As a leading data governance consultancy firm, we regularly publish insights and practice notes to keep our clients and the community up to date with the newest market practice and changes to regulations. Below is a sample of our resource vault. Please contact us if you are interested in receiving further details and updates.
SVF and Data Protection
Handling Unlawful Disclosure of Personal Data at Online Discussion Forum
Air Transport and Data Protection
Data Breach Incident Response Planning
How to Conduct a Data Risk Impact Assessment
'SVF and Data Protection' - Insight
(Published: 4 July 2019)
Despite the ease of making payments, the rise of mobile payment systems and stored value facilities ("SVF") carries its own risks, particularly in respect of cybersecurity, data security and confidentiality. This primer provides a short summary of the new Payment Systems and Stored Value Facilities Ordinance (Cap. 584) ("PSSVFO"), and how it relates to the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").
'Handling Unlawful Disclosure of Personal Data at Online Discussion Forum' - Practice Note
(Published: 2 August 2019)
ADG was recently engaged in a case where the Client's name, social media user names and photos were collected without the Client's consent, and the personal data were subsequently posted on one of the online discussion forums in Hong Kong. The Practice Note explains the procedure for handling unlawful disclosure of personal data on online discussion forums in Hong Kong.
'Air Transport and Data Protection' - Insight
(Published: 8 August 2019)
The PCPD published an Investigation Report dated 6 June 2019 on the unauthorised access to personal data of passengers of an airline company and its subsidiary. According to the Report, approx. 9.4 million data subjects from over 260 countries were affected by the data breach. ADG analyses how data protection laws in Hong Kong affect the aviation industry.
'Data Breach Incident Planning' - Practice Note
(Published: 7 September 2019)
The PDPO does not require a data user to have a data breach handling policy, but as part of good information security and governance practice, a data user should adopt a proper data breach handling policy and procedures in order to take the appropriate measures. This Practice Note provides a brief overview of the steps a data user should take when such an incident occurs.
'How to Conduct a Data Risk Impact Assessment' - Practice Note
(Published: 20 October 2019)
It is increasingly important for businesses to conduct a Data Risk Impact Assessment (DRIA) in order to identify the relevant data protection risks and the measures that need to be put in place to mitigate those risks. This Practice Note will highlight the key features of the process for carrying out a DRIA.
California Consumer Privacy Act of 2018
'California Consumer Privacy Act of 2018' - Insight
(Published: 1 November 2019)
On 28 June 2018, California enacted the first comprehensive consumer privacy law in the US, known as the California Consumer Privacy Act of 2018 (CCPA). The CCPA is expected to become effective on 1 January 2020. This Insight article will highlight the key features of the CCPA.
How to Handle a Data Access Request (DAR)
'How to Handle a Data Access Request' - Practice Note
(Published: 4 November 2019)
Under s.18 of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), an individual may make a request to a data user as to whether the data user holds personal data of the individual, and this is called a data access request (DAR). This Practice Note will explain in detail the key compliance requirements under the PDPO and the OPS003 Form.
How to Appeal PCPD's Decision
'How to Appeal PCPD's Decision' - Practice Note
(Published: 4 December 2019)
The Administrative Appeals Board (AAB) is established for the purpose of hearing appeals against certain administrative decisions. Under the Administrative Appeals Board Ordinance (Cap. 442) ("AABO"), the AAB can hear appeals against the PCPD's decisions. This Practice Note examines the details of how to make an appeal under the AABO regarding the PCPD's decision.
Should there be a similar APEC Cross-Border Privacy Rules (CBPR) System in Hong Kong
'Should there be a similar APEC Cross-Border Privacy Rules ("CBPR") System in Hong Kong?' - Insight
(Published: 14 December 2019)
Should there be a similar APEC Cross-Border Privacy Rules ("CBPR") System in Hong Kong? This article explores the key features of the CBPR System and the pros and cons of having a similar model in Hong Kong to deal with section 33 of the PDPO.
Should Data Protection be part of Hotel Licensing Regime?
'Should Data Protection be part of Hotel Licensing Regime?' - Insight
(Published: 16 January 2020)
The ICO in the UK issued a notice of its intention to fine Marriott GBP 99 million (approx. HK$ 1 billion) for infringements of the EU's General Data Protection Regulation (GDPR) related to a data breach incident discovered in Nov 2018.
This article examines whether the Office of the Licensing Authority ("OLA") in Hong Kong should consider adding data protection and data governance as part of its hotel/guesthouse and bedspace licensing regime to reflect the need to safeguard personal data in the hospitality sector in Hong Kong.