A data governance program is a multi-faceted initiative that includes policies, people and technologies. To succeed, the vision must be clear and the business case articulated. The latter must be specific, identifying the actual people (roles), technologies and processes that will support your governance efforts. It should also define the policies that align to your organization’s data goals.
To do this, the vision and business case must be written in a way that makes sense for your organization. It must specify the actual people that will support, sponsor, steward and operationalize your governance initiatives. Use a responsibility assignment matrix, such as RACI (which stands for responsible, accountable, consulted and informed), to ensure that the right person is providing input and approvals at the right time. A well-organized matrix will help to prevent silos of knowledge.
The PDPO defines data subject rights, sets out specific obligations for data controllers and regulates the collection, processing, holding and use of personal data through six data protection principles. The PDPO is a very comprehensive piece of legislation, and it is important for businesses in Hong Kong to understand how it applies to their operations.
For example, the PDPO requires a data user to expressly inform a data subject on or before collecting personal information of the purposes for which it will be used. This applies even if the purpose is not directly related to the original collection of the personal information. In addition, a data user must obtain the voluntary and express consent of the data subject before it can either transfer the personal data to a class of persons not set out in the PICS or use it for a purpose that is not notified to the data subject at the time of the original collection.
Another requirement of the PDPO is that a data user must protect personal information from accidental loss, destruction or unauthorised access or disclosure. This applies whether the data is in the form of a hard copy or electronic file. This includes ensuring that physical files are locked or password-protected and that computer systems are configured in a secure manner. This is particularly important for businesses that process personal information, such as CCTV recordings, logs of vehicles entering car parks and records of meetings, which may be used to identify individuals.