Additional safeguards for the personal data of individuals listed on Hong Kong’s Companies Registry

Hong Kong introduces a new inspection regime designed to safeguard the personal data of directors and relevant individuals listed on the Companies Registry

Hong Kong’s regulators are placing more emphasis on the importance of personal data and are implementing a new inspection regime under the Hong Kong Companies Ordinance, offering more protections for relevant individuals over a multi-phase process. Under the new regime, the personal information of Directors and other individuals will be better protected and harder to access by members of the public. Stipulated under the previous 2014 Ordinance, personal data of relevant individuals, such as residential addresses and full identification numbers, could be accessed by members of the public.

Affected individuals included liquidators, company secretaries and directors. Members of the public would only be required to provide a purpose for their search, as well as confirming that they will only use this data for their intended purpose by making a statement.

However, with the growth of the internet and increased attention on online privacy and personal information, Hong Kong has taken steps to provide more robust protections for these individuals. Under this new inspection regime, they will enjoy the following protections:

  • Only the partial ID number and correspondence addresses of directors, company secretaries and relevant individuals will be included in the Companies Register. The residential address will no longer be provided.
  • Full addresses (correspondence and residential) of all relevant individuals and full ID numbers will only be made available through an application process, with disclosure decided by a court. Applications to the court can only be made by specified persons, such as members of a company, public officers, public bodies, persons who use protected information for executing statutory functions, practising lawyers and accountants, financial institutions and designated non-financial business and professions regulated under Hong Kong’s anti-money laundering laws
  • For those whose information is included in documents filed prior to this new ordinance, they can apply to the Companies Registry to withhold such information from inspection.
  • Companies may also avoid public scrutiny of protected information contained in its registers

These protections will not come into effect immediately in full as there will need to be a number of upgrades to the Companies Registry so that it can accommodate these new requirements. The full inspection regime will be implemented online by end of 2023, though some aspects will be effective beforehand.

As of 23 August 2021, firms will be able to replace the addresses of Directors with correspondence address, and replace the ID numbers of directors and company secretaries with partial ID numbers on their registers for public inspection. From 24 October 2022, firms may replace protected information on the index of directors with correspondence addresses and partial ID numbers; protected information filed after this phase will not be allowed for public inspection. Specified persons may apply to registry for inspection.

Lastly, from 27 December 2023 onwards, the final parts of the ordinance will be implemented. Data subjects, with protected information contained in documents already filed before commencement of phase two (24 October 2022), will be able to apply to the registry for withholding protected information from public inspection. Only specified persons may apply to the registry for accessing protected information.

A greater attention to privacy

The new ordinance reflects a greater importance in respect to privacy in Hong Kong. In a recent seminar, the Privacy Commissioner for Personal Data of Hong Kong, Ada Chung Lai-ling, advised companies to implement the Privacy Management Programme (PMP) which will help companies comply with six Data Protection Principles, the core requirements of Personal Data (Privacy) Ordinance.

The PMP advises that organisations should appoint a Data Protection Officer (DPO), build up a personal data inventory, conduct privacy impact assessment and establish reporting mechanisms for privacy breaches, ensure there is adequate training and education and there are processes in place for the handling of data breaches, among other actions. Organisations are also encouraged to notify affected individuals of data breaches to minimise potential damages. Common causes of breaches include malicious acts such as cyberattacks or inadvertent disclosure through mail/email, accidents or employee misconduct.

For more information and guidance on the new privacy ordinances, contact Alpadis Group in Hong Kong.