Hong Kong Updates Cloud Computing Guidelines to Protect Personal Data
The Privacy Commissioner for Personal Data (PCPD) in Hong Kong has released updated guidelines on cloud computing to help organizations better protect personal data and comply with the Personal Data (Privacy) Ordinance (PDPO).
Released on January 9, 2025, the new guidance includes recommendations to improve data security when using cloud services. Here are some key points:
Choosing Cloud Services: Organizations should consider using private cloud options for better control over data and stay informed about updates from cloud providers. Using Software as a Service (SaaS) requires careful risk assessment.
Service Agreements: If standard contracts from cloud providers don't meet security needs, companies should request tailored agreements. They should also verify providers’ security measures through audits or declarations.
Outsourcing: When outsourcing to cloud providers, organizations must ensure that contracts include safeguards so that subcontractors comply with data protection rules.
Additional Security Steps: Businesses should keep records of access (audit trails), set proper access controls, encrypt data during storage and transfer, use multi-factor authentication, and ensure contracts cover data erasure or return when services end.
The PCPD highlighted that protecting personal data is a shared responsibility between organizations and cloud service providers. Companies are encouraged to adopt these best practices to ensure data security and compliance with the PDPO.
The press release has been officially published.