How to Handle Personal Data in Hong Kong

Whether personal data in Hong Kong is used to identify individuals or for any other purpose, it must be carefully handled. This is because personal information can be easily misused by criminals, terrorists, fraudsters and other unprincipled people. Fortunately, Hong Kong has strict data privacy laws that protect the rights of individuals. The Office of the Privacy Commissioner for Personal Data (PCPD) oversees compliance with these laws. This statutory body encourages businesses to adhere to six data protection principles and helps them understand how to comply with the law.

When it comes to personal data, the PCPD has a clear definition of what constitutes such information. The word “personal” refers to any information that can be traced back to a particular individual, and thus includes names, addresses, telephone numbers, email addresses and other personal data. This definition is consistent with international standards and is also adopted by other legislative regimes such as the PIPL in mainland China and the GDPR in the EU.

The PCPD’s core obligations in respect of personal data largely centre around fulfilment of DPP1 (purpose and collection) and DPP3 (use). When data is collected, the data user must ensure that data subjects are informed of the purposes for which the data will be collected, including how that information might be transferred. The data user must also inform data subjects of the classes of persons to whom their personal information may be transferred. These obligations are deemed to have been met if the data subject consents to the transfer.

In addition, there are certain other duties that the data user must carry out before transferring any personal information to a data processor or another entity outside Hong Kong. These include undertaking a transfer impact assessment and agreeing to standard contractual clauses. The obligation to undertake a transfer impact assessment is triggered by the data user’s assessment of the law and practice in the jurisdiction to which it intends to transfer personal information. This process involves comparing the laws of that jurisdiction with the six DPPs contained within the PDPO and assessing how those differences might affect the protection of personal information.

If a transfer impact assessment is carried out and the results indicate that the law and practice in the foreign jurisdiction cannot meet the requirements of the PDPO, then the data exporter must take supplementary measures to bring the level of protection up to that standard. These might include technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions on audit, inspection and reporting, breach notification, and compliance support and co-operation. However, the supplementary measures must be proportionate to the needs of the business and its intended purposes. If the supplementary measures do not meet these requirements, then transferring the personal data will breach the PDPO. This will be deemed a serious breach of the PDPO and the data exporter will face severe penalties. This is why a data transfer impact assessment is often carried out before deciding to export personal information abroad.
