Data Governance in Hong Kong
A data governance program is complex and involves many stakeholders, including employees, customers and partners. The most effective programs have a clearly defined vision and business case. The vision spells out your broad strategic objective for building a governance framework, while the business case is more hands-on and focuses on your specific data goals. Your vision will inform your policies and help you determine which roles to fill. The role of the data governance leader, for example, entails managing the program and driving ongoing activities and metrics. This person is often a skilled project manager who has a strong understanding of business processes and technology. They also serve as the primary point of escalation for the steering committee and executive sponsor.
The Office of the Privacy Commissioner for Personal Data (PCPD) is the statutory body responsible for promoting and enforcing compliance with Hong Kong's data protection law, the Personal Data (Privacy) Ordinance (PDPO, Cap. 486). The PDPO is built around six Data Protection Principles (DPPs) that bind every data user, that is, any person who controls the collection, holding, processing or use of personal data. Under DPP1, personal data may be collected only for a lawful purpose directly related to a function or activity of the data user, and the data subject must be informed, on or before collection, of the purpose of collection and the classes of persons to whom the data may be transferred. Under DPP4, the data user must take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. Note that the PDPO does not currently impose a statutory duty to notify the PCPD or affected individuals of a data breach: the PCPD encourages notification as good practice and publishes a breach notification form for the purpose, but the obligation remains voluntary.
The PDPO has been amended to keep pace with changes in how personal data is used. The 2012 amendments introduced a direct marketing regime (Part 6A), which requires a data user to notify the data subject and obtain consent before using personal data in direct marketing and creates offences for breaching it; the 2021 amendments criminalised doxxing (disclosing personal data without consent with intent to cause specified harm) and gave the PCPD criminal investigation and cessation-notice powers. The PCPD also takes part in regional and international privacy cooperation, including the Asia Pacific Privacy Authorities (APPA) forum and the Global Privacy Assembly.
Further reform has been under discussion since 2020, when the Government and the PCPD put proposals to the Legislative Council that would bring the PDPO closer to international standards, most notably the European Union's General Data Protection Regulation (GDPR). The proposals include a mandatory breach notification requirement, an obligation to maintain a data retention policy, direct regulation of data processors, and administrative fines. One change mooted is to widen the definition of personal data so that it covers data relating to an identifiable natural person, as the GDPR does, rather than only data from which it is practicable to ascertain the identity of the individual, which is the current test. None of these proposals had been enacted at the time of writing.
Section 33 of the PDPO, which restricts the transfer of personal data to places outside Hong Kong, was enacted in 1995 but has never been brought into operation, so cross-border transfers are currently governed by the DPPs (in particular DPP3 on use and DPP4 on security) and by PCPD guidance. That guidance recommends a transfer impact assessment before personal data leaves Hong Kong, covering the legal regime of the destination, the recipient's security controls, and how the data subject's rights of access and correction will be preserved, and, where the destination offers weaker protection, binding the recipient through the PCPD's Recommended Model Contractual Clauses (2022). The assessment matters most when the transferred data is sensitive, for example health or financial records, or data whose disclosure could affect national security or public safety.