With the increased digitisation of data and the interconnection of information and communications technology (“ICT”) comes an upward trend in the number of data security incidents reported both in Hong Kong and in other jurisdictions. Personal data privacy and data security are closely connected. In this connection, the Office of the Privacy Commissioner for Personal Data (“PCPD”) has recently published a Guidance Note on Data Security Measures for Information and Communications Technology (the “Guidance Note”), providing data users with recommended data security measures for ICT to facilitate their compliance with the relevant requirements under the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (“PDPO”).
The Guidance Note provides recommended data security measures for ICT in the following seven areas:
- Data Governance and Organisational Measures: A data user should establish clear internal policies and procedures covering the roles and responsibilities of staff in maintaining data systems and data security, risk assessments, access to data, outsourcing of data processing and data security work, handling of data security incidents, and destruction of data no longer necessary for the original purposes of collection and related purposes. The policies and procedures should also be reviewed and revised periodically, and in a timely manner when prevailing circumstances change. In addition, sufficient training should be provided to staff members to help them understand the data user’s internal policies.
- Risk Assessments: A data user should conduct risk assessments on data security for new systems and applications before launch, and conduct periodic reviews. Senior management should be kept informed of results of risk assessments.
- Technical and Operational Security Measures: A data user should put in place adequate and effective security measures to safeguard data, and such measures should correspond to the nature, scale and complexity of the ICT and data processing activities and to the results of any risk assessments. Examples include securing computer networks; database management measures such as dataset partitioning; access control; encryption; and backup, destruction and anonymisation of data.
- Data Processor Management: Under section 65(2) of the PDPO, a data user may be liable for the acts of its agents (including data processors). DPP 4(2) also provides that a data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to its data processors for processing. Engaging contractors therefore does not absolve the data user of its obligations under the PDPO. A data user could consider actions such as (i) implementing an internal policy to ensure that only competent and reliable data processors are engaged; (ii) clearly stipulating the security measures required in the data processing contract; (iii) clearly stipulating an incident reporting mechanism in the data processing contract; and (iv) conducting regular audits to verify the data processors’ compliance.
- Remedial Actions in the event of Data Security Incidents: Timely and effective remedial actions taken by a data user after a data security incident may reduce the risk of unauthorised or accidental access, processing or use of the personal data affected, thereby reducing the gravity of the harm that may be caused to the affected individuals. Common measures include (i) halting the affected ICT system; (ii) revoking the access rights of individuals suspected of having caused the data breach; (iii) notifying affected individuals without delay; (iv) reporting the incident to the PCPD; and (v) fixing the security weakness in a timely manner.
- Monitoring, Evaluation and Improvement: It is suggested that a data user establish an independent task force to monitor compliance with its data security policies and to evaluate the effectiveness of its security measures.
- Other Considerations: It is now increasingly common to work away from the office, and under such circumstances data may need to be transferred out of a data user’s information and communications system, creating a variety of data security issues. A few examples are:
  - Cloud Services: Cloud service providers are generally data processors. When using such services, a data user should assess the capability of the cloud service provider, set up strong access control and authentication procedures, and review the security features available rather than merely relying on the default settings.
  - Personal Devices: A data user should have robust written policies and training to ensure that staff understand their data security obligations under the PDPO.
  - Portable Storage Devices (“PSDs”): A data user should establish a policy setting out (1) the circumstances under which PSDs may be used; (2) the types and amount of personal data that may be transferred to PSDs; (3) the approval process for the use of PSDs; and (4) the encryption requirements for data transferred to PSDs.
The Guidance Note represents the PCPD’s continued development of Hong Kong’s data privacy regulations in keeping up with the times, including by recognizing and addressing the widespread use of cloud services.
According to the PCPD’s website, in the year 2020-21 the PCPD received 18,253 enquiries and 3,157 complaints. In the same period it received 106 data breach notifications and initiated a total of 356 compliance actions. Comparison with the statistics of past years shows a steady increase in the number of compliance checks and investigations carried out by the PCPD.
The Guidance Note is particularly timely given the recent data breach incident at the Shangri-La Group, in which 8 of its hotels suffered cyber attacks, including 3 hotels in Hong Kong. The PCPD noted that the personal data of over 290,000 Hong Kong customers might have been affected. Having considered the nature of the incident and the significant number of data subjects involved, the PCPD has commenced a compliance check into the incident.