Whether customers’ personal data could be stored in a cloud system outside Hong Kong.
The Enquiry
An enquirer would like to know whether customers’ personal data could be stored in a cloud system outside Hong Kong.
Our Response
The Ordinance does not prohibit data users from storing personal data in a cloud system outside Hong Kong. Nevertheless, data users are required to comply with the Ordinance and the Data Protection Principles (DPPs) of Schedule 1 to the Ordinance when handling personal data through the use of cloud systems.
All data users are obliged to comply with the requirements under DPP3 when using (including disclosing and transferring) personal data. DPP3 prohibits the use of personal data for any new purpose which is not, or is unrelated to, the original purpose for which the data was collected, unless the data subject has given prescribed consent.
In relation to the security of personal data, all data users are obliged to comply with the requirements under DPP4(1), which stipulates that all practicable steps shall be taken to ensure that personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use. Moreover, DPP4(2) provides that if a data user engages a data processor to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
The PCPD has issued information leaflets on “Cloud Computing” and “Outsourcing the Processing of Personal Data to Data Processors”, providing guidance for organisations in the use of cloud computing and the engagement of data processors.
(Uploaded in August 2024)