If you want to improve the quality of your data governance program, you must create a vision and a business case. The vision identifies your broad strategic objective for building a data governance program, while the business case articulates the specific opportunities your organization has to deliver a return on its data investments. The vision is also used to develop the policies that align your data governance program with your business goals, and it is the foundation for the roles (people), technologies and processes you will need to support, sponsor, steward and operationalize the program.
In Hong Kong, personal data is defined in the Personal Data Protection Ordinance (“PDPO”). A person will be a “data user” if they control the collection, holding, processing or use of personal data. “Control” is a very broad term and includes the right to make decisions about how and why data will be used. It does not, however, include a right to share data with anyone else.
The PDPO contains several provisions to protect personal data in cross-border transfers. A key one is the requirement that a data user obtain the voluntary and express consent of the data subject before transferring their personal data to another person or using it for a new purpose. This means that data users must rethink how they collect and process data, and ensure that the privacy of the personal information they hold is protected when it is shared with others.
Another important provision is a requirement that a data user shall take contractual or other measures to prevent personal data transferred to another person, whether inside or outside Hong Kong, from being subject to unauthorised access, processing, erasure, loss or use. This is designed to help protect against the risks of data breaches and other adverse consequences that may arise from the transfer of personal information.
Other important provisions in the PDPO relate to the definition of personal data. The PDPO defines personal data as “any information relating to an identified or identifiable individual”, which is in line with international norms and the meaning of that term in other legislative regimes, such as the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area.
Finally, the PDPO requires data users to establish and implement a system of records to capture information about how personal data is collected, stored, processed and used. This is intended to provide transparency and accountability and to facilitate compliance with the PDPO and the enforcement of its principles. The record of activities and decisions should also be used to identify potential issues and risks. The record should be updated regularly and must be accessible to data subjects upon request. It is also a good idea to have procedures in place to deal with any complaints received from data subjects about the handling of their personal information.