Hong Kong: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

The Personal Data (Privacy) Ordinance 1996 as amended in 2012 ('PDPO') is the main data protection law in Hong Kong, applicable to both the private and the public sectors. The Office of the Privacy Commissioner for Personal Data ('PCPD') was established under the PDPO as an independent statutory body that oversees the enforcement of the PDPO, and has issued a variety of guidance, including guidelines and codes of practice, on the handling of personal data. There are currently no sector-specific data protection laws for financial institutions. Nevertheless, notable PCPD publications relating to the financial sector are in place, which include:

Financial regulators and other sector associations in Hong Kong have also published guidance and codes of conduct to address issues of data privacy and data protection, and such financial regulators are increasingly taking an active role in enforcement in this area.

The PDPO came into force on 20 December 1996 and has since been amended by the Personal Data (Privacy) (Amendment) Ordinance 2012 ('2012 Amendment Ordinance') and Personal Data (Privacy) (Amendment) Ordinance 2021 ('2021 Amendment Ordinance'). All organisations, including financial institutions, which collect, hold, process, or use personal data (also known as the 'data users') must comply with the PDPO, including the six data protection principles ('DPPs') listed in Schedule 1 of the PDPO.

DPPs - Implications For Financial Institutions

The six DPPs are the foundation upon which the PDPO is based and set out the basic requirements that data users must comply with when handling personal data. Although contravention of a DPP does not in and of itself constitute an offence, the PCPD may serve an enforcement notice on data users who breach the DPPs, and any subsequent failure to comply with such an enforcement notice constitutes an offence and may result in penalties (see section on fintech below). Furthermore, an individual who suffers damage by reason of a contravention of the PDPO (including the DPPs) in relation to their personal data may also seek compensation from data users through civil proceedings.

DPP 1 – Purpose and Manner of Collection of Personal Data

DPP 1 provides that personal data shall only be collected if it is necessary for a lawful purpose directly related to the function or activity of the data user. In addition, the data collected must be adequate but not excessive in relation to the purpose for which it is collected.

Data users are required to take all practicable steps to ensure that on or before the collection of a data subject's personal data, the data subject is informed of the following:

  • the purpose for which the data is to be used;
  • the classes of persons to whom the data may be transferred; and
  • whether it is obligatory to provide the data, and if so, the consequences of failing to supply the data.

Further, on or before the first use of the data for the purpose for which it was collected, data users are also required to take all practicable steps to ensure that the data subject is informed of their right to request access to, and the correction of, the data, and the contact details of the individual who is to handle such a request.

A personal information collection statement ('PICS') (or its equivalent) is a statement given by a data user for the purposes of complying with the above notification requirements.

It is worth noting that in 2011, the PCPD carried out various investigations into banks relating to the transfer of customer personal data to insurance companies. In one of the resulting reports, the PCPD noted that the banks' PICS were drafted in vague terms, and as a result, customers could not determine with a reasonable degree of certainty the persons who could potentially be using their personal data. In particular, the investigation report stated that phrases such as 'any person under a duty of confidentiality' and 'who has established or proposes to establish any business relationship' are too vague as they do not specify the class to which such persons belong, and whether such a class could include an insurance company.

The PCPD also found that the amount of personal data that the banks had transferred to insurance companies (e.g. the customer's gender, date of birth, marital status, partial credit card number, and partial identity card number) was excessive in relation to the purpose of carrying out direct marketing activities. The PCPD was of the view that for such a purpose, it would suffice to only disclose customers' contact information (e.g. name and telephone number or address), and that insurance companies could collect further personal data from customers directly once customers decide to go ahead with the purchase of a product in response to the direct marketing.

Following the PCPD investigations, the PDPO review working group under the Hong Kong Association of Banks ('HKAB') worked closely with the PCPD on defining the classes of transferees in more specific terms in the PICS so that customers could more easily understand the use of their data in cross-marketing activities. Taking into account the recommendations of the PCPD, the HKAB circulated a revised pro-forma PICS for its members to follow.

On 29 July 2013, three months after the new direct marketing provisions came into force under the 2012 Amendment Ordinance, the PCPD published the Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement ('the Privacy Policy Guidance') to guide data users when preparing their PICS.

Specific to the collection of biometric data, the PCPD published the Guidance on Collection and Use of Biometric Data on 20 July 2015 (revised in August 2020) to provide practical guidance on complying with the requirements under the PDPO, and to emphasise the sensitive nature of the data and the importance of ensuring that its collection is necessary and not excessive.

DPP 2 – Accuracy and Duration of Retention

Under DPP 2, data users must take all practicable steps to ensure that the personal data held is accurate, and is not kept longer than necessary for the fulfilment of the purpose(s) for which it was collected.

Under DPP 2, data users who engage a data processor, whether within or outside Hong Kong, are required to adopt contractual or other means of preventing any personal data transferred to the data processor from being kept longer than necessary. A data processor is a person who processes personal data on behalf of a data user, and does not process the data for its own purposes.

