In Hong Kong, data protection law is based on the Personal Data (Privacy) Ordinance (PDPO), which sets out personal data rights for individuals and specific obligations for data users through six core data privacy principles. This extensive legislation aims to safeguard the privacy of people with regard to their personal data and has played a pivotal role in regulating personal information flows between organisations across the region.
Unlike the data protection laws of many other jurisdictions, the PDPO does not expressly confer extra-territorial application: it applies only to a data user who controls the collection, holding, processing or use of personal data in, or from, Hong Kong. This test can be misleading on its own, however, because it does not account for the wide range of activities that count as "use" of personal data under the PDPO, which extends to disclosure or transfer of the data.
A threshold question under the PDPO is whether a person can be identified from the data. An identifiable person is one who can be recognised, directly or indirectly, from the data or from any other information in the possession of the data user. This is a very broad definition: it can cover a name, an identification number, location data or an online identifier, as well as factors that reveal the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
The PDPO also regulates the purposes for which personal data may be collected and the classes of persons to whom personal data can be transferred. A data user must expressly inform a data subject, on or before collecting his personal data, of the purposes for which the personal data will be used and the classes of persons to whom the personal data may be transferred. This obligation is usually fulfilled by a data user providing the data subject with a Personal Information Collection Statement (PICS).
Data users are required to implement appropriate technical and organisational measures to protect the personal data they control from unauthorised or accidental access, processing, erasure, loss or use. They must also ensure that any agents or contractors they engage to process personal data on their behalf have adequate security measures in place and comply with the PDPO.
The PDPO prohibits the unauthorised disclosure of personal data, and a breach can result in substantial fines and even imprisonment. It is therefore important to train every employee who handles personal data on the organisation's PDPO policies and procedures.