PCPD News (Newsletter of the Office of the Privacy Commissioner for Personal Data), Issue no. 28
Questions You Should Ask before Your Company Tries Cloud Computing

Cloud computing is attractive to businesses, especially to small-to-medium enterprises with limited resources to invest in server hardware and on-site technical personnel for IT management. However, are you really clear about what the cloud is and what risks you take by processing personal data in the cloud? Here is a checklist of what you should consider before engaging a cloud service provider (cloud provider).
1. Legal responsibility

If the data stored in the cloud includes personal data, it is the responsibility of your company (the data user) to safeguard that personal data according to the requirements of the Personal Data (Privacy) Ordinance. Under the Ordinance, any data breach or misuse of personal data by a data user's contractor (such as a cloud provider) is treated as having been done by the data user.

Accordingly, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the personal data transferred to the cloud provider.
2. Location and data flow

For cloud providers that have data centres distributed across multiple jurisdictions, personal data entrusted to them may flow from one jurisdiction to another. If you allow the personal data that your customers/users entrusted to you to be transferred to places outside Hong Kong, you must ensure that such data receives a level of protection similar to what it would receive in Hong Kong.
3. Loose outsourcing arrangements

Some cloud providers deliver their service through contracting or sub-contracting. Such engagements may be based on loosely formed contracts or partnerships, which give the providers commercial flexibility.

You need to be aware of such arrangements to ensure that your data protection requirements are effectively met. For example, is the cloud provider's support staff's access to the data restricted to those who need to know? What measures are in place to ensure compliance with the data protection principles? If contractors or sub-contractors fail to protect the data, will they be subject to any contractual remedy obligation or to sanctions from their local regulatory authorities?
4. Standard services and contracts

Some cloud providers operate their business in a "quick-turnover", "thin-margin" manner, so they offer only a small number of service types under standard contracts to their customers.

Carefully evaluate whether the services and the contracts meet your security and data privacy protection requirements. If there is a gap between what is offered and what is required, find ways to address that gap. You will also need to find ways to enforce the contract with the cloud provider effectively.
5. Other outsourcing issues

Inform your data subjects in the Personal Information Collection Statement (PICS) of your intention to outsource data processing to a cloud provider.

Ensure that the contract with the cloud provider contains provisions that limit the use of personal data to the original or a directly related purpose; require the cloud provider to notify you of any data breaches; and require the cloud provider to erase or return personal data when it is no longer required.
Source: Information Leaflet on "Cloud Computing" published by the PCPD
Chinese version: www.pcpd.org.hk/chinese/publications/files/cloud_computing_c.pdf
English version: www.pcpd.org.hk/english/publications/files/cloud_computing_e.pdf