Data Retention Policy (Hong Kong)
Personal Data (Privacy) Ordinance (Cap. 486) — Data Protection Principle 2
Data Retention Policy
Organisation: [Organisation Name]
Address: [Organisation Address]
Data Protection Officer: [Data Protection Officer]
Effective Date: [Policy Effective Date]
Next Review: [Policy Review Date]
1. Purpose
This Data Retention Policy sets out how [Organisation Name] manages the retention and secure disposal of personal data and business records in accordance with Data Protection Principle 2 (DPP 2) of the Personal Data (Privacy) Ordinance (Cap. 486) ('PDPO') and other applicable Hong Kong legislation.
2. Retention Schedule
Customer / Client Data: [Customer Data Retention]
Employee Data: [Employee Data Retention]
Financial / Accounting Records: [Financial Records Retention] (Inland Revenue Ordinance Cap. 112)
Contracts & Legal Documents: [Contracts Retention] (Limitation Ordinance Cap. 347)
CCTV Footage: [CCTV Retention] (PCPD Guidance)
Marketing / Prospect Data: [Marketing Data Retention]
3. Disposal Procedures
Paper records: [Paper Disposal Method].
Electronic records and storage media: [Electronic Disposal Method].
Disposal records: [Disposal Record Kept].
4. Responsibilities
This policy is owned by [Data Protection Officer] and implemented by [Responsible Department]. All staff handling personal data must comply with this policy. [Training Requirement].
5. Data Breach Procedure
[Breach Reporting Procedure] All data breaches involving personal data must be assessed promptly. If the breach is likely to result in significant harm to data subjects, the Privacy Commissioner for Personal Data (PCPD) should be notified.
6. Review
This policy will be reviewed on [Policy Review Date] or earlier if there are changes to applicable law, PCPD guidance, or the organisation's data processing activities.
Data Protection Officer / Authorised Signatory
________________
Signature
What Is a Data Retention Policy (Hong Kong)?
A Data Retention Policy in Hong Kong sets out how long each category of personal data and business records is kept, which event starts the retention clock, who is responsible for enforcing the schedule, and how records are securely disposed of once the period ends.
Hong Kong's data retention obligations arise from multiple regulatory sources that must be reconciled in a single coherent policy. The Personal Data (Privacy) Ordinance (Cap. 486), administered by the Office of the Privacy Commissioner for Personal Data (PCPD), mandates data minimisation through DPP2: personal data must be deleted or anonymised once the purpose for which it was collected has been fulfilled. At the same time, the Inland Revenue Ordinance (Cap. 112) requires businesses to retain accounting records, payroll data, and tax-relevant documents for at least seven years under Section 51C. The Limitation Ordinance (Cap. 347) sets a six-year limitation period for most contract and tort claims, running from the date the cause of action accrues, so records needed to defend such claims should be kept at least that long. The Employment Ordinance (Cap. 57), section 49A, sets its own, shorter, statutory minimum for wage and employment records; it is a floor, not a recommended period. A Data Retention Policy reconciles these potentially conflicting requirements by mapping each data category to its longest applicable mandatory retention period and scheduling secure disposal at the end of that period.
Data Protection Principle 5 (DPP5) of Cap. 486 requires data users to make their personal data policies and practices available to data subjects. A Data Retention Policy addressing how long personal data is held and when it will be deleted is a key component of the DPP5 disclosure obligation, and a summary of retention periods should be included in the organisation's public-facing Privacy Policy.
Section 50 of Cap. 486 empowers the PCPD to issue enforcement notices against organisations that contravene DPP2 by retaining personal data beyond the necessary period. Contravention of an enforcement notice is a criminal offence under section 50A of Cap. 486, carrying on first conviction a maximum fine of HK$50,000 and up to two years' imprisonment. PCPD enforcement decisions have consistently required subject organisations to implement written retention policies with defined schedules and secure disposal procedures as part of mandatory remediation.
The HKMA Supervisory Policy Manual and HKEX Listing Rules impose additional retention requirements on regulated financial institutions and listed companies respectively — the Data Retention Policy should address these sector-specific obligations alongside the PDPO minimum standards. For Hong Kong subsidiaries of multinational groups, the policy should align with group-level retention schedules while meeting local statutory minimums.
The relationship between data retention and breach risk is direct: organisations that retain personal data beyond its useful life hold unnecessarily large data sets. When a breach occurs, those excess records are compromised along with current data, amplifying harm and regulatory exposure under Section 50 of Cap. 486. A written Data Retention Policy with defined schedules and automated deletion mechanisms (subject to legal holds) directly reduces breach impact. The PCPD's published enforcement notices following data breaches consistently identify excessive retention as a contributing factor. forms-legal.com provides this Data Retention Policy template for Hong Kong organisations covering personal data, employment records, financial records, and corporate documents.
When Do You Need a Data Retention Policy (Hong Kong)?
A Data Retention Policy in Hong Kong is needed by every organisation that holds personal data or business records, which in practice means every business, non-profit, educational institution, and government body operating in the territory.
A newly incorporated company should adopt a Data Retention Policy before collecting any personal data from employees, customers, or other data subjects. Without a defined retention schedule, the organisation cannot demonstrate DPP2 compliance from the outset and risks retaining personal data indefinitely through organisational inertia.
An established organisation that has accumulated years of personal data without systematic deletion procedures should adopt a policy as a matter of priority. The PCPD's enforcement activity has increasingly focused on organisations that retain excessive volumes of personal data, particularly following data breaches where the volume of compromised data reflects years of unnecessary accumulation.
Any organisation that receives a PCPD complaint related to excessive data retention or a DPP2 enforcement notice must adopt a written Data Retention Policy as part of the mandated remediation. PCPD enforcement notices routinely require subject organisations to implement documented retention schedules and secure disposal procedures within a specified period.
Organisations operating in regulated sectors — banking under HKMA supervision, securities under SFC regulation, healthcare under Hospital Authority governance — need a Data Retention Policy that addresses both PDPO DPP2 requirements and the sector-specific retention obligations imposed by their regulator. The HKMA expects authorised institutions to maintain documented records management policies consistent with both regulatory requirements and prudent risk management.
E-commerce businesses, digital platforms, and businesses that collect large volumes of customer personal data through websites, apps, or loyalty programmes particularly need a retention policy to manage the ongoing accumulation of customer data. Without defined retention periods and automated deletion mechanisms, these organisations risk holding years of personal data belonging to inactive customers — personal data that serves no current business purpose and creates disproportionate breach risk.
Organisations that engage data processors — cloud providers, payroll bureaus, marketing agencies — need a Data Retention Policy to define the instructions they give processors regarding data deletion at contract end, consistent with the data return and deletion clauses in their Data Processing Agreements.
What to Include in Your Data Retention Policy (Hong Kong)
A Data Retention Policy for Hong Kong organisations must address the following core elements to achieve DPP2 compliance under the Personal Data (Privacy) Ordinance (Cap. 486) and satisfy applicable statutory record-keeping requirements.
Scope and Data Categories defines all categories of personal and business data held by the organisation — customer personal data, employee personal data, financial and accounting records, legal correspondence, contracts and transaction records, CCTV footage, website analytics data, and any other identifiable data sets — and assigns each category to a defined retention period.
Retention Schedule is the operational heart of the policy, setting out the mandatory and recommended retention period for each data category. Standard Hong Kong retention periods include: accounting and tax records — seven years from the end of the relevant tax year under Section 51C of the Inland Revenue Ordinance (Cap. 112); employment records including payroll, HKID copies, and MPF records — seven years from termination of employment; contracts and transaction records — seven years from expiry or completion, consistent with the six-year limitation period under the Limitation Ordinance (Cap. 347) plus one year buffer; CCTV footage — no more than 31 days unless required for an ongoing investigation, per PCPD guidance; direct marketing consent records — three years after the individual opts out; and job applicant records — no more than two years from the date of the application unless the candidate is hired.
Legal Hold Procedures address the suspension of normal retention and deletion schedules when data is subject to an active or anticipated legal proceeding, regulatory investigation, or PCPD inquiry. The policy should specify the authority to issue legal holds, the process for identifying and preserving affected data, and the process for lifting holds when proceedings are concluded.
Secure Disposal Methods specifies the approved method for each storage format: cross-cut or micro-cut shredding for paper records; secure erasure software, degaussing, or physical destruction for electronic storage media; cloud provider-confirmed deletion for cloud-hosted data. The policy should prohibit inadequate disposal methods — strip-cut shredding, recycle bin deletion, or abandonment of storage media.
Disposal Register requires the organisation to maintain a written record of all data disposal activities, including the date, the categories and volume of data disposed of, the disposal method, and the identity of the person who performed or supervised the disposal. The Disposal Register should be retained for at least seven years as evidence of DPP2 compliance during any PCPD investigation.
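The five elements above (data categories, retention schedule, legal hold, disposal, disposal register) are usually enforced by a small scheduled job rather than by hand. The following Python is an added illustration of how such a job is structured; it is not part of the forms-legal.com template and describes no particular product. The retention periods follow the schedule on this page, but the record format, the field names (`trigger_date`, `legal_hold`), the sample records, and the in-memory store are constructed for this example and are assumptions, not the template's data model.

```python
"""Retention-schedule enforcement with legal hold and a disposal register.

Added illustration, not part of the forms-legal.com template. Periods mirror
the schedule described on the page; record layout and sample data are
constructed assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Category -> (years, extra days, event the period runs from).
# The trigger event is documented so an auditor can see which date the
# clock started from; the record stores that date in `trigger_date`.
SCHEDULE = {
    "accounting":        (7, 0,  "end of relevant tax year (IRO s.51C)"),
    "employment":        (7, 0,  "termination of employment"),
    "contract":          (7, 0,  "expiry or completion (6y limitation + 1y buffer)"),
    "cctv":              (0, 31, "date of recording (PCPD guidance)"),
    "marketing_consent": (3, 0,  "opt-out date"),
    "job_applicant":     (2, 0,  "application date (unsuccessful candidate)"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # event the retention period runs from (assumed field)
    legal_hold: bool = False  # set by the legal-hold procedure; blocks disposal


@dataclass
class DisposalEntry:
    """One Disposal Register line: date, category, volume, method, who."""
    disposed_on: date
    category: str
    count: int
    method: str
    performed_by: str


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def disposal_due(record: Record) -> date:
    """Earliest date the record may be disposed of under SCHEDULE.
    Fails closed: an uncategorised record raises rather than being disposed of."""
    if record.category not in SCHEDULE:
        raise KeyError(f"{record.record_id}: no retention period for {record.category!r}")
    years, days, _ = SCHEDULE[record.category]
    return add_years(record.trigger_date, years) + timedelta(days=days)


def select_for_disposal(records, today: date):
    """Split records into (due for disposal, due but on legal hold).
    Held records are reported, not silently skipped, so the hold is visible."""
    due, held = [], []
    for r in records:
        if disposal_due(r) > today:
            continue
        (held if r.legal_hold else due).append(r)
    return due, held


def run_retention_cycle(store: dict, today: date, method: str, performed_by: str):
    """Delete due records from `store` (record_id -> Record) and return
    (register entries, held records). One register entry per category."""
    due, held = select_for_disposal(list(store.values()), today)
    counts: dict = {}
    for r in due:
        del store[r.record_id]                 # the actual disposal step
        counts[r.category] = counts.get(r.category, 0) + 1
    entries = [DisposalEntry(today, cat, n, method, performed_by)
               for cat, n in sorted(counts.items())]
    return entries, held


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("R1", "accounting", date(2018, 3, 31)),
    Record("R2", "accounting", date(2018, 3, 31)),
    Record("E1", "employment", date(2017, 6, 30), legal_hold=True),
    Record("C1", "cctv", date(2026, 1, 1)),
    Record("J1", "job_applicant", date(2025, 5, 10)),
]


def demo(today: date = date(2026, 1, 15)):
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    entries, held = run_retention_cycle(store, today, "secure erase", "DPO")
    return entries, [r.record_id for r in held], sorted(store)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two design points matter for DPP2 evidence: the register records category and count rather than the data itself, so the register does not become a second copy of the personal data it documents; and an unknown category raises instead of defaulting to either "keep forever" or "delete now", forcing the Scope and Data Categories section to be kept complete.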
Roles and Responsibilities assigns ownership of the Data Retention Policy to a named role — typically the Data Protection Officer, IT Manager, or Company Secretary — and specifies the responsibilities of each department for managing retention schedules within their data domains.
Policy Review Schedule requires annual review of the policy and retention schedule to account for changes in applicable law, new data categories, PCPD guidance updates, and changes in business operations.
Third-Party Processor Instructions: Where personal data is processed by third-party processors — cloud providers, payroll bureaus, marketing agencies — the Data Retention Policy must specify the deletion instructions issued to those processors at contract end. Section 26 of the Personal Data (Privacy) Ordinance (Cap. 486) requires the data user to erase personal data it no longer needs, and DPP2(3) requires the data user to adopt contractual or other means to prevent personal data transferred to a data processor from being kept longer than necessary; the data user, not the processor, carries that obligation. Data Processing Agreements with processors should incorporate the retention schedule and require written confirmation of deletion within a specified timeframe.
Employee and Training Obligations: All staff who handle personal data must receive training on the Data Retention Policy, including the retention schedule for data categories relevant to their role, the secure disposal procedures, and the legal hold procedures. The PCPD expects data users to demonstrate that staff understand retention obligations; untrained staff who delete data prematurely, or who retain it excessively, can trigger compliance failures in either direction. Training records should themselves be retained for at least three years as evidence of compliance.
forms-legal.com also provides a Data Protection Policy and Data Consent Form as companion documents for a complete PDPO compliance framework for Hong Kong organisations.
Sources & Citations
Statutory citations link to official government sources.
- Personal Data (Privacy) Ordinance (Cap. 486)
- Inland Revenue Ordinance (Cap. 112)
- Limitation Ordinance (Cap. 347)
- Employment Ordinance (Cap. 57)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Retention Policy (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/data-retention-policy-hong-kong
"Data Retention Policy (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/data-retention-policy-hong-kong.
@misc{formslegal-data-retention-policy-hong-kong,
author = {{Forms Legal}},
title = {Data Retention Policy (Hong Kong)},
year = {2026},
howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/data-retention-policy-hong-kong}},
note = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}
Frequently Asked Questions
Data Protection Principle 2 (DPP2) of Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) requires that personal data must not be kept longer than is necessary for the fulfilment of the purpose for which it was collected. DPP2 imposes an affirmative obligation — organisations must actively delete or anonymise personal data when the retention purpose has expired, rather than simply ceasing to use it while retaining it.
The Office of the Privacy Commissioner for Personal Data (PCPD) recommends that organisations formalise their data retention practices in a written Data Retention Policy, specifying the retention period for each data category and the secure disposal method. The PCPD's enforcement decisions consistently identify excessive retention as a DPP2 compliance failure. Organisations that retain personal data indefinitely — former employee records or ex-customer data far beyond the relevant statutory period — face enforcement action under Section 50 of Cap. 486.
Retaining unnecessary personal data also amplifies breach exposure: a breach affecting a large historical data set harms more individuals than a breach affecting a minimised current data set. DPP2 should be read alongside DPP1 — which requires collection of only the minimum data necessary — to create a comprehensive data minimisation framework consistent with the EU GDPR and Singapore's PDPA storage limitation principles.
Retention periods in Hong Kong vary by data category and are determined by statutory requirements, regulatory guidance, and limitation periods under the Limitation Ordinance (Cap. 347).
Tax and financial records: at least seven years under Section 51C of the Inland Revenue Ordinance (Cap. 112). The IRD may audit profits tax assessments for up to six years from the end of the year of assessment.
Employment records: payroll records, HKID copies, MPF contribution records, and employment contracts should be retained for seven years from the date of the record. The Employment Ordinance (Cap. 57), section 49A, sets a much shorter statutory minimum for wage and employment records, but the seven-year IRD standard is the recommended minimum.
Contract-related data: duration of contract plus six years, consistent with the general limitation period under Section 4 of the Limitation Ordinance (Cap. 347).
Medical records: seven years for adult patients under Hospital Authority practice; three years for minor patients.
CCTV footage: no more than 31 days per PCPD guidance on CCTV surveillance, unless required for an ongoing investigation.
Direct marketing consent records: as long as the individual is on the marketing list, plus three years after opting out for dispute resolution purposes.
Biometric data: only for the active period of use; deleted immediately upon expiry of the access or authentication purpose for which it was collected.
Retaining personal data beyond the necessary period is a contravention of Data Protection Principle 2 (DPP2) under the Personal Data (Privacy) Ordinance (Cap. 486). The PCPD may investigate DPP2 breaches following a complaint or through a Commissioner-initiated investigation. On investigation, the PCPD may issue an enforcement notice under Section 50 of Cap. 486 directing the organisation to delete excess data and implement a written retention policy with defined periods and secure disposal procedures.
Contravention of an enforcement notice is a criminal offence under section 50A of Cap. 486 carrying, on first conviction, a maximum fine of HK$50,000 and up to two years' imprisonment, and on a subsequent conviction a maximum fine of HK$100,000 and up to two years' imprisonment, with a daily fine for continuing contraventions (HK$1,000 on first conviction, HK$2,000 on subsequent conviction).
Excessive retention amplifies data breach risk. Holding more personal data than necessary means more individuals are harmed when a breach occurs, increasing both regulatory and reputational consequences. The PCPD's breach guidance identifies excessive retention as a contributing factor in severity assessments. Retention of HKID numbers, financial account details, and medical records beyond the necessary period attracts particularly serious attention given the potential for identity theft and financial fraud.
Civil liability: retaining personal data beyond its retention period weakens the data user's position in any civil claim by a data subject under Section 66 of Cap. 486 for compensation for loss suffered as a result of a PDPO contravention.
Personal data disposal in Hong Kong must prevent reconstruction, retrieval, or unauthorised access to the disposed data. The PCPD's guidance and DPP4 obligations under Cap. 486 apply to the disposal process as much as to ongoing storage.
Paper records — employment files, HKID copies, customer application forms, medical records — must be shredded using a cross-cut or micro-cut shredder (not strip-cut shredders, which produce strips that can be reassembled). For large volumes, many Hong Kong organisations engage certified document destruction companies that provide a certificate of destruction.
Electronic records on hard drives, solid-state drives, or removable media require a method matched to the media type: overwriting with secure deletion software in line with NIST SP 800-88 (the older DoD 5220.22-M multi-pass pattern is still widely cited and acceptable for magnetic disks); degaussing for magnetic hard drives only, since it has no effect on solid-state or flash media; for SSDs and flash media, the drive's built-in sanitize or cryptographic-erase command, or physical destruction; and physical destruction for any media whose sanitisation cannot be verified. Deleting files and emptying the recycle bin is not sufficient: the data remains on the media until overwritten and can be recovered with standard forensic tools.
Cloud-hosted data: the data user must instruct the cloud provider to delete the data and obtain written confirmation. Section 26 of Cap. 486 obliges the data user to erase personal data it no longer requires, and DPP2(3) obliges it to use contractual or other means to stop its processors keeping the data longer than necessary. The Data Processing Agreement should specify the deletion method, the timeline, and the form of confirmation.
Disposal Register: the PCPD recommends maintaining a written record of all disposal activities — date, categories of data, volume, disposal method, and supervisor. The Disposal Register should be retained for seven years as evidence of DPP2 compliance during any PCPD investigation.
The Personal Data (Privacy) Ordinance (Cap. 486) does not explicitly require a written data retention policy by name. However, several DPP obligations effectively make a written policy the expected compliance standard.
Data Protection Principle 2 (DPP2) requires that personal data not be retained longer than necessary — without a written retention schedule, an organisation cannot demonstrate systematic DPP2 compliance. Data Protection Principle 5 (DPP5) requires data users to make their personal data policies available to data subjects — a retention policy is part of this governance disclosure.
The PCPD's enforcement notices following DPP2 investigations routinely require the subject organisation to implement a written retention policy as a remediation measure under Section 50 of Cap. 486. Adopting a policy proactively reduces the severity of any sanction if a breach occurs.
Sector-specific requirements reinforce this obligation. HKMA-regulated institutions must comply with the Supervisory Policy Manual module on records management, which requires documented retention schedules. Listed companies must comply with HKEX requirements on records retention for corporate documents. The Inland Revenue Department (IRD) expects businesses to maintain and produce records for at least seven years under Section 51C of the Inland Revenue Ordinance (Cap. 112).
forms-legal.com provides this Data Retention Policy template covering personal data, employment records, financial records, and business records for Hong Kong organisations of all sizes.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Acceptable Use Policy (Hong Kong)
An Acceptable Use Policy (AUP) for Hong Kong organisations setting out the rules and guidelines for the proper use of company IT systems, networks, and digital resources. Governs employee conduct when accessing company technology, internet, email, and software under Hong Kong common law and practical compliance standards.
AI Acceptable Use Policy (Hong Kong)
An AI Acceptable Use Policy for Hong Kong organisations governing the responsible use of artificial intelligence tools and systems in the workplace. Addresses data protection under the Personal Data (Privacy) Ordinance (Cap. 486), ethical AI principles, and risk management for generative AI and machine learning technologies.
Anti-Bribery Policy (Hong Kong)
An Anti-Bribery Policy for Hong Kong organisations ensuring compliance with the Prevention of Bribery Ordinance (Cap. 201). Establishes clear rules on gifts, hospitality, facilitation payments, and reporting obligations. Covers both public and private sector bribery offences enforced by the ICAC.
Anti-Discrimination Policy (Hong Kong)
A comprehensive workplace Anti-Discrimination Policy for Hong Kong employers, covering obligations under the Sex Discrimination Ordinance (Cap. 480), Disability Discrimination Ordinance (Cap. 487), Family Status Discrimination Ordinance (Cap. 527), and Race Discrimination Ordinance (Cap. 602). Sets out complaint procedures and remedies consistent with Equal Opportunities Commission guidance.
Business Continuity Plan (Hong Kong)
A Business Continuity Plan (BCP) for Hong Kong organisations establishing procedures to maintain critical operations during disruptions. Covers risk assessment, recovery strategies, communication protocols, and testing procedures under Hong Kong common law and industry best practices.