Hong Kong’s Office of the Privacy Commissioner for Personal Data has released a guide for privacy management. “Privacy Management Programme: A Best Practice Guide” (pdf) “outlines the building blocks of Privacy Management Programmes (‘PMP’), a strategic framework to protect personal data privacy. It provides insight and guidance to organisations when they develop and improve their own programmes according to their specific circumstances, such as organisation size, nature of business, and the amount and sensitivity of the personal data they collect and manage,” the office said in a statement. Here’s an excerpt from the guide’s introduction:
Privacy Management Programme per se is not a requirement under the Personal Data (Privacy) Ordinance (“the Ordinance”). However, the Privacy Commissioner for Personal Data (“the Commissioner”) advocates that organisational data users should embrace personal data privacy protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation, covering business practices, operational processes, product and service design, physical architectures and networked infrastructure. To this end, a privacy management programme serves as a strategic framework to assist an organisation in building a robust privacy infrastructure supported by an effective on-going review and monitoring process to facilitate compliance with the requirements under the Ordinance. It also demonstrates the organisation’s commitment to good corporate governance and building trust with its employees and customers through open and transparent information policies and practices.
Constructing a privacy management programme within an organisation takes careful planning and consideration across disciplines and job functions. Employees should be aware of and understand the applicable parts of the organisation’s privacy management programme. Customers and business partners should likewise be made aware of and given assurance, where appropriate, in the relevant aspects of the privacy management programme. Privacy-related obligations and risks should be correctly identified and appropriately taken into account in developing business models and related technologies and business practices before new products or services are launched. Risks of data breaches should be minimised and the effects of any data breaches mitigated. […]
This Best Practice Guide (“this Guide”) outlines what the Commissioner advocates as good approaches for developing a sound privacy management programme, but it is not a “one-size-fits-all” solution. Each organisation will need to determine, taking into consideration its size and nature of business, how best to apply this Guide to develop its own privacy management programme.