Yes.
The Hong Kong Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) ("PDPO") governs the handling of personal data by data users, a similar concept to data controllers under the EU General Data Protection Regulation. The PDPO requires data users to comply with six Data Protection Principles ("DPPs"):
However, if a cloud service provider is purely processing personal data on behalf of a financial institution as its customer and not for any of its own purposes, it would be considered a data processor and not a data user. Data processors are not directly regulated under the PDPO.
In such circumstances, the financial institution, as the data user, remains liable for the acts or omissions of its authorized data processors (including the cloud service provider) and must monitor and control those data processors. Other requirements of particular relevance in a cloud context are that the financial institution, as a data user, is obliged under the PDPO to adopt contractual or other means to ensure that the cloud service provider it engages does not retain the data for longer than is necessary and prevents unauthorized or accidental access, processing, erasure, loss or use of the data.
In practice, the regulator expects these requirements to be included as obligations in the written agreement with the cloud service provider, although a written agreement is not strictly mandatory.
As the PDPO is intended to be technology-neutral, there are no requirements that are specific to cloud services. However, the Privacy Commissioner for Personal Data has published an information leaflet on Cloud Computing (revised July 2015) ("Leaflet"), which provides an interpretation of how the DPPs apply to cloud service providers. The Leaflet sets out data privacy concerns in the cloud and how to address them. Key recommendations are as follows:
There is also a more general information leaflet on Outsourcing the Processing of Personal Data to Data Processors (September 2012). This provides guidance to data users on the use of data processors and recommendations for their engagement.
On the other hand, if the cloud service provider will be processing personal data for its own purposes (and not purely on behalf of its customer), it will be considered a data user under the PDPO and must comply with the PDPO's requirements, including the six DPPs.