Tips on personal data protection for Hong Kong companies

July 12, 2022 09:42

Hong Kong's Privacy Commissioner for Personal Data (PCPD) was set up in 1996 to secure the protection of privacy for the individual with respect to personal data, and enforces the Personal Data (Privacy) Ordinance, one of Asia's longest-standing comprehensive personal data protection laws.

In its 2021 report, the PCPD noted a 36% year-on-year increase in personal data breach notifications, and this trend is expected to continue. Most recently, Hong Kong has seen high-profile leaks such as the breach of Nikkei China's email system, which exposed the personal data of 1,600 customers, and the cyberattack on Harbour Plaza hotels in Hong Kong, which exposed the personal data of more than 1.2 million guests.

There are many factors contributing to the rising frequency of breaches in Hong Kong; one is that organisations were not prepared for the distinct cybersecurity needs of now-remote workers who connect over potentially unsecured home networks while accessing company resources from personal devices. More than ever, the pressure is on organisations to keep pace with an ever-changing threat landscape that requires proactive measures for the prevention and mitigation of cyber incidents.

The PCPD is now actively regulating organisations to ensure compliance, in addition to enhancing protection against cyberattacks, particularly those which expose personal data. This is reflected in the PCPD's recently published Guidance Note, which helps organisations, employees and other data subjects in Hong Kong understand their obligations under the Ordinance when it comes to the collection, use and retention of personal data.

The Ordinance imposes financial penalties of up to HK$1M for a breach involving the use of personal data. Beyond the financial penalties, a personal data breach often leaves the organisation with lasting reputational damage. With that in mind, organisations should understand the full scope of the Ordinance to avoid falling foul of the law.

The cost of personal data protection flaws

According to the CIA triad, a model designed to guide information security policy within an organisation, the core elements of personal data security are confidentiality, integrity and availability. Organisations are strongly encouraged to consider the following best-practice policies and procedures, which are organised around these three elements, to ensure compliance.

Confidentiality

In this context, confidentiality refers to a set of rules that limits access to information. Once organisations receive personal data from their employees or other data subjects, measures should be put in place to protect that sensitive information from attempts to gain unauthorised access. A written Personal Information Collection Statement should also be provided to the employees or other data subjects, explaining what personal data is collected and how it is stored, used and transferred.

Organisations should ensure that staff tasked with keeping personal data secure are not simply aware of the policies and practices, but are able to maintain compliance with them. The PCPD suggests that companies should, amongst other things, adopt a strong password management policy, regularly delete obsolete email accounts and audit the use of email accounts.

To maintain confidentiality, it is crucial to have a robust data protection plan that also includes a detailed response mechanism for personal data breaches. For example, some commonly used practices and technologies that help restrict access, monitor suspicious activity and respond to threats are:
• Backups – Create copies of personal data and store them separately, ensuring that the data can be restored later in case of loss or modification.
• Firewalls – Enable the monitoring and filtering of network traffic, so that only authorised users are allowed to access or transfer personal data.
• Disaster recovery – A process that determines how an organisation responds to a disaster such as a data breach. This usually involves setting up a remote disaster recovery site with copies of protected systems, and switching operations to those systems in the event of a disaster.

Integrity

Integrity refers to maintaining the consistency, accuracy and trustworthiness of personal data over its entire lifecycle. When organisations engage data processors to process personal data collected from their employees or other data subjects, this must be communicated to the individual concerned, and express consent must be obtained, ideally in writing. Organisations should also adopt contractual or other means to prevent unauthorised or accidental use of, or access to, any personal data transferred to external data processors, and ensure that the data processor complies with the same personal data security requirements.

Availability

Personal data must be consistently and readily accessible to authorised parties, including the employees or data subjects themselves. Organisations should put in place a procedure for handling personal data access requests (for example, a request by an employee to access their own personal data) and a mechanism to correct any inaccurate record.

Upon satisfying themselves of the authenticity and validity of a data access request, organisations have a legal obligation to comply with and respond to the request within the period set under Hong Kong law.

Be prepared

The reality is that a personal data breach may occur by accident and can take place at any time. Given that companies cannot avoid collecting personal data, it is important that organisations are aware of the latest legal requirements of the Ordinance. Putting rigorous compliance in place, obtaining professional guidance where required and maintaining preventative measures are all crucial steps to ensuring that organisations are doing everything in their power to keep personal data from falling into the wrong hands.

Andrea Randall is Partner, Head of Employment Practice, RPC Hong Kong. Lillian Wong is Associate, Commercial Disputes, RPC Hong Kong.