
1. When did the breach occur?
2. Where did the breach take place?
3. How was the breach detected and by whom?
4. What was the cause of the breach?
5. What kind and extent of personal data was involved?
6. How many data subjects were affected?

A data user should consider designating an appropriate individual / team (“the coordinator”) to assume overall responsibility for handling the data breach incident, such as leading the initial investigation and the subsequent production of a detailed report on the findings of the investigation. The coordinator may need to report to and coordinate with different functional divisions / departments / units and escalate the matter to senior management so that remedial actions and executive decisions can be made by the data user as soon as practicable.

Step 2: Contacting the interested parties and adopting measures to contain the breach

Having detected the breach, the data user should take steps to identify the cause of the breach and to stop it. To do this, it may be necessary to contact the law enforcement agencies (for example, the police), the relevant regulators (for example, the Privacy Commissioner for Personal Data (“the Commissioner”)), the Internet company (for example, Google and Yahoo) and / or IT experts for reporting, advice and assistance. This contact list is not exhaustive; depending on the circumstances of each case, other interested parties need to be considered.

The following containment measures should be considered:

1. Stopping the system if the data breach is caused by a system failure
2. Changing the users’ passwords and system configurations to control access and use
3. Considering whether internal or outside technical assistance is needed to remedy the system loopholes and/or stop the hacking
4. Ceasing or changing the access rights of individuals suspected to have committed or contributed to the data breach
5. Notifying the relevant law enforcement agencies if identity theft or other criminal activities have been or are likely to be committed
6. Keeping the evidence of the data breach, which may be useful to facilitate investigation and the taking of corrective actions
7. In the event that the data breach was caused by the act or omission of the data processor, the data processor is required to take immediate remedial measures and to notify the data user of the progress

Step 3: Assessing the risk of harm

The potential damage caused by a data breach may include:

• Threat to personal safety
• Identity theft
• Financial loss
• Humiliation or loss of dignity, damage to reputation or relationship
• Loss of business and employment opportunities

The extent of harm that may be suffered by the data subjects in a data breach depends on:

1. The kind of personal data being leaked: generally, the more sensitive the data is, the greater the damage it may cause to the data subjects
2. The amount of personal data involved: generally, the greater the amount of personal data being leaked, the more serious the consequences will be
3. The circumstances of the data breach: online data leakage is difficult to contain effectively, so further dissemination and use of the leaked data is hard to prevent. On the other hand, when the recipients of the data are known and traceable, the data breach may be easier to contain
4. The likelihood of identity theft or fraud: sometimes the leaked data, either by itself or when combined with other data, could facilitate the commission of identity theft or fraud. For example, Hong Kong Identity Card details, date of birth, address, credit card details, bank account information, etc., when combined together, make the data subjects more susceptible to identity theft
5. Whether the leaked data is adequately encrypted, anonymised or otherwise rendered inaccessible, e.g. if passwords are needed for access

Guidance on Data Breach Handling and the Giving of Breach Notifications, October 2015, page 2