Data hk is an open data portal offering access to over one million datasets from international, EU, national, regional and local sources – such as open government data, academic publications and private sector research. Furthermore, its data visualization tools make exploring, analysing and understanding these datasets simpler for its users.
Hong Kong is a hub for businesses from around the world, and data transfers between jurisdictions are commonplace. Therefore, it’s essential for them to understand any regulations placed upon personal data transfers and take the necessary steps to comply with them.
One key provision of the PDPO requires data users to notify individuals, prior to gathering personal data, of its intended purposes and the classes of individuals to whom it may be provided (i.e., consent). Furthermore, data users cannot disclose personal information to another data user for another use (i.e. data use) without first receiving voluntary and express consent from individuals themselves.
Under the Personal Data Protection Order (PDPO), personal data refers to any information pertaining to an identifiable natural person. This definition aligns with that used under other legislation regimes such as the Personal Data Protection Law in mainland China and General Data Protection Regulation in Europe; however, an amended definition could broaden it even further to encompass any data capable of being associated with an individual identified or identifiable person.
If a data user engages a third-party processor outside Hong Kong to process personal data on its behalf, contractual or other measures must be put in place to ensure the level of protection for that personal data meets those set out by PDPO. These may include technical measures like encryption or pseudonymisation as well as contractual provisions imposing obligations related to audit, beach notification and compliance support and co-operation.
If a data transfer is being made to a jurisdiction without laws and practices that comply with those under PDPO, the data exporter must perform an assessment to ascertain what additional steps might be needed to bring it up to level of protection provided under PDPO. This may involve negotiating contractual provisions that include requirements on audit, inspection and reporting obligations; beach notification requirements; compliance support/co-operation obligations etc.