Interviewed by CGj, Privacy Commissioner for Personal Data, Ada Chung Lai-ling FCG HKFCG, argues that ensuring best practice is followed in the handling of personal data is a crucial part of the governance professional’s role.

Some practitioners may argue that technology is not within their jurisdiction – particularly since most organisations have specialised IT officers handling tech issues. Do you think data governance should be a concern for governance professionals, and, if so, what contribution can they make to ensuring best practice in data governance? 

‘Given that data is increasingly recognised as the new oil in the digital age, I consider that data governance should not only be of concern to governance professionals, but a crucial part of their professional role, especially when nowadays many governance professionals would also be appointed as data protection officers (DPOs) of their respective companies. 

As the DPO, a governance professional has to ensure that the collection, holding, processing or use of the personal data of the company’s employees, customers or other stakeholders are in compliance with relevant privacy laws.   

Although the relevant technologies in data management may be managed or supervised by IT departments, governance professionals can make vital contributions by acting as a bridge between the board, management and IT colleagues and providing valuable advice on all data protection matters, including but not limited to offering advice to the board on the formulation of policies relating to data governance at a strategic level and assessment of the risks of data breaches, and the like.’

What’s your view of how governance professionals can assist organisations in ensuring regulatory compliance in the areas of data privacy, data protection and data retention? 

‘In ensuring that their companies comply with data protection laws, governance professionals have an indispensable role to play in establishing and implementing Personal Data Privacy Management Programmes (PMPs) within their respective companies. Implementing a PMP helps companies embrace personal data protection as part of their corporate policies and culture, and enhances accountability. 

Accountability means that organisations are required to put in place measures to ensure compliance. Accountability has been increasingly incorporated into data protection laws around the world, such as the European Union’s General Data Protection Regulation (GDPR), which was passed in 2016, Singapore’s Personal Data Protection Act, which was first passed in 2012 and amended in 2020, and the Mainland’s Personal Information Protection Law, recently passed in 2021. In Hong Kong, the accountability of the data user runs through practically all of the requirements under the Personal Data (Privacy) Ordinance (PDPO). It is important, therefore, for a company to put in place a PMP to illustrate that it has taken practical steps to safeguard the personal data handled by the company. 

A PMP has 12 major components, some of which may well be within the remit of governance professionals, such as: 

• the development of internal policies on personal data handling, and 
• the establishment of an internal reporting mechanism to make sure that top management is well informed about the operation of the PMP and any privacy risks identified by the PMP. 

I would call on governance professionals to impress upon their boards the importance of establishing and implementing a PMP in their respective companies.’

In addition to their involvement in regulatory compliance, can governance professionals also play a role in strategic issues relevant to data governance and digital transformation? 

‘Certainly. Given the rising expectations of individuals regarding their privacy, data protection authorities around the world consider that companies should think of privacy not just as a compliance issue. Companies are encouraged to weave privacy considerations into the planning and development of new technologies, products and services. This is often referred to as “privacy by design” and “privacy by default”. 

Adopting the privacy by design and privacy by default mindset elevates data governance and protection from a compliance issue to a strategic consideration, which will no doubt require greater involvement from governance professionals, such as offering assessment of the privacy risks of a project from an early stage and advising the board in this regard. 

This indeed applies to digital transformation. The increasing use of data analytics, artificial intelligence (AI), cloud computing and other digital technologies in Hong Kong illustrates that companies are embracing digital transformation. 

It is important to note that emerging technologies very often carry with them data privacy or ethical risks, such as risks of discrimination or bias against certain customers. My office issued guidance on this (Guidance on the Ethical Development and Use of AI) last August. We advocate three data stewardship values, seven commonly accepted principles and four major business processes for the ethical development and use of AI. Whether as advisers to the board or in their roles as DPOs, governance professionals should acquaint themselves with the developments in the area so that they are well prepared to cope with the challenges brought by emerging technologies. 

In the long term, I would call on governance professionals to strive to foster a culture of respect for personal data in their respective companies to ensure sustainable data protection and compliance.’

Do you have any advice on how governance professionals can assist the board to ensure effective board oversight of data governance? 

‘Buy-in from the top is a critical factor for the success of all major business initiatives. Personal data protection is no exception. In the Privacy Management Programme: A Best Practice Guide published by my office, we encourage companies to adopt a top-down approach. 

Top management, such as the board of directors, should support the PMP, actively participate in the assessment and review of the PMP, and receive timely reports on the critical issues of the PMP, such as any significant privacy risks identified. 

Governance professionals, with their access to top management and indispensable role in board meetings, can play the key bridging role of ensuring board oversight of the PMP, as well as facilitating the implementation of the PMP. 

I would encourage governance professionals to be proactive in terms of getting privacy issues onto the board’s agenda, and ensuring the board is fully aware of the significance of privacy issues and risks, including the risks of hacking or data breaches by other means.’

