Personal Data Protection in Hong Kong

HK, which stands for Hong Kong, is the abbreviation of the Special Administrative Region of the People’s Republic of China. The territory is a major international financial centre and is renowned for its high standards of living, with many world-class facilities and services available to residents and visitors alike. Moreover, Hong Kong is the second largest trading hub in Asia and the third largest in the world, making it an attractive place to start or expand a business.

As the data economy continues to grow and evolve, it’s important for businesses in Hong Kong to keep pace with these changes and understand how they can better protect personal information. The Hong Kong Government is reviewing and putting forward possible amendments to the Personal Data (Privacy) Ordinance (“PDPO”) with a view to strengthening the protection of personal data. One proposed amendment would require data users to formulate a clear data retention policy which specifies a retention period for the personal data collected.

The PDPO requires data users to use contractual or other means to ensure that personal data processed by them or on their behalf is protected against unauthorised access, processing, erasure, loss or disclosure and is not retained for longer than necessary for the purpose for which it was collected or for which it was transferred. It does not, however, provide for a mandatory uniform data retention period and data users may be required to formulate their own policies, taking into account the specific legal requirements applicable to them.

In addition, the PDPO makes it unlawful for an entity to disclose a person’s personal data without that individual’s consent unless there are permitted grounds under the PDPO. These include providing the personal data to a law enforcement agency, complying with court orders or subpoenas or releasing the information on social media or the Internet.

This change would impact a variety of industries, particularly those which rely on the collection, analysis or processing of personal data. For example, staff cards typically exhibit an individual’s name, company name, photograph and employee number which are likely to constitute personal data. In the event that this amendment becomes law, companies will need to review their data governance practices and update their policies accordingly.