A new inspection regime is being implemented under the Hong Kong Companies Ordinance. This will provide additional safeguards relating to the personal data of directors and other relevant individuals who appear on the Companies Registry. We set out what these protections are and the implementation timeline of the new structure.
On 3 March 2014, a new Companies Ordinance (Cap. 622) replaced the previous Companies Ordinance (Cap. 32). Under the revised guidelines, members of the public could access certain personal information about company directors, company secretaries, or liquidators in the event of a business being wound up. Such data included their usual residential addresses (“URA”) and full identification numbers (“IDN”) – referred to as Protected Information.
The New Personal Data Protection Provisions
Currently, if a person wishes to access personal material, they must make a statement setting out the purpose of their search and confirm that they will only use the data for its stated purpose.
With the advance of technology and a greater focus on data security, this approach is no longer considered sufficiently robust. The revised ordinance, therefore, makes provisions for a new inspection regime, under which the following additional protection would be introduced[1]:
- Only the correspondence addresses of directors and company secretaries, as well as the partial IDN of directors, company secretaries, and other relevant individuals, will be shown in the Companies Register maintained by the Companies Registry (“the Register”). This applies to documents filed after the new inspection regime commences.
- The URA and full IDN of the individuals will only be made accessible to specified persons upon application. The court may disclose such information if it considers it appropriate. The Register may also reveal the URA if it cannot effectively communicate with the director using the correspondence address provided.
- Individuals whose Protected Information is contained in documents filed before the new inspection regime's commencement can apply to the Companies Registry to withhold such material from inspection.
- A company may also withhold Protected Information contained in its own registers from public scrutiny.
Although such safeguards were included in the Companies Ordinance when it came into effect in 2014, the regime has yet to be implemented. The Companies Registry's information system must undergo substantial upgrades to accommodate the new rules. The upgrade project is slated to be completed by end-2023.
Implementation Timeline of the New Inspection Regime
In the meantime, certain aspects of the structure will be brought online before the end-2023 date. The full inspection regime will be implemented in three phases:
- Phase 1 – Companies Ordinance provisions will allow companies to withhold the URA of directors and the full IDN of directors and company secretaries from public inspection of their private registers. This phase will commence with specific subsidiary legislation due to be introduced to the Legislative Council in Aug 2021.
- Phase 2 – Starting in October 2022, Companies Ordinance provisions will be expanded to allow Protected Information in the Companies Registry to be withheld from public inspection (only applicable to documents filed for registration after this phase commences).
- Phase 3 – Starting in December 2023, all remaining Companies Ordinance Provisions will come into effect. People can apply to the registry if they wish to suppress Protected Information already filed in the registry from public inspection.
In addition to the new inspection system, the Companies Registry may, from time to time, amend the administrative measures relating to accessing documents filed on the Register – for example, requiring the purpose of the search to be stated. To date, no such amendments have been proposed.
How Should Companies Prepare?
Until Phase 2 commences in October 2022, companies can only exclude from public inspection the URAs and IDNs held in their own registers once the necessary legislative amendments have passed. Businesses will then need to decide whether this is something they want to do – and if so, introduce the necessary internal processes.
The Importance of Personal Data Protection
In January 2020, a discussion paper was published by the Hong Kong Constitutional and Mainland Affairs Bureau, which considered updates to the Personal Data (Privacy) Ordinance to account for modern trends such as "doxxing". This is where personal information is revealed on the internet. The paper also looked at the introduction of data processes to notify users of any such data breaches[2].
While no implementation plans have been put forward for these proposed amendments, companies should note the bigger trend: the increased regulatory emphasis on the importance of personal data. If your company is handling information in a way that could expose you to future regulatory scrutiny, the time to act is sooner rather than later.
[1] https://www.legco.gov.hk/yr20-21/english/panels/fa/papers/fa20210409cb1-737-7-e.pdf
[2] https://www.lexology.com/library/detail.aspx?g=710fd17d-6d02-413a-b238-e301747f5adc
