The definition of personal data in Hong Kong is regulated by the Personal Data Protection Ordinance (PDPO). It sets out the rights and responsibilities of data users and regulates the collection, processing, holding, and use of personal data through six data protection principles. The PDPO was first enacted in 1996, but has been amended several times, including in 2012 and 2021. The amendments were primarily aimed at regulating direct marketing, and also to address the act of disclosing personal information without consent, known as “doxxing.”
The PDPO defines personal data as any information that can identify a living individual, whether it is recorded in a form that is identifiable or not. It can include name, identification number, location data, online identifiers, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. The PDPO does not include information about organisations or businesses, but if an organisation holds personal data on individuals, it must comply with the PDPO, even if the information is held for an entirely different purpose.
It is important to note that the PDPO does not include any exemptions, although there are exceptions for law enforcement and national security purposes. This is why it is important to consult legal counsel when preparing for data protection compliance. It is also a good idea to conduct regular data audits and refresh privacy policies to ensure that they are in line with the most current laws.
In addition to updating policies and procedures, businesses that hold personal data should review their contractual arrangements with third parties, particularly those that process the data outside of Hong Kong. These agreements should clearly state that the data will be protected in accordance with the PDPO. In addition, the contract should provide a clear description of the purpose for which the personal data will be processed and how it will be used.
As the definition of personal data is likely to be further strengthened, it is essential for organisations to take measures now to protect their data. This will ensure that they are ready when the new rules come into effect. It is also recommended that they keep a record of all personal data that they hold, as well as the purpose for which it was collected. This will be useful in case of any future disputes over the use of personal data. In addition, they should consider taking legal advice in respect of any cross-border data transfers that may be necessary. This will help them to ensure that they are compliant with data protection regulations in both jurisdictions.