Data HK – A Data Privacy Impact Assessment
Data hk is a new initiative to promote open data in Hong Kong. It is a result of a collaboration between Hong Kong’s Data Protection Commissioner and several data users. It is an important step towards more transparency in the use of personal data. It is a platform that provides data to the public in a secure and trusted manner. It is a good example of how businesses can collaborate to create and share useful information for the benefit of all stakeholders.
Data privacy regulation imposes many requirements on data transfers. These requirements are often complex and difficult to comply with. They can have a significant impact on business operations and increase the cost of compliance. However, if properly understood, the regulations can be applied in a practical way to reduce risk and facilitate efficient compliance with data transfer regulation.
The first thing to consider is whether the person intending to transfer personal data is a data user under Hong Kong law. If he is, then this triggers the obligation to fulfil a range of statutory obligations, including complying with the six data protection principles that form core data obligations under privacy law in Hong Kong.
One of these obligations is to expressly inform a data subject, on or before the collection of his personal data, of the purposes for which the information will be used and the classes of persons to whom it may be transferred. In addition, he must not transfer the personal data to a third party in any class of persons other than those that were notified on or before the collection of the personal data unless he has obtained the voluntary and express consent of the data subject.
Another requirement is that he must take steps to prevent the transferred personal data from being kept longer than necessary for the agreed processing purpose (DPP 2(3)). He must also ensure that any sub-processors of the transferring data user do not keep, process or otherwise access or use the transferred personal data in places outside Hong Kong other than those places that have been expressly agreed with him (DPP 4(2)).
In addition, he must take steps to protect the transferred personal data against unauthorised access, processing, erasure, loss or use by persons other than those to whom he has given permission (DPP 6).
In short, a data transfer impact assessment is required where a person wishes to transfer personal data to a data processor in another jurisdiction that does not comply with the same data protection laws as in Hong Kong. This is a common situation and one that requires careful consideration of the legal implications. The purpose of the assessment is to determine whether such a transfer will adversely affect the interests of the individual in a way that would require him to have the right to object to such a transfer.