The HK Data Governance Index, launched today, is based on 19 sets of established open data principles and assessment tools at international and regional levels. It aims to reveal achievements and identify challenges in Hong Kong’s efforts, and to introduce international best practices to the city.
The first and most important step in building a data governance program is to articulate your vision and business case. A good vision should clearly spell out your broad strategic objective, while a strong business case should articulate the specific opportunities to be realized. The vision and business case will become the foundation for your governance policies, which should be designed to deliver a positive return on your investment in data.
One of the key questions that arises in interpreting data privacy laws is the scope of a person’s obligation to disclose and use personal information. Many jurisdictions have resolved this question by adopting a more expansive definition of “personal data.” In Hong Kong, personal data means any information that relates to an identifiable individual, and includes information that can be used to distinguish one person from another.
A person’s obligations to disclose and use personal information are determined by the provisions of DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data). The PDPO requires a data user to expressly inform a data subject, on or before collecting his personal data, of the purposes for which the personal data will be used and of the classes of persons to whom the data may be transferred.
Moreover, a data user must inform the data subject of his right to object to the processing of his personal data, and of the possible consequences of such objection. The PDPO also contains requirements for the protection of personal data from unauthorised access, accidental or unlawful disclosure, modification, deletion or loss, and unreasonable retention.
Another implication of the PDPO’s broader definition of personal data is that the territorial scope of its application is wider than in most other data privacy regimes. In Hong Kong, the PDPO applies to any person who controls the collection, holding, processing or use of personal data, whether such processing takes place inside or outside Hong Kong. In contrast, most other data privacy regimes include a provision for extra-territorial application.