Personal Data Retention in Hong Kong

A business may need to transfer personal data from Hong Kong to another jurisdiction in order to carry out its normal operations. This is especially common for businesses that offer cloud services, which can involve storing personal data on servers located in other countries. It is important for a business to have a clear policy on the retention of personal data and to communicate it to employees, so that they understand how long the company will retain their personal data. It is also important to consider which laws and regulations will apply when personal data is transferred.

The Hong Kong Government has been reviewing and putting forward possible amendments to the Personal Data (Privacy) Ordinance (“PDPO”). One proposal is that the PDPO would require businesses / data users to formulate a clear data retention policy which specifies a retention period for personal data collected. In this article, we look at the background to this proposed change and what it means for businesses in practice.

Under the current PDPO, a data user is required to ensure that personal data is not retained for longer than necessary for the fulfilment of the purpose(s) for which it is collected or used. However, the current PDPO does not specify any maximum or uniform retention period and it is left to data users to decide on what periods are both appropriate for their purposes and compliant with legal requirements.

In light of this, the new proposal to introduce a requirement that businesses formulate a clear data retention policy is a welcome development and provides some much-needed clarity for businesses. In a similar vein, the Privacy Commissioner for Personal Data (PCPD) has also been pushing for the introduction of a mandatory breach notification regime in Hong Kong. Having such a regime in place will help to provide better protection for individuals and increase the compliance measures that companies need to implement.

The definition of personal data in the PDPO includes any information that can be used to identify an individual. This can include a person’s name, identification number, location data, online identifier, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. It therefore covers the type of information contained on a staff card, which typically displays an employee’s name, photo, HKID number and job title, as well as other information related to their work duties.

When a business transfers personal data overseas, it must comply with the requirements of the PDPO, including the standard contractual clauses, and, where applicable, conduct a transfer impact assessment or contribute to a transfer impact assessment conducted by a competent authority. This is most frequently required where a data exporter in the EEA transfers personal data to Hong Kong, and it will often be triggered by the GDPR or other relevant law of the jurisdiction from which the data is transferred. However, there is a growing number of circumstances in which a business is likely to need to perform or contribute to a transfer impact assessment.