August 21 Legal Update
Top stories
HKEX Listing Newsletter: role of Directors
In its latest Listing Newsletter, HKEX addresses “the role of directors”. It highlights 5 areas directors should keep in mind, in light of their responsibilities:
(i) significant transactions, (ii) monitoring financial information, (iii) subsidiaries, (iv) understanding the roles played by each director, and (v) good documentation and record keeping. These are further explained below.
As regards corporate governance, HKEX stresses that it is “more than compliance”, focusing on directors’ independence, board refreshment, succession planning, as well as diversity. It also shared data on the current status of HK listed companies, e.g. 1/3 of our listed companies do not have a female director.
What you should do/watch out for:
- Significant transactions
— Take care to reduce exposure to undue risk
— Particularly for transactions involving substantial financial obligations/outflows of money
— Including: robust controls; limiting any individual’s power over assets; rule-compliant disclosure; commensurate due diligence
- Monitoring financial information
— Ensure sufficient information received
— Review information critically, with an enquiring mind
— With particular care around monies being paid out of the issuer, and assets/line items which appear or change unexpectedly over time
- Don’t overlook the subsidiaries
- Understanding the roles played by each director
— Some directors (e.g. independent directors, audit committee members) may have particular responsibilities
— But ALL directors must pay attention to the board’s work, and ensure that delegated tasks are properly performed
- Good documentation and record keeping
— If directors have no evidence to support assertions they have performed certain steps, there is a “significant risk” that HKEX will view these with doubt
Also in this issue
Legislation
(i) Privacy Commissioner (“PCPD”): “Guidance on Ethical Development and Use of AI”; Inspection Report on customers’ personal data systems of 2 public utilities (Press Release)
(a) Artificial Intelligence
From the ethical perspective, the Guidance recommends 3 fundamental “data stewardship values” when AI is developed and used, namely, (i) respectful; (ii) beneficial; (iii) fair to stakeholders. In turn, there are 7 ethical principles which are in line with international standards. These principles are summarised below.
For implementation, it has a useful “practice guide” section (section 4, P.11), outlining 4 key business processes. Practical steps and examples are given:
(i) AI strategy and governance
(ii) Risk assessment and human oversight
(iii) Execute development of AI models and management of overall AI systems
(iv) Communication and engagement with stakeholders
For instance, underlying “AI strategy” is “accountability”. AI strategy may include elements like determining acceptable uses of AI, and what uses are disallowed.
As regards “governance”, a designated C-suite executive (“senior management participation”) should lead a cross-functional team.
What you should know/do:
7 ethical principles for AI
- Respectful
— Accountability
— Human oversight
— Transparency and interpretability
— Data privacy
- Beneficial
— Beneficial AI
— Reliability, robustness and security
- Fair
— Fairness
(b) Inspection report of 2 public utilities: personal data privacy management system
The report revealed that both CLP and HK Electric had implemented a “personal data privacy management programme” and had adopted good practices.
Through the findings, PCPD makes recommendations (para 45, P.24) for public utilities and other organisations that handle vast amounts of customers’ personal data. These are summarised below.
What you should know/watch out for:
- Prepare for the unexpected
- Develop “personal data privacy management programme”
- Appoint “data protection officers”
— Designated staff members tasked with monitoring compliance with the Privacy Ordinance; clear reporting lines to senior management
- Establish personal data inventory
— “Corporate-wide” personal data inventory
- System security policies and procedures
— Regular security risk assessments; monitor the effectiveness of the security measures in place
- “Role-based access” to customer data
— Access for staff members who have a genuine need for the data to perform their duties
- Implement monitoring on top of preventive measures
— Comprehensive audit logs to capture users’ digital footprints
— Track staff members’ access to the data, including search and modification records
- Protect both electronic and paper records
- Measures to raise staff awareness
— Comprehensive data protection training programme
(ii) The Companies Registry issued an External Circular on the commencement of phase 1 of the new inspection regime. Its website also has a thematic section on the new regime, including frequently asked Q+As on detailed logistics.
For Phase 1 (from 23 Aug, 2021 to 23 Oct, 2022), companies may replace, for public inspection on their own registers, (i) the usual residential addresses of directors with their correspondence addresses; (ii) the full identification numbers of directors and company secretaries with partial information.
(Read summary in our June 2021 legal update).