Privacy and Data Protection

Privacy and Data Protection

Regardless of which industry you are in, privacy and data protection issues affect us all. The Privacy and Data Protection module identifies and guides your organisation through the compliance obligations surrounding the secure collection, management and maintenance of personal information within the Australian legal framework.

To pay or not to pay – the rise of ransomware in 2021

A recent spate of ransomware attacks has brought into sharp relief the critical question – to pay or not to pay. With some notable but limited exceptions, traditional advice from law enforcement and cyber experts has always largely been don't pay the ransom.

Regulatory Compliance Webinar Series


Topic: GDPR After The Pandemic - Do you need to review your privacy obligations?

Speaker: Michael Rasmussen l The CURA Pundit

Regulatory Compliance Webinar Series


Topic: Compliance Conversations on Privacy in Hong Kong

Speaker: Dominic Wai | Partner, ONC Lawyers

Complementary International Privacy Checklist


Knowing your international privacy compliance requirements is vital to ensure your business is meeting its obligations. This complimentary checklist has been developed in conjunction with Dudley Kneller, Partner at Gadens.

Hong Kong

Core Obligations

Objectives, Definitions and Governing Principles

Data Protection Principles

Access to Personal Data

Correction of Personal Data

General Maintenance

Codes of Practice

Qualifying Criterion for Matching Procedures and Transfer of Personal Data

Provision of Personal Data in Direct Marketing

Grievances Protocol

Offences and Penalties

Interpretation of Prescribed Public Officer

Governing Rules covering PDPO

Interpretation of Prescribed Public Officer and Ex Officio Member

Performance of the Administrative Appeals Board

Who can perform a Transfer of Record

General Matters

General Secrecy

Provision of Prescribed Information on Demand

Inspection of Company’s Records

Parameters that cover PDPO

Code of Confidentiality and Protection of Council

Permitted Disclosure of Information by Authority

Delegation of Powers of the Ombudsman

Legal Landscape

The District Court Ordinance Chapter 336

The Personal Data (Privacy) Ordinance Chapter 486

The Insurance Ordinance Chapter 41

The Communications Authority Ordinance Chapter 616

The Securities and Futures Ordinance Chapter 571

The Construction Industry Council Ordinance Chapter 587

The Companies Ordinance Chapter 622

The Electronic Health Record Sharing System Ordinance Chapter 625

The Independent Police Complaints Council Ordinance Chapter 604

and 9 other compliance sources


Cap.397 Ombudsman Ordinance

Publications_2nd Edition Data Protection Principles

Cap.136 Mental Health Ordinance

Cap.221 Criminal Procedure Ordinance

Compliance with Data Access and Correction Requests

Data Access Request Form (Form OPS003)

PCPD Compliance Guide for Data Users

PCPD Codes of Practice/ Guidelines - Index

PCPD Code of Practice on the Identity Card Number and other Personal Identifiers – Compliance Guide for Data Users

PCPD Code of Practice on the Identity Card Number and Other Personal Identifiers (Revised April 2016)

Cap.177 Registration of Persons Ordinance

Cap.115 Immigration Ordinance

Hong Kong Monetary Authority - Money Laundering Guidelines

PCPD Compliance Guide for Employers and Human Resource Management Practitioners

PCPD Code of Practice on Human Resource Management (Revised April 2016)

PCPD Code of Practice on Consumer Credit Data (Revised Jan 2013)

PCPD – Understanding the Code of Practice on Consumer Credit Data – Frequently Asked Questions on the Sharing of Mortgage Data for Credit Assessment Purpose

Cap.155 Banking Ordinance

PCPD Monitoring and Personal Data Privacy at Work: Points to Note for Employers of Domestic Helpers

PCPD Privacy Guidelines: Monitoring and Personal Data Privacy at Work (Revised in April 2016)

PCPD Resources Centre Information Leaflet - What is a Matching Procedure?

