May 14, 2025

The Importance of Understanding the Data Protection Obligations

Data hk is a new initiative to promote best practice and ethical standards in the governance of personal data. It also seeks to facilitate efficient and compliant data transfers across organisations.

Data is a key asset for any business, and it is increasingly being used in a variety of ways. It can be used to understand customers better, make more informed business decisions and provide products and services that meet customer needs. It can also help improve efficiency, reduce costs and support innovation. However, it is important to remember that with the growth of data comes a responsibility to protect personal information. This is a complex task and requires the development of a culture of data protection that permeates all areas of an organisation.

Padraig Walsh from Tanner De Witt’s Data Privacy team discusses the importance of understanding the obligations that exist in respect of cross-border data transfer, whether it is from Hong Kong to other locations or from other locations into Hong Kong.

When it comes to the collection and use of personal data, there is a wide range of statutory obligations that must be met. This is especially true when it comes to data transfer. In addition to the six data protection principles (DPPs) that form the core data privacy obligations, there are specific provisions relating to data transfer, which have been interpreted broadly and impose significant and onerous requirements on data users.

The first step in any data transfer process should be to consider whether the data subject would reasonably expect the transfer to be made. This is a crucial question, as the DPPs include a requirement to inform the data subject of the purposes for which their personal data will be collected, and in particular, of any planned changes to those purposes. Consequently, a transfer can only take place where the data subject has provided their voluntary and express consent.

This requirement is reflected in the definition of “data user” under the PDPO, which refers to anyone who controls the collection, holding or processing of personal data. This includes any person who is a data user within the meaning of the GDPR, but excludes those who only have control over processing activities in the sense of their role in an organisation.

There is an important distinction to be made here, as it is common for data users to share data with other businesses and this can trigger a requirement to notify the other data user of the transfer. This notification can be in the form of a separate agreement, a schedule to the main commercial arrangement or as contractual provisions within the main commercial agreement.

The data exporter should carry out a transfer impact assessment to determine whether the personal data transferred is likely to be at risk of being abused or subjected to unlawful processing. This might involve technical measures such as encryption or anonymisation, or contractual arrangements such as breach notification, compliance support and cooperation.