In Hong Kong, the data protection regime is governed by the Personal Data Protection Ordinance (PDPO), which establishes personal information-related rights for data subjects and imposes specific obligations on data users. It also regulates the collection, holding, processing or use of personal data through six data protection principles. The PDPO came into force on 20 December 1996 and has been amended several times, most recently in 2012 and in 2021.
The PDPO defines “personal data” as information about an identifiable person, including information that relates to his or her identity, financial status, profession, health or lifestyle. It further requires that the data user inform the data subject of the purposes for which the personal data is collected and, where necessary, the classes of persons to whom the personal data may be transferred. This is normally done by way of a Personal Information Collection Statement (PICS), which must be provided to the data subject on or before the date on which the personal data is originally collected.
Data users' obligations regarding collection and use are mainly defined by DPP1 (Purpose and Collection) and DPP3 (Use of personal data). A data user must expressly inform a data subject, on or before the data is collected, of the purposes for which the personal data is to be used. This must be accompanied by a clear and concise statement of the data subject’s voluntary and express consent. The data user must also keep a record of the purpose for which and the class of persons to whom the personal data is to be used.
It is important to note that there are no statutory restrictions on the transfer of personal data outside Hong Kong. However, the PDPO does contain provisions that help to protect personal data transferred from Hong Kong through contractual arrangements. These are designed to ensure that the personal data transferred will be protected in accordance with the PDPO’s six data protection principles.
A further stipulation in the PDPO is that personal data collected in Hong Kong may only be used for the purposes for which it was collected unless the personal data is transferred for another purpose and the data subject has given his or her express consent. The transfer must be fair and lawful, and in compliance with the PDPO’s requirements on data security.
In addition to its regulatory role, the Privacy Commissioner for Personal Data (PCPD) also promotes and monitors good practice in the field of data privacy through its open data initiative. This includes the establishment of an Open Data Index and a set of best practices for open data in Hong Kong. This is in line with international best practice and demonstrates the commitment of the PCPD to promoting data transparency and accountability, as well as ensuring that all data collected is properly handled. The index will also provide a tool for assessing the quality of open data in Hong Kong. It will be updated every year and will reveal the progress that has been made in implementing international standards in Hong Kong.