PCPD – Common Questions on Matching Procedure

PCPD – Past Seminars on Direct Marketing

PCPD Guidance Note – Guidance on the Collection and Use of Personal Data in Direct Marketing

PCPD – Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the PDPO

PDPO – Complaint Handling Flowchart

Cap. 589 Interception of Communications and Surveillance Ordinance

Cap. 561 Human Reproductive Technology Ordinance

Cap. 227 Magistrates Ordinance

The Department of Justice – Legal System in Hong Kong

Mission, values and roles of the Financial Reporting Council

PCPD on Data Privacy Law – The Personal Data (Privacy) Ordinance

Criminal offences and respective penalties under the PDPO

Legal Expert


Partner | ONC Lawyers

PRACTICE AREAS: Litigation & Dispute Resolution, Regulatory, Compliance & Internal Investigations, Criminal Litigation, Trade & Customs Litigation, Shareholders’ Dispute and Insolvency matters, Domestic and International Arbitration, Cybersecurity & Privacy Law matters

Before joining the legal profession, DOMINIC has worked in the banking sector and as well as in the Independent Commission Against Corruption (ICAC).

Dominic’s practice focuses on advising clients on matters relating to anti-corruption, white collar crime, law enforcement, regulatory and compliance matters in Hong Kong, including advice on anti-money laundering. He also handles cases involving corporate litigation, shareholders’ disputes and insolvency matters, defamation cases, domestic and international arbitration cases, cybersecurity, data security and privacy law issues, competition law matters, e-Discovery and forensic investigation issues as well as property litigation. His expertise includes:

  • Advised Hong Kong listed, US multinational companies and money service operators (MSO) on anti-money laundering matters and practices.
  • Advised major international companies and Hong Kong listed companies on anticorruption and bribery and other white-collar crime issues.
  • Advised and assisted clients on urgent asset freezing injunctions and liaising with law enforcement agencies concerning fraudulent fund transfers due to business email scams and hacked email systems.
  • Advised the joint and several liquidators of a liquidation matter for over 10 years with considerable recovery for the creditors over the years.
  • Advised a major broadcasting company on defamation issues, judicial review applications, investigation by regulators and shareholders’ dispute issues.

Dominic is currently a board member of a charity that provides a home service for sick children and their families. He is supportive and actively participating in the activities of the charity.


Core Obligations

Privacy & Data Protection Overview

Applicability of Data Privacy Laws

Organisational Governance

Consumer Data Rights

Openness and Transparency

Collecting Personal and Sensitive Information

Anonymity and Pseudonymity

Using and Disclosing Personal Information and Identifiers

Cross-border Transfers of Personal Information

Ensuring the Quality of Personal Information

Ensuring the Security of Personal Information

Enabling Access and Correction of Personal Data

Managing Complaints and Investigations



Health Information and the My Health Record System

Workplace Privacy

Complying with the Payment Card Industry Data Security Standard

Legal Landscape

Archives Act 1983 (Cth)

Crimes Act 1914 (Cth)

Criminal Code Act 1995 (Cth)

Do Not Call Register Act 2006 (Cth)

Freedom of Information Act 1982 (Cth)

Privacy Act 1988 (Cth)

Privacy Regulation 2013 (Cth)

Privacy (Tax File Number) Rule 2015 (Cth)

Spam Act 2003 (Cth)

Surveillance Devices Act 2004 (Cth)

Taxation Administration Act 1953 (Cth)

Telecommunications Act 1997 (Cth)

includes over 110 compliance sources


State Records Office of Western Australia (WA, Australia)

Information Commissioner's Office (United Kingdom)

Payment Card Industry Security Standards Council (International)

NSW State Archives (NSW, Australia)

ACT Territory Records Office (ACT, Australia)

State Records of South Australia (SA, Australia)

Queensland Public Records Review Committee (QLD, Australia)

Attorney General's Department (Australia)

Australian Communications and Media Authority (Australia)

Australian Competition and Consumer Commission (Australia)

