Up Again Hong Kong: Privacy and Data

Intellectual Property and Technology

1. Does the Personal Data (Privacy) Ordinance remain applicable?

Yes, organisations should continue, as far as possible, to comply with relevant data protection laws. This said, there are circumstances in which, given the current situation, entities (in particular government and healthcare bodies) may not need to full comply with all privacy obligations in the context of COVID-19 prevention and control.

2. Is notice and/or consent required to collect personal data in the context of COVID-19 prevention and control?

Yes, though whether consent will be required will depend on the measures adopted and whether these are necessary, appropriate and proportionate. The Privacy Commissioner for Personal Data in Hong Kong has released a statement recognising the need for employers to collect and process additional data during this time, but stressed that this must be related to and used for purposes in relation to public health, and such use should be limited in duration and scope. Any collection and processing of personal data in this context must also not be excessive and still be necessary, appropriate and proportionate.

3. Can organisations disclose to colleagues and third parties (visitors / management office), the identity of the employees that have tested positive for COVID-19 for the purpose of prevent further infection?

Organisations should not disclose the identity of the underlying individual. However, from a practical perspective, organisations are able to notify colleagues and relevant third parties that there has been a positive case and that appropriate remediation measures are being taken.

4. Are security measures necessary in processing the personal data?

Yes, organisations should continue to adopt appropriate technical and organisational measures (such as encryption, access control, and ID verification) to protect the to protect personal data collected against unauthorised or accidental access, erasure, loss, or use. This is particularly important where more sensitive information is being collected, such as health information.

5. What privacy issues may arise by allowing our personnel to work from home? How can we manage these?

Working from home arrangements may increase the risks in privacy and cyber-related incidents. It is, therefore, important that organisations ensure  proper communication with employees around maintaining compliance with internal protocols and procedures. Organisations should also ensure that IT software and security systems are up to date and proper technical measures are adopted to minimise the occurrence and impact of any incident.