Tips on personal data protection for Hong Kong companies
Hong Kong's Privacy Commissioner for Personal Data (PCPD) was set up in 1996 to secure the protection of privacy for the individual with respect to personal data, and enforces the Personal Data (Privacy) Ordinance – one of Asia's longest-standing comprehensive personal data protection laws.
In its 2021 report, the PCPD noted a 36% increase in personal data breach notifications year-on-year, and this trend is expected to continue. Most recently, Hong Kong has seen high-profile leaks such as the breach of Nikkei China's email system, which exposed the personal data of 1,600 customers, and the cyberattack on Harbour Plaza hotels in Hong Kong, which exposed the personal data of more than 1.2 million guests.
There are many factors contributing to the rising frequency of breaches in Hong Kong; one is that organisations were not prepared for the particular cybersecurity needs of now-remote workers who connect to potentially unsecured home networks while accessing company resources from personal devices. More than ever, the pressure is on organisations to keep pace with an ever-changing threat landscape that requires proactive measures for the prevention and mitigation of cyber incidents.
The PCPD is now actively regulating organisations to ensure compliance, in addition to enhancing protection against cyberattacks, particularly those which expose personal data. This is reflected in the PCPD's recent publication of a Guidance Note to help organisations, employees and other data subjects in Hong Kong understand their obligations under the Ordinance when it comes to the collection, use and retention of personal data.
The Ordinance imposes financial penalties of up to HK$1M for a breach of its rules on the use of personal data. Beyond the financial penalties, a personal data breach often leaves organisations suffering consequent reputational damage. With that in mind, organisations should understand the full scope of the Ordinance to avoid falling foul of the law.
The cost of personal data protection flaws
According to the CIA triad – a model designed to guide policies on information security within an organisation – the core elements of personal data security are confidentiality, integrity and availability. Organisations are highly encouraged to consider the following best practice policies and procedures, which are guided by these elements, to ensure compliance.
Confidentiality
In this context, confidentiality refers to a set of rules that limits access to information. Once organisations receive personal data from their employees or other data subjects, measures should be put in place to protect that sensitive information against attempts to gain unauthorised access. A written Personal Information Collection Statement should also be provided to the employees or other data subjects, explaining what personal data is collected and how it is stored, used and transferred.
Organisations should ensure that staff tasked with keeping personal data secure are not simply aware of the policies and practices, but are able to maintain compliance with them. The PCPD suggests that companies should, among other things, adopt a strong password management policy, regularly delete obsolete email accounts and audit the use of email accounts.
To maintain confidentiality, it is crucial to have a robust data protection plan that also includes a detailed response mechanism in the event of personal data breaches. For example, some commonly used practices and technologies that can help restrict access, monitor suspicious activity and respond to threats are:
• Backups – This creates copies of personal data and stores them separately, ensuring that personal data can be restored later in case of loss or modification
• Firewalls – Enables the monitoring and filtering of network traffic, which means only authorised users are allowed to access or transfer personal data
• Disaster recovery – A process that determines how an organisation responds to a disaster such as a data breach. This usually involves setting up a remote disaster recovery site with copies of protected systems, and switching operations to those systems in case of disaster.
Integrity
Integrity refers to maintaining the consistency, accuracy and trustworthiness of personal data over its entire lifecycle. When organisations engage data processors to process personal data collected from their employees or other data subjects, this must be communicated to the individual concerned, and express consent must be obtained, ideally in writing. Organisations should also adopt contractual or other means to prevent unauthorised or accidental use of, or access to, any personal data transferred to external data processors, and ensure that the data processor complies with the same personal data security requirements.
Availability
Personal data must be consistently and readily accessible to authorised parties, including the employees or data subjects themselves. Organisations should put in place a procedure for handling personal data access requests (for example, a request by an employee to access their own personal data) and a mechanism to correct any inaccurate record.
Upon satisfying themselves of the authenticity and validity of a data access request, organisations have a legal obligation to comply with and respond to the request within the period set under Hong Kong law.
Be prepared
The reality is that a personal data breach may occur by accident and can take place at any time. Given that companies cannot avoid collecting personal data, it is important that organisations are aware of the latest legal requirements of the Ordinance. Putting rigorous compliance in place, getting professional guidance where required and having preventative measures in place are all crucial steps to ensuring that organisations are doing everything in their power to prevent personal data from falling into the wrong hands.