Australian Taxation Office (Australia)

Department of Home Affairs (Australia)

Department of Communications and the Arts (Australia)

The Treasury (Australia)

Office of the Australian Information Commissioner (Australia)

Public Record Office Victoria (VIC, Australia)

and 50 other regulators

Legal Expert


Partner | Gadens

DUDLEY is a highly experienced lawyer with international and domestic experience advising on commercial, regulatory and technology matters with specialisations in financial technology, cyber risk, privacy and strategic sourcing and supply projects. Dudley has over 20 years’ experience practising across Australia, Europe and the UK, and has worked on projects based in a range of countries, including the Philippines, India and across South America.

Dudley publishes and presents extensively. He has been nominated and selected as a ‘Best Lawyer’ in Australia in the area of Information Technology Law since 2020 and has been listed as a Recommended Technology, Media and Telecommunications Lawyer in Victoria in Doyle’s Guide every year from 2015 to 2020.


Core Obligations


Related Laws

Personal Information Utilisation Restriction, Acquisition, Control

A Third-Party Provision

Anonymously Processed Information

Guidelines for each field

Specific Personal Information

Legal Landscape

Act on the Protection of Personal Information

Act on the Use of Numbers to Identify a Specific Individual In Administrative Procedures

Cabinet Order to Enforce the Act on the Protection of Personal Information Act

General Rules Guidelines for the Act on the Protection of Personal Information

and 25 other compliance sources


Personal Information Protection Commission

Financial Services Agency

Ministry of Economy, Trade and Industry

and 4 other regulators

Legal Expert


Senior Associate | TMI Associates

PRACTICE AREAS: IT and Communications Matters, M&A, Alliances, Corporate Finance, Corporate Governance

SHOHEI is a Senior Associate at TMI Associates, one of the largest law firms in Japan. He has extensive experience in helping clients comply with privacy and data protection requirements. In particular, he has continuously advised numerous domestic and international advertising technology companies and advertisers with regard to their usage of consumers’ personal information as well as with contract negotiations. He also has
substantial expertise in M&A transactions targeting companies utilizing consumers’ personal data.

Shohei has previously served as a legal counsel for a company operating one of the largest web portals and advertising networks in Japan. Due to this background, he is qualified to advise his clients based on not only his legal knowledge but also on his deep understanding of the mechanisms of online advertising. Shohei has substantial experience helping companies to comply with international privacy laws, such as the GDPR, the California Consumer Privacy Act and China’s Cybersecurity Law, which enables him to effectively approach legal issues arising out of the uniqueness of each country’s privacy law.

Shohei received his Bachelor’s degree in law at Waseda University, his Juris Doctor’s degree in law at Chuo University Law School and his Master’s Degree at the University of Texas School of Law. He is licensed to practice law in both Japan and California state and has also been certified as a Certified Information Privacy Professional (United Sates) by the IAPP.

New Zealand

Core Obligations

New Zealand Privacy Overview

Collecting Personal Information

Using and Disclosing Personal Information and Identifiers

Ensuring the Security of Personal Information

Enabling Access and Correction of Personal Data

Workplace Privacy

Applicability of Privacy Laws

Cross-border Transfers of Information

Organisational Governance and Privacy Program

Managing Complaints and Investigations

Information Matching Programs

Ensuring the Accuracy of Personal Information

Protecting Confidential Information from Disclosure

Investigations and Enforcement

Legal Landscape

Privacy Act 1993 (NZ)

Official Information Act 1982 (NZ)

Contract and Commercial Law Act 2017 (NZ)

Crimes Act 1961 (NZ)

Criminal Procedure Act 2011 (NZ)

Criminal Records (Clean Slate) Act 2004 (NZ)

Data Protection Act 1998 (UK)

Harassment Act 1997 (NZ)

Protected Disclosures Act 2000 (NZ)

