Data hk is Hong Kong’s source for news, commentary and analysis about data & information in Hong Kong. With frequent updates featuring content that’s both educational and accessible – Data hk provides news coverage that matters!
Hong Kong is an international center of data and information services, offering an ideal platform to promote personal data protection and information security. The data hk initiative forms an essential part of Hong Kong government efforts to foster innovation, economic growth and international competitiveness of their territory.
Personal data as defined by Hong Kong law includes any information that identifies an identifiable individual, whether about their past, present, or future actions.” Unfortunately, many assume there are no restrictions when it comes to cross-border transfers of personal data – however this is incorrect; indeed the PDPO contains provisions which permit contractual clauses protecting data users both inside and outside Hong Kong when transfer arrangements take place between data users.
Under the PDPO, data users have an obligation to expressly notify individuals, upon or prior to collecting their personal data, about its intended uses and potential transfers (DPP1 and DPP3). This requirement can be met without having a formal PICS prepared but it would be good practice for data users to provide such notification as soon as they collect personal information from individuals.
Data users must also take measures to prevent personal data transferred outside Hong Kong from being kept longer than necessary for processing (DPP 4). To achieve this goal, contracts between data users should prohibit third parties from keeping personal data beyond what is necessary for processing (e.g. 1 year for financial transactions, 2 years for health information etc).
Furthermore, the PDPO stipulates that data users are ultimately accountable for the actions of their agents, including sub-processors operating both inside and outside Hong Kong (DPP 11). This legal provision serves to emphasize their responsibility as ultimately accountable parties for sub-processors they engage.
The PDPO has published model clauses which can be included in contracts dealing with personal data transfers between data users, both within Hong Kng and outside it, which reflect an increasing awareness of data protection issues in transfer arrangements, to safeguard individuals’ rights under such circumstances and prevent their rights being infringed upon. While not mandatory under PDPO, these models reflect an increased understanding of data protection issues when making such arrangements.