July 12, 2024

Data governance is a complex initiative with many stakeholders. Its success requires an effective communication and coordination strategy with the right people in place. A governance team should include a data leader, stewards and sponsors to ensure a program delivers measurable business value. A well-organized, structured process helps people understand their responsibilities and provides a clear path of escalation. A responsibility assignment matrix (such as RACI, which stands for responsible, accountable, consulted and informed) can help organize the work and manage conflicting opinions.

Under Hong Kong law, personal data includes data that identifies a person or relates to an identifiable individual. It can be collected for a specified purpose or in the course of a legitimate activity and must be fair, transparent, intelligible and accessible. The Personal Data (Privacy) Ordinance (PDPO) prohibits unauthorized disclosure of personal data, including to a third party, and establishes six data protection principles for data users.

The Hong Kong government has mooted changing the definition of personal data to broaden the scope of its protection. This would increase compliance measures for businesses that use data-related technologies or process information with an impact on individuals, such as online tracking and profiling.

A new law is also proposed to penalise acts of doxxing by making it an offence to publish details of an individual’s personal information without consent, whether the data is stored in Hong Kong or overseas. This could be a welcome addition to the law as it is currently unclear whether the PDPO applies to acts of doxxing. It is important to continue to keep abreast of developments in the legislation and in data protection practices in Hong Kong.