The recently enacted Personal Data (Privacy) (Amendment) Ordinance 2012 (the Ordinance) makes a number of significant changes to Hong Kong data privacy laws.
The changes take effect in two phases:
- most changes will come in on 1 October 2012;
- the new direct marketing rules will come into effect at a future date but this is expected to be around April 2013.
While the new direct marketing rules have attracted most media attention, there are many important changes which will apply from the beginning of October. With less than a month to go, there are two simple steps your business can take now to ensure you comply from day one.
- Check your agreements with data processors
A “data processor” is a person who processes personal data on behalf of your business and not for its own purposes. Common examples include providers of outsourced IT, payroll or telemarketing services.
The Ordinance requires that data users must take contractual or other means when using a data processor to prevent:
- the processor from keeping the personal data longer than necessary; and
- unauthorised or accidental access, processing, erasure, loss or use of data transferred to the processor.
Usually, the easiest way of doing this will be to include specific obligations in the data processor’s contract. If you use a data processor you should immediately:
- check your contract to confirm whether it already includes these obligations; or
- if not, seek to include these obligations as soon as possible.
It is important to note that a data processor is generally not bound by the Personal Data (Privacy) Ordinance (as it is excluded from the definition of data users) and therefore contractual provisions which merely require the data processor to comply with all applicable laws will not satisfy the new requirements.
- Review how you use personal data of minors and the incapacitated
The Ordinance changes the rules about how businesses are permitted to use and disclose personal data relating to people who cannot legally give consent: minors, the mentally incapacitated and persons who are otherwise incapable of managing their own affairs.
Generally, a data user can use and disclose personal data for three types of purpose:
- the original purpose for which the data was to be used at the time of its collection;
- any purpose directly related to that original purpose; and
- any other purpose to which the data subject has consented (which the Ordinance calls a “new purpose”).
However, where the data subject is a minor, is mentally incapacitated or is incapable of managing their own affairs, the Ordinance severely restricts the new purposes for which their data may be used. It provides that consent may be given by a “relevant person” (a parent, a person authorised by a court to manage the data subject’s affairs, or a person authorised by the data subject in writing), but it also provides that a relevant person may only give consent if they reasonably believe that the new purpose is in the best interests of the data subject. In addition, even if consent is obtained, the data user may not use the data for the new purpose unless it also reasonably believes that the new purpose is in the best interests of the data subject.
This would seem to rule out many potential uses of personal data of minors, mentally incapacitated persons or persons incapable of managing their own affairs. For example, it would be very difficult to justify direct marketing as “in the best interests of the data subject”.
All businesses who maintain this sort of personal data should immediately:
- review the purposes for which they use that data and whether any of those are “new purposes”;
- identify whether they have obtained consent for those new purposes; and
- consider whether those new purposes could reasonably be said to be “in the best interests of the data subject”.