As a business operator dealing with personal data, it is vitally important that you are mindful of existing regulations and best practices when handling such data. Padraig Walsh from Tanner De Witt provides us with some essential points when moving personal information between locations within Hong Kong or within your own company.
Consideration must be given to whether the cross-border data transfer provisions of PDPO apply in any given situation. One key aspect is whether or not transferring personal data falls within its purview – failure to do so may result in serious penalties and prosecution.
Personal data is generally defined in PDPO as information pertaining to an identifiable individual. While this definition differs slightly from others such as China’s Personal Information Protection Law or the EU Data Protection Directive, it remains broadly consistent with international norms.
Another significant consideration when transferring data between entities belonging to the same group is whether or not the information being sent across is personal data. This factor becomes especially crucial for transfers between entities within the group, since such transfers often fall under group policies that limit transfer to cases where the personal information is necessary for the business activities of each entity within that group.
As part of any transfer of personal data, it is also essential that it meets the legal bases outlined in section 33 of PDPO, which allows businesses with common law interests in its use to share it among themselves and use it lawfully. Otherwise, such transfers would violate PDPO and should not take place.
Finally, it is worthwhile to assess whether or not the data user transferring personal information has completed a transfer impact assessment in accordance with PCPD recommendations. This step is much less onerous in Hong Kong than it would be under GDPR and involves an evaluation of the level of data protection available at its destination location overseas.
If the data user who is transferring their data hasn’t conducted an impact analysis of its transfer or their analysis is insufficient, additional measures may need to be taken in order to bring Hong Kong-level protection of personal information into their overseas location. These can include technical measures such as encryption, anonymisation or pseudonymisation as well as contractual measures such as audit, breach notification, and compliance support and co-operation. Furthermore, any data user who transfers personal data should ensure that any subcontractors involved in processing agree with their level of data protection – this usually requires signing an agreement between themselves and sub-processors.