Data HK and the PCPDPO
Data HK is a free, open-source repository for scholarly datasets deposited at Hong Kong University. It stores the datasets, provides access to them and mints a digital object identifier (DOI) for each of them. The DOI can then be used in monographs and journal articles to cite the data, as well as for reporting research completion to funders and institutions. Data HK is also able to host data from other repositories, as long as the data is duplicated in the HKU DataHub and the metadata describing it is deposited in the same place.
The PDPO defines a “data user” as any person who controls the collection, holding, processing or use of personal data in or from Hong Kong. It does not contain any express provisions conferring extra-territorial application, but in the context of data transfers it is common to assume that the PDPO has some scope for applicability to persons who control the transfer of personal data between Hong Kong and a foreign jurisdiction.
In a scenario where a data user is transferring personal data to an overseas entity, the PCPD may require it to agree to the standard contractual clauses and to contribute to a transfer impact assessment. The standard clauses will have a number of prescriptive provisions, such as that the data exporter should undertake an assessment to identify any supplementary measures necessary to bring the level of protection of the transferred personal data up to the standards in Hong Kong. This might include technical measures such as encryption, anonymisation or pseudonymisation, split processing or multi-party processing, and contractual provisions covering audit and inspection, breach notification, compliance support and co-operation.
A further issue to consider is whether the PDPO requires a data exporter to make a “personal information collection statement” (PICS) available to individuals whose personal data are collected and processed by its overseas business. The PICS will be required if the data is intended to be transferred outside the EEA, or if it is to be offered to people in the EEA as part of an online service or a database that monitors the behaviour of people in the EEA.
While the approach of Hong Kong to adequacy and equivalent regimes may seem out of step with international trends, the need for efficient and reliable means of transferring personal data with mainland China and internationally will probably drive change in this area in the future. For now, it is a matter for individual businesses to weigh up the pros and cons of this approach against their own particular circumstances. If in doubt, it is best to consult the PCPD for guidance. Ultimately, however, it is up to each business to ensure that its data transfer practices comply with the PDPO and its DPPs. Those that do will be able to demonstrate this compliance through the issuance of a PDPO certificate.