What is Data Hong Kong?
Data HK is the process of managing and using information about individuals. This data can include anything from an individual’s name, address and HKID number to their bank accounts, credit card details, social media profiles, and medical records. It can also include genetic and biometric information, as well as their location data and online identifiers. There are six core data protection principles that businesses must comply with when processing personal data in Hong Kong. These principles cover consent, accuracy, purpose, security, and accountability.
In Hong Kong, the Personal Data (Privacy) Ordinance (“PDPO”) sets out these principles and establishes a range of data subject rights and specific obligations to data controllers. It was first introduced in 1996 and then significantly amended in 2012 and 2021.
The PDPO defines “personal data” as data that relates to a living individual, from which that individual is capable of being identified directly or indirectly, and that is in a form that can be accessed or processed by the individual. However, this definition does not extend to information about legal entities. In general, the PDPO applies only to data users that control the collection, holding, processing or use of personal data in, or from, Hong Kong. This includes data users whose operations are located outside the jurisdiction but who have a presence or facilities in Hong Kong that control such activities.
A data governance framework must be in place to ensure that an organization complies with the PDPO. This includes appointing data stewards, who are business and IT subject matter experts. These stewards are responsible for interpreting and communicating how the PDPO affects the business’s processes, decisions and interactions. Ideally, data stewards should be cross-functional and represent both the business and IT. This helps ensure that they are able to make decisions about how to best manage and use data.
Unless a privacy exemption is available, data users must seek consent from the data subject before disclosing their personal data to third parties. They must also notify the data subject if they intend to use their personal data for any new purpose that has not been notified to them, and they must obtain the subject’s consent before doing so. The PDPO also lists a number of defences that a data user may rely on against claims that they have breached the PDPO.
While modernisation of data protection laws in Hong Kong is mooted, in the meantime businesses should ensure they understand their obligations under the existing framework and how these might differ from their duties in other jurisdictions. This will help them to prepare for the anticipated introduction of the EU’s General Data Protection Regulation in 2018.