
Data Breaches

8.6

A data breach generally refers to a suspected or actual breach of data security concerning personal data held by a data user: the exposure of the data to the risk of loss, unauthorised or accidental access, processing, erasure or use (for example, the loss of electronic devices containing or storing personal data); the unauthorised access and transfer of personal data stored in a database by hackers; the improper disposal of documents containing personal data, etc. A data user may contravene the requirements under DPP4 if it fails to take all reasonably practicable steps to protect the safety of personal data.

8.7

Although it is not mandatory under the Ordinance for data users to report a data breach to the Commissioner or the relevant data subjects affected by the data breach, the Commissioner has issued a Guidance on Data Breach Handling and the Giving of Breach Notifications containing recommended steps to follow by the data users in the event of a data breach.[4]

8.8

Some data breaches committed by data users in different industries and handled by the Commissioner are highlighted below as examples of when data users may find themselves in breach of DPP4(1). These examples are set out to assist data users in preparing their own security policies and safeguarding measures. Data users should carry out their own due diligence exercise to ensure that they identify potential risks and circumstances that may lead to unauthorised or accidental access, processing, erasure, loss or use of personal data, and take reasonably practicable steps and implement appropriate security measures to minimise such risks. Some sectors, such as the financial sector, have their own security requirements imposed on them by the relevant regulatory bodies (e.g. the Hong Kong Monetary Authority). Data users are responsible for ensuring that they comply with any such requirements in addition to their compliance with the Ordinance.

(a) Banking and Insurance Industries

8.9

A bank was reported[5] to have lost a server containing tens of thousands of its customers’ personal data during the course of renovation of its branch office. The Commissioner probed into the incident and, as a result, the bank stepped up security measures and gave an undertaking to the Commissioner to the effect that:

• no computer server containing customers’ personal data would be left unattended during office refurbishment or relocation;

• the staff or contractor entrusted by the bank to handle computer servers containing customers’ personal data are reliable, prudent and competent; and

• customers’ personal data will not be stored in the branch office’s servers.

[4] The Guidance is available on the Website: https://www.pcpd.org.hk//english/resources_centre/publications/files/DataBreachHandling2015_e.pdf

[5] See media statement released by the Commissioner on 14 August 2008, available on the Website: https://www.pcpd.org.hk/english/news_events/media_statements/press_20080814.html