Personal data in Hong Kong refers to information that identifies an individual, such as their name, address, email address or telephone number. Under the Personal Data (Privacy) Ordinance, companies that collect it must have a purpose and obtain consent before passing it along to third parties. Compliance monitoring by the Office of the Privacy Commissioner for Personal Data ensures compliance and can investigate violations such as doxxing as required.
Hong Kong enacted this law after transitioning from British colony to Special Administrative Region of China status in 1997, when there had been no prior data protection law. Concerns over possible misuse and erosion of human rights prompted its creation; as per international privacy legislation it provides guidance.
One of the major changes made by PDPO was requiring consent before personal data can be collected and shared, prohibiting sharing that is unnecessary for specific purposes and mandating data users take measures to ensure all collected personal information is accurate and up-to-date. Furthermore, data users are obliged to inform individuals of all purposes for which their personal information will be used as well as which individuals it might be transferred too.
If a company wishes to transfer personal data outside Hong Kong, they must first conduct a data protection impact analysis and ensure all processing takes place in compliance with local privacy laws. They must also obtain consent from any data subjects involved and adhere to any other statutory or common law requirements which may exist.
Any data governance program will involve many individuals from business and IT subject matter experts to project managers. An experienced project manager can organize this process by assigning roles based on the RACI model (responsible, accountable, consult, informed). This helps everyone understand their responsibilities clearly while keeping things moving while decreasing conflicts or escalated situations from emerging; ultimately helping the organization meet its business objectives for data governance programs.