Data hk is the collection and analysis of information from a variety of sources for business purposes. Data can be used to improve customer service, increase revenue, find market trends and identify areas for improvement in businesses of all types. Data hk can be collected using primary data such as surveys or interviews, or secondary data such as published reports and statistics. It is increasingly important for businesses to understand how to collect and use data hk correctly and in compliance with applicable privacy regulations.
The main law governing data protection in the Hong Kong Special Administrative Region is the Personal Data Protection Ordinance (“PDPO”) which was first enacted in 1996 and amended in 2012 and 2021. The PDPO provides basic rights for individuals and specific obligations to data users through six data protection principles.
To be covered by the PDPO, information must concern an identifiable individual. The PDPO defines an identifiable person as one who can be identified directly or indirectly, for example, by reference to an identifier such as a name, telephone number or email address. This definition is consistent with international norms on the meaning of personal data. However, a mooted change to the definition of personal data that would be more aligned with those in other jurisdictions, for example, the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area, could have a significant impact on businesses that collect and process information that is likely to impact the identity of individuals.
A key aspect of the PDPO concerns data transfers. It requires that a data user expressly informs a data subject on or before collecting personal data of the purposes for which the data will be used and the classes of persons to whom the data may be transferred. This requirement is based on the principle that data transfer is a form of use, so that the PICS obligation cannot be avoided by transferring the data to another class of person after its initial collection.
The PDPO also provides a framework for processing of personal data outside of Hong Kong. This includes the requirement to use contractual or other means to ensure that any data processors outside of Hong Kong do not allow unauthorised access, processing, erasure, loss or use of personal data transferred to them. This is referred to as the ‘adequacy’ principle.