Response to Media Enquiry or Report

Date: 16 May 2016

Privacy Commissioner Responses to Media Enquiry on Data Breach Cases and Regulations on Privacy and Breach Disclosure


Thank you very much for your email enquiry regarding data breach cases and regulations on privacy and breach disclosure. Our responses are as follows:

1) In 2015/2016, the Office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) received 104 data breach notifications (“DBN”), affecting 854,476 individuals (as compared with 66 incidents involving 77,409 individuals in 2014/15).

2) Currently, it is not a statutory requirement for a data user (such as a bank or a telecommunication service provider) to notify the PCPD of a data breach incident. However, the breach may amount to a contravention of Data Protection Principle 4 under the Personal Data (Privacy) Ordinance (the “Ordinance”) that requires a data user to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use. When facing a data breach incident, data users are strongly advised to give a DBN to the affected data subjects, the PCPD and any other relevant parties as a good practice for proper handling of such incident.

The PCPD revised its “Guidance on Data Breach Handling and the Giving of Breach Notification” in October 2015. This guidance note aims to assist data users in handling data breaches and to mitigate the loss and damage caused to the data subjects concerned.

The PCPD will assess the information provided by a data user in a DBN and decide whether a compliance check[1] is warranted. After the check, the PCPD will point out to the relevant data user any deficiency in the steps taken by them in protecting the personal data, and advise them to take remedial actions to correct the suspected breach and prevent further breaches. For compliance check cases with results suggesting possible contravention of the Ordinance, the Privacy Commissioner may conduct investigations of the suspected breaches pursuant to section 38(b) of the Ordinance, and if appropriate, an enforcement notice may be served upon the relevant data user directing them to take appropriate remedial actions to prevent future recurrence. Non-compliance with an enforcement notice is an offence under the Ordinance.

The PCPD will keep reviewing the existing voluntary notification mechanism.

For further information, please visit our website at www.PCPD.org.hk.



(The above reply can be attributed to Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong)



[1] A compliance check is undertaken when the Privacy Commissioner identifies practices in an organisation that appear to be inconsistent with the requirements under the Ordinance.