Ernst & Young suggests “Privacy Assessment Approach” for Hong Kong companies to avoid compliance risks over new personal data privacy regulations
Hong Kong, 19 December 2011 — The Hong Kong SAR Government has recently released the Personal Data (Privacy) (Amendment) Bill 2011 (the Amendment Bill), which was introduced into the Legislative Council on 13 July 2011. The Amendment Bill aims not only to address the recent public outcry over the transfer of customers’ personal data by various organisations in exchange for money or other consideration, but also to refine and strengthen the existing personal data protection law in Hong Kong. Senior management of companies face a number of obligations regarding privacy and protection of personal information. Ernst & Young has devised a comprehensive “Privacy Assessment Approach” to help organisations manage and minimize those risks.
Protection of personal information has been a hot topic in Hong Kong after the outbreak of a series of incidents concerning leakage and misuse of personal data. Public awareness of the problem has increased tremendously.
The Amendment Bill introduces a number of provisions, including provisions on the use of personal data for direct marketing, the transfer of customer personal data by enterprises for monetary gain, and the obtaining of personal data from a data user without the data user's consent.
Vincent Chan, Advisory Services Partner of Ernst & Young, says: “Offenders are liable up to a maximum penalty of a fine of $1 million and imprisonment for five years. Therefore, it is critical for organisations to have a set of effective and efficient procedures to ensure compliance and to avoid any risk of potential criminal obligations as well as adverse publicity and loss in public confidence.”
Winson Woo, Advisory Services Executive Director of Ernst & Young, explains: “We see great concern from senior management of organisations. They are afraid that their business practices will violate the proposed new law. For instance, they would ask if it is appropriate to collect personal data relating to the gender and age of customers in a gift redemption form; a telecommunication service provider asked whether it could retain personal data of its ex-customers for the purpose of sending marketing or promotional materials. Based on our global experience, one of the best approaches to minimize the risk of breaching any personal data protection law is to conduct formal assessments to identify procedural or organizational deficiencies in processing personal data within and without an entity. Thereafter, to manage the risk and compliance obligations, organizations should develop a set of effective and efficient personal data processing policies and procedures. On top, regular compliance audits should be conducted to monitor the implementation of the policies and procedures.”
Ernst & Young suggests that organisations adopt a high-level personal data privacy assessment approach to:
- identify the business operations within an organisation which involve processing of personal data
- identify the personal data protection frameworks, policies and procedures
- evaluate the personal data protection frameworks, policies and procedures with reference to the Personal Data (Privacy) Ordinance (“PDPO”) and relevant codes of practice
- walk through the life cycle of personal data from collection to disposal or destruction
- evaluate the organisational compliance with the PDPO and relevant codes of practice and the personal data protection frameworks, policies and procedures
Vincent Chan concludes: “To avoid possible negative impacts on reputations and possible criminal liabilities, organisations should take a proactive approach to review and strengthen their personal data processing policies and procedures to ensure the compliance with the existing and the proposed amendments.”
- ends -
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. This news release has been issued by Ernst & Young LLP, a US client-serving member firm of Ernst & Young Global Limited.
For more information, please visit www.ey.com
This news release has been issued by Ernst & Young, China, a part of the Ernst & Young global network.