Module Application
- Does your organisation conduct business transactions or activities where interactions may create a risk of, or appear to involve, breaches of data privacy or data exposure?
- Is the organisation in an industry that is particularly susceptible to data privacy, such as where there is a high degree of government regulation (such as organisations that engage in direct marketing, may be exposed to breaches of data privacy)?
Module Scope
The PRIVACY AND DATA PROTECTION module informs the Hong Kong organisation of their legal data privacy obligations. The module also demonstrates effective practical advice and assistance to the organisation to implement procedures and processes that will ensure compliance and regulatory accountability throughout all levels of the Hong Kong entity.
The PRIVACY AND DATA PROTECTION module advises the Hong Kong organisation of the processes and procedures they need to implement to ensure compliance with all legal and regulatory obligations. Core legal and regulatory obligations are based on considerations of the broad questions determining;
- Decision making;
- Accountability;
- Stewardship;
- Direction; and
- Control
To fulfill its purpose the module focuses on providing practical assistance to the Hong Kong organisation establishing and maintaining a robust foundational framework that determines;
- How the organisation will function;
- Who is the responsible decision maker;
- What matters are relevant to the decision-making process; and
- Whether the desired outcome has been achieved.
As entities, their employees and authorised individuals are all expected to be familiar with the broad landscape of legal obligations to which they are subject as well as more specific obligations relevant to the particular sector they are operating in, the PRIVACY AND DATA PROTECTION module should be subscribed by all Hong Kong organisations, their employees and authorised individuals. The aim of the module is to equip the subscriber with knowledge of their obligations when operating within Hong Kong and the circumstances in which these obligations are relevant to the Hong Kong organisation. The module also provides the subscriber with the skills they require to establish relevant systems and processes to ensure compliance throughout their organisation.
The broad scope of the PRIVACY AND DATA PROTECTION module is to provide answers to these questions;
- What are our legal obligations?
- From where are our legal obligations derived?
- How can we ensure that we are complying with our legal obligations?
- What are the consequences if we are not complying with our legal obligations?
The PRIVACY AND DATA PROTECTION module covers all legislated legal obligations of Hong Kong organisations and demonstrates practical assistance and guidance to ensure that these obligations are complied with through the implementation and maintenance of best practice processes throughout the organisation. The module also covers the role of the regulator as well as exemptions to the obligations, if applicable, and how they may or may not apply in particular circumstances.
The module fulfils this objective by comprehensively covering three areas;
- Legislation;
- Obligations; and
- Consequences
- The legislative and regulatory landscape from which the primary legal obligations are derived;
- District Court Ordinance (Cap. 336) (HK);
- Personal Data (Privacy) Ordinance (Cap. 486) (HK);
- Insurance Ordinance (Cap. 41) (HK);
- Communications Authority Ordinance (Cap. 616) (HK);
- Securities and Futures Ordinance (Cap, 571) (HK);
- Construction Industry Council Ordinance (Cap. 587) (HK);
- Companies Ordinance (Cap. 622) (HK);
- Electronic Health Record Sharing System Ordinance (Cap. 625) (HK); and
- Independent Police Complaints Council Ordinance (Cap. 604) (HK).
- The specific areas where legal and regulatory obligations apply to the Hong Kong organisation;
- Data privacy principles;
- Purpose and manner of collection of personal data;
- Accuracy and duration of retention of personal data;
- Use of personal data;
- Security of personal data;
- Information to be generally available; and
- Access to personal data.
- Lodgement of data access request; and
- Rejection and Notification of Data Access request.
- Correction of personal data;
- Lodgement of correction of personal data; and
- Rejection and notification of request to correct personal data.
- General maintenance;
- Disposal of redundant personal data;
- Maintenance of data user log book;
- Permissible fees; and
- Language of notice.
- Codes of Practice and guideline;
- Code of Practice on identity card number and other personal identifiers;
- Code of Practice on human resource management;
- Code of Practice on consumer credit data; and
- Privacy guidelines on monitoring and personal data privacy at work.
- Qualifying criteria for matching procedures and transfer of personal data;
- Circumstances approved for matching procedure;
- Lodgement of matching procedure request;
- Restrictions on transfer of personal data; and
- Repetitive collection of personal data.
- Provisions of personal data in direct marketing;
- Notifying data subjects and prohibited usage without consent; and
- Cessation on usage of personal data.
- Investigations, complaints, inspections and exemptions;
- Inspection of personal data, complaint reviewing process, investigations by the Privacy Commissioner for Personal Data and its authority to access premises;
- Restrictions on investigations initiated by complaints;
- Proceedings of the Privacy Commissioner for Personal Data, evidence, the protection of witnesses and the maintenance of secrecy;
- Completion of investigations and the publication of reports of the Privacy Commissioner for Personal Data; and
- Exempted personal data from the Personal Data (Privacy) Ordinance.
- Offences and penalties;
- Disclosure of personal data without consent;
- Failure to comply with enforcement notice and requirements of the Privacy Commissioner for Personal Data;
- Liabilities of an employer, principal and agent;
- Entitlement of compensation, time limit on presenting a case and the assistance provided by the Privacy Commissioner for Personal Data; and
- Aggrieved individual.
- Transfer of records between authorities;
- The insurance authority; and
- Electronic health records.
- Preservation of Secrecy;
- Secrecy and confidentiality in the finance industry;
- Duty to keep confidence;
- Information obtained or received through the Communications Authority;
- Information obtained under the Mandatory Provident Fund Schemes Ordinance; and
- Financial reporting and personal data.
- Providing Prescribed Information on Demand; and
- Protection of information.
- Inspection of a Company's Records; and
- Preservation of secrecy and personal data protections.
- Privacy and data protection legislations in Hong Kong imposes penalties for data privacy breaches and failures.
Significant consequences can apply to Hong Kong organisations, their employees and authorised individuals found to have breached or not complied with data privacy legal obligations. These consequences vary considerably depending on the nature and extent of the breach or failure. The PRIVACY AND DATA PROTECTION module covers specific consequences in detail. They can include monetary penalties, disciplinary measures and even terms of imprisonment for individuals found to have committed serious criminal offences.
The PRIVACY AND DATA PROTECTION module does not cover the rights or entitlements of individuals who have suffered damages or losses due to breaches of data privacy obligations by Hong Kong organisations. The module does not cover the process that an entity or an individual would follow to report or seek compensation for the breach or their loss.