Q: As an organizational data user, we would like to know whether we shall report any data loss or leakage incident to the Privacy Commissioner for Personal Data (the "Commissioner") under the Personal Data (Privacy) Ordinance (the "Ordinance").
A: The Ordinance does not contain any provision requiring a data user to inform the Commissioner of any personal data loss or data breach incident.
However, it would be seen as a good practice for a responsible data user to take appropriate actions to inform the affected data subjects of such personal data loss or leakage incident and to report the matter to the Commissioner and/or other relevant authorities such as the police as soon as practicable depending on the circumstances of the case, for instance, the sensitivity of the personal data being involved, the number of affected data subjects and the seriousness of harm or damage that have been/may be done to those affected data subjects, etc. The data user should also investigate the case and take remedial actions to enhance the data security system and to minimize the risk of future occurrence as soon as possible.
The Commissioner takes the view that a notification system, in some situations, may help to contain, at an early stage, the spread of loss or leakage of personal data, which in turn may minimize the potential harm or damage that the data subject concerned might suffer. This is particularly so in situation involving significant number of affected data subjects, sensitive personal data and identity theft or fraud.
Generally speaking, the notification might include the following:
(i) Information about the incident;
(ii) Description of the personal data involved;
(iii) Account for remedial steps taken by the data user;
(iv) What the data user can do to assist the data subjects;
(v) What the data subjects can do to protect the data and mitigate potential damages; and
(vi) Person to contact and useful addresses.
uploaded on web in February 2010