The abbreviation HK is used to refer to Hong Kong, a special administrative region of China. It is an international hub for finance, shipping, manufacturing, and IT services. The government of Hong Kong is currently considering amending the Personal Data (Privacy) Ordinance with the aim of strengthening data protection. One of the changes being proposed is a requirement that businesses (data users) formulate and implement a clear data retention policy specifying a period for the storage of the personal data they collect. This article discusses the background to this proposal and what businesses need to do to ensure compliance.
In Hong Kong, personal data is mainly protected by the Personal Data (Privacy) Ordinance (PDPO), which came into force on 20 December 1996 and was amended in 2012 and 2021. The PDPO establishes rights for data subjects and imposes specific obligations on data controllers, and it regulates the collection, processing, holding, use and provision of personal data through six data protection principles. It also prohibits the disclosure of personal data without consent, a practice known as ‘doxxing’.
Unlike many other laws, the PDPO applies to both data controllers and processors, irrespective of where they are located in the world. As a result, any business that collects or processes personal data in Hong Kong is required to comply with the PDPO. This is particularly true when the data being processed is transferred outside Hong Kong.
It is therefore important for a company to consider its obligations under the PDPO in all aspects of its operation, including any transfer of personal data to locations abroad. This is especially the case when the PDPO’s new section 33 comes into effect, which will prohibit the transfer of personal data from Hong Kong to places outside the European Union unless certain conditions are met.
As well as considering the legal aspects of transferring personal data overseas, companies need to consider the technical and operational implications. In particular, they need to ensure that their systems and any cloud service providers comply with the PDPO’s requirements. They need to be able to demonstrate that their systems can protect personal data against unauthorised access, processing, erasure or loss. They also need to be able to show that processes are in place to prevent accidental or malicious misuse of personal data, and that they can respond quickly to any breach of security.
Another aspect of a successful data governance program is putting the right people in place to drive it forward. This includes the team members who will support, sponsor, steward and operationalize your policies. The team should include both business and IT subject matter experts, since these are the people who understand how your data governance framework affects business processes, decisions and interactions. They will need to be able to communicate clearly with business stakeholders. It is also a good idea to use a responsibility assignment matrix, such as RACI (responsible, accountable, consulted and informed), to organize the team and provide clarity around roles and responsibilities.