Data hk is the practice of gathering and analysing information; combining primary and secondary sources to create statistics and reports for business use or policy formation by government agencies. Data is an essential tool for businesses and there are many different ways in which it can be utilised, whether to monitor customer satisfaction, understand market trends or to identify problem areas.
The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has published extensive guidance on the requirements for cross-border data transfers from Hong Kong and how those can be met. In particular, it requires that a data user who intends to transfer personal data to another person or entity in a jurisdiction other than Hong Kong, must carry out a “transfer impact assessment” before the actual transfer takes place. The purpose of the assessment is to ensure that the transferred data will be treated in a way that is consistent with the PDPO and its six core DPPs.
In this article, Padraig Walsh from Tanner De Witt’s Data Privacy practice group outlines the main points to consider when carrying out a transfer impact assessment and the steps involved in complying with data transfer laws. The article also discusses the implications of agreeing to standard contractual clauses that have been proposed by EEA data exporters under GDPR and the need for a Hong Kong data importer to contribute to such an assessment.
For the purposes of a transfer impact assessment, a “data user” is defined as a person who controls the collection, holding, processing or use of personal data (whether in its own right or in partnership with other persons). This includes any such activity carried out by an organisation and any such activity that is subcontracted to someone else. The PCPD’s guidance clarifies that the intention of the data user is a key factor in determining whether the assessment should be undertaken.
Where a transfer impact assessment reveals that the level of protection offered by a foreign jurisdiction is inconsistent with the PDPO and its DPPs, then the data exporter must adopt supplementary measures to bring the level of protection in line. This can include technical measures such as encryption, anonymisation or pseudonymisation; and contractual provisions relating to audit, inspection and reporting, beach notification and compliance support and co-operation.
Finally, the PCPD guidance sets out a “six step framework” for conducting a transfer impact assessment and suggests that it should be adopted as a best practice in all cases. In the event that an adverse assessment is made, then the data exporter should consider suspending the transfer and/or implementing adequate supplementary measures. However, this is a significant step and should only be triggered in the most serious of circumstances. In all other cases, the best approach is to carry out a transfer impact assessment in conjunction with the relevant data importer. This will avoid any unnecessary delay and ensure that the requirements of the PDPO are met in an efficient manner.