
BYOD Policy (Hong Kong)


BRING YOUR OWN DEVICE (BYOD) POLICY

[Organisation Name]

Effective Date: [Effective Date]

IT Department Contact: [IT Contact Person]

1. PURPOSE AND SCOPE

1.1 This Bring Your Own Device Policy (“Policy”) establishes the rules for employees of [Organisation Name] (“the Organisation”) who use personal devices to access the Organisation’s systems, networks, and data.

1.2 This Policy ensures compliance with the Personal Data (Privacy) Ordinance (Cap. 486), in particular DPP 4 (Security of Personal Data), by establishing security standards for personal devices accessing company data.

2. DEVICE ELIGIBILITY

2.1 The following personal devices are eligible for BYOD use: [Eligible Devices]

2.2 The following devices or configurations are prohibited: [Prohibited Devices]

3. SECURITY REQUIREMENTS

3.1 All personal devices used for work purposes must comply with the following security requirements: [Security Measures]

3.2 Mobile Device Management (MDM) required: [MDM Required]. MDM software: [MDM Software].

3.3 VPN required for remote access: [VPN Required]. Employees must use the Organisation’s VPN when accessing company systems over public or untrusted networks.

3.4 Employees must keep their device operating system and security software up to date at all times.

4. DATA HANDLING

4.1 Data storage rules: [Data Storage Rules]

4.2 Company data accessed or stored on personal devices remains the property of the Organisation. Employees must not transfer company data to personal storage, email accounts, or unauthorised cloud services.

4.3 Remote wipe consent: [Remote Wipe Consent]. The Organisation reserves the right to remotely wipe company data from personal devices in the event of device loss, theft, suspected security breach, or termination of employment. Remote wipe will be limited to the company data container where technically feasible.

5. EMPLOYEE PRIVACY

5.1 Employee privacy protections: [Privacy Protections]

5.2 The Organisation’s access to personal devices is limited to what is necessary to protect company data, consistent with the Personal Data (Privacy) Ordinance (Cap. 486) and the PCPD’s guidance on employee monitoring.

6. LOST OR STOLEN DEVICES

6.1 Procedure for lost or stolen devices: [Lost Device Procedure]

7. TERMINATION OF EMPLOYMENT

7.1 Termination procedure: [Termination Procedure]

8. GOVERNING LAW

8.1 This Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.

ACKNOWLEDGEMENT AND CONSENT

I acknowledge that I have read, understood, and agree to comply with this BYOD Policy, including consent to the installation of MDM software and the remote wiping of company data from my personal device.

Employee

________________

Signature

IT Department Representative

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a BYOD Policy (Hong Kong)?

A BYOD Policy in Hong Kong sets out the standards and procedures the organisation expects its people to follow.

The Personal Data (Privacy) Ordinance (Cap. 486) imposes six Data Protection Principles on data users — organisations that collect, hold, process, or use personal data. Data Protection Principle 4 (Security of Personal Data) under Schedule 1 to Cap. 486 requires every data user to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. Section 26 of Cap. 486 empowers the Privacy Commissioner for Personal Data (PCPD) to conduct investigations and issue enforcement notices against organisations that fail to comply. When employees access organisational systems containing personal data from personal devices outside the organisation’s direct control, the obligation under section 26 extends to those devices. Without a written BYOD policy specifying minimum security requirements, the organisation cannot demonstrate compliance with Schedule 1 Principle 4 in the event of a data breach.

The PCPD has published guidance noting that mobile devices represent a significant source of data breaches in Hong Kong, particularly through lost or stolen devices that contain or provide access to personal data. The PCPD recommends that organisations implement mobile device management (MDM) solutions, require device encryption, mandate strong authentication, and establish procedures for the remote wiping of company data in the event of loss, theft, or employment termination. Section 64 of Cap. 486 creates criminal liability for data users who contravene the data protection principles, and section 66 provides a civil right of action for data subjects who suffer damage.

Beyond data protection compliance, a BYOD policy addresses intellectual property protection — establishing that company data accessed on personal devices remains the organisation’s property — and employment law considerations under the Employment Ordinance (Cap. 57). Section 10 of Cap. 57 governs implied terms of the employment contract, including the employee’s duty of fidelity, which extends to protecting confidential company information accessed via personal devices. The policy must balance the organisation’s legitimate need to protect its data against the employee’s reasonable expectation of privacy in their personal device, a balance recognised by Hong Kong common law and reflected in the PCPD’s privacy impact assessment recommendations for MDM deployments.

Organisations in regulated sectors — including banks supervised by the Hong Kong Monetary Authority (HKMA) under the Banking Ordinance (Cap. 155), securities firms regulated by the Securities and Futures Commission (SFC) under the Securities and Futures Ordinance (Cap. 571), and insurance companies supervised by the Insurance Authority (IA) under the Insurance Ordinance (Cap. 41) — face additional requirements regarding data security and records management that interact with BYOD arrangements and must be addressed in the policy. The HKMA’s Supervisory Policy Manual TM-G-2 on Risk Management of E-Banking sets out specific expectations for mobile and remote access security controls applicable to HKMA-regulated institutions.

When Do You Need a BYOD Policy (Hong Kong)?

A BYOD Policy in Hong Kong is needed whenever employees use personal devices to access company systems, data, or networks — including company email, cloud applications, internal databases, or video conferencing platforms — regardless of whether the arrangement is formal or ad hoc.

An organisation implementing remote or hybrid working arrangements for the first time requires a BYOD policy before employees begin accessing company systems from home devices. Without a written policy in place before BYOD use commences, the organisation has no contractual basis for enforcing security requirements, no documented consent for remote wiping of company data, and no evidence of Schedule 1 Principle 4 compliance under the Personal Data (Privacy) Ordinance (Cap. 486) if a data breach occurs. Section 50 of Cap. 486 requires data users to maintain accurate records of their data protection practices, and a written BYOD policy is the primary mechanism for demonstrating compliance.

