7. A description of the measures already taken or to be taken to prevent further loss, unauthorised access to or leakage of the personal data
8. The contact information of a department or an individual designated by the data users within the organisation for affected data subjects to obtain more information and assistance
9. Information and advice on actions the data subjects can take to protect themselves from the adverse effects of the breach and against identity theft or fraud
10. Whether law enforcement agencies, the Commissioner and such other parties have been notified
A data user should exercise care and prudence in determining the extent of the information, including personal data, to be included in the notification, so as not to compromise the investigative works concurrently undertaken.
When to notify?
Having assessed the situation and the impact of the data breach, the notification should be made as soon as practicable after the detection of the data breach, except where law enforcement agencies have, for investigative purpose, made a request for a delay.
How to notify?
The notification to data subjects can be done by phone, in writing, via email or in person. When data subjects are not immediately identifiable or where public interest exists, public notification, such as through a website or the media, would be more effective. Data users should also consider whether the method of notification adopted might increase the risk of harm.
Lesson to learn from the breach: to prevent recurrence
______________________________________________
The investigation into a data breach can give insight into the insufficiency or inadequacy of the handling of personal data. A data user should therefore learn from the data breach, review how personal data is being handled to identify the roots of the problem and devise a clear strategy to prevent future recurrence.
The review should take into consideration:
- The improvement of security in the personal data handling processes
- The control of the access rights granted to individuals to use personal data. The "need-to-know" and "need-to-access" principle should be adhered to
- The adequacy of the IT security measures to protect personal data from hacking, unauthorised or accidental access, processing, erasure, loss or use
- The revision or promulgation of the relevant privacy policy and practice in the light of the data breach
- The effective detection of the data breach. The keeping of proper logs and trails of access will facilitate early warning signs
- The strengthening of the monitoring and supervision mechanism of its employees, agents and data processors
- The provision of on-the-job training to promote privacy awareness and to enhance the prudence, competence and integrity of the employees who are to handle personal data
- The appointment policy of data processors and the review of the contractual terms with a data processor on protection of personal data privacy, including obligating the data processor to immediately report any data breach [2].
Good data breach handling makes good business sense
______________________________________________
A good data breach handling policy and practice adopted by a data user will not only be useful to contain the damage caused by a breach, but it also shows the data user's responsible and accountable attitude in tackling the problem and in giving a clear action plan to be followed in the event of a data breach. In addition to enabling the data subjects affected by the data breach to take appropriate protective measures,
[2] See the information leaflet on Outsourcing the Processing of Personal Data to Data Processors issued by the Office of the Privacy Commissioner for Personal Data, which is available at www.pcpd.org.hk/english/resources_centre/publications/files/dataprocessors_e.pdf
Guidance on Data Breach Handling and the Giving of Breach Notifications
October 2015