Data Hk and the PDPO

Data hk is a set of principles and tools developed by the Information Technology Association of Hong Kong to promote openness in the IT industry and introduce international best practices to Hong Kong. Its assessment model is based on 19 sets of established open data principles and benchmarks at the global, regional, and national levels. Its objective is to help businesses achieve more value from their data and make decisions based on quality, usability, and availability of information. It is also to increase awareness of the importance of data governance and promote adoption of a comprehensive and holistic approach to openness in business.

The PDPO is the primary legal instrument in Hong Kong to protect personal data, and it establishes privacy protection rights of data subjects and specific obligations to data controllers through six data protection principles. It came into force in 1996 and was amended significantly in 2012 and 2021.

While the definition of personal data is broadly comparable to other legislative regimes, such as GDPR in mainland China and the PIPL in Hong Kong, the PDPO has a stricter interpretation of what constitutes “personal data”. This means that only information that can identify an identifiable natural person will be protected by the PDPO.

This means that data users must expressly inform a data subject on or before the collection of personal data of the purposes for which their personal data will be used, and the classes of persons to whom their personal data may be transferred. A PICS must also contain the name or job title and address of the person responsible for handling such requests, and a contact point.

The PICS must also state that the data can be used for a different purpose than that stated on or before the original collection, and that the data subject must give his/her voluntary consent to such use. This is a higher standard than the consent requirement under the PDPO, but the distinction is understandable given that data transfer is a form of data use.

Before transferring any personal data in or out of Hong Kong, it is important to consider these requirements. Failure to do so can result in enforcement action and/or fines. Moreover, it can expose the company to significant liability under the PDPO and other local laws that govern data privacy. To minimise the risks and to ensure compliance with these laws, businesses should review their PDPOs and PICSs carefully, and consult with data privacy advisers to make any necessary changes. This will ensure that the company is prepared for any potential enforcement action and complies with data transfer requirements. In addition, it will reduce business risk and enhance efficiency by allowing for more effective compliance with data transfer regulations in a consistent and efficient manner.

Comments are closed, but trackbacks and pingbacks are open.