Data hk is information relating to an identifiable natural person. It includes data such as the name, identity card number, address, telephone numbers and other details pertaining to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. It may also include a reference to the person’s sexual preference or criminal convictions. It is widely used in business operations to measure customer satisfaction, for research and development by marketing companies and for policy formation by government agencies.
A person acquiring personal data must consider whether he has the right to do so. It is essential that he is aware of the six data protection principles (DPPs) set out in the Personal Data (Privacy) Ordinance (“PDPO”). The first question to ask is whether the collection of personal data falls within the scope of the PDPO, which applies only where a “data user” controls the collecting, holding, processing or use of the data in Hong Kong, even if the entire data cycle takes place outside Hong Kong.
If the answer is yes, the data user must fulfil a range of statutory obligations. These include a requirement to provide a Personal Information Collection Statement (PICS) to the data subject on or before collecting the personal data, and to obtain the voluntary and express consent of the data subject to processing the data for a particular purpose before it can be used for any other purpose.
If a data user wants to transfer personal data to another entity, it must comply with the obligation in DPP7 to obtain the consent of the data subject for that transfer. This is a very important element of the PDPO that is frequently overlooked in the context of data transfers.
When transferring personal data to a foreign jurisdiction, it is essential that the transferee conducts a thorough transfer impact assessment. This should take into account not only the DPPs but also the law and privacy environment of the destination jurisdiction, and its practices with regard to personal data.
If a company fails to comply with the requirements of PDPO, it could face fines of up to HK$1 million or imprisonment. This is why it is vital for businesses to ensure that they understand the requirements of PDPO and have effective processes in place to meet them. Padraig Walsh, partner of the Tanner De Witt Data Privacy practice group, takes us through some of the key points to note on data transfers, either from Hong Kong to other locations or into Hong Kong.