10 March, 2014
The release of the Guide is a clear signal of the PCPD’s determination to change corporate culture on personal data protection and to tighten the supervision of data users, particularly those with large databases of customers.
Background
In 2011, due to heightened public awareness in Hong Kong of privacy and corporate sensitivity about customers’ or clients’ data, the PCPD attempted to implement the Data User Return Scheme (DURS) set out in Part IV of the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO). The proposed DURS would require data users to file an annual return regarding the personal data controlled by them and other relevant information. In 2013, the PCPD decided to put the DURS project on hold until the reforms of the EU privacy law had been finalised.
As an interim measure, the PCPD has encouraged the banking, telecommunications and insurance sectors to implement a PMP. The objective of this project is to shift corporate perceptions on personal data protection “from compliance to accountability”. The Guide provides details as to how a corporation can develop sound internal systems and controls on personal data protection.
The PCPD has made it clear that the PMP is an interim measure only. The PCPD will roll out the DURS at some point in the future. The PMP is designed to assist corporations in complying with the necessary statutory requirements once the DURS is in place. Therefore, implementing a PMP should reduce the risk of privacy breaches, and can also save costs, time and resources in addressing any future regulatory changes, such as the DURS.
Introduction Of The Guide
The Guide has no legal binding effect and does not constitute a Code of Practice under section 12 of the PDPO or a Guidance Note. The Guide provides recommendations for corporations to ensure that they handle personal data appropriately.
The recommendations mainly address two aspects. The first aspect relates to the governance structure of a corporation. It covers the engagement of top management to oversee the PMP, the appointment of a data protection officer and the establishment of reporting mechanisms. The second aspect relates to the internal controls of a corporation. It covers the development of proper databases, internal policies, risk assessment tools, training programmes, breach handling processes and obligations to be imposed on data processors. The Guide also highlights the importance of continued monitoring and maintenance of a PMP to ensure ongoing effectiveness, compliance and accountability.
Although these are high-level recommendations, a corporation will be able to develop an internal regulatory system suitable for its size and business nature by following the Guide.
Implementation Of PMP
Since the introduction of the PMP in mid-February 2014, the Hong Kong Special Administrative Region Government, together with twenty-five companies from the insurance sector (e.g. ACE, AIA, AXA and QBE), nine companies from the telecommunications sector and five organisations from other sectors (e.g. the Hospital Authority), have all pledged to implement the PMP. The Hong Kong Association of Banks has also expressed its support for a voluntary PMP framework and indicated that individual banks will take the necessary steps to implement the principles of the PMP.
The PMP has broad governmental and market support. We expect that support to grow consistently over time.
Conclusion
With the active participation of organisations across multiple industries, we anticipate the PMP to become a prominent feature in the field of corporate data privacy protection.
Although the Guide has no legal binding effect, it sets out the regulator’s expectations as to how corporations should comply with the requirements under the PDPO. With the potential implementation of the DURS in the future, we expect the Guide to identify the parameters of future binding data protection regulations in Hong Kong.
In view of the new regulatory trend, corporations – in particular those with a large database of customers – should consider implementing the PMP. Corporations that wish to implement PMP should:
- Gather and review all personal data controlled by them and keep a proper record of such data
- Consider a governance structure that is suitable for them in view of their business size, business nature and the volume of personal data they hold
- Review their personal information collection statements and internal policies in relation to privacy and data protection to ensure that they comply with the PDPO
- Conduct a risk assessment for all projects involving the collection, use or disclosure of personal data
For further information, please contact:
Mun Yeow, Partner, Clyde & Co
Simon McConnell, Partner, Clyde & Co