Overview of the Guidance

The Guidance sets out the definition of personal data and provides examples of data breaches. A data breach might infringe Data Protection Principle (DPP) 4 of the Personal Data (Privacy) Ordinance (Cap 486) in relation to data security.

The Guidance sets out some common causes of data breaches in Hong Kong, including:

• cyberattacks;
• inadvertent disclosure by email or by post.
• improper/wrongful disposal of personal data;
• loss of physical documents or portable devices; and
• system misconfigurations.

The PCPD recommends that companies should have a data breach response plan such that if there is a data breach, companies can follow the plan and make prompt responses to minimize and contain the impact of the breach.

Practical recommendations provided by the PCPD

Data breach response plan

The PCPD recommends that organizations should have a comprehensive data breach response plan to ensure quick response to and effective management of a data breach.

The PCPD recommends that the plan should cover the following non-exhaustive aspects:

• A description of what constitutes a data breach with examples and the criteria that trigger the implementation of the plan.
• An internal incident notification procedure - who to contact and escalate the breach incident and devise a standard form to facilitate the reporting of the required information.
• Clear definition of the roles and responsibilities of members of the dedicated breach response team – who would do what e.g., the IT department for identifying the location of potentially compromised data and taking remedial measures; the customer service department for dealing with issues of affected individuals and for providing updates to customers and stakeholders.
• A contact list – with contact details of all breach response team members for easy contact and communication.
• A risk assessment workflow to assess the likelihood and severity of the harm caused to the affected data subjects as a result of the breach.
• A containment strategy for containing and remedying the breach.
• A communication plan covering:
  • the methods of notification;
  • the point of contact in the organization responsible for liaising with the stakeholders;
  • the kind of information that must be provided; and
  • the criteria and threshold for determining whether the affected data subjects, regulatory authorities, and other relevant parties should be notified.
• An investigation procedure for investigating the breach and reporting the results to the senior management.
• A record-keeping policy to ensure that the incident is properly documented as the relevant records may be required by regulatory authorities or law enforcement agencies.
• A post-incident review mechanism for identifying areas that require improvement to prevent future recurrence.
• A training or drill plan to ensure that all relevant staff can follow the procedures properly when dealing with a data breach.

Handling a data breach

The PCPD recommends the following steps when handling a data breach:

• Immediately gather essential information - as a starting point, the company (data user) shall promptly gather all relevant information of the data breach to assess the impact on data subjects and to identify appropriate mitigation measures.
• Contain the data breach - after detecting the breach and conducting an initial assessment, the data user should immediately take steps to contain the breach as effectively as possible. Remedial actions to lessen the harm or damage that may be caused to the affected data subjects should be taken.
• Assess the risk of harm - once all essential information has been gathered, the company should then ensure that it understands the risks of harm that may be caused to the affected individuals, so that they can take steps to limit the impact.
• Consider giving data breach notifications - when deciding whether to report a breach to the affected data subjects, the PCPD, and other law enforcement agencies, the company should take into account the potential consequences of a breach for the affected individuals, how serious or substantial these are, and how likely they are to happen. The consequences of failing to give notification should also be duly considered.
• Document the breach - the company should keep a comprehensive record of the incident, which should include all facts relating to the breach, ranging from details of the breach and its effects on the containment and remedial actions taken by the data user. Organizations that are required to comply with the laws and regulations of other jurisdictions should also consider whether there are any mandatory documentation requirements under those laws and regulations.

Best practices for organizations

Data breaches could have a devastating effect on a company's operations and may also affect others including the company's customers and stakeholders. It is therefore important for a company to have prompt and effective responses to data breaches.

To achieve this objective, the company needs to establish a robust data breach response plan as recommended by the PCPD.

In order to have the appropriate response measures, including the consideration of involving law enforcement agencies, it is important for a company to assess the severity and potential risks associated with a data breach, including but not limited to legal risks given that there could be subsequent claims by affected customers or individuals and possible investigations by law enforcement agencies or regulators.

If a company is regulated (e.g., banks, insurance companies, licensed intermediaries regulated by the Securities and Futures Commission (SFC), etc.), even though there might not be any legal requirements on notification of a data breach incident under the respective guidelines or code of conduct issued by the regulators, the regulators might have imposed a requirement for the regulated company to notify the regulator and/or the affected customers or stakeholders about the data breach incident within a certain timeframe from the time when the incident happened.

If a company chooses to notify affected individuals about the data breach incident, the notifications should be clear, concise, and provide relevant details about the breach, such as the types of data involved and the potential consequences. Additionally, companies should offer guidance on the steps individuals can take to mitigate risks, such as changing passwords or monitoring financial accounts.

Dominic Wai Partner
[email protected]
ONC Lawyers, Hong Kong