In one of its investigations, the PCPD found that a bank's policy of retaining customer bankruptcy data for 99 years was longer than necessary for any of the purposes the bank claimed, and, consequently, the bank was held to have contravened DPP 2. As a result of the investigation, the bank amended its existing policy to retain bankruptcy data for no more than eight years. More recently, in 2019 the city's second largest fixed-line residential broadband provider was found to have contravened DPP 2 due to its failure to delete an inactive database involving approximately 380,000 customers as of 2012. In addition to the requirement of altering the data retention policy, the provider was also ordered to devise a clear data security policy to cover regular review of user privileges and security controls for remote access service.

In view of the range of documents that financial institutions are required to keep to comply with various laws and regulations, it is important that they have a comprehensive document retention policy in place to justify the retention periods for each category of documents. Likewise, it is critical to ensure that all staff members comply with any such document retention policy, and that there are mechanisms and procedures to destroy documents immediately after the retention period.

The Banking Industry Guidance also provides information on the retention policies necessary to comply with DPP 2.

DPP 3 – Use of Personal Data

DPP 3 provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose beyond that which the data was to be used for at the time of the collection or for a purpose directly related to the original purpose. 'Prescribed consent' means express consent given voluntarily, and which has not been withdrawn by notice in writing.

The PDPO has tighter restrictions on the use of personal data for direct marketing purposes. The data subject's consent or 'no objection' must be obtained for such purposes. The data user must inform the data subject in advance of:

  • the intended use of their personal data in direct marketing;
  • the types of personal data that will be used;
  • the classes of goods, facilities, or services offered or the purposes for which any donation or contribution is solicited; and
  • the method through which the data subject may give consent.

In the PCPD investigations into the transfer of customers' personal data to insurance companies discussed above, the PCPD found that certain banks were in contravention of DPP 3 on the ground that such use was not within reasonable customer expectations and thus fell outside the scope of their PICS. As customer personal data was disclosed to third parties without the necessary customer consent, the banks were found to have breached DPP 3.

The Banking Industry Guidance provides a few practical examples of the application of DPP 3 in the financial sector. In particular, it states that unless prescribed consent has been obtained from the customer, financial institutions should not disclose a customer's account data to their employer or family member. Also, previous employees of a financial institution should not use personal information belonging to customers of their former employer to solicit business for their new employer.

DPP 4 – Data Security Requirements

DPP 4 provides that data users must take all practicable steps to ensure that personal data held is protected against unauthorised or accidental access, processing, erasure, loss, or use.

DPP 4 also provides that if a data user engages a data processor, whether within or outside Hong Kong, the data user must adopt contractual or other protections to ensure the security of data.

If a financial institution engages a data processor, such as a third-party IT provider, to process the personal data of its employees or customers, it must adopt contractual or other protective measures to ensure data security. This is important because, under Section 65(2) of the PDPO, the financial institution is liable for any act done, or practice engaged in, by its data processor.

The Banking Industry Guidance further provides guidelines on data security in different fields. In relation to intra-group sharing of customer personal data, it is recommended that financial institutions keep proper logs to record the movement of customer personal data in order to keep track of shared data, and ensure the security and proper disposal of the personal data shared within the group.

The Banking Industry Guidance also provides practicable measures in relation to the collection of customer personal data during on-site marketing campaigns. It is recommended that application documents received from customers be properly recorded by the use of a control sheet, and staff should be prohibited from bringing home any of the application documents. Furthermore, application documents should be securely stored in a locked container in the custody of a designated officer, and precautionary measures should be taken to ensure secure transmission of the application documents to the bank's premises.

In relation to e-banking services, banks are recommended to refer to the PCPD's guidance for Data Users on the Collection and Use of Personal Data through the Internet (revised in April 2014), which provides detailed guidance on the collection, display, or transmission of personal data through the internet. The PCPD also published an information leaflet entitled Online Behavioural Tracking, which provides recommended practices for organisations that deploy online tracking on their websites. Where cookies are used, the leaflet recommends that good practice involves pre-setting a reasonable expiry date for cookies, encrypting the contents of cookies where appropriate, and not deploying techniques that ignore browser settings on cookies unless options are available for customers to disable or reject such cookies.

In view of the increased use of third-party data centres and the growth of IT outsourcing and cloud computing, the PCPD has issued guidance to address outsourcing and cloud computing. These include the Outsourcing the Processing of Personal Data to Data Processors and Cloud Computing informational leaflets, which recommend that data users incorporate contractual clauses in their service contracts with data processors to impose obligations on them to protect the personal data transferred to them. Other protection measures include selecting reputable data processors and conducting audits and inspections of data processors.

The Cloud Computing leaflet, updated on 30 July 2015, advises cloud users on privacy issues, the importance of fully assessing the benefits and risks of cloud services, and the implications for safeguarding personal data privacy. The revised leaflet includes advice to organisations on what types of assurances or support they should obtain from cloud service providers to protect the personal data entrusted to them, and also the implications of ISO/IEC 27018:2014 (since revised as ISO/IEC 27018:2019), a code of practice released by the International Organization for Standardization that includes specific guidance for cloud providers.

