How Does Data Hk Work?
Data hk is a new online service to assist businesses in complying with Hong Kong’s data privacy regulations. It provides information and support on the application of six core data protection principles to data transfers between businesses, and offers templates that can be used to streamline compliance arrangements.
Padraig Walsh from Tanner De Witt explains why the service is important and how it works.
Modernisation of Hong Kong’s data privacy laws is mooted, but until this happens, businesses must be mindful of the existing legal framework. This includes the requirement to have clear and comprehensive contractual provisions in place to cover all the main obligations a data user is bound by. This is particularly relevant to cross-border transfer arrangements.
As a first step, a data user must assess the foreign jurisdiction’s laws and practices to determine whether its level of data protection meets that required under the Personal Data (Privacy) Ordinance (PDPO). This is commonly referred to as a “transfer impact assessment”.
If the assessment concludes that the foreign jurisdiction’s laws or practices do not meet the standards set out in the PDPO, then the data exporter must identify and adopt supplementary measures to bring the processing up to Hong Kong levels. This can be achieved through a variety of technical means such as encryption, anonymisation or pseudonymisation, or by adding a contractual provision to the transfer agreement.
Finally, the data exporter must also notify the data subject that the data is being transferred to another location. This can be done by issuing a personal information collection statement (“PICS”) or through other means such as notification in the form of a letter or email.
A PICS must contain certain prescribed information, including the purpose of collection and the classes of persons to whom the data may be disclosed or transferred. It must be provided to data subjects at or before the time of collecting their personal data.
The data user must also take steps to ensure that the data is securely transferred, including implementing appropriate security safeguards. This could include a requirement to adopt contractual or other appropriate means to prevent unauthorised access, use, processing, destruction or disclosure of the personal data being transferred for processing (DPP 5).
Although some of these statutory requirements appear onerous, businesses will have different commercial arrangements, so the requirements can often be tailored without diminishing their substantive protections. It is therefore a good idea for businesses to be familiar with the requirements, to have clear and robust transfer arrangements in place, and to continue to observe best practice and ethical standards in their governance of personal data. This will help them minimise the risk of breaching data privacy regulations and maintain a competitive advantage in their industry. In particular, this will be increasingly important given the close tie between Hong Kong and mainland China under the ‘one country, two systems’ principle, which will result in increasing volumes of personal data being transferred between the jurisdictions.