The Hong Kong government will establish a new office to draw up digital policies in the middle of this year, in an effort to boost innovation and technology-centered productivity and accelerate smart city initiatives. The move is an attempt to harness data as a key driver of economic growth, Financial Secretary Paul Chan Mo-po said in a Sunday blog post. Chan also called for clearer guidelines on data governance to promote a more responsible use of personal information and enhance people’s trust in the collection and processing of their data.
The prevailing law in Hong Kong is the Personal Data (Privacy) Ordinance (PDPO), which was first enacted in 1996 and is in line with international norms on what constitutes personal data. In the context of PDPO, the definition of personal data encompasses information that can be used to identify an individual. This includes data such as an individual’s name, HKID number and telephone number, as well as photographs of them.
Under PDPO, personal data must only be collected for a specified purpose and is subject to strict measures on how it is used, stored and destroyed. In addition, it must only be processed for legitimate purposes and in accordance with the principle of proportionality. For example, an individual’s name and HKID number may be publicly displayed together on staff cards, but this is only permitted when it is for the purpose of conducting employee verification. Furthermore, a staff card’s personal data cannot be transferred to third parties without the consent of the individual.
In addition to regulating data usage within Hong Kong, the PCPD has also been actively engaged in global privacy-related initiatives. It has been a member of several intergovernmental bodies and forums, including the Asia Pacific Privacy Authorities Forum, which aims to advance regional data protection standards; and the Digital Economy Steering Group Data Subgroup, which concerns cross-border transfers of data. The PCPD also takes part in workshops and forums convened by members of the European Union’s data protection authorities.
The PCPD has also released two sets of model contractual clauses to aid data transfers between data users, both of which address transfers of personal data between data users based in Hong Kong and those located abroad. The models include provisions ensuring that personal data will be treated in a similar manner regardless of whether it is processed in Hong Kong or outside the jurisdiction.
A good start to developing a data governance program is to understand your organization’s business goals for data. This will help you decide which roles to assign to your team and what tools to use. You’ll need a vision and a business case to guide your efforts. A vision should spell out your broad strategic objective and articulate the business opportunity for implementing data governance. The business case should be more pragmatic and hands on, specifying the actual people, technologies and processes you’ll need to support your governance program.