In relation to authorised institutions (namely licensed banks, restricted licence banks, and deposit-taking companies), the Hong Kong Monetary Authority ('HKMA') issued the Supervisory Policy Manual, Outsourcing (SA-2) ('the HKMA Outsourcing Manual') on 28 December 2001, which sets out the HKMA's supervisory approach to outsourcing and the areas which authorised institutions need to address when outsourcing their activities. Authorised institutions which intend to outsource their banking-related business, including back office activities (e.g. data processing, call centres, and customer-related services), are required to discuss their plans with the HKMA in advance, and to ensure that all major issues set out in the HKMA Outsourcing Manual are properly addressed before they implement any plans. For outsourcing to overseas jurisdictions, the HKMA may communicate directly with an authorised institution's home or host regulators to seek confirmation on various matters.

In relation to authorised insurers, the Office of the Commissioner of Insurance ('OCI') issued its Guidance Note on Outsourcing, which came into operation on 1 January 2013. Although the statutory functions of the OCI were taken over by the Insurance Authority ('IA') on 26 June 2017, the Guidance Note on Outsourcing continues to have effect, and requires authorised insurers to notify the IA at least three months before entering into any outsourcing arrangement; the IA must be satisfied that all major issues set out in the guidance note have been properly addressed.

DPP 5 – Privacy Policies

DPP 5 provides that data users must make generally available information that would allow a person to know the kind of personal data held by the data user, the main purposes for which such personal data is used or is to be used, and the data user's policies and practices in relation to personal data.

A privacy policy statement ('PPS') (or its equivalent) is a general statement about a data user's privacy policies for the purpose of complying with DPP 5.

As mentioned above, the PCPD has published the Privacy Policy Guidance, which serves as guidance for data users when preparing their PPS (see the discussion below).

DPP 6 – Data Access and Correction

Under DPP 6, data subjects are entitled to ascertain whether a data user holds any of their personal data, and to request access to such personal data. Data subjects are also entitled to request correction of their personal data.

Data users are required to respond to a data access or correction request within a statutory period of 40 days. If the data user does not hold the requested data, it must still inform the requestor within 40 days that it does not hold the data. Failure to comply with such a request constitutes an offence under the PDPO.

In response to a substantial number of disputes under the PDPO in relation to data access requests, the PCPD has published guidance entitled Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users (revised in 2020) to address the relevant issues relating to access requests. In May 2017, the PCPD also revised its Proper Handling of Data Correction Request by Data Users leaflet, which contains guidance on the steps to assess and handle a data correction request, including where the data held by the data user was provided by a third party.

1.2. Supervisory authorities

The PCPD is the regulator responsible for enforcing the PDPO. However, financial regulators such as the HKMA (i.e. the government authority in Hong Kong responsible for maintaining monetary and banking stability) and the Securities and Futures Commission ('SFC') (i.e. the independent regulator of Hong Kong's securities and futures markets) have increasingly taken enforcement steps under the PDPO. Such actions have resulted in the imposition of community service orders, fines, and disciplinary action in relation to organisations and/or individuals found to be in breach of the PDPO.

2. Personal and Financial Data Management

2.1. Legal basis for processing

Under the PDPO, 'processing' is defined to include amending, augmenting, deleting, or rearranging data, whether by automated means or otherwise. Data users are required to comply with the six DPPs when processing personal data.

As established by DPP 3, personal data may be used or disclosed (other than for direct marketing purposes) for:

  • the purpose for which the personal data was to be used at the time of its collection;
  • a purpose directly related to the original purpose; or
  • a purpose for which the data subject has given prescribed consent.

Consent is not a pre-requisite for the collection of personal data unless the personal data is used for a new purpose or for the purposes of direct marketing.

The term 'direct marketing' is broadly defined to mean the offering or advertising of the availability of goods, facilities, or services, or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political, or other purposes. A data subject may also, at any time, request a data user to cease using their personal data in direct marketing. The data user must comply with such a request without charge.

There are a number of exemptions provided in the PDPO in relation to the restrictions on the use and disclosure of personal data under DPP 3, including, among others, in relation to the use or disclosure of personal data:

  • required or authorised under the law or court order;
  • required in connection with legal proceedings in Hong Kong or exercising or defending legal rights in Hong Kong; or
  • for the purpose of a due diligence exercise in connection with a proposed share sale, asset sale or merger.

In addition to the DPPs, financial institutions should also comply with the guidance, guidelines, and codes of practice issued by the PCPD and financial regulators which set out additional requirements in relation to the sector and the processing of specific types of personal data. The PCPD's Code of Practice on Consumer Credit Data ('the Code on Credit Data'), for example, sets out practical guidance in relation to the handling of consumer credit data and deals with the collection, accuracy, use, security, and access and correction of personal data of individuals who have applied for consumer credit. The Code on Credit Data covers credit reference agencies as well as credit providers such as banks and other financial institutions. The HKMA also stipulated that banks must comply with the relevant supervisory requirements set out in HKMA's Supervisory Policy Manual when providing credit referencing agencies with, and using, consumer credit data.

