Tech Data Distribution (Hong Kong) Limited, a TD SYNNEX company (“Tech Data HK”), is the leading global distributor and solutions aggregator for the IT ecosystem. The company empowers customers in 100+ countries to maximize their technology investments, demonstrate business outcomes and unlock growth opportunities. Tech Data HK brings together compelling IT products, services and solutions from more than 1,500 best-in-class vendors.
The Hong Kong Personal Data Protection Ordinance (“PDPO”) lays out specific data protection rights for individuals and strict requirements for businesses that handle their personal information, including controls on how personal information can be used. The PDPO was first introduced in 1996 and has been amended several times, most recently in 2012.
Modernisation of the PDPO is mooted, but until change happens, businesses must ensure they understand their obligations under the current framework. This is especially important for those with data governance programs that involve a large number of people and must be communicated clearly across all stakeholders.
A data governance program requires a vision and a business case that articulates the specific goals of the initiative. The business case should also spell out the actual people (roles) who will be involved in the project. A RACI matrix (responsible, accountable, consulted and informed) can be useful for organizing roles so that everyone is clear about what they need to do.
Currently, the PDPO limits the use of personal data to the purposes originally notified to the individual. It also prohibits the disclosure of an individual’s personal data for a new purpose without the consent of that individual, unless it is necessary to safeguard the life, health or safety of any person, protect the property of the government, public interest or national security, or carry out any other lawful activity.
If the definition of ‘personal data’ is changed to resemble that in GDPR, this would mean additional privacy protection for individuals and increased compliance measures for businesses handling sensitive information. A change to this definition could also have implications for those who use technologies that learn about individual behaviours. For example, the combination of a staff member’s name, photograph, company name and HKID number on their staff card is likely to be considered personal data under the PDPO, and should therefore be protected accordingly.