Hong Kong Data Privacy Laws
Data Protection and Privacy Legislation in Hong Kong
Hong Kong is one of Asia’s early adopters of data privacy legislation. It has a well-developed data protection regulatory framework compared to the rest of Asia, and its Privacy Commissioner for Personal Data is very active. The Office of the Privacy Commissioner for Personal Data (PCPD) is an independent statutory body set up to oversee enforcement of the main privacy law in Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”), which has been in force since December 1996. The purpose of the Ordinance is to protect individuals’ right to privacy by regulating the handling of personal data in Hong Kong. It applies to any person or organization, public or private, that collects, holds, processes or uses personal data. Guidance issued by the PCPD in February 2014 calls for businesses to adopt comprehensive Privacy Management Programmes directed at achieving compliance in all aspects of their business.
The Hong Kong legislation controls personal information collected and held by both public and private bodies and applies to automated and non-automated data. Data protection legislation only applies to public bodies in the United States, Canada and Australia but to both public and private bodies in Europe.
When collecting, holding, processing or using personal data in Hong Kong, businesses should comply with the data protection principles set out in the Ordinance.
Six Data Protection Principles (DPP) of the Personal Data (Privacy) Ordinance
1. Personal data shall be collected only for a lawful purpose directly related to a function or activity of the data user; collection must be lawful and fair and the data adequate for that purpose; data subjects shall be informed of the purpose for which the data are collected and are to be used.
2. All practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted once the purpose for which they were used has been fulfilled.
3. Unless the data subject has given prior consent, personal data shall be used only for the purpose for which they were originally collected or for a directly related purpose.
4. All practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.
5. Data users shall formulate, and make available, their policies and practices in relation to personal data.
6. Individuals have rights of access to and correction of their personal data. Data users shall comply with a data access or data correction request within the statutory time limit, unless a reason for refusal prescribed in the Ordinance applies.
Under the Ordinance, individuals have the right to confirm with businesses whether their personal data is held and to have their personal data corrected if it is inaccurate. Individuals also have the right to obtain a copy of their data upon payment of a reasonable fee.
Transfer of data to other countries
A specific section of the Ordinance regulates the transfer of personal data outside Hong Kong and prohibits such transfers except in specified circumstances, e.g., where written consent to the transfer has been obtained from the individuals to whom the data relate.
Penalties for Non-Compliance
Individuals may complain to the Privacy Commissioner about suspected violations of the Ordinance. The Commissioner can investigate complaints of breach as well as initiate investigations on his or her own motion. With increased fines and new regulations, it is clear that PDPO compliance has to be a priority for enterprises doing business in Hong Kong.
Persons who control or use personal data (“Data Users”) must prove they took all reasonable precautions and exercised all due diligence to avoid violation. The burden of proof is on the Data User and it is also liable for its agent’s contravention of the legislation. Violations can result in fines and even imprisonment.
Satisfying Hong Kong Data Privacy Requirements via a Cloud Data Protection Platform
The Blue Coat Cloud Data Protection Gateway lets Hong Kong enterprises define data protection policies that ensure sensitive data is appropriately secured and protected in cloud applications. Authorized data security administrators can select, on a field-by-field basis, whether data going to the cloud remains in clear text, is encrypted, or is replaced with a token. When tokens are used as surrogate values, the sensitive data never leaves the organization’s control in any form, which makes tokenization particularly useful for organizations that need to adhere to the Six Data Protection Principles (DPP) of Hong Kong’s Personal Data (Privacy) Ordinance.
The data in the cloud is either tokenized or encrypted, so it is meaningless when viewed in the cloud, and organizations can be confident that their sensitive data remains within their full control at all times.
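The field-by-field policy described above is easiest to see in code. The following is an added illustration written for this page, not Blue Coat’s or any product’s code: a hypothetical in-memory token vault kept inside the organization, a constructed per-field policy (clear or tokenize; the encryption option is left out to stay stdlib-only), and a check that confirms no tokenized value appears in the outbound record. The record, field names and the HKID-style value are constructed sample data.

```python
import secrets
from typing import Dict

# Per-field actions. A field with no policy entry is refused (fail closed)
# rather than silently sent in clear text.
CLEAR, TOKENIZE = "clear", "tokenize"

# Constructed example policy (an assumption for this illustration).
POLICY: Dict[str, str] = {
    "customer_id": CLEAR,    # non-sensitive reference, may leave in clear text
    "name": TOKENIZE,        # personal data: replaced by a surrogate token
    "hkid": TOKENIZE,        # identity number: replaced by a surrogate token
    "plan": CLEAR,
}


class TokenVault:
    """Hypothetical on-premises vault: the only place real values live.

    Tokens are random, so nothing about the original value can be recovered
    from the token itself; the mapping exists only inside this object."""

    def __init__(self, token_bytes: int = 8) -> None:
        self._value_to_token: Dict[str, str] = {}
        self._token_to_value: Dict[str, str] = {}
        self._nbytes = token_bytes

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so equal values map to equal tokens
        # (lets the cloud app match or deduplicate records without the data).
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(self._nbytes)
            if token not in self._token_to_value:   # avoid a collision
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]   # KeyError for an unknown token


def protect_record(record: Dict[str, str], vault: TokenVault,
                   policy: Dict[str, str] = POLICY) -> Dict[str, str]:
    """Build the record that is allowed to leave for the cloud application."""
    outbound: Dict[str, str] = {}
    for field, value in record.items():
        action = policy.get(field)
        if action == CLEAR:
            outbound[field] = value
        elif action == TOKENIZE:
            outbound[field] = vault.tokenize(value)
        else:
            raise ValueError(f"no policy for field {field!r}; refusing to send it")
    return outbound


def restore_record(outbound: Dict[str, str], vault: TokenVault,
                   policy: Dict[str, str] = POLICY) -> Dict[str, str]:
    """Reverse the gateway step for data coming back from the cloud."""
    return {f: vault.detokenize(v) if policy.get(f) == TOKENIZE else v
            for f, v in outbound.items()}


def outbound_contains_sensitive(outbound: Dict[str, str], record: Dict[str, str],
                                policy: Dict[str, str] = POLICY) -> bool:
    """Control check: does any tokenized field's real value leak outbound?"""
    protected = [record[f] for f in record if policy.get(f) == TOKENIZE]
    return any(p in v for p in protected for v in outbound.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; the HKID-style value is a placeholder.
    customer = {"customer_id": "C-1001", "name": "Chan Tai Man",
                "hkid": "A123456(7)", "plan": "gold"}
    sent = protect_record(customer, vault)
    print("outbound:", sent)
    print("leaks sensitive data:", outbound_contains_sensitive(sent, customer))
    print("restored:", restore_record(sent, vault))
```

The fail-closed default matters in practice: a new field added to a form upstream should cause the gateway to refuse the record rather than quietly send a new category of personal data in clear text, which is the kind of unintended use DPP 3 and DPP 4 are meant to prevent.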