Case Notes

This case relates to DPP4 - Security of personal data, Code of Practice on Human Resource Management

Case No.: 2024E08

Storing clients’ documents and ex-employees’ personal data in outsourced storage facilities

The Enquiry

An enquirer asked whether a company storing clients’ documents and ex-employees’ personal data in outsourced storage facilities contravened the requirements under the Ordinance.

Our Response

There is no provision under the Ordinance specifying the requirements for the storing location of personal data held by data users. However, all data users should comply with the requirements under Data Protection Principle (DPP) 4(1) of Schedule 1 to the Ordinance, which stipulates that all practicable steps shall be taken to ensure that personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or other use, having particular regard to:-

  1. the kind of data and the harm that could result if any of those things should occur;
  2. the physical location where the data is stored;
  3. any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
  4. any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
  5. any measures taken for ensuring the secure transmission of the data.

According to paragraph 4.4.1 of the “Code of Practice on Human Resource Management” (the Code), an employer should take all practicable steps to ensure that necessary security measures are in place in its own or other buildings to prevent unauthorised or accidental access to the retained personal data of former employees.

There are no hard and fast rules governing the type and level of the security measures that should be adopted. The adequacy of security measures depends on the circumstances of each case. Generally speaking, the more sensitive the data and the greater the potential harm from unauthorised or accidental access, processing, erasure, loss, or use, the higher the level of security measures that should be implemented.

(Uploaded in August 2024)

