New data protection guidelines could just be the beginning
The mainland’s Ministry of Industry and Information Technology earlier this year issued new guidelines on data protection. These took effect on February 1 and, while they are not legally binding, mainland businesses are expected to follow them as a matter of best practice. They may also give insight into the likely content of more comprehensive laws which are widely expected to follow. They are relevant to any group with a mainland presence.
Like Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), the guidelines set out minimum obligations regarding the collection, use, processing, transfer, retention and deletion of personal information. The definition of personal information is essentially computer data related to, or which can be used to identify, an individual – the “data subject”.
The provisions apply to all such personal information, but are, as is globally the case, of particular significance in an employment context, due to the volume and range of personal information an employer is likely to collect. It is therefore important to compare key issues arising under the PDPO and the new guidelines.
The Key Features
The guidelines apply to all commercial enterprises in the mainland and regulate the collection and processing of personal information held electronically. In contrast to the PDPO, the guidelines do not extend to information held only in hard copy although, in practice, businesses may choose to adopt a uniform approach to managing personal information.
As in many European countries – although not as yet in Hong Kong – the guidelines prescribe special protection for “sensitive” personal information. Sensitive personal information is described as, in effect, information which will have an adverse effect on the data subject if disclosed or altered. This should not be collected without the data subject’s express consent.
The guidelines make clear that this sort of information could include identification numbers, mobile phone numbers, and descriptions of a person’s race, political views, religion, genetic information and biometric data. Information may be “sensitive” for some uses but not others; for example, circulation of an employee’s mobile phone number between colleagues may be unobjectionable, but the same data could be “sensitive” if provided to a third party for marketing purposes.
The guidelines provide that a data subject’s express consent must be obtained before sensitive personal information is collected or any personal information – whether sensitive or not – is transferred to a jurisdiction outside the mainland. For these purposes, this includes transfers of information to Hong Kong, unless such transfer is authorised by law.
In contrast, the PDPO largely requires only unilateral notification to data subjects on initial collection of data, except where data is used for direct-marketing purposes. If, and when, section 33 of the PDPO comes into force, transfer of personal information outside Hong Kong will require, usually, express consent. This section, however, continues to remain in a state of limbo. In Hong Kong, requirements to notify data subjects are usually dealt with by the issue of “Personal Information Collection Statements”, or PICS.
Where the guidelines require express consent, such consent must be unequivocal and specify each purpose for which the information is collected, as well as each person or entity to which the information may be transferred. Original copies should be kept as evidence. PICS drafted for use in Hong Kong or other jurisdictions are unlikely to be adequate. Adaptation for the mainland will be required, and fresh consents may be needed more often to keep pace with developments in business operations there.
All businesses with mainland operations should familiarise themselves with the guidelines. Some will wish to carry out a data-protection audit to assess the impact of compliance. It should not be assumed that existing notices and practices in Hong Kong or elsewhere can be adopted without modification, especially regarding the areas outlined, and care must be taken to observe requirements. Re-assessment of practices will be required as mainland law in this area develops and early implementation will assist in dealing with changes moving forward.
Fiona Loughrey is based in Hong Kong and has headed Simmons & Simmons’ award-winning China employment group since 1999. Lesli Ligorner is another of the firm’s employment partners and is resident in the firm’s Shanghai office.
The information contained in this article should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases. If advice concerning individual problems or other expert assistance is required, the service of a competent professional adviser should be sought.