Data Transfer Impact Assessment

If a business wants to transfer data abroad, it must comply with Hong Kong’s laws and best practice. This includes a requirement to conduct a transfer impact assessment before the transfer takes place. This is an important obligation that businesses should not ignore.

A transfer impact assessment is an evaluation of the level of protection in the destination jurisdiction for a given class of personal data. The assessment aims to identify measures that can be taken to ensure that the transferred data is adequately protected in line with Hong Kong’s laws. These measures can be technical or contractual. For example, a technical measure might be to apply a level of encryption or pseudonymisation. A contractual measure might include additional terms relating to audit, reporting, breach notification, and compliance support and co-operation.

The data transfer impact assessment can be completed using a set of recommended model clauses. These are available from the PCPD’s website and have been developed with a view to adoption by medium-sized enterprises. They include provisions requiring the recipient to adopt appropriate technical and organisational measures to bring the transferred personal data up to Hong Kong standards, a requirement that the recipient not use the personal data for any purpose other than those agreed with the original data user, and a requirement that the recipient not permit any third party to access the transferred personal data in any way that would violate DPP1.

It is also necessary to assess whether a foreign jurisdiction’s laws and practices comply with the PDPO. If they do, the transfer is likely to be lawful. For example, the PDPO excludes from its scope persons who do not control the collection, holding, processing or use of personal data in Hong Kong. A person controls these operations if he or she is in the country when the collection takes place. This excludes individuals who have moved to Hong Kong and businesses in which the collection of data does not involve individuals living in the country.

A further consideration is whether the personal data is likely to be sensitive. The PDPO defines sensitive personal data as information relating to a person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life, criminal convictions, criminal proceedings and offences, financial status, marital status, nationality, religion or other beliefs, occupation, property, medical records, genetic data, biometric data, sexual orientation, image, religion or belief. The definition is similar to that in the GDPR.

Creating a governance program involves a lot of people, which is why it’s important to define roles and responsibilities early on. You should also consider using a responsibility assignment matrix such as RACI (responsible, accountable, consulted and informed). It will help you map out who will be involved in the process, so that everyone is clear about their role and responsibilities. It is also important to communicate well and regularly. This will enable you to gain buy-in and support from key stakeholders and to get your project off the ground.