1 February, 2016
Data privacy and cybersecurity are two of the biggest concerns that companies holding personal data face in 2016. This is no surprise as 2015 saw an alarming increase in data breaches worldwide and a number of incidents in Hong Kong.
For example, just before Christmas, Sanrio Digital (HK) Limited announced that personal data of up to 3.3 million members of the SanrioTown website – which may have included children’s data – may have been the subject of a data breach.
SanrioTown is currently being investigated by the Hong Kong Privacy Commissioner for Personal Data (“Privacy Commissioner”).
However, as recent data breach cases have shown, if your organisation is collecting personal data online the affected data will rarely be confined to data subjects in one region. Other major hacks in 2015 affected customers worldwide, prompting investigations in multiple jurisdictions.
In this Client Alert we highlight a number of practical lessons to help minimise the risk and lessen the impact of a data breach should your organisation suffer an incident in 2016.
Lesson 1: Know what type of personal data your company is collecting and how it is being used
Do you know exactly the types of personal data your company holds? And do you know how personal data is being used, stored and transferred? Who is responsible for the different types of data (marketing, IT, HR)? Understanding and documenting the types of personal data that your organisation collects will assist with an assessment of the most effective and appropriate security and access controls to protect the data.
Maintaining such a detailed document, known as a ‘Personal Data Inventory’, is the first key step to effective data governance. This
was highlighted by the Privacy Commissioner in Privacy Management Programme: A Best Practice Guide (February 2014) where he commented that every component of an accountable, effective privacy management programme begins with this assessment.
An up-to-date Personal Data Inventory is also crucial in the event of a breach. The Privacy Commissioner’s Guidance on Data Breach Handling and the Giving of Breach Notifications, updated in October 2015, (“Data
Breach Guidance”) provides that whether a company decides to notify affected data subjects/the Privacy Commissioner of a breach depends on the severity of the breach and the “risk of harm” to the data subject. Knowledge of the type and extent of personal data accessed in a breach is helpful in making this assessment quickly. A pre-prepared and detailed data inventory classifying the types of data held, the locations where the data is stored, who maintains the data and who has access to it is an essential tool to enable a speedy assessment.
Recommendation: Conduct an audit of your organisation’s current privacy collection, storage and transfer practices early in 2016 and maintain clear records of the types and extent of personal data kept by your organisation, along with other essential details such as where it is stored (physically and on-line), who is responsible for maintaining the data (key contacts) and who has access to it (minimising any leakage and helping to establish appropriate controls).
Lesson 2: Limit collection to only what is necessary
Does your company need all the data it holds? Under the Hong Kong Personal Data (Privacy) Ordinance (“PDPO”), data users must only collect personal data “for a lawful purpose directly related to the function and activity of the data user” (Data Protection Principle (“DPP”) 1 (1) (a)) and personal data which is adequate but not “excessive” (DPP1 (1) (c)).
The Best Practice Guide to Mobile App Development (December 2014) says: “Reducing the collection of personal data (particularly sensitive personal data) to the absolute minimum is the key”. The less personal data you access/collect/use, the less you have to worry about.
In light of recent attacks data users should consider reducing the type and extent of personal information collected where possible so that only essential data is retained. Not only does this minimise exposure in the case of a data breach but also reduces the risk of breaching the PDPO.
Recommendation: Consider what data is required for your organisation. For any data that is not necessary, or is no longer required, take proper steps to irrevocably erase or anonymise the data. Refer to the Privacy Commissioner’s Guidance on Personal Data Erasure and Anonymisation (April 2014) for guidance.
Lesson 3: Avoid collecting children’s data altogether where possible
In response to recent incidents involving children’s data the Office of the Privacy Commissioner issued a Guidance Note in December 2015 (Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children) which recommends data users avoid, not just limit, collecting personal data of children altogether where possible.
“[C]hildren may not fully understand all the privacy risks and may not know whether they should or how to refuse providing personal data. This is particularly relevant in relation to personal data that is more sensitive in nature, such as that related to health, biometrics, etc,” the Guidance says.
Where collection of personal data of children is essential, companies should consider the vulnerability of children and adopt “age-appropriate” practices. These include: clearly separating “mandatory” and “voluntary” data provision requirements; avoiding open response questions (where children may share more data than is necessary); including warning messages where too much data is being supplied; and stating when they need to obtain the consent of a parent or guardian before supplying their data. It should also be made easy for a child to irrevocably delete any accounts created which contain their personal data.
Recommendation: Consider whether collecting children’s data is necessary and avoid doing so where possible. Follow the Privacy Commissioner’s recommendations in the Guidance Note when handling children’s data.
Lesson 4: Review security measures – are they appropriate?
An organisation that collects, or controls the collection of, personal data is a “data user” and is required to comply with the six DPPs.
DPP 4 relates to security of personal data. It says that “All practicable steps shall be taken to ensure that personal data held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use…”
According to guidance issued by the Privacy Commissioner in 2010 (DPPs in the PDPO – from the Privacy Commissioner’s Perspective) (“2010 Guidance”) the relevant test to apply is to consider whether the security measures in place are proportionate to the degree of sensitivity of the data and potential harm from loss. The steps required to protect personal data will depend on the kind of data held and the harm that could result from a data breach.
The Privacy Commissioner considers children to be a vulnerable class of individuals and a robust level of security is encouraged to protect children’s data. If a company fails to comply with the security requirements set out in DPP4, the Privacy Commissioner may issue an enforcement notice to require the company to carry out remedial action. Failure to comply with an enforcement notice can result in a fine and/or imprisonment.
Recommendation: Ensure that your IT and security teams implement and update security controls and procedures appropriate to the type of data held. This should include robust controls for access to customer databases, particularly those containing children’s data.
Lesson 5: Have a clear data breach policy and contact person
It is not mandatory to report a data breach to data subjects or the Privacy Commissioner in Hong Kong. However, a voluntary notification regime does exist. As mentioned above, whether a company decides to notify a breach depends on the risk of harm to the data subjects. For example, a breach of sensitive data, such as HKID numbers and credit cards details, would generally indicate a higher risk of harm.
It is important for organisations to designate responsible individuals to handle any data breach and develop consistent incident response processes and protocols to ensure an effective response in the event of any data breach. A clear escalation process should also be incorporated to provide legal and compliance teams with the relevant information to assess whether a notification is required to the Privacy Commissioner / data subjects.
Whilst the Data Breach Guidance is not mandatory, the Privacy Commissioner is likely to take into account any failure to comply with its recommendations when considering whether or not to issue an enforcement notice.
Recommendation: Formulate a data breach incident response plan that incorporates the principles of the Data Breach Guidance Note and is capable of effective implementation within your organisation. Speed and consistency in a time of crisis can make a difference to corporate credibility, customer confidence and the risk of sanction by the Privacy Commissioner.
For further information, please contact:
Susan C. Kendall, Partner, Baker & McKenzie