In Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") regulates the collection, holding, processing, disclosure, and usage of personal data. The PDPO was enacted in 1995 and took effect from December 1996, with significant amendments made in 2012. The Data Protection Principles (the "DPPs" or "DPP"), contained in Schedule 1 to the PDPO, outline how entities should collect, handle, disclose, and use personal data. The Office of the Privacy Commissioner for Personal Data (the "PCPD") is the regulatory authority that enforces the PDPO in Hong Kong and also issues several guidelines to help organizations comply effectively with the PDPO.
The following are the major definitions of key terms:
Personal Data means information that relates to a living individual and can be used to identify that individual. Personal data should also exist in a form in which access to, or processing of the data is practicable.
Data User is a person or entity who, either alone or jointly with other persons, controls the collection, holding, processing, or use of personal data. This is the same as the term 'data controller.'
Data Processor is a person or entity who processes personal data on behalf of another person or entity (a data user) rather than for his/her own purpose(s).
The PDPO prescribes the following rights for the data subjects;
The PDPO applies to private and public sector organizations that process, use, hold, or collect personal data. It covers any organization that deals with the collection and processing of personal data irrespective of the location of processing provided that the personal data is controlled by the data user based in Hong Kong.
The PDPO provides the following exemptions for the processing of personal data in Part VIII;
The PDPO does not directly regulate data processors; therefore, they do not directly come under the application scope of the PDPO. However, data users are required to, by contractual or other means, ensure that their data processors meet the applicable requirements of the PDPO.
Under the PDPO, noncompliance with DPPs is not considered an offense; however, contravention of specific provisions of the PDPO is an offense that can result in hefty fines and imprisonment.
The PCPD has issued a table detailing the penalties for each contravention of the PDPO. This table can be found here.
SECURITI.ai’s award-winning compliance solution revolves around the concept of PrivacyOps, which calls for utilizing robotic automation, artificial intelligence, and machine learning. It provides enterprises with a system that automates the majority of compliance tasks, freeing up crucial resources for other areas of business.
SECURITI.ai helps businesses discover data over a web of internal and external systems, links personal data with each individual, conducts an automated internal assessment of policies as well as third-party vendors, manages consent, and does a lot more!
While businesses may hesitate to take the leap towards automation from their current manual methods for fear of the costs and change in infrastructure, it is clear that automation is truly the way forward. Automation increases ROI and productivity, lowers cost, and improves accuracy. It pays for itself and brings organizations several benefits along with it.
Automation helps you with swift and efficient compliance with the PDPO as well as other data privacy regulations. Watch it in action today!
The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.
“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”
- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc
A data subject can withdraw his/her previously given consent by written notice.
There are currently no restrictions on the transfer of personal data outside of Hong Kong under the PDPO. However, Section 33 of the PDPO sets out requirements for cross-border transfers that have not yet come into force.
Hong Kong’s government is currently reviewing the PDPO for possible amendments to ensure mandatory breach requirements and to introduce new provisions for strengthening the protection of personal data.
The PCPD has the power to inspect a data user's privacy management system to make recommendations on how compliance may be enhanced by the data user.