Data Hk and the Personal Data Protection Ordinance

Data Hk is a crucial component of any data governance program. It helps ensure that all relevant stakeholders have their input heard and that the right people have responsibility for key tasks. As such, data governance programs tend to involve a large number of people. A good way to manage this is to use a RACI matrix (responsible, accountable, consulted, informed) that clearly identifies each person’s role in the project. This is an easy-to-use approach for managing a project that involves many people.

In Hong Kong, data privacy law is governed by the Personal Data Protection Policy Ordinance (“PDPO”). It establishes rights of data subjects and specific obligations for data controllers through six data protection principles.

It is important to note that the PDPO defines “data user” broadly and includes any person who controls the collection, holding, processing or use of personal data. This is a very broad definition, and in some cases it may cover individuals who are not involved in the processing of data. For example, a journalist who takes photographs of crowds at a concert is not considered to be a data user because he does not control the processing of the personal data that the photograph records.

The PDPO also requires that data users expressly inform a data subject, on or before collecting their personal data, of the purposes for which the data is being used and the classes of persons to whom it will be transferred. As a result, the transfer of personal data is considered to be a form of use. This is in line with the definition of personal data used in other legislative regimes, such as the Personal Information Protection Law that applies in Mainland China, and the General Data Protection Regulation that applies in the European Economic Area.

With the rapid growth of cross-border business activities in Hong Kong and Mainland China under the “one country, two systems” principle, it is unlikely that the PDPO will include any statutory restriction on the transfer of personal data abroad from Hong Kong. It is possible, however, that contracts will be used to protect personal data during the transfer process, although the practical impact of this remains to be seen. In particular, it will be interesting to see how Hong Kong’s legal framework evolves in light of the ongoing negotiations between Mainland China and the EU over the Comprehensive Economic and Trade Agreement (CETA). It may be that CETA ultimately supersedes section 33 of the PDPO, although this is not yet known for certain. In any case, the development of the Mainland and Hong Kong legal systems will continue to have an impact on the global data privacy landscape, especially in the era of big data and AI. In this context, it is worthwhile for data managers to keep abreast of changes in legislation, including in Mainland China. This will help them make the best possible decisions on behalf of their data subjects.