Data Governance in Hong Kong

Data hk is an initiative to promote open data and related initiatives in Hong Kong. It also seeks to highlight and share best practices in data protection in the city and region, including international standards. It is built on 19 sets of established open data principles and assessment tools at the international and regional levels. This is a major undertaking with the support of various government departments and organizations, including the Technology Development Fund.

The first step to achieving a successful data governance program is to develop an organizational vision and business case. The vision lays out the broad strategic objectives for building a governance program, while the business case articulates the specific opportunity to drive a return on investment for data. Both are key components of a strong governance strategy and enable the right people to be in place to lead, sponsor, steward, and operationalize the program.

One of the biggest challenges in implementing data governance is defining what constitutes personal data under local law. Under current statutory and common law in the Hong Kong Special Administrative Region (“SAR”), personal data is defined as any information that relates directly or indirectly to an identified or identifiable individual. This definition has been in place since the enactment of the Personal Data (Privacy) Ordinance (“PDPO”) in 1996, and it is consistent with the definitions of personal data in other privacy laws around the world, such as the PIPL and the GDPR.

Another challenge in establishing data governance is the requirement that data users expressly inform a data subject of the purposes for which personal data are collected, and the classes of third parties to whom the data may be transferred. This requirement is also reflected in the PDPO. However, a significant issue is that the PDPO does not contain any express provisions conferring extra-territorial application.

A third challenge in establishing data governance is the requirement to have appropriate technical and contractual measures in place to protect personal data. This includes ensuring that any third party’s processing of personal data is carried out in accordance with local laws, and that the third party has adequate security measures in place to ensure compliance with the PDPO. This requires a detailed understanding of the local laws and regulations, as well as the local industry and regulatory environment. In addition, a good governance framework should incorporate best-practice risk management and mitigation techniques to identify risks and to ensure the PDPO is fully complied with. The framework should also include a system for monitoring and reporting on compliance with the PDPO.