Unsolicited Electronic Messages Act 2007 (NZ)

and 20 other compliance sources


Office of the Privacy Commissioner

Office of the Ombudsman

Human Rights Commission

and 6 other regulators

Legal Expert


Partner | Bell Gully

PRACTICE AREAS: Media, Consumer law, Intellectual property, Litigation and dispute resolution, Privacy and data protection, Information, communications and technology, Food, Beverage and Hospitality, Cybersecurity, Anti-Bribery and Corruption

TANIA advises on all aspects of advertising promotions, including impacts of the Gambling Act, Fair Trading Act and Privacy Act. She is also experienced in advising on food and wine labelling issues, involving advice on the Food Standards Australia New Zealand (FSANZ) Code, the Food Act, the Wine Act and related regulations and industry codes.

She has a strong media law background, advising on defamation claims, appearing in Court on name suppression issues, and providing media law training to journalists. She advises on all aspects of intellectual property law, including copyright, passing off and trade mark infringement disputes and litigation.

In addition to her particular areas of expertise, Tania provides general advice on commercial and contractual disputes and litigation with successful outcomes for her clients.

Tania is recommended for intellectual property by The Legal 500 Asia Pacific 2020, which notes her specialties as media, advertising, privacy law and IP matters. Tania is also recommended as a recognised practitioner by Chambers Asia Pacific 2020 for Technology, Media and Telecoms.


Core Obligations

Overview and application of the data privacy

Compliance, police and practices

Collection, use and disclosure of personal data

Purpose of data collection

Access and correction of personal data

Care of personal data

Enforcement and penalties

Do not call registry

Legal Landscape

Personal Data Protection Act 2012

Computer Misuse Act

Cyber Security Act 2018

Official Secrets Act

The Electronics Transactions Act

and 51 other compliance sources


Personal Data Protection Commission

Intellectual Property Office of Singapore

Cyber Security Agency

Legal Expert


Partner | Clyde & Co

PRACTICE AREAS: Commercial, Corporate, Education, Employment, Pensions & Immigration, Insurance & Reinsurance

Described in The Legal 500 Asia Pacific as "extremely prompt and responsive", commanding "astounding legal knowledge" and being "genuinely interested in developing long term relationships with clients", Thomas is a corporate transactional, private equity and employment lawyer focusing on domestic and cross-border acquisitions and divestitures, corporate and asset finance and employment. As part of his practice, he also leads both the Employment in Singapore and the Corporate Secretarial practices in Singapore and Hong Kong.

United Kingdom

Core Obligations


Applicability of Data Protection Law

Organisational Governance

Lawfulness, Fairness and Transparency

Purpose Limitation

Data Minimisation

Accuracy of Personal Data

Storage Limitation

Integrity and Confidentiality

Enabling Individuals' Rights

Managing Complaints and Investigations

Cross-border Transfers of Personal Information



Workplace Privacy

Complying with the Payment Card Industry Data Security Standard

Legal Landscape

Data Protection Act 2018

Regulation (EU) 2016/679 (General Data Protection Regulation)

Freedom of Information Act 2000

and 57 other compliance sources

Regulators & Enforcement agencies

Office of the UK Information Commissioner

The Information Commissioner's Office - Scotland

Information Commissioner’s Office - Wales

The Information Commissioner’s Office - Northern Ireland

Legal Experts


Commercial Technology Partner | Hamlins

PRACTICE AREAS: Data Protection, Privacy, Cyber Security

MATTHEW has extensive experience advising businesses on the full ambit of data protection, privacy and cyber security matters. He works closely with companies advising them on the best practical and legal measures to mitigate and manage security breaches and ensure compliance with the EU General Data Protection Regulations. He advises CEOs and senior management on how to create the best legal, technological and security governance strategies for the business. Matthew has worked as a CEO and understands the commercial and budgetary pressures businesses face when implementing strategic projects.

