Hong Kong Data Privacy and Cyber Security Regulations and Compliance
Personal Data (Privacy) Ordinance (PDPO) 1996
Hong Kong’s 1996 Personal Data (Privacy) Ordinance (PDPO) was enacted to govern the way in which data subjects’ personal data was collected, processed and used by data users.
- Personal data is defined as ‘any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable’.
- Data subject is defined as ‘the individual who is the subject of the data’.
- Data user is defined as ‘a person who, either alone or jointly in common with other persons, controls the collection, holding, processing or use of the data’.
Data Protection Principles
The PDPO laid down six Data Protection Principles (DPPs):
- DPP1: Personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used.
- DPP2: All practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfilment of the purpose for which the data are used.
- DPP3: Unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.
- DPP4: All practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.
- DPP5: Formulates and provides policies and practices in relation to personal data.
- DPP6: Individuals have rights of access to and correction of their personal data. Data users should comply with data access or data correction request within the time limit, unless reasons for rejection prescribed in the Ordinance are applicable.
The Office of the Privacy Commissioner for Personal Data
The Office of the Privacy Commissioner for Personal Data (PCPD) was established by the PDPO to oversee data users’ compliance with the PDPO. Its mission is ‘to secure the protection of privacy of the individual with respect to personal data through promotion, monitoring and supervision of compliance with the Ordinance.’
Personal Data (Privacy) (Amendment) Ordinance (PDPAO) 2012
The Personal Data (Privacy) (Amendment) Ordinance (PDPAO) was introduced in 2012 to strengthen the PDPO and address the use of personal data for direct marketing purposes. The Amendments have been effective since April 2013.
Penalties for non-compliance
- The PDPAO makes it an offence punishable by up to three years’ imprisonment and a fine of $500,000 (HKD$) for data users to use or disclose data subjects’ personal data without their consent.
- A maximum penalty of five years’ imprisonment and a fine of up to $1,000,000 (HKD$) is introduced for providing personal data for gain, or if the disclosure of their personal data causes loss or psychological harm to a data subject.
- The Privacy Commissioner may serve enforcement notices on data users if they fail to comply with the Ordinance. Repeated contravention of the Ordinance is punishable by two years’ imprisonment, a fine of $50,000 (HKD$) and, in the case of a continuing offence, a daily fine of $1,000 (HKD$). Repeated contravention of enforcement notices is punishable by two years’ imprisonment, a fine of $100,000 (HKD$) and, in the case of a continuing offence, a daily fine of $2,000 (HKD$).
Computer Crimes Ordinance 1993
The Computer Crimes Ordinance was enacted in 1993, creating new computer-related criminal offences and extending the scope of existing offences by amending the Telecommunications Ordinance (Cap. 106), the Crimes Ordinance (Cap. 200) and the Theft Ordinance (Cap. 210). These offences and their penalties are detailed below.
Telecommunications Ordinance (Cap. 106)
- Section 27A makes unauthorised access to any computer a criminal offence punishable by a fine of $20,000 (HK$).
Crimes Ordinance (Cap. 200)
- Section 59 extends the definition of property to include ‘any program, or data, held in a computer or in a computer storage medium’. Destruction of, or damage to, property belonging to another – including the misuse of a computer – is a criminal offence punishable by up to ten years’ imprisonment.
- Section 85 extends the definition of making false entries in bank account books to include the falsification of electronic banking records, an offence punishable by life imprisonment.
- Section 161 makes accessing a computer with intent to deceive or commit an offence a criminal offence punishable by five years’ imprisonment.
Theft Ordinance (Cap. 210)
- Section 11 extends the definition of burglary to include ‘unlawfully causing a computer…to function other than as it has been established by or on behalf of its owner to function’, ‘unlawfully altering or erasing any program, or data, held in a computer’, and ‘unlawfully adding any program or data to the contents of a computer’. Burglary is a criminal offence punishable by 14 years’ imprisonment.
- Section 19 extends the definition of false accounting to include the destruction, defacement, concealment or falsification of records ‘kept by means of a computer’. False accounting is a criminal offence punishable by ten years’ imprisonment.
Data Protection and ISO27001
DPP4 of the PDPO states: ‘All practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure’. In order for organisations to take practical steps towards effective data management they need to implement a robust Information Security Management System (ISMS). Information security is a broad approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.
ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an ISMS and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.
Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.
The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonize with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.
Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
Why IT Governance?
IT Governance is a specialist in the field of information security and IT Governance, and has led more than 140 successful certifications to ISO27001 around the world.
IT Governance has created ISO 27001 packaged solutions to give Asia Pacific organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.
Get started today >>