Guidance on Data Breach Handling and the Giving of Breach Notifications

¹ “Data processor” means a person who processes personal data on behalf of another person, and who does not process the data for any of the person’s own purposes.
Introduction
_______________________________________________
This guidance note aims to assist data users in handling data breaches, and to mitigate the loss and damage caused to the data subjects concerned, particularly when sensitive personal data is involved.
What is a data breach?
_______________________________________________
A data breach is generally taken to be a suspected breach of the security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use.

The following are some examples of data breaches:

• The loss of personal data kept on storage media, e.g. laptop computers, USB flash drives, portable hard disks, backup tapes, paper files
• The improper handling of personal data, such as improper disposal, sending it to the wrong party, or unauthorised access by an employee
• A data user’s database containing personal data being hacked or accessed by outsiders without authorisation
• The disclosure of personal data to a third party who obtained it by deception
• The leakage of data caused by the installation of file-sharing software on a computer
A data breach may amount to a contravention of Data Protection Principle 4(1) and (2) (“DPP4(1) and (2)”) in Schedule 1 of the Personal Data (Privacy) Ordinance (“the Ordinance”).

DPP4(1) provides that a data user shall take all reasonably practicable steps to ensure that the personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to the kind of the data and the harm that could result if any of those things should occur.

DPP4(2) provides that if a data user engages a data processor¹, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.
How should a data breach be handled?
_______________________________________________
A data user shall take remedial actions to lessen the harm or damage that may be caused to the data subjects in a data breach. The following action plan is recommended for a data user’s consideration:

Step 1: Immediate gathering of essential information relating to the breach

A data user shall promptly gather the following essential information:
Guidance Note, October 2015