap. 57), work injury claims under the Employees' Compensation Ordinance (Cap. 282), and compliance reporting to the Labour Department. Forms-legal.com provides this Data Consent Form template for customer, employee, and service user data collection in Hong Kong.

Data breach notification in Hong Kong is currently voluntary rather than mandatory under Cap. 486, but the PCPD strongly recommends that organisations notify affected data subjects promptly when a breach involving their personal data occurs. The 2021 amendments to Cap. 486 strengthened the PCPD's investigative powers and introduced new enforcement tools, making a well-maintained consent record increasingly important as evidence of lawful data collection. Where a data breach exposes personal data collected without proper PICS documentation, the PCPD treats the absence of a consent form as an aggravating factor in determining the appropriate enforcement response under Section 50 of Cap. 486.

A Data Consent Form in Hong Kong is needed whenever an organisation collects personal data directly from an individual, with six categories of collection scenarios being most common in Hong Kong commercial practice.

Customer onboarding is the most frequent use case. A bank, insurance company, or retail business collecting customer names, HKID numbers, addresses, contact details, and financial information at account opening must provide a PICS and obtain consent before or at the point of collection. Financial institutions regulated by the HKMA must additionally comply with Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) KYC documentation requirements alongside PDPO consent requirements.

Employee recruitment requires a consent form when job applicants submit personal data — CVs, HKID copies, academic certificates, reference contact details — to a prospective employer. DPP3 of Cap. 486 restricts use of applicant data to the recruitment purpose only; using applicant data for future marketing or sharing it with third parties without consent breaches Cap. 486.

Healthcare and medical services require a consent form when patients provide personal health information, medical history, and insurance details to hospitals, clinics, or laboratories. Medical data is treated as particularly sensitive under PCPD guidance, and consent for specific uses — sharing with insurers, overseas specialists, or medical research institutions — must be obtained explicitly.

Direct marketing campaigns require a written consent form with a specific direct marketing consent clause under Part VIA of Cap. 486. Organisations that wish to send promotional materials, newsletters, or commercial offers to individuals must obtain explicit written consent before doing so, and must honour opt-out requests promptly.

Research, surveys, and data analytics programmes that collect personal data from participants require a consent form explaining the research purpose, the anonymisation or retention approach, and whether results will be shared with third parties. Hong Kong universities, market research firms, and government agencies conducting surveys involving personal data must comply with DPP1.

Services to minors require parental or guardian consent where personal data is collected from individuals under 18. The PCPD's guidance on children's data emphasises the importance of age-appropriate consent mechanisms and enhanced transparency in PICS for young people.

A Data Consent Form compliant with the Personal Data (Privacy) Ordinance (Cap. 486) in Hong Kong must include the following elements to satisfy DPP1(3), the direct marketing requirements of Part VIA, and the PCPD's recommended PICS content.

Organisation Identity clearly identifies the data user — the full legal name of the company or organisation collecting the personal data, its business registration number issued by the Inland Revenue Department (IRD), its registered address, and its data protection contact. For financial institutions regulated by the HKMA or the SFC, the licence number should also be stated.

Personal Information Collection Statement (PICS) is the core disclosure section required by DPP1(3) of Cap. 486. The PICS must state: (1) the specific purpose or purposes for which the personal data is being collected; (2) the classes of persons to whom the data may be transferred (including service providers, regulatory bodies such as the PCPD, HKMA, IRD, Labour Department, or MPFA, and overseas recipients); (3) whether supply of the data is obligatory or voluntary, and the consequences of not supplying it; and (4) the data subject's right to request access to and correction of their personal data under sections 18 and 22 of Cap. 486 and the contact details for making such a request.

Direct Marketing Consent Clause must be presented as a separately identifiable opt-in mechanism — not buried within the general PICS text — disclosing: the kinds of personal data to be used for marketing; the classes of products and services to be marketed; whether the data will be shared with third parties for their own marketing use; and the individual's right to opt out at any time without charge. A tick-box opt-in (not a pre-ticked box) satisfies the explicit consent requirement under Section 35C of Cap. 486.

Data Retention Information states how long the personal data will be retained, consistent with the organisation's Data Retention Policy and the applicable statutory minimum retention periods — seven years for tax records under Cap. 112, six years plus the limitation period for contract records under the Limitation Ordinance (Cap. 347).

Security Statement briefly describes the security measures the organisation takes to protect the collected personal data, consistent with DPP4 — encryption, access controls, and secure storage. This demonstrates DPP5 (openness) compliance and builds data subject confidence.

Consent Signature Block provides space for the data subject's name, HKID number (last four characters only, to minimise data collection), date, and signature — or, for electronic forms, equivalent electronic confirmation mechanisms. The consent must be freely given, informed, specific, and unambiguous. forms-legal.com also provides a Data Retention Policy and Data Processing Agreement as companion documents for a complete PDPO compliance documentation suite.

Data breach notification reference: The consent form should include a brief statement of the organisation's data breach notification procedure — that in the event of a data breach affecting the individual's personal data, the organisation will notify the affected individual and the PCPD in accordance with the PCPD's recommended breach notification guidelines. While breach notification is not yet mandatory under Cap. 486, including this commitment in the consent form demonstrates transparency consistent with DPP5.

Bilingual presentation: The PCPD recommends that consent forms and PICS be presented in both English and Traditional Chinese for Hong Kong data subjects, to confirm genuine informed consent across Hong Kong's bilingual population. A bilingual consent form reduces the risk that a data subject can later claim they did not understand the terms to which they consented.