Whether it is used to analyse customer satisfaction or identify market trends, data is a useful tool for any business. It can be gathered through primary and secondary sources: primary data such as field observations or published reports, and secondary data like statistics collected by businesses or government agencies. Often this information is combined into reports or statistics for business use or policy formation by government agencies. This data can be used to create targeted campaigns, improve product offerings, identify issues and even drive business growth.
The Hong Kong data privacy regime is outdated and has not been updated since its introduction in 2012. It is time to give serious consideration to adopting a new legal framework that includes the necessary safeguards for the digital economy. The GDPR offers a model for this. As a first step, Hong Kong could make its data access regime more user-friendly. The Access My Info: Hong Kong (AMI:HK) project provides an easy-to-use website that allows residents to submit access requests in English and Chinese to eight different mobile phone and internet service providers. To date, the site has generated 1603 requests.
A key element of the PDPO is that personal data must only be collected for specified purposes. There is also an obligation to provide information to a data subject on or before the collection of his personal data (described as a PICS). A person who controls the collection, holding, processing or use of personal data must comply with six core data protection obligations.
It is important to consider whether the data a person is collecting is actually personal data. If it is not, the PDPO does not apply and issues in respect of data transfer may not arise. If the data is personal, then a number of issues will arise. These include whether the purpose for which the data is being collected is lawful; whether it is necessary for that purpose and if not, whether the processing is proportionate; and whether the data is transferred outside Hong Kong.
If a person is transferring personal data abroad, he must prepare and carry out a transfer impact assessment (TIA). The TIA is designed to help him identify and consider the potential risks and benefits of a transfer of personal data. It should include an examination of the foreign jurisdiction’s laws and practices with regard to data protection and national security, as well as the exporter’s own responsibilities.
The PCPD’s guidance indicates that the TIA should be completed at least one month before a transfer is undertaken. In addition, the TIA should set out a plan for bringing any transferred personal data up to Hong Kong standards. This might include technical measures such as encryption or anonymisation, and contractual provisions requiring audit, inspection and reporting, data subject rights, breach notification, and compliance support and co-operation.
As the cross-border flow of personal data increases, it is important for companies to be able to trust that the data they are transferring is being treated lawfully in the jurisdiction to which it is being transferred. The TIA and the model data transfer contracts are designed to help ensure that this is the case.