On 18 February 2014, Hong Kong’s Office of the Privacy Commissioner for Personal Data (the PCPD) released the Privacy Management Programme: A Best Practice Guide (the Guide). Organisations are now encouraged to, on top of compliance with the legal requirements, proactively embrace privacy and data protection as part of their corporate governance responsibilities through the new Privacy Management Programme (PMP). Mr Simon McConnell and Ms Mun Yeow of Clyde & Co (Hong Kong) elaborate more on the Guide as well as the PMP.
The release of the Guide is a clear signal of the PCPD’s determination to change corporate culture on personal data protection and to tighten the supervision of data users, particularly those with large databases of customers.
Background
In 2011, due to heightened public awareness in Hong Kong of privacy and corporate sensitivity about customers’ or clients’ data, the PCPD attempted to implement the Data User Return Scheme (DURS) set out in Part IV of the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO).
The proposed DURS would require data users to file an annual return regarding the personal data controlled by them, the purposes of collection or processing of such data and other relevant information. Intentional provision of false/misleading information would constitute an offence. It was proposed that the DURS would be rolled out in phases, and the first phases would cover the banking, telecommunications and insurance industries, the public sector and organisations with a large database of members. In 2013, the PCPD decided to put the DURS project on hold until the reforms of the EU privacy law have been finalised.
As an interim measure, the PCPD has encouraged the banking, telecommunications and insurance sectors to implement a PMP. The objective of this project is to shift corporate perceptions on personal data protection “from compliance to accountability” – that is, to embrace privacy protection as part of the company’s corporate governance responsibilities. The Guide provides details as to how a corporation can develop sound internal systems and controls on personal data protection supported by an effective review and monitoring mechanism.
PCPD has made it clear that the PMP is an interim measure only. PCPD will roll out the DURS at some point in the future. The PMP is designed to assist corporations to comply with the necessary statutory requirements when the DURS is in place. Therefore, implementing a PMP should reduce the risk of privacy breaches, and also can save costs and time/resources in addressing any future regulatory changes, such as the DURS.
Introduction of the Guide
The Guide has no legal binding effect and does not constitute a Code of Practice under section 12 of the PDPO or a Guidance Note. The Guide provides recommendations for corporations to ensure that they handle personal data appropriately, and serves as the best practice recommended by PCPD.
The recommendations mainly address two aspects. The first aspect is in relation to how to develop an internal governance structure to cultivate a privacy protection culture and to implement a PMP. PCPD suggests that the top management of a corporation should oversee and support the implementation of PMP. A data protection officer should be appointed to design and administer the PMP, and handle all privacy-related inquiries and matters within the corporation. To ensure the PMP can be implemented effectively without confusion, a reporting mechanism should be established, so that it is clear what steps should be taken and who should be notified in the event of a potential data breach.
The second aspect is in relation to the internal controls of a corporation. The first step a corporation should take is to review the personal data it holds – including where the data is stored and why it is collected – and develop a proper database. This would greatly facilitate the implementation of privacy-related policies in the corporation. The next step is to develop internal policies and procedures with reference to the data protection principles in the PDPO and the guidance notes issued by the PCPD, and to ensure the employees and customers can have access to those policies.
Breach handling procedures and continuing monitoring activities highly recommended
In the event of change to the privacy-related regulations, a corporation should conduct risk assessment to ensure that it continues to comply with the PDPO. Training should be provided to raise the employees’ awareness of the privacy-related policies and procedures. A corporation is also highly recommended to formulate a set of breach handling procedures, so as to minimise the time and costs for responding to privacy-related incidents. For corporations which would outsource the processing of personal data, obligations should be imposed on the data processor in order to limit their exposures to data breaches caused by the data processor.
The Guide also highlights the importance of the continuing monitor and maintenance of a PMP to ensure ongoing effectiveness, compliance and accountability. A corporation should develop a plan to review its PMP regularly, and identify and assess any new risks or threats that the corporation may encounter.
Although these are high level recommendations, a corporation will be able to develop an internal regulatory system that is suitable for its size and business nature by following the Guide. If a corporation is subject to investigation arising from any privacy-related complaints, an appropriate PMP can be a strong, although not conclusive, indication that the corporation has complied with the PDPO.
Implementation of PMP
Since the introduction of PMP in mid February 2014, the Hong Kong Special Administrative Region Government, together with 25 companies from the insurance sector (eg ACE, AIA, AXA and QBE), nine companies from the telecommunications sector and five organisations from other sectors (eg the Hospital Authority), have all pledged to implement the PMP. The Hong Kong Association of Banks has also expressed its support towards a voluntary PMP framework and indicated that individual banks will take necessary steps to implement the principles of PMP.
The PMP has broad governmental and market support. We expect that support to grow consistently over time.
Conclusion
With the active participation of organisations across multiple industries, we anticipate the PMP to become a prominent feature in the field of corporate data privacy protection.
Although the Guide has no legal binding effect, it sets the regulator’s expectations as to how corporations should comply with the requirements under the PDPO. With the potential implementation of the DURS in the future, we expect that the Guide identifies the parameters of future binding data protection regulations in Hong Kong.
In view of the new regulatory trend, corporations – in particular those with a large database of customers – should consider implementing the PMP. Corporations that wish to implement PMP should:
• Gather and review all personal data controlled by them and to keep a proper record of such data;
• Consider a governance structure that is suitable for them in view of their business size, business nature and the volume of personal data they hold;
• Review their personal information collection statements and internal policies in relation to privacy and data protection to ensure that they comply with the PDPO;
• Conduct risk assessment for all projects involving the collection, use or disclosure of personal data; and
• Provide privacy-related training to employees.
Mr Simon McConnell and Ms Mun Yeow are both partners at Clyde & Co (Hong Kong).