
Version 2019.03

HONG KONG LAW SOCIETY


RISK MANAGEMENT EDUCATION PROGRAMME

LEGAL TECHNOLOGY SERIES


MODULE 1

DATA PRIVACY & THE LAW FIRM


[WORKSHOP 3.5 hours]

DELEGATE PROGRAMME & NOTES

50 minutes LECTURE 1
SESSION 1 DATA PRIVACY LAWS AFFECTING LAW FIRMS

This is a general lecture on the scope of data privacy laws as they may affect the
operation of a HK law firm with regard to all sources of personal data, whether from
clients, employees or third parties, and for purposes such as marketing or data breach
situations.

First, a recount of the general development of data privacy laws in the aftermath of
WWII. Starting essentially with the EU Directive of 1995, a number of factors led to the
European data privacy laws needing reform, not least pressures around search engines,
the Max Schrems case, the Safe Harbour arrangements with the US, and the fact that the
1995 Directive was becoming unsuitable for modern problems in the light of technological
and societal change: the lead-up to GDPR.

Second, a recount of the salient features of the HK PDPO and the PCPD, and of the
amendments to the HK law dealing with direct marketing, including issues around
consent.

Third, a comparison of the principles of GDPR and PDPO and the situations in which they
differ and in which GDPR could in theory apply to Hong Kong.

Fourth, situations in which data privacy may impact upon the general systems in a law
firm as they apply to client data, and the overlap with other law firm procedures (keeping
records, privilege, confidentiality and so on).

Some questions to mull over:


• What practical issues does data privacy regulation create for law firms?
• What are the pitfalls and advantages presented by current technologies?

Part 1 – History of Data Privacy

1. Historical Origins in Europe

2. EU 1995 Directive and aftermath

Copyright © 2019 by The Law Society of Hong Kong. All rights reserved.
Page 1 of 16
Version 2019.03

3. HK PDPO & Asian development


a. Initial enactment
b. Amendments
c. Notable cases
d. Procedures
e. PDPO vs GDPR

4. Privacy Shield / Schrems Cases


a. Max Schrems
b. Privacy Shield
c. Practical difficulties / contradictions

5. Leadup to GDPR
a. Scope of coverage
b. Salient features
c. Jurisdiction / long arm statute
d. Fines
e. Reporting of data breaches

6. Post GDPR Situations


a. Google Fine
b. Cathay Pacific breach
c. Possible areas for reform
7. Major areas of law firm concern
a. Client data
b. Data of third parties
c. Data with third parties
d. Investigations
e. Responding to breaches
f. Assisting on client’s breaches


45 minutes WORKSHOP 1
SESSION 2 DATA MANAGEMENT & GOVERNANCE

SCENARIO 1 NONE OF YOUR BUSINESS


HK Law firm is an aggressive developer of business. They get business cards from
attending conferences, sponsor conferences to get attendee lists, buy databases of email
addresses, and then use the business development team to cold call these prospects. They
also put all these people on mailing lists and email them once a week with a “What’s new
in HK” newsletter. They do database searches and send people happy birthday cards
based on research they did on Facebook. They keep IP addresses from the website visitors
and have an expert track down who the visitors were (doing web research) and cold call
them. What issues might HK Law firm want to consider?

SCENARIO 2 THE WEBS WE WEAVE


HK Law firm has systems around privilege and confidentiality and file storage but no
systems around personal data. What issues might HK Law firm want to consider?

SCENARIO 3 ANY WHICHWAY BUT LOOSE


HK law firm receives a letter from the Privacy Commissioner for Personal Data stating that
it had read in Apple Daily that information regarding a client's (Happy HK Ltd) deal was
leaked, and that the article alleged only the law firm had this information. The leaked
information included the net worth of the C-suite. The CEO denied that the leak could have
come from within the company. The Privacy Commissioner asks whether the firm can confirm
it was not the source of the leak, as the firm has obligations to keep personal data secure
under Data Protection Principle 4. What might you do in preparation for answering the PCPD?

SCENARIO 4 AN OLD HACK


A HK law firm encounters a hacking event, which it became aware of because 35,000 of its
clients were suddenly sent an email from its servers. The email came from the law firm's
address and was titled "Test One". The IT team stopped the hacker's access and are
confident the threat is over.
Advise HK Law firm of any data privacy issues it may need to consider, including
client communications.

SCENARIO 5 THE CUSTOMER IS ALWAYS RIGHT


Chan’s firm has two major global tech company clients for which it is handling multiple
engagements.
1. US1 is a company locked in an internal investigation which involves the law firm
investigating several of the company’s employees in a covert environment.
Advise US1 of any data privacy issues they may need to consider
2. XY1 is a company looking to sell itself to a bigger multinational. They are
providing information to virtual data rooms including a large amount of personal
data regarding the directors. Also as the staff are not informed of the secret merger
talks they may need to disclose information about the staff to any prospective
buyers. Advise XY1 of any data privacy issues they may need to consider


15 minutes Coffee Break

50 minutes LECTURE 2
SESSION 3 BUILDING A CULTURE OF SECURITY & RESPONSE IN
CHANGING CONDITIONS

This is a general lecture on how data privacy standards are likely to change with emerging
technologies, media of communication and methods of working.

After considering these areas, a discussion of the breach procedures under HK law and the
PCPD, and wider considerations around a general investigation across the region.

A general discussion of the issues that need to be considered for internal investigations
given data privacy concerns. The basic points to be covered are where a firm may or may not
be able to investigate different aspects of a data breach.

Part 3 – Developments in Privacy & Technology

1. Changing data privacy definitions


2. Cloud
a. Legal issues & data privacy issues
b. Hybrid cloud protection
3. Internet of Things
a. Security risks
b. Data synchronisation / storage
4. BYOD
a. Policies and legal issues
i. Technology to support policies
5. IP Addresses
6. AI / Analytics

Part 4 – Modern problems

1. Law firm data risks


a. Client data
b. HR data

2. Cyber data breaches


a. Investigations
b. Client breach scenarios

3. Keeping track of data / culling data


4. Jurisdictional issues in Asia / Europe / US


45 minutes WORKSHOP 2
SESSION 4 DATA BREACH

SCENARIO 1 WAIVER YOUR PROBLEMS GOODBYE


HK Law firm has a commercial team which has been managing a group of Hong Kong
and Mainland China clients which have cross border connections with Mainland China
and Europe. For all these clients the process is like this:
1. Pay a HK marketing company for lead generation and prospects and then pitch the
prospect. The marketing company buys personal data from all over the world.
2. Once the prospect becomes a client, the law firm refuses to proceed unless the client
signs a "data privacy waiver" consenting to anything being done with the client's
personal data. Specifically, the waiver states that the client waives all rights and gives
all consents to the use of personal data.
3. Deal with the client via WeChat and Whatsapp – customer is always right.
4. For law firm safety, have a clause in the engagement letter stating client can
communicate with the law firm however they like, but there are risks in doing so
which the client agrees to bear in every situation, HK Law firm will never be liable.
5. Store data in Hong Kong with a backup facility in Shenzhen.

Law firm is investigated by the PCPD, as one client complained that a media story
demonstrated that its personal data had been leaked into the public domain through
insecure social media use (without stating details about how the data was leaked). Further
an EU citizen at the Paris office of the HK client was horrified to find his personal data is
replicated in China, and complained directly to the law firm about this practice. Discuss
the liability / next steps for HK law firm, including any procedures it should reconsider.

SCENARIO 2 SORRY ABOUT THAT


A Hong Kong marketing company (the client) has a data breach and asks HK Law firm to
deal with the PCPD. The client had sent customers a link in an email, and one customer
discovered that by manipulating the link parameters it could see another customer's
account. A week later the client discovered that its insecure website had exposed customer
transaction details, which had been indexed by Google. Finally, the client suspects that an
employee may have done these acts and wishes to investigate further. The employment
contract allows monitoring of employees during work hours, on company devices and on
devices subject to a "bring your own device" policy.
PCPD writes a letter to the client which law firm responds to requesting additional time to
reply. Letter from PCPD comes back with the following questions:
1. What personal data was affected?
2. What policies and procedures did you have in place?
3. How did the breach occur?
4. What are you planning to do about it?
5. How can you stop this happening again?
6. What systems are you going to put in place now as a result?

How would you go about finding the answers to these questions, and what advice might
you give to your client to help successfully close off the PCPD investigation?
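The manipulated link in this scenario is an insecure direct object reference: the account id carried in the link is the only thing deciding whose record is shown. Below is an added example (not code from the programme, the client or the PCPD) contrasting that lookup with one that binds the requested account to the logged-in customer and additionally signs the link with an assumed server-side key; the accounts, names and amounts are constructed.

```python
"""Insecure direct object reference (IDOR) in an account link, vulnerable
and hardened. Added illustration for Scenario 2; data is constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str          # login name of the customer who owns the account
    transactions: tuple


# Constructed sample data: sequential ids, so 1001 -> 1002 is an easy guess.
ACCOUNTS = {
    1001: Account(1001, "alice", ("2019-03-01 HKD 1,200 invoice paid",)),
    1002: Account(1002, "bob", ("2019-03-02 HKD 8,750 retainer",)),
}

# Assumption: a server-side secret generated at deployment, never sent to clients.
LINK_KEY = secrets.token_bytes(32)


def view_account_vulnerable(session_user: str, link_account_id: int) -> Optional[Account]:
    """The id from the link is the only key used; the logged-in user is ignored.
    Any customer can read any other customer's account by editing the number."""
    return ACCOUNTS.get(link_account_id)


def view_account_hardened(session_user: str, link_account_id: int) -> Optional[Account]:
    """Ownership check: the object must belong to the authenticated caller.
    'Missing' and 'not yours' get the same answer so ids cannot be enumerated."""
    acct = ACCOUNTS.get(link_account_id)
    if acct is None or acct.owner != session_user:
        return None
    return acct


def sign_link(account_id: int) -> Tuple[str, str]:
    """Build the (id, sig) pair for an emailed link. The HMAC ties the id to
    this server's key, so an edited id no longer carries a valid signature."""
    id_str = str(account_id)
    sig = hmac.new(LINK_KEY, id_str.encode(), hashlib.sha256).hexdigest()
    return id_str, sig


def resolve_link(session_user: str, id_str: str, sig: str) -> Optional[Account]:
    """Verify the signature first (constant-time compare), then still apply the
    ownership check: a signed link forwarded to someone else must not work either."""
    expected = hmac.new(LINK_KEY, id_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not id_str.isdigit():
        return None
    return view_account_hardened(session_user, int(id_str))


if __name__ == "__main__":
    print("vulnerable, alice reads bob:", view_account_vulnerable("alice", 1002))
    print("hardened, alice reads bob:  ", view_account_hardened("alice", 1002))
    id_str, sig = sign_link(1001)
    print("tampered id, valid sig:     ", resolve_link("alice", "1002", sig))
    print("bob's own signed link:      ", resolve_link("bob", *sign_link(1002)))
```

The signature on its own is not enough: it stops a customer from editing the id, but a legitimately signed link forwarded to a third party would still open the account, which is why the ownership check against the session remains in place in the hardened path.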


5 minutes QUIZ / CONCLUSION OF THE COURSE

Quick quiz on GDPR, as it signals the likely direction of future developments in HK.


Recap the basic principles of data protection and the likely direction of legal &
technology development.


ALPHABETICAL LIST OF DATA PRIVACY TERMS DISCUSSED

Article 29 Working Party (WP29): The Article 29 Working Party (WP29) was a European Union organization that functioned as an independent advisory body on data protection and privacy and consisted of the collected data protection authorities of the member states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on 25 May 2018, when the General Data Protection Regulation (GDPR) became applicable.

Bring Your Own Device (BYOD): Use of employees' own personal computing devices for work purposes.

Data Protection Officer (DPO): While the title of data protection officer has long been in use, particularly in Germany and France, the General Data Protection Regulation introduced a new legal definition of a DPO with specific tasks. Certain organizations, particularly those that process personal data as part of their business model or those that process special categories of data as outlined in Article 9, are obligated to designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO has a variety of mandated tasks, including communication with the supervisory authority, conducting DPIAs, and advising the organization on the mandates of the GDPR and how to comply with it.

Data Protection Authority: An official or governmental body that oversees compliance with privacy and data protection laws and investigates alleged breaches of the laws' provisions.

Data Protection by Design: When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

Data Breach: The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Data User (Personal Data (Privacy) Ordinance): A person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. The Data User is liable as the principal for the wrongful act of its authorised data processor.

Gap Analysis: Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure.

GDPR: General Data Protection Regulation. An EU regulation applicable from 25 May 2018 in all member states, with extraterritorial effect.

ISO 27001: ISO/IEC 27001 is the International Organization for Standardization's standard specifying the requirements for an information security management system (ISMS), against which organizations can be certified. The accompanying code of practice for security controls is ISO/IEC 27002.


Processing: Refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Privacy Impact Assessment: An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Right to be forgotten (Right to erasure): Under the General Data Protection Regulation, data subjects have the right to be forgotten and have their personal data deleted, where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, where a data subject has withdrawn their consent or objects to the processing of personal data concerning them, or where the processing of their personal data does not otherwise comply with the GDPR, unless there are other legal obligations or reasons of the public interest to retain their personal data.

Six Data Protection Principles (PDPO): 1) Data Collection; 2) Accuracy & Retention; 3) Data Use; 4) Data Security; 5) Openness; 6) Data Access & Correction.
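The pseudonymisation definition above turns on the "additional information" being kept separately. The added example below (not from the programme notes) shows what that looks like in practice: the identifier is replaced by a keyed HMAC, the key and the re-identification table stay with the key holder, and an unkeyed hash of a low-entropy identifier such as a phone number is shown to be reversible by simple enumeration, so it does not meet the definition. The records, numbers and candidate block are constructed.

```python
"""Keyed pseudonymisation versus an unkeyed hash. Added illustration of the
glossary definition; all records and numbers are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed client records with 8-digit HK mobile numbers as the identifier.
RECORDS = [
    {"name": "Chan Tai Man", "mobile": "91234567", "matter": "M&A due diligence"},
    {"name": "Lee Siu Ming", "mobile": "91237890", "matter": "employment dispute"},
]

# Assumption: key generated once and held by the key holder, never stored in the dataset.
KEY = secrets.token_bytes(32)

# Constructed attacker wordlist: a 10,000-number block an outsider might guess
# (the full 8-digit space is only 10**8, i.e. seconds of hashing on one core).
CANDIDATES = [f"9123{i:04d}" for i in range(10_000)]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Opaque to the eye, but the input domain is tiny."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: deterministic (records still join), but useless without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split each record into the dataset analysts see and the lookup table
    the key holder keeps; direct identifiers appear only in the lookup table."""
    dataset, lookup = [], {}
    for r in records:
        p = keyed_pseudonym(r["mobile"], key)
        dataset.append({"pseudonym": p, "matter": r["matter"]})
        lookup[p] = {"name": r["name"], "mobile": r["mobile"]}
    return dataset, lookup


def reverse_naive(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: hash every candidate until one matches."""
    for c in candidates:
        if naive_pseudonym(c) == pseudonym:
            return c
    return None


def reverse_keyed(pseudonym: str, candidates: List[str], key: bytes) -> Optional[str]:
    """The same attack against the keyed scheme only succeeds with the real key."""
    for c in candidates:
        if hmac.compare_digest(keyed_pseudonym(c, key), pseudonym):
            return c
    return None


if __name__ == "__main__":
    dataset, lookup = pseudonymise(RECORDS, KEY)
    p = dataset[0]["pseudonym"]
    print("naive hash reversed:", reverse_naive(naive_pseudonym("91234567"), CANDIDATES))
    print("keyed, attacker without key:", reverse_keyed(p, CANDIDATES, b"guess"))
    print("keyed, key holder:", reverse_keyed(p, CANDIDATES, KEY), lookup[p]["name"])
```

Whether the result counts as pseudonymised data (still personal data under the GDPR) or as data the firm cannot re-identify depends on who holds the key and the lookup table, not on how random the hex strings look.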


TIMELINE OF DATA PRIVACY

DATE | JURISDICTION | EVENT

1086 | England | Domesday Book: William the Conqueror collects records of individuals in England for taxation. The primary purpose of the survey was to ascertain and record the fiscal rights of the king.

1215 | England | Magna Carta, governing feudal relationships between the English King and the barons / serfs. Clause 39: "No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any way, nor will we proceed with force against him, or send others to do so, except by the lawful judgment of his equals or by the law of the land." Clause 40: "To no one will we sell, to no one deny or delay right or justice."

1890 | USA | Two United States lawyers, Samuel D. Warren and Louis Brandeis, write "The Right to Privacy", an article that argues for the "right to be let alone", using the phrase as a definition of privacy.

1948 | UN | The Universal Declaration of Human Rights is adopted; Article 12 sets out the right to privacy.

1967 | USA | The Freedom of Information Act (FOIA) comes into effect in the US and gives everyone the right to request access to documents held by federal agencies. Other countries follow suit.

11 May 1973 | Sweden | Data Act (Sw. Datalagen) enacted, coming into force 1 July 1974; it required licences from the Swedish Data Protection Authority for information systems handling personal data.

1980 | OECD | OECD issues guidelines on data protection, reflecting the increasing use of computers to process business transactions.

1981 | Council of Europe | The Council of Europe adopts the Data Protection Convention (Treaty 108), rendering the right to privacy a legal imperative.

1983 | Germany | The Federal Constitutional Court of Germany hands down the census judgment. The verdict is considered a milestone of data protection.

24 October 1995 | EU / Directive 95/46/EC | EU data protection directive reflecting technological advances and introducing new terms including processing, sensitive personal data and consent.

20 December 1996 | HK | Personal Data (Privacy) Ordinance comes into force.

July 2000 | USA / EU | Safe Harbour arrangement, negotiated over the preceding two years, created as a way for US companies to comply with European privacy laws.

June 2006 | HK / PCPD | A PDPO internal Ordinance Review Working Group is formed.

April 2009 | HK / PCPD | The Government issues the Consultation Document and leaflet to seek views from the public on various proposals to amend the Personal Data (Privacy) Ordinance.

2010 | - | The international non-profit organisation WikiLeaks publishes secret information, news leaks and classified media provided by anonymous sources.

June 2011 | UK | Microsoft UK's managing director Gordon Frazer says that "cloud data, regardless of where it is in the world, is not protected against the Patriot Act." One year later, in 2012, a legal research paper supports the notion that the Patriot Act allows US law enforcement to bypass European privacy laws.

1 October 2012 | HK / PCPD | The Amendment Ordinance is introduced in two phases; the majority of the new provisions take effect on 1 October 2012.

2013 | EU | European Commission adopts Regulation 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC (the ePrivacy Directive).

2013 | HK / PCPD | The PCPD issues a Guidance Note and a leaflet on the new provisions on direct marketing.

1 April 2013 | HK / PCPD | The amended provisions relating to Direct Marketing and Legal Assistance take effect.

2014 | EU / CJEU | The Court of Justice of the EU rules that European law gives people the right to ask search engines such as Google to remove results for queries that include their name. The concept becomes known as "the right to be forgotten".

October 2015 | EU / CJEU | Max Schrems case: Safe Harbour declared invalid.

2 February 2016 | USA / EU | EU-US Privacy Shield announced as the replacement for the Safe Harbour Privacy Principles (adopted by the Commission in July 2016).

27 April 2016 | EU / Regulation 2016/679 | After four years of discussion, the GDPR is adopted and Directive 95/46/EC is repealed with effect from 25 May 2018; the countdown to GDPR applying in 2018 begins.

25 May 2018 | EU / GDPR | GDPR becomes applicable. Its provisions apply directly in all member states, two years after the Regulation entered into force.

12 September 2018 | EU / GDPR | Austrian DPA makes its very first administrative penal decision for infringements of the GDPR and the Austrian Data Protection Act.

23 October 2018 | EU / GDPR | Swedish Data Protection Authority examines whether more than 350 companies and authorities have appointed a data protection officer.

25 October 2018 | HK / Cathay Pacific | Massive data breach reported (suspicious activity first detected in March 2018).

November 2018 | EU / GDPR | First GDPR fine in Germany: a social network operator is fined EUR 20,000 for a violation of Art. 32 GDPR (Security of Processing).

21 January 2019 | EU / GDPR | CNIL (the French regulator) fines Google EUR 50 million for not properly disclosing to users how data is collected across its services, including its search engine, Google Maps and YouTube, to present personalised advertisements.


CIRCULAR 12-475 (PA) 25 June 2012 LAW SOCIETY GUIDANCE NOTE


Storage and Destruction of Old Files (Revised June 2012)
1. Ownership of Papers
The first task which should take place upon the conclusion of the retainer is a thorough
review of the file to determine the ownership of the papers. Members should review the
following extracts on “Ownership, Storage and Destruction of documents” from Cordery on
Solicitors:-
“Is the client entitled to the whole file once the retainer is terminated?”
Not necessarily. Most files will contain some documents which belong to you, some which
belong to the client and possibly others belonging to a third party. Documents in existence
before the retainer, held by you as agent for and on behalf of the client or a third party, must
be dealt with in accordance with the instructions of the client or third party (subject to your
lien). Documents coming into existence during the retainer fall into four broad categories.
(a) Documents prepared by you for the benefit of the client and which have been paid
for by the client, either directly or indirectly, belong to the client.
Examples: instructions and briefs; most attendance notes; drafts; copies made for the client's
benefit of letters received by you; copies of letters written by you to third parties if contained
in the client's case file and used for the purpose of the client's business. There would appear
to be a distinction between copies of letters written to the client (which may be retained by
you) and copies of letters written to third parties.
(b) Documents prepared by you for your own benefit or protection, the preparation of
which is not regarded as an item chargeable against the client, belong to you.
Examples: copies of letters written to the client; copies made for your own benefit of letters
received by you; copies of letters written by you to third parties if contained only in a filing
system of all letters written in your office; tape recordings of conversations; inter-office
memoranda; entries in diaries; time sheets; computerised records; office journals; books of
account.
(c) Documents sent to you by the client during the retainer, the property in which was
intended at the date of despatch to pass from the client to you, belong to you.
Examples: letters, authorities and instructions written or given to you by the client.
(d) Documents prepared by a third party during the course of the retainer and sent to
you (other than at your expense) belong to the client.
Examples: receipts and vouchers for disbursements made by you on behalf of the client;
medical and witness reports; counsel's advice and opinions; letters received by you from
third parties."
2. Retention of Old Files
The following are guidelines on the minimum retention period of old files:-
Conveyancing * 15 years
Tenancy ** 7 years from expiration of the tenancy agreement
General files ** 7 years
Criminal cases 3 years from the expiration of any appeal period
*Title Deeds and other original documents
Members should clarify the scope of the retainer in relation to the retention of title deeds. If
the retainer does not extend to the safe custody of these documents, members should write
to the client and seek instructions on returning these documents. If the client fails to provide
instructions, members should write to the client to advise that a “storage charge” fee will be


charged for the safe custody of these documents. The level of any fee will be a matter for the
practitioner to decide and is obviously a contractual matter with the client. Members should
note however that it is not good conveyancing practice to hold original documents with the
file.
*See paragraphs 5(B)(a) and 8 below
** See Sections 51C and 51D of the Inland Revenue Ordinance Cap. 112
3. Storage of Old Physical Files in Hong Kong
Law Society’s Practice Direction D7 (June 2012)
All old physical files must be stored in Hong Kong in order to ensure inter alia the
preservation of confidentiality and easy retrieval.
See the Law Society's Practice Direction D7.
4. Storage of Electronic Documents/Files (June 2012)
(a) Storage of Electronic documents (June 2011)
Members can elect to store all their old files electronically, provided that:
(i) clients’ rights are preserved in respect of confidentiality and otherwise; and
(ii) appropriate access to copies in Hong Kong be maintained.
(b) Back-up Copies
Members should consider maintaining a duplicate set of disks with client information in a
suitably secure and off-site location.
5. Destruction of Original Documents
A. Generally
Original documents, such as deeds, guarantees or certificates, which are not your own
property, should not be destroyed without the express written permission of the owner.
Where the work has been completed and the bill paid, other documents, including your file,
may be scanned and then destroyed. In cases of doubt the owner's written permission
should always be sought. If it is not possible to obtain such permission you will have to
form a view and evaluate the risk.
B. Original Documents which should not be destroyed - Electronic Transactions
Ordinance (Cap.553)(“ETO”)
(a) Schedule 1 of the ETO
The Schedule identifies 13 types of documents which must be kept as originals: -
1. “The creation, execution, variation, revocation, revival or rectification of a will, codicil or
any other testamentary document.
2. The creation, execution, variation or revocation of a trust (other than resulting, implied
or constructive trusts).
3. The creation, execution, variation or revocation of a power of attorney.
4. The making, execution or making and execution of any instrument which is required to
be stamped or endorsed under the Stamp Duty Ordinance (Cap 117) other than a
contract note to which an agreement under section 5A of that Ordinance relates.
5. Government conditions of grant and Government leases.
6. Any deed, conveyance or other document or instrument in writing, judgments, and lis
pendens referred to in the Land Registration Ordinance (Cap 128) by which any parcels
of ground tenements or premises in Hong Kong may be affected.


7. Any assignment, mortgage or legal charge within the meaning of the Conveyancing and
Property Ordinance (Cap 219) or any other contract relating to or effecting the
disposition of immovable property or an interest in immovable property.
8. A document effecting a floating charge referred to in section 2A of the Land Registration
Ordinance (Cap 128).
9. Oaths and affidavits.
10. Statutory declarations.
11. Judgments (in addition to those referred to in section 6) or orders of court.
12. A warrant issued by a court or a magistrate.
13. Negotiable instruments.”

(b) Business Records in Electronic Format


The Inland Revenue Department (IRD) has advised that retention of business records in
electronic format should meet the requirements set out in Sections 7 and 8 of the ETO.
See the IRD's letter dated 10 December 2001 and Law Society circular 01-371(PA).
6. Admissibility of Electronic Documents before the Courts
Members should review the provisions of Sections 46, 53 and 54 of the Evidence Ordinance
(Cap.8) (EO) which deals with admissibility of documents in court proceedings.
(a) Civil Proceedings
The broad and general definitions of “copy” and “document” in the EO will allow for the
admission of business records stored electronically.
(b) Criminal Proceedings
Documents produced by computer are admissible under Sections 22A and 22B of the EO.
7. Duty of Confidentiality
Members should review Principle 8 on the Duty of Confidentiality in The Hong Kong
Solicitors' Guide to Professional Conduct and ensure destruction of the file does not
jeopardise the confidentiality of its contents.
8. Destruction of Old Files
The responsibility for the decision to destroy a file remains with individual practitioners.
The Law Society recommends that once the retainer is terminated all documents, which
belong to the client, should be returned to the client. The failure to do so may cause future
difficulties as original documents, such as deeds, guarantees or certificates which belong to
the client should not be destroyed without the express written permission of the owner.
Upon expiration of the appropriate retention period for closed files, members should ensure
the files are destroyed in a secure manner by engaging a suitable commercial provider.
9. Commercial Providers of Record Management/Scanning Services
(a) Members who wish to engage commercial providers should ensure the
confidentiality of the file is maintained.
(b) Commercial Providers should provide an appropriate affidavit on the scanning
services provided in compliance with the requirements of the Evidence Ordinance:
• Identification of the document(s) scanned
• Date of scanning
• Identity of employee responsible for the scanning


• Type of machine used


• Whether the “hard copies” have been destroyed

Circular 02-385(COM) has been superseded (June 2012)


10. Retrieval Charges
Members should arrange to return all of the clients’ documents upon termination of the
retainer. However, if the client wishes the firm to retain his personal documents, the firm
should enter into a written agreement with the client that the firm will provide such service
upon payment of appropriate storage and retrieval charges.
11. Circular 02-384 (PA) has been superseded
Members should note the contents of Paragraph 3 of this circular are mandatory.


PDPO EXTRACTS

S18. Data access request

(1) An individual, or a relevant person on behalf of an individual, may make a request—
(a) to be informed by a data user whether the data user holds personal data of which the individual is the data subject;
(b) if the data user holds such data, to be supplied by the data user with a copy of such data….

S22. Data correction request

(1) Subject to subsections (1A) and (2), where— (Amended 18 of 2012 s. 15)
(a) a copy of personal data has been supplied by a data user in compliance with a data access request; and
(b) the individual, or a relevant person on behalf of the individual, who is the data subject considers that the data is inaccurate, (Amended 18 of 2012 s. 15)
then that individual or relevant person, as the case may be, may make a request that the data user make the necessary correction to the data….

S60. Legal professional privilege

Personal data is exempt from the provisions of data protection principle 6 and section 18(1)(b) if the data consists of information in respect of which a claim to legal professional privilege could be maintained in law.

S60B. Legal proceedings etc.

Personal data is exempt from the provisions of data protection principle 3 if the use of the data is—
(a) required or authorized by or under any enactment, by any rule of law or by an order of a court in Hong Kong;
(b) required in connection with any legal proceedings in Hong Kong; or
(c) required for establishing, exercising or defending legal rights in Hong Kong.
(Added 18 of 2012 s. 34)

S63B. Due diligence exercise

(1) Personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction that involves—
(a) a transfer of the business or property of, or any shares in, the data user;
(b) a change in the shareholdings of the data user; or
(c) an amalgamation of the data user with another body,
is exempt from the provisions of data protection principle 3 if each of the conditions specified in subsection (2) is satisfied.
(2) The conditions are—
(a) the personal data transferred or disclosed is not more than necessary for the purpose of the due diligence exercise;
(b) goods, facilities or services which are the same as or similar to those provided by the data user to the data subject are to be provided to the data subject, on completion of the proposed business transaction, by a party to the transaction or a new body formed as a result of the transaction;
(c) it is not practicable to obtain the prescribed consent of the data subject for the transfer or disclosure.
(3) Subsection (1) does not apply if the primary purpose of the proposed business transaction is the transfer, disclosure or provision for gain of the personal data.
(4) If a data user transfers or discloses personal data to a person for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction described in subsection (1), the person—
(a) must only use the data for that purpose; and
(b) must, as soon as practicable after the completion of the due diligence exercise—
(i) return the personal data to the data user; and
(ii) destroy any record of the personal data that is kept by the person.
(5) A person who contravenes subsection (4) commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years.
(6) In this section—
due diligence exercise (盡職審查), in relation to a proposed business transaction, means the examination of the subject matter of the transaction to enable a party to decide whether to proceed with the transaction;
provision for gain (為得益而提供), in relation to personal data, means provision of the data in return for money or other property, irrespective of whether—
(a) the return is contingent on any condition; or
(b) the person who provides the data retains any control over the use of the data.
(Added 18 of 2012 s. 35)

SUMMARY OF DATA PROTECTION PRINCIPLES

Six Data Protection Principles

Everyone who is responsible for handling data (Data User) should follow the Six Data Protection Principles ("DPPs"), which represent the core of the Ordinance covering the life cycle of a piece of personal data:

DPP1 - Data Collection Principle

Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user.
Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
Data collected should be necessary but not excessive.

DPP2 - Accuracy & Retention Principle

Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used.

DPP3 - Data Use Principle

Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent to a new purpose is obtained from the data subject.

DPP4 - Data Security Principle

A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.

DPP5 - Openness Principle

A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

DPP6 - Data Access & Correction Principle

A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.