If you’re a technologist, data scientist or a programmer who works in Hong Kong (or looking for work here), it may come as no surprise to learn that the job market is competitive. In fact, there’s a lot of interest in this field in the city, and companies are offering higher salaries and better benefits. However, it’s important to understand the responsibilities associated with data-related jobs in Hong Kong before you sign up.
Whether you’re a business owner or an employee, it is essential to ensure that your company’s processes comply with the data protection laws in Hong Kong. This is particularly true for businesses that are using personal information about individuals to make decisions that will impact those individuals.
The PDPO defines personal data as information relating to an identified or identifiable natural person. This definition is similar to that in other data privacy laws around the world, such as the GDPR that applies to people in the European Union. However, there are some differences in how this term is applied in the PDPO, and these can have important implications for business operations.
For example, the PDPO requires a data user to inform a data subject on or before the collection of his personal information of the purposes for which the personal data will be used. It also requires the consent of a data subject for the transfer of his personal data to a third party in a class of persons which has been notified to him on or before the collection of his personal information. This is because transferring data is a form of use.
Moreover, the PDPO prohibits the disclosure of an individual’s name and HKID number together or making such information available to others without his express consent. This is a significant restriction that should be taken into account by any organisation wishing to collect personal information from employees. In addition, it is a good practice for organisations to restrict access to staff records by only allowing those who need them to have access, and to keep these records secure and up to date.
Another factor to consider is the jurisdictional scope of Hong Kong’s data protection laws. Many other data privacy regimes contain some element of extra-territorial application, but the PDPO does not. This means that the PDPO only applies where the data user controls any of his operations in, or from, Hong Kong.
This can have consequences for companies that are based outside of Hong Kong but process personal information about individuals in the territory. For example, a company that conducts background checks for prospective hires in Hong Kong might need to be aware of the restrictions in the PDPO on sharing this information with foreign authorities. In addition, the company might have to follow additional compliance measures when processing data of Hong Kong residents, including the requirement to obtain the consent of the individual before conducting a background check.