2.2. Privacy notices and policies

The Banking Industry Guidance requires banks to have a PPS in compliance with DPP 5. It outlines the categories of information that may be covered by the PPS, including bank policies and practices on the use, retention, disclosure, security, access, and correction of personal data, policies on direct marketing, on-site marketing activities, e-banking, debt collection, outsourcing of personal data processing, and contact details for making enquiries about the bank's privacy policies.

The privacy policies and practices should include all personal data to be collected and held by banks, including the personal data of their customers, staff, and business partners. Banks should also take all practicable steps to ensure that their privacy policies are available to the public, such as by posting their policies on their websites or through clearly labelled links. A paper form PPS should also be available at bank headquarters and branches.

2.3. Data security and risk management

Industry-specific guidance

In view of the increasing number of consumer complaints in relation to the banking industry, the PCPD published the Banking Industry Guidance to promote and reinforce banking industry compliance with the PDPO. The Banking Industry Guidance provides extensive examples of past complaint cases handled by the PCPD and decisions from the Administrative Appeals Board involving the banking industry. It also provides an explanation of how certain provisions of the PDPO, codes of practice, and other guidance notes apply to the banking industry. It covers various topics including the application of the six DPPs to various banking practices, intragroup sharing of customers' personal data, the collection of personal data during on-site marketing campaigns, and the security of personal data in e-banking.

The Banking Industry Guidance further deals with how banks and other financial institutions should handle requests for disclosure of customers' personal data from law enforcement agencies or financial regulators. While the PDPO provides a number of exemptions to the requirement to obtain customers' consent to disclose their personal data to the requesting body, financial institutions are recommended to treat such requests with caution and take steps to satisfy themselves that the exemptions under the PDPO are applicable. In case of doubt, financial institutions should ask the requesting body for further information, for example, the purpose for which the data is to be used, why the data is considered necessary, and how the failure to disclose the data would be likely to prejudice that purpose.

Although financial institutions are not legally obliged to follow the Banking Industry Guidance, it is strongly recommended that they do so, as compliance is an important factor taken into account by the PCPD in cases of complaints against financial institutions under the PDPO.

With regard to electronic banking, the HKMA's Supervisory Policy Manual: Risk Management of E-banking (TM-E-1) ('the E-banking Policy Manual') provides guidance to assist senior management at authorised institutions with key principles and recommended practices in managing security risks in their transactional e-banking services.

Industry codes

Financial institutions also have their own industry regulations in relation to data privacy protection.

The Code of Banking Practice ('the Banking Code') was issued jointly by the HKAB and the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies ('DTC Association') and endorsed by the HKMA. It is a non-statutory code that sets out the standard which authorised institutions should follow in their dealings with customers and it regulates the collection, use, and holding of customer personal data by authorised institutions.

Privacy management programs

As part of its campaign to encourage organisations to develop and improve their own privacy programmes, the PCPD issued the Privacy Management Programme: A Best Practice Guide on 18 February 2014, which was revised in March 2019 ('the Privacy Management Program'). The Privacy Management Program includes practical examples and template checklists to assist organisations in building comprehensive privacy programs. Both the HKAB and the Hong Kong Federation of Insurers ('HKFI') serve as supporting organisations of the Privacy Management Program. In addition, various companies in the insurance sector have also made a pledge to implement the Privacy Management Program.

The PCPD commented in a media statement on 12 February 2014 that the Privacy Management Program marked a strategic shift in focus from compliance to accountability, and has since advocated that organisations should embrace data privacy protection as part of their corporate governance responsibilities and apply it as a top-down business requirement.

In 2018, the PCPD noted that the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which came into force on 25 May 2018, expressly incorporates an accountability principle, and that the adoption of the accountability approach in handling personal data through implementation of the Privacy Management Program has become a global trend.

Cybersecurity risk management

On 15 September 2015, the HKMA issued Circular – Cybersecurity Risk Management (the 'HKMA Circular').

The HKMA Circular states that the board and senior management of authorised institutions should play a proactive role in establishing effective cybersecurity risk management measures by covering at least the following areas:

  • establishing clear ownership and management accountability;
  • periodically evaluating and monitoring the cybersecurity controls;
  • exploring opportunities for industry collaboration and enhancing the incident response mechanism; and
  • conducting independent assessments of senior management's evaluation and monitoring of cybersecurity controls.

Enhanced competency framework on cybersecurity

In 2019, the HKMA issued the updated Circular – Enhanced Competency Framework on Cybersecurity to authorised institutions, which sets out the key qualities that cybersecurity professionals in Hong Kong's banking sector should possess, with the objective of:

  • training more cybersecurity practitioners; and
  • raising and maintaining the professional competence of cybersecurity practitioners in the banking industry.

