security measures being taken by the data processors to protect the personal data entrusted to them. This may cause substantial and irrecoverable damage to the data subjects whose personal data was leaked online as a result.[27]

8.35 The Amendment Ordinance seeks to tighten the control and supervision of data processors through the data users by imposing a new obligation on data users under DPP4(2) to enhance data security as follows:
(2) Without limiting subsection (1), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
8.36 “Data processor” has the same meaning as that provided by DPP2(4),[28] i.e. “a person who:
(a) processes personal data on behalf of another person; and
(b) does not process the data for any of the person’s own purposes”.
8.37 By virtue of this definition, data processors are not limited to providers of IT processing services. They also include other contractors engaged to process personal data on behalf of the data user, for example, a business services company engaged by an organisation to administer its employee payroll function; a marketing company appointed by the organisation to carry out customer opinion surveys; or contractors engaged by a data user to shred confidential documents which contain personal data.
8.38 Data users often define their rights and obligations and those of the data processors by way of a contract. To discharge the obligations under DPP4(2), data users may consider incorporating contractual clauses in the service contract, such as the following:
• specifying the security measures required to be taken by the data processor to protect the personal data entrusted to it for processing;
• prohibiting use or disclosure of the personal data for other purposes;
• restricting further sub-contracting of the service that it is engaged to provide; where sub-contracting is allowed by the data user, the data processor shall remain fully liable to the data user for the discharge of its obligations;
• requiring immediate reporting by the data processor of any sign of abnormality or security breach; and
• the data user’s right to audit and inspect how the data processor handles and stores personal data.
[27] For instance, see the online personal data leakage caused by file-sharing software installed in the computer of the IT contractor reported in Investigation Report No. R06-2599, available on the Website (https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/IPCC_e.pdf). See also paragraph 8.30 above for the personal data leakage through the travel assistant apps in mobile devices (Investigation Report R14-6453).
[28] DPP4(3)