What to Consider When Transferring Personal Data to Hong Kong

A key part of a data governance framework is your people. You need a team that is both business and IT savvy to translate how your policies affect the organization’s processes, decisions and interactions. They are also the people who will support, sponsor, steward and operationalize your governance framework. They will be the ones who will help you get value from your investment in data.

You must have a vision and a business case for your governance program. Your vision should clearly articulate your broad strategic objectives, and your business case should be specific and actionable. Your business case should detail the people (roles), technologies and processes that you need to align with your governance program goals. It should also include a cost-benefit analysis and a risk/reward profile for each initiative.

The PDPO requires data users to have a lawful purpose for collecting personal data and to notify the data subject of that purpose on or before collection. It also states that data may only be used for the purposes stated in the PICS and not for any other purpose unless the consent of the data subject is obtained. This includes the transfer of personal data.

A mooted change to the PDPO definition of personal data would expand it to cover an identifiable natural person, rather than only a person who is identified. This change is meant to catch a wider range of uses, and could potentially lead to more businesses being required to comply with the PDPO.

If you are considering transferring personal data to Hong Kong, there are some important things to consider. First, determine whether the data is subject to the PDPO. This will be based on whether the person acquiring the data controls the collection, holding, processing or use of the data. Then, determine whether the data concerns a particular individual or is intended for an individual.

The PDPO provides that personal data must be collected fairly and in accordance with the laws of Hong Kong. The data collected must be adequate and not excessive in relation to the purpose for which it is collected, and it must be accurate, complete and up to date. Additionally, it must be protected against unauthorized access, modification or disclosure, and against unnecessary retention. This is to ensure the integrity of the data and its security. Finally, it must be made accessible to individuals in a manner that is not unreasonably costly or difficult.