Hong Kong Businesses Need a Bespoke bowers.law Data Retention Policy!
In this Room 228 Newsletter we look at the new personal data privacy rules which will soon have a significant impact on all Hong Kong businesses. While Apple-fans are keenly anticipating the new privacy protocol to be introduced in the new iOS 14 which should (maybe) help to protect Apple from privacy scandals, Hong Kong businesses should keep a close eye on and be prepared for new personal data privacy rules which are expected to become effective next year.
There are 6 key proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (PDPO):
- new mandatory data breach notification mechanism
- introduction of a data retention period
- strengthening sanctioning powers
- direct regulation of data processors
- redefining “personal data”
- regulation of disclosure of personal data of other data subjects
New mandatory data breach notification
This proposed new mandatory data breach notification mechanism will require data users to report data breaches which amount to a “real risk of significant harm” to the Privacy Commissioner within 5 business days and the affected data subjects should also be informed of the breaches. The notification may be provided by email, fax (regular readers will be aware of our strong views on the anachronistic use of the obsolete fax machine!) or post.
Data retention policy
The general principle under PDPO is that personal data should not be kept longer than necessary for a legitimate purpose. The longer the retention period, the higher privacy risk it attracts – simple logic (out of sight out of mind). The PDPO is still not seeking to impose any uniform retention policy, which means Hong Kong businesses will be expected to create, maintain, and implement their own effective record-keeping regimes for different classes of records containing personal data for specific purposes. Legal requirements under different laws and regulations will impact on the designated retention periods (e.g. employment and tax).
Currently, the maximum penalty for contravention is a fine of HK$50,000 which is (very) low by international standards. The changes are expected to increase the maximum fines and penalties under the PDPO, including the introduction of an administrative fine linked to the annual turnover of the data user, which for big business could mean BIG money!
Direct Regulation of data processors
Data processors are businesses which process personal data on behalf of another person, such as outsourced service providers. The PDPO currently only requires data users to impose their data protection measures on data processors by contractual means (i.e. under contracts), but data processors are not directly accountable for any data breach. This new proposal will impose legal obligations on data processors to observe and be directly liable under the PDPO for a retention period, security and mandatory notification of data breaches.
Redefinition of “Personal Data”
In view of the prevalent use of tracking and data analytical tools (do use Google Map, Gmail, Strava much?), it is proposed that the definition of personal data be expanded to include information that relates to an “identifiable” person, instead of only an “identified” person.
First, what is doxing? It is the internet-based practice of researching and publicly broadcasting private or identifying information about an individual or organization.
Another new (and topical) feature being proposed is the introduction of specific safeguards and sanctions to counter doxing, including conferring on the Privacy Commissioner statutory powers to require the removal of doxing content from social media platforms or websites, as well as carrying out criminal investigations and prosecutions.
Although there is currently no clear timeline for the proposed changes (improvements) to become law, it’s safe to say that Hong Kong’s existing personal data protection / privacy laws lag some way behind international standards, and are really only paper tigers in the fight to protect personal data in the digital age. There may still be further amendments coming to the PDPO, but we expect Hong Kong’s Legislative Council to be giving a big nod to (and cut & paste) provisions of the European Union’s much more comprehensive and digital age-appropriate General Data Protection Regulation (GDPR).
Well-publicised recent doxing incidents should be a reminder of just how easily and quickly personal data can be leaked and misused. With the instant availability of an innumerable range of social media postings on never-ending social media platforms just a single click away, Hong Kong businesses should be prepared in good time before the introduction of these changes to the PDPO by putting in place effective compliance policies and procedures and staff training in order to identify any weaknesses in their existing data protection protocols, and to enable them to effectively and quickly address (almost inevitable) data breaches so as to minimise both business and reputational risk.
The creation and effective implementation of a bespoke bowers.law data retention policy should mean that your Hong Kong business is ahead of the curve and ready to protect the data of all its employees, customers, suppliers and stakeholders.
For additional information on this Room 228 Newsletter, log onto the website of the Office of the Privacy Commissioner for Personal Data at www.pcpd.org.hk
This Newsletter is not intended to be and should not be relied on as legal advice. You should seek professional legal advice before taking any action in relation to the subject-matter of this Newsletter.