Data Protection Laws in Data Hk

Hong Kong is one of the world’s premier financial centers and an e-commerce hub, making Data hk one of the premier data science courses available today. Cross-border data flows have created an increasing need for talented data science professionals, with reputable courses leading to high average salaries in the market. If you are curious about becoming one, there are numerous courses that can help you make an educated choice about which field or course might best suit you for success in a data science career.

In December 2014, Hong Kong’s Privacy Commissioner for Personal Data (“PCPD”) published recommendations for model clauses to include in contracts involving the transfer of personal data. Unfortunately, implementation has been slow due to concerns over potential adverse impacts on business operations as well as the costs and difficulties of compliance. Additionally, no evidence has emerged to demonstrate that cross-border data flows undermine personal data privacy in Hong Kong.

To comply with the PCPD’s recommended model clauses, data users must assess the local laws and practices of the place where the entity receiving personal data resides, in order to identify additional measures that bring its level of protection into line with that required by the PDPO. Such additional measures might include technical measures like encryption, anonymisation or pseudonymisation, as well as contractual ones like audit, inspection and reporting obligations or breach notifications that provide compliance support and co-operation services.

This requirement to conduct an assessment applies to any data user that transfers personal data outside Hong Kong, regardless of whether they qualify as a “data controller” under the PDPO or not; hence it will encompass most major players in the data industry.

To facilitate transfer assessment, “personal data” is defined broadly under the PDPO as information related to an identified or identifiable individual, similar to the definitions in other legislative regimes such as mainland China’s Personal Information Protection Law and the European GDPR.

The PDPO also mandates that any data user providing personal data collection services expressly inform each data subject of its purpose(s), recipients and transfer routes (DPP1). This obligation must be fulfilled through written notice sent directly by data users to data subjects; for instance, they could include this information in the PICS documents issued to data subjects. Unfortunately, in practice this obligation is often not fully fulfilled. A lack of clear data retention policies and an unwillingness to publicly reveal retention periods can leave data subjects in the dark about how long their data is kept unless they ask their data user directly, who may then respond that it will only be kept for as long as permitted under the PDPO.