Data Hk and the PDPOData Hk and the PDPO
Data hk is a process of gathering and analysing information about individuals or legal entities, either from primary or secondary sources. It can be used for a variety of purposes, including business analytics and research, market forecasting, policy formation and public health management. Primary data may come from field observations, while secondary data comes from various sources such as published reports or surveys. The resulting data can then be combined to produce reports or statistics for business use or policy formulation by government agencies. Data hk also plays an important role in the insurance industry, providing useful insights on risks and customer satisfaction.
The PDPO defines personal data as any information that relates directly or indirectly to an identified or identifiable individual. This definition is in line with the definitions of personal data in other privacy laws. For example, the definition of personal data in the European Union’s General Data Protection Regulation is similar to that of the PDPO. The PDPO defines the processing of personal data as any activity that combines or uses personal data, whether it is collecting, recording, maintaining, organising, storing, retrieving, using, disclosing or transmitting personal data. In addition, the PDPO requires that personal data be processed fairly and in accordance with the law.
Under the PDPO, data users must ensure that personal data is kept securely and is protected against unauthorised access, processing, erasure or loss. They are also required to notify data subjects of any changes or intended uses of their personal data. However, there are certain exemptions from these requirements, for example, when the processing of personal data is necessary to safeguard Hong Kong’s security, defence and international relations, or for crime prevention or detection purposes. Other exemptions include the assessment or collection of tax or duty, news activities and due diligence exercises.
When a data user wishes to transfer personal data overseas, it must conduct a transfer impact assessment. This involves identifying and adopting any supplementary measures needed to bring the level of protection of the personal data transferred up to Hong Kong’s standards. These measures might be technical, such as encryption or anonymisation, or contractual, such as additional provisions relating to audit, inspection and reporting, beach notifications and compliance support and cooperation.
While increased cross-border data flow is widely viewed as beneficial, it has also imposed additional obligations upon data users. It is therefore vital that businesses are aware of the relevant regulations and adhere to best practice and ethical standards in their governance of personal data.
Padraig Walsh from the Data Privacy practice group at Tanner De Witt provides a brief overview of what needs to be considered when transferring personal data between locations, or within the same company. He highlights some of the key points to consider, as well as providing some practical advice for complying with these requirements. To find out more, download the full article.