Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validating recipients located in other nations.
Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside Hong Kong;
- people/entities outside Hong Kong being able to access or "see" personal data; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
While cross-border data transfer rules have not been activated under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), employers are responsible for protecting data that is transferred to third-party processors, regardless of location. In cases where personal data is transferred, HR teams should ensure that the transfer fulfills the purpose for which the personal data was collected or a directly related purpose, and that the transferred data is appropriate considering that objective (unless the employer receives the employee’s voluntary, express consent).
When transferring personal data to third-party processors, employers must adopt contractual or other means to protect employees’ personal information and to ensure that data is not kept longer than necessary for the purpose and is not put at risk of unauthorized or accidental processing, access, erasure, loss or use. In advance of collecting personal data from a job applicant or employee, employers are required to explicitly inform the individual that the collected data may be transferred to a third party.
HR Best Practices: In cases where an employer transfers personal employee data to a third party, the liability remains with the employer. Put contractual agreements in place to ensure the protection of the data. The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred to third parties when an adequate level of protection is ensured and employees are notified in advance.