Data hk is a term used to describe personal information that can be linked back to an identifiable individual. Hong Kong has strict data privacy laws and the statutory body responsible for enforcement is called the Office of the Privacy Commissioner for Personal Data (PCPD). The PCPD promotes compliance with the Personal Data Protection Ordinance, which sets out six data protection principles. The data hk framework also includes the requirement for a privacy impact assessment before starting a new project that uses personal data.
A PIA is an analysis of the risks that could arise from the use of personal data and measures to mitigate these risks. It can help organisations make better business decisions by identifying and prioritising the potential impact of an initiative before it starts. Ultimately, a PIA is designed to minimise any harm that might be caused to the rights and freedoms of individuals, businesses and society as a whole.
The PDPO defines personal data to mean any information that can be directly or indirectly identified with an individual, including information on activities, interests and online behaviour. This definition is in line with international norms and is similar to the definition of personal data in other legal regimes, such as the Personal Information Protection Law that applies to mainland China and the General Data Protection Regulation that applies to the European Economic Area.
One of the responsibilities of a data user under the PDPO is to provide a data subject with a Personal Information Collection Statement (“PICS”) before collecting his personal data. This PICS should include the purpose for which the data will be collected, as well as a list of the classes of persons to whom the data may be transferred. It is not a requirement that the PICS is provided in writing, although it is generally good practice to do so.
In addition, the PDPO requires that a data exporter adopt any supplementary measures necessary to bring the level of protection in a foreign jurisdiction up to Hong Kong standards before the transfer of personal data abroad. These supplementary measures can include technical measures such as encryption or pseudonymisation, and contractual provisions that impose obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.
The PCPD has published two sets of recommended model contractual clauses that can be used in a data transfer between a Hong Kong entity and an entity outside Hong Kong, or between two entities both of which are located outside of Hong Kong but one of which controls the collection, holding, processing and use of the personal data. These model clauses streamline the compliance arrangement in respect of cross-boundary data flow for businesses and thus facilitate leveraging of data flow to drive innovation and enhance Hong Kong’s positioning as an international data hub. They are available on the PCPD’s website at: https://www.pcpd.gov.hk/en/model-contractual-clauses.html. Please note that the draft models are subject to further refinement and will not be finalised until further consultation is conducted.