A company that has informally tolerated BYOD use without a written policy must formalise the arrangement by introducing a written BYOD policy to document compliance obligations and obtain employee consent to security monitoring and data management measures. Under section 18 of Cap. 486, data users must inform data subjects — including employees — of the purposes for which their personal data is collected and used, and the BYOD policy is the standard disclosure mechanism for data collected through MDM software on personal devices.

Organisations subject to sector-specific regulatory requirements from the HKMA, SFC, or Insurance Authority (IA) require a BYOD policy that addresses the specific data security and records management requirements of their regulator. HKMA-supervised banks are required under section 48 of the Banking Ordinance (Cap. 155) to maintain systems and controls adequate to manage operational risk, including risks arising from remote and mobile device access.

A company that has experienced a personal data breach involving a personal device must introduce or strengthen its BYOD policy as part of the remediation measures recommended by the PCPD following a breach investigation under section 38 of Cap. 486. The PCPD may issue enforcement notices requiring specific remediation steps, and organisations that fail to comply with enforcement notices commit an offence under section 52 of Cap. 486.

Organisations employing contractors, part-time staff, or temporary workers who use their own devices to access company systems require BYOD policy terms to be included in or annexed to their contractor or employment agreements, confirming that non-permanent staff are subject to the same security obligations as permanent employees under the Employment Ordinance (Cap. 57).

What to Include in Your BYOD Policy (Hong Kong)

A BYOD Policy for Hong Kong organisations must address the following key elements to comply with the Personal Data (Privacy) Ordinance (Cap. 486), meet regulatory expectations, and protect the organisation’s data and intellectual property.

The scope section defines which employees, contractors, and other personnel are covered by the policy, and which categories of personal devices are included — smartphones, tablets, laptops, and wearables. The policy should specify whether the BYOD arrangement is voluntary or mandatory for certain roles, and whether the organisation provides a stipend or allowance to offset the cost of using personal devices for work. Under section 4 of the Employment Ordinance (Cap. 57), any policy terms that reduce statutory employee entitlements are void, and the BYOD policy must not purport to restrict employees from exercising rights under Cap. 57.

The eligible device requirements section sets minimum technical standards: a supported and currently patched operating system; full device encryption enabled; screen lock with a minimum PIN length or biometric authentication; automatic screen lock after a maximum inactivity period (typically two minutes); no jailbreaking or rooting of the device; and up-to-date antivirus or endpoint protection where available. Devices failing these requirements must not be used to access company systems. These requirements implement the organisation’s obligation under Schedule 1 Principle 4 of Cap. 486 to take all practicable steps to protect personal data.

The mobile device management (MDM) and containerisation section specifies whether employees are required to install MDM software on their personal devices. The policy must comply with Schedule 1 Principle 1 of Cap. 486 (Purpose and Manner of Collection) — cited as section 26 in the enforcement context — by informing employees of precisely what data the MDM software collects and how it is used. MDM should be configured to create a secure container separating company data from personal data so that a remote wipe targets only company data, leaving the employee’s personal photos, apps, and messages intact.

The data handling rules must prohibit storing unencrypted company data locally on personal devices; require the use of organisation-approved cloud storage and collaboration tools; prohibit transferring company data to personal cloud storage accounts, personal email, or messaging applications; and require the use of VPN when accessing company systems over public Wi-Fi networks. Failure to enforce these rules may constitute a breach of Schedule 1 Principle 4 of Cap. 486, exposing the organisation to enforcement action under section 52 of Cap. 486.

The monitoring and privacy section must be transparent about what the organisation can and cannot access on personal devices. Consistent with Schedule 1 Principle 5 (Openness) under Cap. 486, the policy must disclose the purpose of any monitoring, the types of data that may be accessed, and the limits on access to personal data on the device. Monitoring beyond what is necessary to protect company data may engage liability under section 64 of Cap. 486, which creates criminal liability for contravention of the data protection principles.

The lost or stolen device procedure requires employees to report any lost or stolen device used for BYOD promptly. Upon report, the organisation will initiate a remote wipe of company data from the device container. Section 26 of Cap. 486 requires data users to take remedial steps upon becoming aware of a data breach, and a prompt remote wipe is the primary technical remediation available for a lost device containing personal data.

The termination and off-boarding procedure requires that upon resignation, retirement, or termination of employment under the Employment Ordinance (Cap. 57), all company data must be removed from the employee’s personal device. The employee must confirm in writing that company data has been deleted. Forms-legal.com also provides the Data Protection Policy and Acceptable Use Policy templates for information security governance in Hong Kong organisations.

Sources & Citations

Statutory citations link to official government sources.

  1. Personal Data (Privacy) Ordinance (Cap. 486)
  2. Employment Ordinance (Cap. 57)
  3. Banking Ordinance (Cap. 155), administered by the Hong Kong Monetary Authority (HKMA)
  4. Securities and Futures Ordinance (Cap. 571), administered by the Securities and Futures Commission (SFC)
  5. Insurance Ordinance (Cap. 41), administered by the Insurance Authority (IA)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). BYOD Policy (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/byod-policy-hong-kong

MLA

"BYOD Policy (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/byod-policy-hong-kong.

BibTeX

@misc{formslegal-byod-policy-hong-kong,
  author       = {{Forms Legal}},
  title        = {BYOD Policy (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/byod-policy-hong-kong}},
  note         = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}


Based on the Personal Data (Privacy) Ordinance (Cap. 486). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
