Personal Data Protection in Hong Kong

The Hong Kong Government is currently reviewing and putting forward possible amendments to the Personal Data (Privacy) Ordinance (“PDPO”) with a view to strengthening the protection for personal data. One of the proposed changes is that businesses or data users will need to formulate a clear data retention policy which specifies a retention period for the personal data they collect.

The term “personal data” is broadly defined under the PDPO to mean any information that relates to an identifiable individual, whether directly or indirectly. It can include information about an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. The PDPO sets out a number of core principles which businesses must comply with, including the principle that personal data should be collected for a lawful purpose and not used for any other purpose.

A business must also ensure that the information it collects is adequate but not excessive in relation to the purpose for which it is being collected. It must not be held for longer than is necessary for that purpose, and it must be accurate, up-to-date and kept securely. The PDPO requires a business to keep records of the purposes for which personal data is collected and of the individuals for whom it is processed. This record-keeping obligation applies to both paper and electronic records.

As a result, many businesses that are subject to the PDPO have policies and procedures in place for deleting or anonymising personal data when it is no longer needed. For example, an employee’s name and HKID number are likely to constitute personal data, and should not be displayed together or made available to anyone other than those who need them for the purpose for which the data was collected. Employees may also be required to sign a written consent before their name and HKID number can be collected and used for any new purpose other than that for which they were originally collected.

If a business intends to transfer personal data overseas, it must first check that the lawful basis for doing so is legitimate. It must also review its Personal Information Collection Statement (PICS) to ensure that it has properly disclosed the proposed transfer and, if not, obtain the data subject’s voluntary and express consent. In addition, the data exporter must consider any supplementary measures that it might need to adopt to bring the level of protection afforded by the foreign jurisdiction up to the standards of Hong Kong. These measures might include technical or contractual arrangements.

It is worth noting that there is a growing number of instances in which a business that operates in Hong Kong will need to carry out a transfer impact assessment because the laws of other jurisdictions apply to its business. The data privacy regulations of these jurisdictions are often more stringent than those of Hong Kong. This has led to an increase in demand for data privacy expertise across the region. The emergence of such skills is welcome, and it is hoped that the proposed changes to the PDPO will help to further encourage their development.