Data HK – Personal Data Protection Regulations and How to Meet Them

Data hk is a 3G/4G prepaid SIM card with roaming data on the Three HK network, designed specifically for Indonesian domestic helpers working in Hong Kong. It’s available in 3Shops and selected Indonesian supermarkets. It comes with a preloaded amount of HK$38 credit that’s valid for 90 days from the date of activation.

The personal information protection regulation of Hong Kong imposes significant and onerous obligations upon data users in respect of cross-border transfers of data out of Hong Kong. Padraig Walsh, from the Tanner De Witt Data Privacy practice group, explains what those obligations are and how they should be met.

Data governance programs typically involve a large number of people: employees, customers, partners and stakeholders who are affected by data transfer decisions and procedures. It’s important to organize and streamline that process so that the right people get involved at the right time and everyone is clear about their responsibilities. A good way to do that is through a responsibility assignment matrix such as RACI (Responsible, Accountable, Consulted and Informed).

As the name suggests, this matrix assigns roles for each of these areas and sets out who’s responsible for each activity and who has input into decision-making. It’s also a helpful way to communicate project progress and status, especially in cases where there are multiple teams or groups working on a particular part of the program.

A key issue for data transfers under the PDPO is the question of who is considered to be a “data user” and thus subject to the PDPO’s requirements. The PDPO defines this as a person who controls the collection, holding, processing or use of personal data. That means that if a person controls all or any of those activities outside Hong Kong, the PDPO does not apply to them.

Another aspect of the PDPO is that the collection of personal data for a purpose must be lawful. In order to collect data for a new purpose, the data user must obtain the voluntary and express consent of the data subject. This must be done before the data user can transfer the data to a class of persons not set out in the original Personal Information Collection Statement (PICS) or use it for a purpose not specified in the original PICS.

The PDPO also requires data users to have appropriate security measures in place in order to protect personal data transferred out of Hong Kong. This is intended to ensure that the data transferred will be protected against unauthorised access, alteration or destruction. It is recommended that these measures be documented in a policy or in the form of contractual provisions within an overall commercial agreement. This can be in the form of a separate agreement, a schedule to the main commercial arrangement or as contractual provisions within the main commercial agreement itself. The form ultimately does not matter; the substance and content of the document are crucial. This is particularly important in respect of data transfers which involve third parties and/or third countries.