The framework for the DURS was set out in the Personal Data (Privacy) Ordinance (PDO) when that ordinance was enacted in August 1995, but the Privacy Commissioner has only now decided to establish the register and implement the scheme. This is probably a reaction to the high level of public concern in Hong Kong over the loss of personal data by various public bodies and the alleged misuse of personal data by large organisations such as Octopus Cards, the operator of Hong Kong's largest stored value electronic payment card network.
The DURS will require various large users of personal data to register with the Office of the Privacy Commissioner. This will include all authorised insurers in Hong Kong. These data users will have to submit returns confirming:
- The types of personal data they collect
- The purposes for which they collect it
- Who they disclose personal data to and why
- Whether they transfer that personal data out of Hong Kong
The requirement to confirm whether they transfer personal data out of Hong Kong is of particular note since section 33 of the PDO is not yet in force. Broadly speaking section 33 prohibits the transfer of personal data to a jurisdiction outside Hong Kong unless the data subject has consented to that transfer or that jurisdiction has similar data protection legislation to Hong Kong. The Commissioner has confirmed that with the introduction of the DURS he is looking to bring s.33 into force as soon as possible.
The data user must also notify the Commissioner of any change to the information they have provided no later than 30 days after that change.
A data user who knowingly or recklessly supplies false or misleading information to the Commissioner, or who fails to submit a return, will commit a criminal offence and be subject to a fine and imprisonment for up to six months. Data subjects are also likely to use the information in the return when bringing data privacy claims against these organisations and to 'hold' these organisations to strict compliance with their stated policies and procedures for their collection, holding, use and transfer of the personal data they collect.
The Commissioner has launched a consultation process asking the proposed classes of data user for their views on the operation of the DURS.
Data users who will be caught by the DURS, which includes all authorised insurers in Hong Kong, should now:
- Review their personal information collection statements to ensure these are up to date and obtain consent from data subjects for the use of their personal data for the necessary business purposes.
- Review their personal data privacy policies and procedures to ensure these comply with the PDO (including the new rules on direct marketing and the sale of personal data, which will come into force when the Personal Data (Privacy) Amendment Bill becomes law; the Bill was introduced to the Legislative Council on 8 July 2011).
- Ensure they are in a position by the end of 2012 to comply with the DURS and are able to file their first return by the end of Q3 2013.
- Agree who will submit their return and ensure procedures are in place to collate the necessary information and to ensure any change in that information is notified to the Privacy Commissioner.
- Ensure they are s.33 ready if they transfer or may need to transfer personal data out of Hong Kong.
Our data privacy team in Hong Kong has considerable experience in advising data users on compliance with the PDO including how to conduct an internal audit of personal data policies, practices and procedures.