Skip to content

Newspaper Column

PCPD in Media

“PCPD’s Updated Guidance On Data Breach” – Privacy Commissioner’s article contribution at Hong Kong Lawyer (July 2023)

While the first half of 2023 has seen an unprecedented surge of technological innovations and breakthroughs, the risks inherent in such advancements have also attracted attention worldwide. According to a study by Check Point, an international software security company, the global average weekly cyberattacks during the first quarter of 2023 has increased by 7% as compared to that in 2022. Against this background, we consider that it is opportune to issue an updated “Guidance on Data Breach Handling and Data Breach Notifications” (“the Guidance”) to assist organisations in responding to data breaches by preparing for both the “BEFORE” and “AFTER” scenarios – with recommendations on formulating a personal data breach response plan before data breaches and a step-by-step approach to contain damage and harm after the occurrence of a breach.

The Guidance
 
Data Breach

A data breach is generally taken as a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data of data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use. A data breach may amount to a contravention of Data Protection Principle 4 in Schedule 1 to the Personal Data (Privacy) Ordinance (“PDPO”). Some common causes of data breaches in Hong Kong include cyberattacks, system misconfigurations and loss of physical documents or portable devices.

“BEFORE” – Data Breach Response Plan

Data breaches can have serious consequences for an organisation in terms of reputational damage, financial losses and operational disruptions. A well thought-out data breach response plan is therefore crucial for data users to minimise and contain the potential impacts of a data breach.

A comprehensive plan should outline a set of procedures to be followed in the event of a data breach and the data user’s strategy for identifying, containing, assessing and managing its impacts. These include, among others:
  • A description of the criteria that trigger the implementation of the plan;
  • An internal incident notification procedure to escalate the breach to the senior management, the data protection officer and/or other designated staff;
  • A risk assessment workflow to assess the likelihood and severity of harm; and
  • A containment strategy for containing and remedying the breach.
“AFTER” – Handling Data Breaches

To substantially reduce the impact of a data breach, data users are recommended to follow 5 key steps:
  • Step 1: Immediate gathering of essential information;
  • Step 2: Containing the data breach;
  • Step 3: Assessing the risk of harm;
  • Step 4: Considering giving data breach notifications; and
  • Step 5: Documenting the breach.
A data breach notification is a formal notification given by the data user to relevant parties including the affected data subjects and the Office of the Privacy Commissioner for Personal Data (“PCPD”). Depending on the circumstances, a notification may include:
  • the date, time, duration and source of the breach;
  • the types of personal data involved;
  • the categories and approximate number of data subjects involved;
  • an assessment of the risk of harm; and
  • mitigation measures taken.
In general, a data user should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach incident, regardless of the progress of any internal investigation.

The data subjects can be notified directly by phone, in writing, via email or in person. When a direct data breach notification is not practicable in the circumstances, public announcements, newspaper advertisements or announcements on websites or social media platforms may be more effective.

Data users are advised to use the PCPD’s Data Breach Notification form when reporting a data breach to the PCPD. Oral notifications are not accepted. To encourage timely notification, the PCPD has launched an e-Data Breach Notification Form in June 2023 to provide for a more convenient means of notification. Data users should take note of the key information required for filling in the electronic Form, including:
  • basic information of the data user;
  • particulars of the breach (including the types of personal data involved and the estimated number of Hong Kong residents affected); and
  • an assessment of the breach and remedial actions taken (including the cause(s) of the breach, the risk(s) of harm to data subject(s) and the remedial actions taken).
Conclusion

In the light of the increasing cybersecurity threats and evolving technological developments, the importance of data and data security cannot be overstated. Data users are strongly advised to adopt a comprehensive data breach handling policy as part of their Personal Data Privacy Management Programme. While it is important to handle and report data breach incidents promptly, it is equally crucial to prepare for the contingencies of a data breach by devising a data breach response plan in advance and keep it up your sleeve.