This post was written by Cynthia O’Donoghue.

Last month, Hong Kong’s Office of the Privacy Commissioner for Personal Data (OPCP) released a Best Practice Guide on Privacy Management Programmes (PMP) (the Guide). Striking a similar chord to the UK Information Commissioner’s Office in the recently released code of practice on conducting Privacy Impact Assessments, the OPCP notes that despite no requirement within the Personal Data (Privacy) Ordinance (the Ordinance) for PMPs, organisations that do adopt them are likely to benefit from increased levels of trust among their customers and employees, as well as demonstrating compliance with the Ordinance.

The Guide does not provide a “one-size-fits-all” solution, and organisations will need to consider their size and nature when developing a PMP. To this end, the Guide addresses both the fundamental components of a PMP and the ongoing assessment and revision.

The Guide notes that implementation of PMPs will require organisations to consider their policies, staff training, and the processes that are followed when contracting with third parties. The Guide states that the key components of a PMP are:

  1. Organisational commitment: this includes buy-in from top management, designating a member of staff to manage the PMP (this could be a full-time member in a large organisation, or a business owner in a small organisation), and establishing reporting lines.
  2. Program controls: an inventory of personal data held by the organization should be made. Internal policies should also be put in place to address obligations under the Ordinance, with risk-assessment tools to allow new or altered projects to be assessed.

The Guide is a welcome development for Hong Kong organisations, which, by following its terms, will be able to demonstrate their compliance with the Ordinance. However, organisations should also note that the Guide indicates that the OPCP expects organisations to take positive steps towards fulfilling their obligations.