In Hong Kong, personal data protection is regulated by the Personal Data Protection Ordinance (PDPO), which establishes data subject rights and provides specific obligations to data controllers through six data protection principles. One key aspect of the PDPO is its ban on the disclosure of personal information without consent, which is also known as ‘doxing’.
However, it is important to note that a number of exceptions are provided for in the PDPO. These include the ability to disclose personal information for certain public interests, such as assisting police investigations, preventing serious improper conduct, reporting news and conducting due diligence exercises. It is important to ensure that your organisation can satisfy these exceptions before transferring any personal data outside of Hong Kong.
Similarly, the PDPO also provides some exemptions from its use-limitation and access requirements. These turn on whether an individual can be identified directly or indirectly from the data, and on whether the information is stored in a form that can be readily accessed by individuals. In addition, the PDPO permits the use of personal data for the purposes of safeguarding the security of Hong Kong, its defence and international relations, the prevention or detection of crime, the assessment or collection of tax or duties, news activities and legal proceedings.
As such, it is essential to review your current processes and policies in order to ensure that you are complying with the PDPO. A risk-based approach is recommended, which involves assessing your business’s ability to meet the PDPO’s standards, and then determining how you can improve. This will help reduce the risk of breaching the PDPO and the associated fines.
Data governance programmes involve a lot of people, including stakeholders, business units and the wider IT department. Each of these groups has its own concerns and opinions, which can lead to conflict. The best way to manage this is to use a responsibility assignment matrix such as RACI (responsible, accountable, consulted and informed). This ensures that everyone involved has their say, while the final decision is made by the person with the most knowledge and authority.
Data transfer between businesses is often a necessity in the course of business activity. This is why it is essential to understand the regulatory environment around personal data transfers in order to minimise business risk and promote efficient compliance across organisations. Padraig Walsh from the Tanner De Witt Data Privacy practice group guides you through the PDPO’s rules for transferring personal data abroad, including how to apply the statutory safeguards.