Whether you’re trying to develop a data governance program or simply implement one, there are many different considerations. You will need to think about how the program will work in terms of roles, responsibilities and accountability. It is essential that you have the right people in place, and you need to create a framework to guide the process. Ultimately, this will ensure that the project achieves its objectives and is successful.
Data governance programs involve a lot of people. Even a small initiative will impact large numbers of employees, customers and partners — in short, anyone who uses the data your team governs. Many of these individuals will have opinions, some of which may be very strong. To minimize conflicts and confusion, you can use a responsibility assignment matrix such as RACI (which stands for responsible, accountable, consulted and informed). This will help keep your project on track by ensuring that all stakeholders are aware of their individual responsibilities and that all decisions are made in accordance with their role.
A person who transfers personal data from Hong Kong to a location outside Hong Kong must comply with a range of core data obligations under Hong Kong privacy law. This includes the obligation to provide a PICS to the data subject. The PICS must include a description of the purposes for which the transferred personal data will be used, and a statement that the transfer is necessary for those purposes.
In addition to the PICS, the data user must obtain the voluntary and express consent of the data subject before transferring personal data for a purpose that was not set out in the original PICS. This is an important safeguard in data transfers, as it prevents personal data from being used in ways that could be viewed as unauthorised or unwanted by the data subject.
A key issue in the context of data transfers is the definition of “personal data”. The PDPO defines this as information relating to an identified or identifiable person. This is consistent with the definition in other privacy regimes such as those that apply in mainland China and Europe. However, it is important to remember that this is a broad definition and does not exclude certain types of data, such as aggregated statistical data.
A data transfer can be facilitated through the use of contractual clauses that incorporate recommended model clauses under the PDPO. It is also possible to rely on the law of reciprocity, which requires that a foreign jurisdiction has similar data protection laws as those in Hong Kong. This is an important consideration in cross-border data transfers, as it means that the laws of another jurisdiction will likely provide sufficient protections for most data transfers.