While the enhanced competency framework on cybersecurity is not a mandatory licensing regime, authorised institutions are encouraged to adopt this framework for the following purposes:

  • to serve as a benchmark to determine and assess the abilities of employees;
  • to support employees to attend training programmes to meet the benchmark;
  • to support the continuing professional development of individual employees; and
  • as a recruitment criterion for cybersecurity practitioners.

The CFI

In November 2020, the HKMA issued the Circular – Cybersecurity Fortification Initiative 2.0 to authorised institutions and announced the launch of the Cybersecurity Fortification Initiative ('CFI') 2.0, following consultation with the industry. The CFI was first introduced by the HKMA in 2016, with the aim of raising the cyber resilience of Hong Kong's banking system. The CFI is underpinned by three pillars:

  • the Cyber Resilience Assessment Framework, a risk-based framework for authorised institutions to assess their risk profiles and benchmark their level of protection against cyberattacks;
  • the Professional Development Programme, a certification scheme and training program for cybersecurity professionals; and
  • the Cyber Intelligence Sharing Platform, which can be used to share intelligence on cyberattacks.

The aim of CFI 2.0, which was introduced on 1 January 2021, is to reflect the latest international developments in cybersecurity practices.

The Anti-Hacking Guidelines

Following public consultation, in October 2017, the SFC issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading ('the Anti-Hacking Guidelines'), which require all licensed or registered persons engaged in internet trading (for instance, persons licensed by, or registered with, the SFC who, through internet-based trading facilities, are engaged in dealing in securities or futures contracts, in leveraged foreign exchange trading, or in distributing funds under management) to implement 20 baseline requirements to enhance their cybersecurity resilience, and to reduce and mitigate hacking risks. One of the key additional controls introduced by the Anti-Hacking Guidelines was the implementation of two-factor authentication for client system logins, which took effect on 27 April 2018, while the other requirements took effect on 27 July 2018.

The SFC also published in October 2017 a circular attaching Good Industry Practices for IT Risk Management and Cybersecurity, which internet brokers may wish to incorporate into their information technology and cybersecurity risk management frameworks.

On the same day as the Anti-Hacking Guidelines were issued, the HKMA issued its Security Controls for Internet Trading Services circular requiring registered institutions to enhance the security of their internet trading services, having regard to the Anti-Hacking Guidelines.

2.4. Data retention/record keeping

The requirements in relation to retention periods for the personal data collected are discussed under DPP 2 – Accuracy and Duration of Retention (see section on legislation above).

3. Financial Reporting and Money Laundering

In addition to the data privacy requirements under the PDPO regulating the collection, processing, and transfer of data, the Hong Kong anti-money laundering ('AML') framework comprises various laws and regulations, including the Anti-Money Laundering and Counter-Terrorist Financing Ordinance ('AMLO') and the Guideline on Anti-Money Laundering and Counter Financing of Terrorism ('AML Guideline'). The AMLO and the AML Guideline set forth rules for, among other things, customer due diligence and ongoing monitoring.

AMLO provides that, except in the case of acts that have the purpose of carrying into effect a provision of AMLO, financial institutions have a legal obligation to maintain the confidentiality of the data collected. However, AMLO provides that disclosure of information is allowed when, among other circumstances, the information has already been made available to the public. AMLO also states that the original or copies of records and documents relating to customer accounts should be kept throughout the business relationship, and for a period of six years after the end of the relationship.

The AML Guideline advises financial institutions to maintain a database of names and particulars of terrorist suspects and designated parties. Alternatively, a financial institution may also consider making arrangements with third-party service providers for access to such a database. Where customer identification and verification documents are held by an intermediary on which a financial institution is relying to carry out due diligence measures, the financial institution is responsible for ensuring compliance with all record-keeping requirements, and must ensure that the intermediary passes the documents and records back to the financial institution upon termination of the intermediary's services.

The SFC has also published the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (revised in December 2020), which lays out record-keeping requirements, including keeping comprehensive documentation of the company's risk management controls. Entities licensed or registered with the SFC include financial institutions such as banks and securities companies.

In relation to the collection of copies of identity ('ID') cards and other personal identifiers, the PCPD issued the Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users (revised in July 2016). This permits the collection of such personal identifiers where it is required under any laws or guidelines issued by a regulatory or professional body and where such requirement has been endorsed in writing by the PCPD.

4. Banking Secrecy and Confidentiality

There is no specific bank secrecy law in Hong Kong. It should, however, be noted that banks are subject to common law confidentiality obligations under the general legal system adopted by Hong Kong. Also, as mentioned above, the PDPO imposes obligations on financial institutions to maintain the confidentiality of customer data. The type of personal data that falls within the scope of the PDPO is defined as data relating directly or indirectly to an individual, from which it is practicable for the identity of the individual to be ascertained, and in a form in which access to, or processing of, the data is practicable.

The Banking Code also reiterates the need for financial institutions to ensure compliance with the PDPO and provides that information transferred to a third-party service provider, e.g. as part of an outsourcing arrangement, should be treated as confidential and adequately safeguarded. As noted above, the HKMA published its Supervisory Policy Manual – Risk Management of E-Banking ('the E-Banking Policy Manual') in September 2015 (revised in October 2019). The E-Banking Policy Manual sets out the best risk management practices in e-banking, including adopting secure and internationally recognised encryption algorithms to protect the confidentiality of customer information that is transmitted over external networks.

