Hong Kong's Personal Data (Privacy) Ordinance (PDPO) came into force in 1996. However, one section of the PDPO has remained dormant ever since section 33, which covers the transfer of personal data outside Hong Kong, has never become law.
Hong Kong's Office for the Privacy Commissioner for Personal Data (PCPD) recently advised the government that it should consider bringing section 33 into force, and issued a guidance note on how to prepare for the implementation of the new law.
Section 33 covers any communication of an employee's data, Haswell said. This could include emailing CVs between offices, outsourcing HR functions or using cloud computing where the servers are in another country, he said.
"There practices are extremely common – it would be unusual for any employer not to engage in at least one of them. If employers don't pay attention and make sure that they satisfy the provisions, they may soon find themselves in breach of the PDPO," Haswell said.
To comply with the rules employers must be able to show reasonable grounds for: believing that the country to which they are sending the information has a law that is substantially similar to the PDPO, or serves the same purposes; or that they have taken all reasonable precautions to check that the data will not be used in a way that contravenes the PDPO. Data 'subjects' can also give consent in writing to their data being transferred.
The PCPD has said that it will produce a 'White list' of places outside Hong Kong which have data protection laws similar to, or service the same purpose as, the PDPO. However, this list has not been published yet, and it will be subject to change even after publication.
"This makes the test of whether an employer has complied with the rules rather subjective, and it will be difficult for any employer to be certain they are complying with the rules," Haswell said.
Haswell therefore recommends that employers get consent from employees in advance of the new law. This can be built into employment contracts for new staff, and current employees can be asked to sign consent forms.
"Some employers will no doubt prefer to wait until a date is announced before making changes. But written consent makes good business practice, and will ensure compliance with the PDPO with or without the new section," he said.
It is unclear why the section has been delayed this long, said Hong Kong-based Jolene Reimerson of Pinsent Masons.
"One explanation was that after the handover of Hong Kong in 1997, the law would have unreasonably impeded the transfer of data between Hong Kong and China, which didn't have – and still doesn't have – a comprehensive data protection regime in place," she said.
"Another theory was that the law would have been too much of a headache for employers, with the international mobility of Hong Kong's labour force. Or perhaps the law was waiting for the White list to be published. Whatever the reason, it looks as though section 33 is likely to finally be introduced and we encourage people to make sure that they are ready," Reimerson said.