Passed in 1995, Hong Kong’s Personal Data (Privacy) Ordinance is one of Asia’s oldest and most established data privacy laws. It was created to give Hong Kong the levels of data protection that are necessary for its prominence as a trading hub.
As with other data privacy laws around the world, PDPO is designed to protect individuals from unfair or unnecessary use of information about them. It also sets out certain rights for those whose information is collected, and requires organisations to follow strict rules in how they handle personal information.
Under PDPO, all personal information collected must be done so on a lawful basis. An organisation must explain to an individual what they intend to do with that information before it is collected, ideally through a Personal Information Collection Statement (“PICS”) provided to the person upon request. The PICS must include the purpose for which the personal information is being collected and state whether the processing of the personal information will be automated or not. It should also describe the classes of persons to whom the data may be transferred and who will handle any requests made by a person for access to or correction of that personal information.
PDPO requires an organisation to keep only the personal information that is necessary for the purpose it was collected for, and not longer than that period of time. It also forbids organisations from disclosing or transferring personal information to any party not directly related to the original purpose of collection without first obtaining the prescribed consent of the individual.
The PDPO also requires an organisation to ensure that any information it holds about an individual is accurate, up-to-date and complete. In addition, it states that an individual must be informed of the right to request the deletion of any information deemed no longer needed for processing, and of their right to object to that processing. Finally, the PDPO prevents an organisation from using a person’s information for direct marketing activities.
As the PDPO was passed at the crest of a wave of globalisation, PDPO includes provisions aimed at regulating cross-border data transfers. Section 33 requires a Hong Kong data exporter to conduct an assessment of the foreign jurisdiction’s data protection standards and adopt any supplementary measures to bring those up to Hong Kong levels. These might be technical measures such as encryption or anonymisation, or contractual provisions imposing obligations on audit and inspection and reporting, beach notification, compliance support and co-operation.
The PDPO has a set of recommended model clauses for use in the event of a transfer of personal data from a data user to another data user or to a data processor. These can be incorporated into either separate agreements or schedules to the main commercial agreement with the other party, or as contractual provisions within the main commercial arrangement. Whichever form they take, these clauses will provide a significant level of additional protection that is not otherwise available under the PDPO itself.