5. Insurance

The Insurance Code

The Code of Conduct for Insurers ('the Insurance Code') was issued by the HKFI. It applies to all general insurance members and life insurance members of the HKFI, and applies to insurance effected in Hong Kong by individual policyholders resident in Hong Kong and insured in their private capacity. The Insurance Code sets out the expected standard of good insurance practice, and contains a number of provisions on data privacy protection.

The Insurance Guidance

The PCPD published the Guidance on the Proper Handling of Customers' Personal Data for the Insurance Industry ('the Insurance Guidance') in November 2012 to assist insurers in complying with the relevant requirements of the PDPO. It sets out practical applications of the six DPPs to the insurance industry and good practices that insurers are advised to adopt, such as providing customers with PICS containing information prescribed in DPP 1(3) and establishing policies and practices in relation to retention of personal data. The Insurance Guidance also emphasises that insurers may be held liable for the acts of their agents and staff, including private investigators hired to investigate suspicious claims.

6. Payment Services

The Payment Systems and Stored Value Facilities Ordinance (Cap. 584) (which came into effect on 13 November 2015) established a regulatory regime for stored value facilities ('SVFs') and payment systems. HKMA designates and oversees the payment systems in Hong Kong and is responsible for supervising and licensing the operation of SVFs.

The SVF Guideline

The HKMA published the Guideline on Supervision of Stored Value Facility Licensees ('the SVF Guideline') in September 2016, which sets out the high-level supervisory principles adopted by HKMA in assessing whether certain requirements imposed on SVF licensees are followed. Among other things, the SVF Guideline requires SVF licensees to have in place adequate measures to maintain appropriate segregation of databases for different purposes and to prevent unauthorised or unintended access or retrieval. There is also a requirement that robust access controls are in place to safeguard the confidentiality and integrity of the database. SVF licensees, when acting as personal data users, should also ensure compliance with the PDPO and relevant codes, guidelines, and best practices issued by the PCPD, including by ensuring that their outsourcing arrangements meet those requirements.

The HKMA's Practice Note on Supervision of Stored Value Facility Licensees ('the SVF Practice Note'), issued in December 2018, provides additional guidance in relation to the requirements of the SVF Guideline, including in respect of database controls.

7. Data Transfers and Outsourcing

The Banking Code states that information should be treated as confidential and be adequately safeguarded when transferred to a third-party service provider. Contractual or other protections should be in place to protect the information transferred from being the subject of accidental or unauthorised access. Such data should also not be kept longer than is necessary for the purposes provided in the relevant outsourcing agreements. Financial institutions would be held accountable for complaints arising from the handling of customer information by service providers, and should not seek to disclaim responsibility for the breach of customer confidentiality by their service providers.

The HKMA Outsourcing Manual requires authorised institutions to establish control mechanisms to protect the confidentiality and integrity of customer information when engaged in outsourcing arrangements (including data processing activities). The major supervisory concerns include ensuring that authorised institutions retain accountability and control over outsourced activities, and maintaining customer data confidentiality pursuant to the PDPO and common law. Typical measures for authorised institutions to satisfy these requirements include requesting undertakings by service providers in relation to their compliance with the PDPO and relevant rules, establishing contractual rights to take action against the service providers, and maintaining segregation of the authorised institution's customer data from that of the service providers' other customers. Authorised institutions should notify their customers in general terms of the possibility that their data may be outsourced. Authorised institutions should also ensure that there is access to the outsourced data, by including a clause in the outsourcing agreement that allows inspection or review of the outsourced activities.

8. Breach Notification

At present, Hong Kong operates a voluntary data breach notification regime. Nevertheless, best practices on handling data breaches and the mitigation of damages caused, including timely notification of a data breach, are set out in the Guidance Note on Data Breach Handling and the Giving of Breach Notifications ('the Data Breach Guidance') issued by the PCPD and revised in January 2019. The Data Breach Guidance also states that reporting a breach will not preclude the PCPD from conducting an investigation, whether in response to a separate complaint or on its own motion. Upon submission of a data breach notification, the PCPD may decide to conduct a compliance check or investigation. In its Annual Report 2020-2021, the PCPD reported that it received 106 data breach notifications in the reporting year. Compliance checks were conducted in each of these cases, upon completion of which the PCPD would point out any obvious deficiencies and suggest that the data user take remedial actions to prevent the recurrence of the data incident. Hong Kong businesses subject to the GDPR are separately required to comply with GDPR requirements in relation to data breach notification.

According to the Review of the Personal Data (Privacy) Ordinance issued by the Constitutional and Mainland Affairs Bureau ('CMAB') in January 2020 (the '2020 Discussion Paper'), the Hong Kong government had indicated that it was reviewing and studying possible amendments to the PDPO jointly with the PCPD, with a view to strengthening the protection for personal data. One of the amendments under consideration is the introduction of a mandatory data breach notification requirement. However, these amendments were not addressed in the 2021 Amendment Ordinance, which focused on doxxing (further discussed below).

