The first principles of data privacy are often taken for granted, but the interpretation of those fundamental concepts can be different across jurisdictions. Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”), for example, requires a data user to expressly inform a data subject on or before collecting his personal data of the purposes for which the data will be used and the classes of persons to whom the data may be transferred. It is important to remember that transfer is a form of use, and the PDPO defines the class of transferees as including third parties.
To make this work, it is necessary to have the right people on board, even if the actual team is small. A governance program can affect many people, from internal employees to external customers and partners. These people will have opinions, some of which may be strong and loud. To manage this, it is critical to have the right project leader who can bring structure and rigor to the initiative. This leader should be able to organize the efforts around a responsibility assignment matrix like RACI, which stands for responsible, accountable, consulted and informed.
As for the data itself, a key distinction is that the PDPO applies to personal data which can be identified “directly or indirectly” to a living individual, from which it is practicable to identify the individual, whether the identification is by reference to an identifier such as name; identification number; location data; or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Unlike some other data privacy regimes, the PDPO does not include an element of extraterritorial application, but only applies where the data user has operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong.
However, this does not mean that a data transfer in any other jurisdiction can be effected without adherence to the PDPO’s requirements. The PDPO contains many safeguards to ensure that personal data is transferred in accordance with its requirements, and these safeguards can be found in Part 4 of the PDPO. This article is based on the original version published by the Asia Pacific Data Protection Forum and has been updated for clarity and consistency. It is available for free download.