Personal Data and PIPD in Hong Kong

The definition of personal data in the PDPO is not as wide as that of GDPR. The latter defines an identifiable natural person as a person who can be identified, directly or indirectly, by reference to any information such as name; identification number; location data; and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The PDPO, on the other hand, only requires that personal data be collected lawfully and fairly and for one purpose only. This does not mean that personal data can be used for new purposes, even with the consent of the individual, unless it is necessary to do so for a lawful purpose such as the prevention or detection of crime or the enforcement of the laws of Hong Kong or its territories. This is why it is important to consider the purpose for which you collect personal data when preparing for a PIPD assessment.

Whether an organisation will be required to obtain a PICS will depend on whether it processes sensitive personal data. If it does, it will be required to comply with a range of obligations under the six core data protection principles (DPPs) and any additional provisions in the PDPO.

As well as being required to have a PIPD assessment, any organisation that processes sensitive personal data will be subject to higher security and compliance requirements. This includes a duty to report any breaches of the PDPO to the Data Protection Supervisory Authority. It is also important for organisations to consider how they will deal with a data subject’s request to access their personal data under the DPPs.

In addition to meeting a requirement for a PIPD assessment, organisations that process sensitive personal data will be required to comply with the higher standards of the Data Protection Supervisory Authority’s Code of Practice. The code of practice sets out a framework for good practices and guidance on how to handle data in line with the principles of the PDPO.

Aside from being a legal requirement, it is in the interests of businesses to comply with the PDPO’s high standards as this will ensure that they meet their data protection obligations and avoid potential legal action. This is particularly the case for those who use personal data that has an impact on individuals. With the current mooted modernisation of Hong Kong’s data protection regime, there is no better time for companies to review their data processing activities and ensure that they are compliant with the PDPO.