A new inspection regime is being implemented under the Hong Kong Companies Ordinance. This will provide additional safeguards relating to the personal data of directors and other relevant individuals who appear on the Companies Registry. We set out what these protections are and the implementation timeline of the new structure.
On 3 March 2014, a new Companies Ordinance (Cap. 622) replaced the previous Companies Ordinance (Cap. 32). Under the revised guidelines, members of the public could access certain personal information about company directors, company secretaries, or liquidators in the event of a business being wound up. Such data included their usual residential addresses (“URA”) and full identification numbers (“IDN”) – referred to as Protected Information.
The New Personal Data Protection Provisions
Currently, if a person wishes to access personal material, they must make a statement setting out the purpose of their search and confirm that they will only use the data for its stated purpose.
With the advance of technology and a greater focus on data security, this approach is no longer considered sufficiently robust. The revised ordinance, therefore, makes provisions for a new inspection regime, under which the following additional protection would be introduced[1]:
Although such safeguards were included in the Companies Ordinance when it came into effect in 2014, the regime has yet to be implemented. The Companies Registry's information system must undergo substantial upgrades to accommodate the new rules. The upgrade project is slated to be completed by end-2023.
Implementation Timeline of the New Inspection Regime
In the meantime, certain aspects of the structure will be brought online before the end-2023 date. The full inspection regime will be implemented in three phases:
In addition to the new inspection system, the Companies Registry may, from time to time, amend the administrative measures relating to accessing documents filed on the Register – for example, requiring the purpose of the search to be stated. To date, no such amendments have been proposed.
How Should Companies Prepare?
Until Phase 2 commences in October 2022, companies can only exclude from public inspection the URAs and IDNs held in their own registers once the necessary legislative amendments have passed. Businesses will then need to decide whether this is something they want to do – and if so, introduce the necessary internal processes.
The Importance of Personal Data Protection
In January 2020, a discussion paper was published by the Hong Kong Constitutional and Mainland Affairs Bureau, which considered updates to the Personal Data (Privacy) Ordinance to account for modern trends such as "doxxing". This is where personal information is revealed on the internet. The paper also looked at the introduction of data processes to notify users of any such data breaches[2].
While no implementation plans have been put forward for these proposed amendments, companies should note the bigger trend: the increased regulatory emphasis on the importance of personal data. If your company is handling information in a way that could expose you to future regulatory scrutiny, the time to act is sooner rather than later.
[1] https://www.legco.gov.hk/yr20-21/english/panels/fa/papers/fa20210409cb1-737-7-e.pdf
[2] https://www.lexology.com/library/detail.aspx?g=710fd17d-6d02-413a-b238-e301747f5adc