Organizations in Hong Kong are required under the Personal Data (Privacy) Ordinance to erase personal data when the data is no longer required for the purpose for which it was collected. A failure to erase personal data at the end of the relevant retention period not only is a contravention of the Ordinance, but also creates the potential for significant reputational damage to the organisation and irreversible harm to the data subject.
The Hong Kong Privacy Commissioner for Personal Data recently has published a Guidance Note, entitled “Guidance on Personal Data Erasure and Anonymisation,” which is relevant to compliance under the Ordinance.
Section 26 of the Ordinance stipulates that personal data should be erased when it is no longer necessary for the purpose for which the data was collected. Data Protection Principle, or DPP, 2 of the Ordinance requires that data users do not retain personal data for longer than necessary to carry out the purpose of collection. DPP4 requires data users to take reasonable steps to protect personal information from unauthorised or accidental erasure. Contravention of Section 26 amounts to an offence and is punishable by a fine up to HK$10,000 (approximately US$1,300). The Commissioner may also choose to investigate any contravention of the Ordinance and may issue an enforcement notice if he is satisfied that the contravention is likely to continue or be repeated (NB. under the amendments to the Ordinance set to be introduced later this year the Commissioner will be able to issue an enforcement notice even if the contravention is unlikely to continue or be repeated).
The Guidance Note sets out a number of recommendations for "best-practices" when erasing personal data in order to help data users comply with the obligations relating to retention and erasure under the Ordinance, including the following:
- Organisations should adopt a "top-down" approach to managing data erasure and to develop policies, guidelines and procedures which apply organisation-wide. Such policies should be regularly reviewed and updated where necessary to account for technological advances.
- In particular, organisations should develop a data retention policy setting out the appropriate retention period for personal data as well as an erasure policy setting out how often personal data should be deleted or destroyed according to the retention policy. The erasure policy should address the secure destruction of both digital and paper records and how to handle obsolete or damaged storage devices.
- Organisations should keep an erasure record to ensure that the retention/erasure policies are being complied with.
- Guidelines should be established setting out the appropriate erasure method for the specific types of information held by the organisation (e.g. for paper records cross-cut shredding, rather than strip shredding should be used; for electronic records dedicated software should be used to permanently delete files, rather than simply deleting the file or re-formatting the hard drive).
- In order to comply with the Ordinance, all copies of a data record (eg. photocopies, backup copies and digital copies) have to be erased when they are no longer necessary for the purpose for which they were collected.
- The Guidance Note warns organisations of the risks associated with the recycling of print-outs of data records in that personal information may be exposed to unauthorised readers.
- Organisations should raise awareness amongst employees of the importance of erasing personal data in compliance with the organisation’s retention and erasure policies.
It is important to note that organisations will be liable under the Ordinance for acts of third parties to whom they outsource the erasure of personal data. Given this, it is recommended that organisations take steps to ensure that the third party has adequate safeguards to protect the personal data, including entering into a formal agreement with the third party setting out the security requirements relating to the transportation and deletion of personal data, the erasure standard and a mechanism to ensure that personal data is erased in accordance with the agreement (e.g. audit mechanisms).
The Ordinance only applies to data from which it is possible to identify a living individual. Data which has been effectively anonymised falls outside the scope of the Ordinance and no retention requirements apply to such data. Given this, anonymisation may be a better alternative to erasure in certain circumstances (e.g. where an organisation wishes to retain the information for statistical or research purposes). If an organisation elects to anonymise, rather than erase, it is important that the data is permanently anonymised (i.e. all information from which it is possible to identify the individual is completely removed). However the risk remains that the individual may be able to be re-identified from other existing or future information relating to the individual, and accordingly the anonymity of the data needs to be reviewed periodically and especially whenever new information is collected relating to the specific individual.
Gabriela Kennedy (Partner), Hogan Lovells, Hong Kong (firstname.lastname@example.org), Heidi Gleeson (Foreign Registered Lawyer), Hogan Lovells, Hong Kong (email@example.com), and Fiona Chan (Trainee Solicitor), Hogan Lovells, Hong Kong (firstname.lastname@example.org)