Date: 30 June 2023
Privacy Commissioner’s Office Issues New Guidance on Data Breach Handling and Data Breach Notifications To Safeguard Data Security
With the surge in cyberattacks owing to technological advancements, the number of data breach incidents reported to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 (as of 29 June) has increased by more than 20% to 55 cases when compared to the second half of 2022. The impact of data breaches goes beyond harm to the affected individuals, as organisations can also suffer reputational damage and other losses. Against this background, the PCPD today issued a new “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) to assist organisations in preparing themselves in the event that a data breach occurs. The Guidance also contains practical recommendations to help organisations handle data breaches so as to contain the damage and harm that follow from such incidents.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “There has been an increase in data breach incidents in recent years, with organisations of all sizes and industries falling victim to cyberattacks, human errors and the like. To safeguard data security, the Guidance recommends that organisations should formulate a data breach response plan to enable them to respond to data breach incidents promptly and manage them effectively. The Guidance also provides a clear step-by-step guide to assist organisations in handling and managing data breach incidents properly, with a view to minimising the impact on the affected individuals as well as the potential damage to the organisations.”
Specifically, the Guidance recommends that organisations follow these key steps when handling a data breach:
- Step 1: Immediate gathering of essential information
- Step 2: Containing the data breach
- Step 3: Assessing the risk of harm
- Step 4: Considering giving data breach notifications
- Step 5: Documenting the breach
The Guidance also points out that organisations should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects.
Separately, the PCPD has launched an e-Data Breach Notification Form. The online form is a web-based form with guided questions and multiple-choice answers, which enables organisations to grasp the details of data breach incidents more comprehensively and effectively, and to report data breach incidents to the PCPD in a more convenient manner.
The “Guidance on Data Breach Handling and Data Breach Notifications” is available for download from the PCPD.
-End-