
Guidance on Data Breach Handling and the Giving of Breach Notifications

¹ “Data processor” means a person who processes personal data on behalf of another person; and does not process the data for any of the person’s own purposes.

Introduction

This guidance note aims to assist data users in handling data breaches, and to mitigate the loss and damage caused to the data subjects concerned, particularly when sensitive personal data is involved.

What is a data breach?

A data breach is generally taken to be a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use.

The following are some examples of data breaches:

- The loss of personal data kept in storage media, e.g. laptop computers, USB flash drives, portable hard disks, backup tapes or paper files
- The improper handling of personal data, such as improper disposal, sending it to the wrong party, or unauthorised access by an employee
- A data user’s database containing personal data being hacked or accessed by outsiders without authorisation
- The disclosure of personal data to a third party who obtained it by deception
- The leakage of data caused by the installation of file-sharing software on a computer

A data breach may amount to a contravention of Data Protection Principle 4(1) and (2) (“DPP4(1) and (2)”) in Schedule 1 of the Personal Data (Privacy) Ordinance (“the Ordinance”).

DPP4(1) provides that a data user shall take all reasonably practicable steps to ensure that the personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to the kind of the data and the harm that could result if any of those things should occur.

DPP4(2) provides that if a data user engages a data processor¹, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

How should a data breach be handled?

A data user shall take remedial actions to lessen the harm or damage that may be caused to the data subjects in a data breach. The following action plan is recommended for a data user’s consideration:

Step 1: Immediate gathering of essential information relating to the breach

A data user shall promptly gather the following essential information:

Guidance on Data Breach Handling and the Giving of Breach Notifications | October 2015 | Guidance Note | Page 1