Data hk is the term used in Hong Kong to describe personal information that can be linked back to an identifiable individual. It includes any information that can be directly or indirectly associated with a living individual, including the person’s name, ID number, address, telephone number or email address. Other types of data hk include financial and health records, credit reports, medical records, driving licence details and photographs.
The definition of data hk is narrower than that used in other jurisdictions, as it only applies to information that can be attributed to an identifiable individual. Consequently, the pool of personal data is smaller than in some countries. A change to the definition of data hk is mooted by the government, which would broaden it to capture more types of information.
While data hk can be used to identify an individual, it is important to distinguish between personal and business-related data. The former is protected by the Personal Data Protection Policy (“PDPO”), which sets out a series of six core data obligations that all data users must comply with.
A key aspect of PDPO is that the personal data of an individual must be collected with his voluntary, express and informed consent, obtained on or before the collection of his personal data. This requirement is often referred to as the ‘PICS’, or Personal Information Collection Statement, and is a key element of data privacy in Hong Kong.
When considering whether a PICS is required, it is important to consider the purpose for which the personal data is being collected. If the intention is not to identify an individual, then it will not be considered to be personal data and therefore no obligation to provide a PICS arises.
Once personal data has been collected, it cannot be used for a new purpose unless the consent of the data subject is renewed. Consent can be renewed by a PICS which must set out the purposes for which the personal data is being collected and the classes of persons to whom it may be transferred. It is also important to remember that transfer is a form of use and therefore the same PICS requirements must be met when transferring personal data.
When a data user is planning to transfer personal data outside of Hong Kong, it is important to consider the impact of PDPO. While several data privacy regimes contain a degree of extra-territorial application, Hong Kong does not. It is instead necessary to consider whether the data user has operations that control all or part of the collection, holding, processing or use of the personal data within Hong Kong. If this is the case, then the data user must fulfil a range of statutory obligations, including complying with the six DPPs and obtaining the express consent of the data subject to transfer personal data. The PCPD has issued two sets of model contractual clauses to help facilitate these transfers. These models are available on the PCPD website.