Personal Data (Privacy) Ordinance (Amendments)
Arising out of social issues affecting office bearers in Hong Kong, the Hong Kong government determined in 2020 that company directors’ (and secretaries) sensitive personal information should be private. The Companies Ordinance (CAP622) (CO), has been amended accordingly. Under the amended CO, company directors’ and secretaries’ personal data will continue to be stored in the Companies Register Information System, under the control of the Companies Registry. However, only a few authorised persons will have access to this previously public information.
Naturally this is a big project, given the sheer volume of companies and the stored information. To ensure that company registry services are not affected, the information system must be re-programmed to accommodate these new changes. Due to the challenges presented in doing so, full rollout of this law will only take place by the end of 2023. In the meantime the Registrar will publish only correspondence addresses of directors in lieu of their residential addresses, as well as partial identification numbers (IDNs) of directors, company secretaries, and other relevant persons in lieu of full identification numbers.
The CO already has a set of rules to ensure only legitimate and essential access is given for such personal data, but they have yet to be implemented. The CO designates that on application to the Registrar the following categories of person, defined as Specified Persons, shall have access to personal data. The system will effectively create an audit trail of those accessing the data.
Specified Persons would include members of the company, public officers or public bodies, a person or organisation appointed or empowered by law, practicing solicitors, certified accountants, etc. The Registrar must also permit public examination for the purposes provided in section 45(1) of the CO, which includes determining the details of a company’s directors or other officers, or the details of a person who is appointed as the liquidator or provisional liquidator in a company’s winding up.
Implementation schedule of the new personal data laws
Incorporating the new personal data laws into the CO has been and is being rolled out in three phases:
Phase I: From 23 August 2021, companies could replace residential addresses of directors with correspondence addresses, and replace IDNs of directors and company secretaries with partial IDNs capable of public inspection.
Phase II: From 24 October 2022, all protected data will be replaced by correspondence addresses and partial IDNs for public viewing. Protected information contained in documents submitted for registration after the commencement of this phase will not be made public. The Companies Registry can grant access to sensitive personal data held on directors and other individuals on application.
Phase III: From 27 December 2023, persons which are the owners of their personal data may apply to the Companies Registry to have their protected data already registered before the start of Phase II shielded from public view.
Company action relating to Phase II for Marbury clients
To meet the Phase II requirements, Marbury will, unless otherwise instructed, (1) adopt the Company’s registered office address as the correspondence address of all natural person directors and (2) update the Register of Directors of the Company accordingly.
For companies otherwise, all filing requirements remain the same, and include annual returns, timely disclosure of any changes and general reporting to the Registrar of specified information about the company, its officers, and shareholders.
If you have any queries on Phase II or any other aspects of the new company personal data inspection regime, please do not hesitate to contact us via your usual Marbury advisor or at firstname.lastname@example.org.