9. Fintech

While there are no mandatory requirements specific to FinTech, Hong Kong regulators have clearly signalled their interest in regulating data protection issues in the FinTech space.

In March 2019, the PCPD published an information leaflet entitled Tips for Using Fintech ('the FinTech Leaflet'), which offers advice on the protection of data privacy in the use of FinTech and recommends good practices for FinTech providers or operators. For instance, the FinTech Leaflet recommends that all data users conduct a Privacy Impact Assessment ('PIA') at or before the development of FinTech products in order to identify potential privacy risks in the data processing life cycle.

On 3 May 2019, the HKMA issued a circular on the Use of Personal Data in Fintech Development to encourage authorised institutions to adopt and implement the PCPD's Ethical Accountability Framework ('EAF') for the collection and use of personal data. The Data Stewardship Accountability, Data Impact Assessments and Oversight Models ('the Models') were also developed by the PCPD to provide further guidance in relation to the EAF. Overall, the EAF aims to promote ethical and fair processing of data through fostering a culture of ethical data governance, and addressing the data privacy risks brought about by emerging information and communication technologies such as Big Data analytics, artificial intelligence ('AI'), and machine learning. Although the EAF is non-binding, the Models can assist authorised institutions in addressing privacy concerns of customers in using FinTech services.

In July 2018, the HKMA introduced the Open API Framework for the Banking Sector, with the aim of facilitating the development and wider adoption of application programming interfaces ('APIs') by the banking sector. In November 2019, the HKAB issued guidance in the form of the Open API Framework for the Hong Kong Banking Sector: Phase II Common Baseline ('the Common Baseline'), which outlines seven key areas that financial institutions should take into account when deciding on potential partnerships with third-party service providers ('TSPs') in the use of APIs. These include requesting TSPs to furnish documentation and information to banks with respect to their general and technology risk management policies and procedures, customer care, and business management practices, as well as to demonstrate that sufficient PDPO compliance mechanisms and applicable data protection policies and procedures are in place.

Regarding the promotion of Regtech within the banking industry, on 3 November 2020, the HKMA published a white paper titled Transforming Risk Management and Compliance: Harnessing the Power of Regtech, which outlines a two-year roadmap aimed at improving risk management and compliance, increasing efficiency, and reducing costs in the banking sector through the use of technology. As of November 2021, some of the HKMA's proposed initiatives in this white paper have been rolled out, including the publication of a series of 'Regtech Adoption Practice Guides' (which focus on Cloud-based Regtech solutions, Anti-Money Laundering/Counter-Financing of Terrorism, and Governance, Risk and Compliance, respectively), and the launch of a Regtech Adoption Index. Notably, the paper acknowledges that Regtech solutions can help companies combat challenges with respect to data leakage, and provide better data protection against increasing cyberattacks. Further, the SFC published its Guidelines on Online Distribution and Advisory Platforms in July 2019, which address issues in relation to the provision of financial advice using algorithms, in particular, the use of algorithms to profile clients and devise responses.

10. Enforcement

Enforcement powers of the PCPD

The PCPD may serve an enforcement notice on data users for contravention of the DPPs, and a data user who contravenes an enforcement notice commits an offence.

Prior to the PDPO amendment in 2012, the PCPD was only empowered to issue an enforcement notice where, following an investigation, it had been of the opinion that a data user is contravening or is likely to continue to contravene the PDPO. Accordingly, in a number of investigations into banks (mentioned above), as the contraventions had ceased and the data users had given the PCPD written undertakings to remedy the contravention and to ensure that the contravention would not continue or recur, the PCPD could not serve an enforcement notice on them as continued or repeated contraventions were unlikely.

Since the 2012 amendments to the PDPO came into force, the PCPD has been empowered to issue an enforcement notice where a data user is contravening or has contravened the PDPO, regardless of whether the contravention has ceased or is likely to be repeated. An enforcement notice served by the PCPD may direct the data user to remedy and prevent any recurrence of the contraventions.

It is important to note that a breach of the DPPs in the PDPO does not itself constitute an offence or result in penalties. Fines are only imposed on a data user who contravenes an enforcement notice or commits a new breach on the same facts. Upon first conviction, a fine of up to HKD 50,000 (approx. €5,700) and imprisonment for two years may be imposed. A daily penalty of HKD 1,000 (approx. €114) will apply for each continued offence after the conviction. Upon subsequent conviction, the data user would be liable for a fine of up to HKD 100,000 (approx. €11,400) and imprisonment for two years, with a daily penalty of HKD 2,000 (approx. €228).

Besides complying with an enforcement notice, a person who without lawful excuse fails to comply with any lawful requirement of the PCPD also commits a criminal offence, and is liable upon conviction to a fine of HKD 10,000 (approx. €1,100) and to imprisonment for six months. In June 2017, a company director became the first offender convicted of this offence since the PDPO came into effect for failing to comply with a PCPD summons.

