Personal Data Transfers to and From Overseas
Data is the raw information from which statistics are created. Statistics give an interpretation of the data. Generally, people use statistical data to analyse the population, trends, economy, climate, etc., to make predictions about the future.
In a globalised world, data transfers are common. However, the transfer of personal data to and from overseas may raise privacy issues for businesses. Padraig Walsh from the Tanner De Witt Data Privacy team outlines some key points to consider for effective compliance with personal data transfers.
The first issue to consider is whether the data transfer falls within the scope of the PDPO. This is defined by reference to whether a person has any operations controlling collection, holding, processing or use of personal data in, or from, Hong Kong. The definition of a person may seem broad, but it does not include businesses or organisations that do not have any staff in Hong Kong. It also excludes activities such as the taking of photographs (not intended to identify individuals) and logs of persons entering car parks, even if those people can be identified from the data recorded.
If the data transfer does fall within the scope of the PDPO, then the next step is to consider what the requirements are in respect of the data transfer. The PDPO requires the data user to fulfil a range of statutory obligations in respect of the purposes for which the personal data is collected, and how it will be used. This is often achieved through a personal information collection statement (PICS) provided to data subjects on or before the collecting of their personal data.
A PICS must notify the data subject that his/her personal data will be transferred outside of Hong Kong and to what classes of people that data will be transferred. It must also obtain the voluntary and express consent of the data subject for the proposed transfer. In addition, the data user must keep a record of the data transfer and must verify with the data importer that the purpose for which the data was collected is still lawful in the jurisdiction to which it is being transferred.