Data HK is an independent project that provides guidance to businesses on the implementation of Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). The PDPO establishes data subject rights and imposes specific obligations on data controllers through six data protection principles. It is intended to promote compliance and encourage responsible data handling. This is important given that the PDPO imposes severe penalties on individuals and organisations that breach the law, including fines and imprisonment.
Data HK also aims to provide an accurate and reliable resource for those seeking information about data protection in Hong Kong. It is the first of its kind to combine data-related laws, best practices, industry initiatives, and case studies. In addition, the platform features an extensive catalogue of tools, templates and guides that can be utilised to improve data management and security across an organisation.
The Hong Kong Data Protection Portal also features detailed and up-to-date information on the PDPO and its related regulations. These include the Code of Practice, a set of guidelines for businesses and public authorities on the processing of personal data; the Personal Information Disclosure Guidelines, which regulate the release of information by government agencies; and the Data Sharing Agreement Model, which is a legal framework that enables the exchange of personal information between entities.
When considering a data transfer, it is important to determine whether the person involved is a “data user”. A data user controls the collection, holding, processing or use of personal data. The PDPO requires a data user to comply with a range of other statutory obligations, including obligations relating to data transfer.
These requirements include the obligation to notify a data subject of the purposes for which their personal data will be collected and the classes of persons to whom the personal data may be transferred. The PDPO also requires that consent must be obtained in order to change the use of an individual’s personal data. This is known as the “prescribed consent”.
Furthermore, a data user must use contractual or other measures to ensure that transferred personal data is protected against unauthorised access, modification, processing or disclosure, accidental loss or destruction and that it is retained only for as long as necessary for the agreed purpose. It must also take steps to protect personal data from the risk of breaches occurring at any time, regardless of the location of that data.
The PDPO also prohibits the transfer of data that concerns a “protected class” of person, such as an ethnic group or religion. It is therefore essential to conduct a thorough data impact assessment prior to engaging in any form of cross-border data transfer.
As the global economy becomes increasingly interconnected, a trusted legal basis for data transfers will become increasingly critical. For example, many companies in Europe will have significant volumes of personal data that are transferred to and stored in Hong Kong. This will require a robust approach to compliance, including the use of standard data protection clauses and contribution to a transfer impact assessment.