What impact has Covid-19 had on the issues discussed above?  

‘The outbreak of Covid-19 led to various kinds of social distancing measures and restrictions. As a result, Covid-19 reshaped both the way we socialise and the way we work, which incidentally accelerates digital transformation, as well as the adoption of emerging technologies. 

The new normal, which comprises work-from-home or a hybrid mode of working, carries with it increased risks in terms of data security and personal data privacy. Under work-from-home or hybrid arrangements, organisations may have to access or transfer data through employees’ home networks and devices, which are generally less secure. Also, the use of video conferencing software has become prevalent since the outbreak of Covid-19. 

Indeed, according to a report published by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) in August 2022, there was an increase of 94% in security events (which included malware and phishing) related to Hong Kong in the second quarter of 2022, when compared to the first quarter.    

To enhance the protection of data in the new normal, my office issued three guidance notes under the series Protecting Personal Data under Work-from-Home Arrangements for organisations, employees and users of video conferencing software. I believe that this series of guidance notes will serve as a good reference when governance professionals seek to formulate or modify their work-from-home policies. 

To cite another example, to address concerns relating to the collection of health data from employees, my office issued the Guidance for Employers on Collection and Use of Personal Data of Employees during the Covid-19 Pandemic in March 2022. Governance professionals may refer to our guidance to ensure the legitimate collection and use of personal data from employees.’ 

Where do you think the trends discussed above will be heading in the years ahead and how should governance professionals be preparing themselves for their future roles? 

‘The role of governance professionals has been evolving over the last decade. Nowadays, governance professionals have to deal with a business environment that is characterised by increasingly complex compliance requirements, as well as the rising expectations of the public regarding corporate governance and corporate social responsibility. 

The next decade, in my view, will see further transformation of our society through the rapid development and use of emerging technologies empowered by data. My advice for governance professionals is that they need to understand their responsibilities as gatekeepers of governance. This will mean being prepared and agile to cope with the changes ahead in order to provide proper advice to the board in ensuring good corporate governance, and data governance, in the new normal.  

As an example, the agility of governance professionals is best illustrated by the way the profession worked together to resolve the crisis relating to the holding of annual general meetings (AGMs) back in early 2020, when the world was very hard hit by the pandemic, and when people were still struggling with video-conferencing techniques. Thanks to the great efforts of the Institute and members of the profession, we weathered the storm and the 2020 AGMs for most companies, big or small, were held as scheduled, smoothly and successfully. 

As mentioned earlier, my office has issued different guidance notes that will assist governance professionals in dealing with emerging data protection and privacy issues. I would encourage governance professionals to make reference to these guidance materials whenever necessary in their day-to-day operations.’

What is the future for data privacy laws considering the evolving nature of technological infrastructure and potentially more biometric data being stored or used? 

‘Notwithstanding that the use of biometric data, together with emerging technologies, brings convenience to our daily lives, the use of such data or technology also brings with it unprecedented privacy risks that should be addressed.  

While some jurisdictions (for example, some states in the US) have introduced or proposed new laws to regulate the collection and use of biometric data and the use of, for example, facial recognition technology, some others seek to address the problems through guidance issued by the appropriate authorities.

Regarding the future of data privacy laws, instead of banning or placing unrealistic legal obstacles on the use of emerging technologies, I believe that we need laws and regulations that enable the responsible use of technologies that will uphold the protection of personal data privacy. In essence, future privacy laws should recognise the fundamental rights to personal data privacy while strengthening accountability in the use of technologies.’  

What will be your regulatory focus in the coming years? 

‘Since the amendments to the PDPO came into effect in October 2021, my office has spared no effort in enforcing the new provisions to combat doxxing acts that are intrusive to personal data privacy. 

In the coming years, we will continue to strengthen our capabilities to carry out criminal investigations and prosecutions to more effectively combat doxxing.  

In line with developments in other jurisdictions, we are also working with the government on a comprehensive review of the PDPO. I hope that the legislative amendments can cover, among other things, direct regulation of data processors, a mandatory data breach notification regime and empowering the Privacy Commissioner to impose administrative fines.  

For obvious reasons, privacy protection in the context of technological development and Covid-19 will be another focus in the coming years. In addition, data security will be a priority area. We issued the Guidance Note on Data Security Measures for Information and Communications Technology recently, and I envisage that much more attention and resources will be given to enhancing data security in the years to come.   

Needless to say, as many data privacy issues cut across borders, we will continue to foster our connections internationally, including establishing a closer network with our counterparts in other jurisdictions. I believe that, as the Co-Chair of the International Enforcement Working Group of the Global Privacy Assembly, we will play a more active role in coordinating with other authorities in taking enforcement work, or addressing privacy issues, in the international arena.’