“Matthew Pryke is both smart and focused with an ability to find solutions that add value”
- Legal500


Defamation and Privacy Partner | Hamlins

PRACTICE AREAS: Reputation Management

CHRISTOPHER is an industry leading expert in the field of reputation management and has helped businesses resolve problems that threaten the reputation of the business or the privacy and integrity of those behind it. He has considerable experience in handling unprecedented crisis situations and is used to working to pressurised timescales.

“Christopher is incredibly good. He is very well organised and gets things done.”
- Legal500



PRACTICE AREAS: Anti-Corruption, AML/Financial Regulatory, Public International Law, International/Transactional Criminal Law

ARVINDER SAMBEI is a practising barrister of over 30 years’ experience and one of the directors of London-based Amicus Legal Consultants.

She has previously held the posts of Head of Criminal Law at the Commonwealth Secretariat, Legal Adviser to the Permanent Joint Headquarters (PJHQ) at the UK’s Ministry of Defence and Principal/Senior Crown Prosecutor (Crown Prosecution Service of England & Wales). As a prosecutor, she had conduct of many of the UK’s high profile extradition, counter-terrorism, transnational and war crimes cases. In addition, her responsibilities included liaison with other jurisdictions on treaty negotiations, extradition and mutual legal assistance requests.

As the Head of the Criminal Law Section at the Commonwealth Secretariat, she was responsible for ensuring design and delivery of programmes of assistance and training for member states to enhance criminal law systems.

Arvinder acts as an expert for many international and regional organisations (including Council of Europe, EU, IMF, and UN agencies) on anti-corruption & governance, AML/CFT, sanctions, international co-operation, asset recovery, economic crimes, corporate criminal liability, maritime crime and security, human rights and public international law. She has also been engaged in treaty and legislative drafting, state and project evaluation, and capacity building/technical assistance programmes.

She is a published author of legal texts (with Oxford University Press and others), an experienced trainer and has written articles, practitioner manuals and technical papers published by, inter alia, the Council of Europe, Commonwealth Secretariat, OECD, OSCE and UNODC on her areas of expertise.

United States

Core Obligations


Applicability of Data Privacy Laws

Organisational Governance

Collecting Personal and Sensitive Information

Using and Disclosing Personal Information

Ensuring the Security of Personal Information

Enabling Access to and Correction of Personal Data

Workplace Privacy

Managing Complaints and Investigations

Protecting Confidential Information from Disclosure

Legal Landscape

Gramm Leach Bliley Act (15 USC 6801 - 6827)

Title X of Dodd-Frank Wall Street Reform and Consumer Protection Act (12 USC 5491 - 5603)

Fair Credit Reporting Act - Credit Reporting Agencies (15 USC 1681 et seq)

Family Educational Rights and Privacy Act (20 USC 1232g)

Heath Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104 -191

and 329 other compliance sources


Board of Governors of the Federal Reserve System

Federal Trade Commission

Securities and Exchange Commission

Attorney General (Federal)

and 122 other regulators

Experienced Attorney Author


Partner | Morris, Manning & Martin

PRACTICE AREAS: Corporate, Cybersecurity & Privacy, Internet of Things (IoT) Technology

ELIZABETH K. “Bess” HINSON makes planning for privacy and cybersecurity risks her top priority. As Chair of the Cybersecurity & Privacy Practice, her primary areas of concentration include cyber and data risk management and governance, breach preparedness and response, crisis management, and global data privacy compliance. Bess represents clients at all stages of incident response from investigation, notification, remediation, managing privacy class action risks, and defense of litigation and regulatory inquiry. She regularly counsels clients on cross-border data flows and navigating conflicts between foreign privacy laws and U.S. compliance obligations. She oversees and coordinates EU General Data Protection Regulation (GDPR) compliance assessment and implementation programs for clients. She has experience in privacy matters, including information governance and data management, online advertising, internal compliance policies, and consumer policies, including website and mobile application policies, vendor management, blockchain, and advising on privacy and security-related compliance strategies and programs.

Contact Us