The 2021 Amendment Ordinance further enhances the power of the PCPD to combat doxxing. In addition to creating new offences for the disclosure of personal data without consent, the 2021 Amendment Ordinance authorises the PCPD to conduct criminal investigations and prosecute doxxing and doxxing-related offences (Section 64C, and Divisions 1 to 3 under Part 9A of the PDPO), and to demand the cessation or restriction of doxxing content by persons both within and outside of Hong Kong (Divisions 4 and 5 under Part 9A of the PDPO). The PCPD is also conferred very broad powers to carry out doxxing-related investigations, including powers to request materials and assistance from any person upon written notice (Section 66D), to apply for a warrant to enter and search premises and to seize evidence (Section 66G), and even to stop, search and arrest any person reasonably suspected to have committed doxxing or doxxing-related offences without a warrant (Section 66H).

11. Additional Areas of Interest

Employee monitoring

In April 2016, the PCPD revised its December 2004 publication Privacy Guidelines: Monitoring and Personal Data Privacy at Work ('the Privacy at Work Guidelines'), which helps employers understand the steps they can take to assess the appropriateness of employee monitoring. The Privacy at Work Guidelines are applicable to monitoring by telecommunications equipment (e.g. telephones, computers, and mobile phones), company email services, internet browsing, video recording, and closed-circuit TV systems. Appendix I to the Privacy at Work Guidelines provides a sample PPS on email monitoring that employer organisations can consider adopting.

Doxxing

The 2021 Amendment Ordinance criminalises doxxing. While not a defined term in the PDPO, doxxing generally refers to the act of disclosing personal data of a data subject without their consent. Under Section 64 of the PDPO, a person who discloses any personal data obtained from a data user without the consent of the data user, with the intent of gaining money or other property or to cause loss to the relevant data subject, commits an offence. It is also an offence to disclose personal data without the data subject's consent, with the intent of causing a specified harm to the data subject or their family member or being reckless as to whether such harm would be caused. Specified harm in this context refers to harassment, bodily harm or psychological harm, causing a person reasonably to be concerned for their own safety or well-being, and damage to property.

International transfers

Section 33 of the PDPO, dealing with the transfer of data outside Hong Kong, prohibits all transfers of personal data to a place outside Hong Kong except in specified circumstances, such as where the data protection laws of the destination country are similar to the PDPO, or the data subject has consented to the transfer in writing.

However, Section 33 of the PDPO has not been brought into force since its enactment in 1995. Currently, therefore, the transfer of personal data outside of Hong Kong is allowed provided that the other requirements of the PDPO (including that in relation to the notification of data subjects of the purpose for which their data is to be used) are met.

The PCPD issued a Guidance on Cross-Border Transfer of Personal Data in December 2014 to assist data users in understanding the requirements on cross-border transfers that Section 33 of the PDPO would impose, and to encourage the adoption of such requirements. In a paper submitted to the Legislative Council Panel on Constitutional Affairs in May 2017, the Hong Kong Government also confirmed that it had commissioned a consultation on the implementation of Section 33, with a view to formulating the steps forward.

While Section 33 does not currently appear to be on the legislative agenda, it is foreseeable that it will be implemented eventually. As such, it is advisable for financial institutions to adopt data protection practices compliant with Section 33.

The GDPR

Since the GDPR came into force on 25 May 2018, the PCPD has urged Hong Kong organisations that collect and process personal data of EU individuals to be prepared to comply with GDPR requirements.

Organisations and businesses in Hong Kong may need to comply with the GDPR if:

  • they have an establishment in the EU, where personal data is processed in the context of the activities of the establishment (regardless of whether the processing takes place in the EU); or
  • they do not have an establishment in the EU, but process data when offering goods or services to, or monitoring the behaviour of, individuals in the EU.

In May 2020, the PCPD published An Update on European Union General Data Protection Regulation 2016 ('the GDPR Booklet') to raise awareness among organisations and businesses in Hong Kong of the potential implications of the GDPR for their business. The GDPR Booklet highlights various provisions of the GDPR, including its extraterritorial application, mandatory breach notification, new data privacy governance requirements, and certain new and enhanced rights of individuals. The GDPR Booklet also contains a comparison of the key requirements under the GDPR and the PDPO.

Concluding remarks

The 2021 Amendment Ordinance, with its relatively narrow focus on doxxing, did not herald sweeping changes to the Hong Kong data protection landscape. However, financial institutions should continue to be alert to possible steps by the government to align Hong Kong's data protection policy with international developments, such as the GDPR. As the reliance on Big Data, the Internet of Things, and AI continues to grow, there will undoubtedly be further challenges in the attempt to strike the right balance between the free flow of information and the protection of personal data privacy.


Yuet Ming Tham, Partner
Shu Min Ho, Counsel
Vienne Fung, Associate
Beatrice Leung, Trainee Associate
Sidley Austin LLP, Hong Kong