The Hong Kong legal framework concerning privacy, data protection, and cybersecurity is consolidated under one piece of legislation, the Personal Data (Privacy) Ordinance (PDPO). All organisations that collect, hold, process or use personal data must comply with the PDPO and in particular, the six data protection principles (DPPs) in Schedule 1 of the PDPO, which are the foundation upon which the PDPO is based. The Office of the Privacy Commissioner for Personal Data (PCPD), an independent statutory body, was established to oversee the enforcement of the PDPO.
The PCPD published the Privacy Guidelines: Monitoring and Personal Data Privacy at Work to aid employers in understanding steps they can take to assess the appropriateness of employee monitoring. The guidelines are applicable to monitoring by telecommunications equipment (e.g., telephones, computers, mobile phones), company email services, internet browsing, video recording and closed-circuit TV systems.
Employers must ensure that they do not contravene the data protection principles of the PDPO while monitoring employees’ activities. In particular, employers must ensure that the following points are addressed:
The Privacy Management Programme: Best Practice Guide (see Section II.i, supra) also provides guidance for organisations to develop their own privacy policies and practices. In particular, it is recommended that organisations appoint a data protection officer to oversee the organisation’s compliance with the PDPO. In terms of company policies, apart from the Privacy Policy Statement (PPS) and Personal Information Collection Statement (PICS), the Best Practice Guide recommends that organisations develop key policies on the following areas:
The Best Practice Guide also emphasises the importance of ongoing oversight and review of the organisation’s privacy policies and practices to ensure they remain effective and up to date.
The use of personal data in connection with any legal proceedings in Hong Kong is exempted from the requirements of DPP3 (use of personal data), which requires organisations to obtain prescribed consent (see Section III.i, supra) from individuals before using their personal data for a new purpose. Accordingly, the parties in legal proceedings are not required to obtain consent from the individuals concerned before disclosing documents containing their personal data for discovery purposes during legal proceedings.
Regulatory bodies in Hong Kong such as the Hong Kong Police Force, the Independent Commission Against Corruption and the Securities and Futures Commission are obliged to comply with the requirements of the PDPO during their investigations. For example, regulatory bodies in Hong Kong are required to provide a PICS to the individuals concerned prior to collecting information or documents containing their personal data during investigations.
Nevertheless, in certain circumstances, organisations and regulatory bodies are not required to obtain the prescribed consent of the individuals concerned under DPP3. This includes cases where the personal data is to be used for the prevention or detection of crime and the apprehension, prosecution or detention of offenders, and where compliance with DPP3 would be likely to prejudice those purposes.
Another exemption from DPP3 is where the personal data is required by or authorised under any enactment, rule of law or court order in Hong Kong. For example, the Securities and Futures Commission might issue a notice to an organisation under the Securities and Futures Ordinance requesting the organisation to produce certain documents that contain its customers’ personal data. In such a case, the disclosure of the personal data by the organisation would be exempted from DPP3 by reason that it is authorised under the Securities and Futures Ordinance.
Legislative enactments relating to cybersecurity in Hong Kong are dealt with by both the PDPO and the criminal law. The Computer Crimes Ordinance was enacted in 1993 and, through its amendments to the Telecommunications Ordinance, the Crimes Ordinance and the Theft Ordinance, expanded the scope of existing criminal offences to include computer-related criminal offences. These include unauthorised access to any computer, damage to or misuse of property (a computer program or data), making false entries in banks’ books of account by electronic means, obtaining access to a computer with intent to commit an offence or with dishonest intent, and unlawfully altering, adding to or erasing the functions or records of a computer.
The PCPD published the Guidance on Data Breach Handling and the Giving of Breach Notifications, which provides data users with practical steps for handling data breaches and mitigating the loss and damage caused to the individuals involved. In particular, after assessing the situation and the impact of the data breach, the data user should consider whether the following persons should be notified as soon as practicable:
Recent trends in Hong Kong clearly show a stricter privacy regulatory regime, with closer scrutiny and increased enforcement action by the Privacy Commissioner. There is also growing public concern over privacy and data protection, and a rising public expectation that organisations should adopt policies and procedures to protect personal data. It is therefore crucial for organisations doing business in Hong Kong to establish robust data privacy compliance programmes to meet these growing requirements, and to conduct regular reviews and audits of their data privacy policies to keep pace with legislative and technological developments.