Skip to content

Media Statements

Media Statements

Date: 27 September 2012

Privacy Commissioner Published Information Leaflet - Outsourcing the Processing of Personal Data to Data Processors

1.The Privacy Commissioner for Personal Data Mr. Allan Chiang today (27 September) published an Information Leaflet entitled “Outsourcing the Processing of Personal Data to Data Processors” (“the Leaflet”). The Leaflet provides information on the data users’ new legal obligations (with effect from 1 October 2012) when entrusting personal data to third parties for processing, and the recommended means of compliance with the requirements.

2.Mr. Chiang said, “The trend of outsourcing and entrusting personal data processing work by data users to their agents is increasingly common nowadays. If insufficient measures are taken by the data processors to protect the personal data entrusted to them, data breaches may result thus causing substantial and irrecoverable damage to the affected data subjects. The Personal Data (Privacy) (Amendment) Ordinance 2012 provides enhanced protection in this respect by requiring, with effect from 1 October 2012, data users to use contractual or other means to (i) prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data; and (ii) prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.”

3. “Ideally I would like to have the power to directly regulate the data processors and sub-contracting activities. However, the Administration has, after public consultation, opted for strengthening the regulation of data processors and sub-contracting activities by indirect regulation. We may need to consider reviewing the effectiveness of this indirect regulation approach in due course in light of actual enforcement experience,” Mr. Chiang commented.

4. The Leaflet covers, among other things, the following:-
i) Meaning of “data processor”;
ii) Obligations of data users;
iii) How to comply with the requirements (through contractual means and through other means);
iv) Good practice recommendations; and
v) Redress of Data Subjects.

5.The Leaflet can be obtained from the Office of the Privacy Commissioner for Personal Data at 12/F., Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong, or downloaded from its website at