Hong Kong's Changing Privacy Laws

In January 2020, the Hong Kong Constitutional and Mainland Affairs Bureau released a paper linking to discussions around amendments to the Personal Data Privacy Ordinance (“PDPO”). Although these amendments were announced well over a year ago, there is still no indication as to when the updated provisions will come into force. It is important for schools in Hong Kong to understand the scope of the measures tied to the PDPO amendments so that, when they are implemented, your school can rest assured that data protection compliance is upheld without delay or inconvenience.

Although no date for the implementation of these updated regulations has been set in stone yet, Hong Kong’s Privacy Commissioner has noted that they are working with the Hong Kong Government in proposing the new amendments to the PDPO. This means that the revised regulations are on their way to implementation and schools should prepare for them. The fact that the regulations are not yet implemented does not mean that a school must wait for them to arrive before acting on the matter.

Many of these regulations are already the standard in other countries. For example, these amendments are included in the European GDPR, meaning that we can look to European countries and understand what procedures they have in place to act on the regulations. Learn lessons from Catriona Thompson, Bursar at Kingham Hill School in the UK, on her journey to GDPR compliance. With GDPR being considered the gold standard for data privacy regulations, countries around the world can understand what a good compliance programme looks like, along with best practices.


What will the PDPO amendments affect?

  • Data breach notifications - Data breach notifications will be introduced with the new amendments; you will only need to notify authorities if the data poses a real risk of significant harm. Your school will need to respond to data breaches within five days of the assessment being completed.
  • Data retention period - Retention periods for personal data in schools are important for ensuring current and past students are aware of how long their data will be held for. The proposed PDPO amendments lay out retention periods for different types of personal data, which will enforce transparency and keep data subjects rightfully informed.
  • Penalties - The Privacy Commissioner’s power will be enhanced by enabling administrative fines to be imposed directly for breaches of the requirements under the PDPO. Fines currently range from HK$10,000 to HK$500,000, all the way up to HK$1,000,000, for neglecting obligations under the PDPO. Under the new regulations, a five-year prison sentence can be imposed too.
  • Doxxing regulations - Doxxing, when personal information is shared on the internet with malicious intent, is an important factor that the PDPO will address. There will be consequences for cyber criminals and data processors when the sharing of this data negatively affects the psychological wellbeing of a data subject.

Understanding the main aspects of the upcoming implementation of the PDPO amendments in Hong Kong is imperative for schools, as it will help them prepare for what lies ahead for Hong Kong data privacy. By ensuring that your school is prepared, there will be little to no chance of facing data privacy penalties when the amendments come into play.

9ine Training

A substantial part of compliance in schools is centred around an understanding of obligations. Whether your school is at the beginning of its data protection compliance programme, or well into it, 9ine’s training services are able to educate at all levels. Alongside this, we understand that there is a lack of applicable and instructional training focussed on data privacy and technology hardening. The 9ine Technical Academy and the 9ine Privacy Academy are designed to give you instructional, applicable, and understandable guidance towards data privacy and system hardening. This will allow you to implement best practices and procedures into your data privacy and IT compliance programmes.


If your school would like to know more about how 9ine can help with the implementation of the PDPO amendments
