Data Hk – What Personal Data Is and How It Is Protected

Data hk is a Hong Kong initiative designed to raise awareness about the risks associated with data transfers, while helping businesses assess them. It offers numerous helpful resources such as guides and questionnaires as well as advice regarding best practice and ethical standards for personal data governance.

Hong Kong’s personal data protection regime differs from GDPR in that there is no statutory restriction on the transfer of personal data outside Hong Kong, though that doesn’t mean no protections exist; businesses just need to ensure they follow legal requirements and best practice when sending personal data abroad.

The core principle underlying the PDPO is that personal data refers to any information about an identifiable individual, in line with international norms and practices. Note that this definition does not encompass personal identifiers such as name, address, date of birth, telephone number and nationality; rather it refers to “facts and circumstances” which allow an individual to be recognized. Therefore, photographs taken of crowds at concerts would not constitute personal data under Hong Kong law even if individuals could be identified within them. CCTV recordings, logs of persons entering car parks and records of meetings also do not qualify as personal data under this Act.

One of the key PDPO obligations of data users is to notify data subjects, before collection (DPP1 and DPP3), of why their personal data is being collected and to whom it will be given (DPP1). The notice should state the purpose of collection as well as who the data will be shared with. Typically this requirement is fulfilled by providing data subjects with a Personal Information Collection Statement (“PICS”), though currently there are no provisions in place that require this in writing.

Before initiating any data transfer, data exporters must conduct a transfer impact assessment. This involves reviewing the laws and practices in the destination jurisdiction against Hong Kong’s six core data protection principles in the PDPO, and identifying any additional steps needed for protection to meet Hong Kong standards.

Supplementary measures can take the form of technical or contractual safeguards. They could involve encryption, anonymisation and pseudonymisation techniques as well as additional contractual provisions imposing audit, inspection and reporting obligations, breach notification requirements and compliance support/co-operation obligations for data importers. Ultimately they should aim to prevent data importers from repurposing personal data for other uses without prior consent being obtained from the data subjects.

If a transfer impact assessment reveals an inadequate level of protection in a destination jurisdiction, the data exporter must either suspend the transfer or implement appropriate supplementary measures – for instance notifying data subjects, revising PICS files and, where relevant, seeking their consent directly. Likewise, as part of any procedures taken to enforce standard contractual clauses, they must agree to jurisdiction and co-operation by their supervisory authority.