Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validate recipients located in other nations.
Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside Hong Kong;
- people/entities outside Hong Kong being able to access or "see" personal data; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
While cross-border data transfer rules have not been activated under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), employers are responsible for protecting data that is transferred to third-party processors, regardless of location. In cases where personal data is transferred, HR teams should ensure that the transfer is to fulfill the purpose for which the personal data was collected or a directly related purpose, and that the transferred data is appropriate considering that objective (unless the employer receives the employee’s voluntary, express consent).
Employers must adopt contractual or other means to protect employees’ personal information and to ensure data is not kept longer than necessary for the purpose, nor is put at risk of unauthorized/accidental processing, access, erasure, loss or use. In advance of collecting personal data from a job applicant or employee, employers are required to explicitly inform the individual that the collected data may be transferred to a third party.
HR Best Practices: In cases where an employer transfers personal employee data to a third party, the liability remains with the employer. Ensure contractual agreements are in place to protect the data. The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred to third parties when an adequate level of protection is ensured and employees are notified in advance.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.