Personal Data Protection – Important Reminder 2025-10-30
This is the half-yearly reminder (as in DPO-HKU System and Practices-07) to all staff members of the importance of personal data protection and the rising public expectation on the matter. Please refer to HKU-DPO for all related information and inquiries.
1. HKU Data Protection Practice:
- New staff members should be thoroughly briefed on the requirements of HKU practices, especially the ISDM policy on data classification and life-cycle management, the HKU Code of Practice in respect of the Personal Data (Privacy) Ordinance (“Ordinance”) as general guidance, and training and awareness events. HKU Data Leakage Prevention is enforced.
- All staff are directed to the DPO website for the latest news, HKU awareness events and regular workshops, PCPD professional training, the AI framework and guidelines, HKSAR Digital Policy Office cybersecurity news, and HKPC alerts such as HKCERT warnings to the public about data breach incidents.
- The Privacy Management Programme is under ongoing assessment and revision in the following areas:
- Data Inventory
- Internal Policies, CCTV guidelines
- Privacy Impact Assessment
- Training & Resources, especially Mandatory Training and DPO training
- Incident Handling with Remediation Plan
- Data Processor Management including cloud privacy guidelines, vendor evaluation, information security
- Communication with Data Protection Coordinators
2. HKU Data Protection Coordinator: Since November 2011, the University has operated a system of Personal Data Protection Coordinators (“PDPCs”) to further improve the University's system and practices in respect of personal data protection. Please refer to DPO-PDPCs for the accountable roles and responsibilities and the nominated list for your offices and work units.
3. The Personal Data (Privacy) Ordinance in Hong Kong (“PD(P)O”) and the Office of the Privacy Commissioner for Personal Data (“PCPD”)
- PCPD has published the Data Protection Principles perspective and the Privacy at Work guidelines, which highlight the sanctions and disciplinary actions (fines of up to HK$500,000 for first offences, or HK$1,000,000 for more serious offences, and imprisonment of up to 5 years for the most serious offences).
- Artificial Intelligence AI Framework: please refer to the summary on the DPO website, Artificial Intelligence AI Guidelines and Use of GenAI:
- PCPD AI Guidelines for checklist and use of generative AI; Checklist on Guidelines for the Use of Generative AI by Employees
- Direct Marketing Guidelines: Please refer to PCPD-Mktg and DPO-PCPD.
- Code of Practice on the Identity Card Number and other Personal Identifiers: Please refer to the Compliance Guide for Data Users.
- Selected headlines on the DPO website
4. The Personal Data (Amendment) Ordinance in Hong Kong took effect on October 8, 2021 and criminalised doxxing acts. The new ss. 64(3A) and (3C) create criminal offences of disclosing any personal data of a data subject without the relevant consent (the doxxing offences). Please refer to PCPD media.
Other key data protection / privacy laws outside the HKSAR – in light of their extra-territorial effect provisions, offices and independent centres should review whether there is any impact on their activities and take the necessary actions. Please submit inquiries to HKU-DPO.
5. Mainland China
- The Standing Committee of the National People’s Congress has passed the Personal Information Protection Law (“PIPL”) and the Cybersecurity Law, which have been in effect since November 1, 2021.
- For the full text of the Mainland Personal Information Protection Law (《個人信息保護法》), please refer to the website of the Cyberspace Administration of China (中华人民共和国国家互联网信息办公室).
- Please refer to DPO-PIPL for more information.
6. The European Union’s (EU) General Data Protection Regulation (“GDPR”), adopted in 2016, has been in effect since May 25, 2018. The GDPR applies extraterritorially and imposes strict rules on data transfers outside the EU. The GDPR can be accessed at Data protection in the EU – European Commission (europa.eu) and Data Protection in EU. Please refer to DPO-GDPR, PCPD-GDPR and HKU GDPR for more information.
- For data transfers, including cross-border data transfers, the EU Data Act, a law related to the GDPR, should also be taken into consideration; it covers a broader range of data. The EU Data Act promotes data access and sharing for a fair and innovative data economy, and it covers both personal and non-personal data generated by connected products and services.
7. A summary of the European Union’s Artificial Intelligence (AI) Act was posted on February 27, 2024. It is the first global act on AI and sets out the classification of AI systems according to their risk, general-purpose AI (GPAI) and prohibited AI systems.
Data Protection Office