The Privacy Commissioner highlighted improvement areas in its “2018 Study Report on Implementation of Privacy Management Programme by Data Users”. (Click: full report; press release)
The Commissioner examined 26 organizations from different sectors (including insurance, finance, telecommunications, public utilities and transportation) to understand their implementation of “Privacy Management Programme” (Background on the Commissioner’s guidance: our Aug 18 legal update).
Performance is generally satisfactory. However, improvement in specific areas was highlighted.
The list of questions used in the assessment is also useful for a self-assessment of your company’s privacy performance.
What you should know/do:
- Assess your privacy programme against the list of questions used (para 11, P.4 of the report)
- Improvement areas highlighted: (summary: para 45, P. 15 of the report)
i. Provide adequate data protection training (para 23, P.8 of the report)
— E.g. some organizations do not provide regular “refresher” training
ii. Conduct regular audit (para 25, P.9 of the report)
— Over 40% of participating organizations admitted that self-assessment or audit on performance is not done regularly
iii. Handling of data breach incidents and notification (para 30, P.10 of the report)
— Vast majority of companies have written data breach incident response procedures
— But fewer companies have written procedures to notify affected individuals and report to the regulator (e.g. cyber attacks)
iv. Maintain a comprehensive personal data inventory (para 35, P.11 of the report)
— Only a minority maintain a comprehensive personal data inventory covering all departments, recording categories of personal data held, storage location, retention period, use and security measures adopted
v. Maintain a record of data flow (para 36, P.11 of the report)
— Only adopted by a minority
— Organizations may transfer personal data to third parties due to business needs. Recording such data flow would help in understanding the source/details of data transfer and facilitate future checking
“Guangdong-Hong Kong- Macau -Greater Bay Area
– Well-poised for success” (EY)
- Useful background information
- 7 directions to become a world leader
[Link] Equip yourself for discussions in your company!
Also in this issue
(i) SFC commenced legal proceedings in the Court of First Instance for disqualification orders against the chairman and executive director of Luxey International (Holdings) Limited (GEM listed), and former CEO and executive director. (Click: Press release).
The focus is the company’s very substantial acquisition of a target company in 2011. The chairman is alleged to have procured intermediaries to first purchase the target, then re-sold it to the company at a profit (around $340m).
Former CEO’s alleged breach of director’s duties is noteworthy ─ (among other things) failing to make sufficient enquiries about the relationships among the chairman and the intermediaries, and to take steps to prevent the company from acquiring the target at such substantially higher price.
What you should watch out for:
- The high standard expected in directors’ duties, including making the necessary enquires
- Directors duties being an enforcement focus
(ii) Highlights in SFC’s latest Takeovers Bulletin include disclosure of “special deals” in Rule 3.5 announcements; and application of “presumption of acting in concert” (class (9): provision of finance/financial assistance).
There are significant implications of “concert party status” under the Takeovers and Share buy-backs Codes.
What you should know/watch out for:
Disclosure of “special deals” in Rule 3.5 announcements
- Background: Rule 25 (“Special deals with favourable conditions”)
— Save with the consent of the Executive Director, Corporate Finance Division, SFC, no “special deals” may be offered
— Spirit: all shareholders be treated even-handedly
- To assist in compliance of Rule 25, additional disclosures required; or a negative statement
— Including: any other consideration/compensation/benefit in whatever form paid or to be paid by the offeror/parties acting in concert, to the vendor/any party acting in concert
Application of “presumption of acting in concert” (Class (9))
- Background: Class (9) of the presumption covers a person who provides finance or financial assistance (directly or indirectly) to another in connection with an acquisition of voting rights
- Authorised institutions under the Banking Ordinance lending money in the ordinary course of business are expressly excluded
- An individual, private company, licensed money lender, licensed broker or person licensed by the SFC to carry out securities margin financing would normally be caught
- The original controlling shareholder who is prepared to receive deferred payment of consideration for the sale shares would also be caught
(iii) HKEX published new/updated guidance materials and withdrew outdated ones. It is part of its continuous eﬀort to streamline its guidance and related materials, to provide the market with guidance and clarity on the application of Listing Rules and practices. (Click: press release)
Our focus is on the “continuing obligations” of listed companies — two noteworthy updates (relating to issuers engaged in gambling business; suitability for continued listing (areas updated include trade or economic sanctions risks; material reliance on various parties) are highlighted below.
What you should know:
HKEX-GL71-14 (Gambling activities of new applicants and/or listed issuers)
- Where a listed issuer invests directly or indirectly in gambling activities, it must use its best endeavours to ensure that such gambling activities must comply with the “applicable laws” (i.e. applicable regulatory or licensing requirements, government policies that regulate the gambling activities, and relevant anti-money laundering laws)
- The issuer may otherwise be considered unsuitable for listing
HKEX-GL96-18 (Guidance on listed issuer’s suitability for continued listing)
Sanctions risks (para 25-8):
- Referencing new Guidance on Sanctions Risks (GL101-19), which provides guidance on suitability for listing of applicants engaging in activities relating to countries subject to sanctions imposed by overseas jurisdictions, and listing applicants which are sanctioned targets etc
- A listed issuer may become exposed to sanctions risks due to new business/activities, or a change in law or regulation making its existing business sanctionable
- It must timely disclose such risks and impact as required under the “inside information provisions”, and HKEX may seek further details and require additional actions be taken
- Issuer’s listing status might be in issue under certain “extreme cases” explained
- Issuer’s equity fundraisings and related listing applications: HKEX will consider listing applications case by case; unlikely to give approval if the funds are raised to finance sanctionable activities
The section on “material reliance on various parties” (para 32-5) has been expanded.
This Update in PDF