The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents.

On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling And Data Breach Notifications” (the Guidance Note). While the Guidance Note broadly aligns with the last update in January 2019 (the 2019 Guidance), it also contains further details and recommendations to organisations on how to respond to data breaches.

The PCPD published the Guidance Note following a surge in reported data breach incidents, which have increased by more than 20% in the first half of this year compared to the second half of 2022.

Requirements Under the PDPO

The Guidance Note reminds organisations that data breaches (i.e., security incidents that expose personal data to the risk of unauthorised or accidental access, processing, erasure, loss, or use) may amount to a contravention of Data Protection Principle (DPP) 4 contained in Schedule 1 to the Personal Data (Privacy) Ordinance (Chapter 486) of Hong Kong (the PDPO). While contravention of a DPP is not in itself an offence, it may lead to an investigation and issuance of an enforcement notice by the PCPD. Non-compliance with an enforcement notice is a criminal offence under the PDPO.

DPP 4(1) requires data users to take reasonably practicable steps to safeguard personal data (with regard to various factors, including the type of data and potential harm, physical location where data is stored, and measures implemented to the equipment, access rights, and transmission). A data breach may also indicate a contravention of DPP 4(2), which requires data users to adopt contractual or other means when engaging data processors, to prevent unauthorised or accidental processing of data by data processors.

Organisations should note that the PCPD periodically conducts investigations of data breaches and may issue enforcement notices to data users who fail to adequately protect the security of their personal data. These enforcement notices may require data users to take remediation measures such as engaging an independent data security expert to review and audit security systems, conducting regular vulnerability scans, or organising periodic staff training on information security, and to provide evidence of compliance to the PCPD.

For more information on the PCPD’s increased monitoring and compliance actions during 2021-22, including in relation to data breach incidents, please refer to this Latham blog post.

Common Causes of Data Breaches

The Guidance Note identifies the common causes of data breaches in Hong Kong:

• Cyberattacks: This includes ransomware, brute force attacks, distributed denial-of-service attacks, or phishing. Please also refer to this Latham blog post summarising the PCPD’s recent guidelines on data security amid increased cyberattacks.
• System misconfigurations and administration errors: Examples include unauthorised access to personal data if data systems allow access without authentications or access right.
• Loss of physical documents or portable devices: Data processors contracted to handle personal data on a data user’s behalf may also inadvertently cause data loss.
• Improper/wrongful disposal of personal data: This includes accidental or improper disposal of data without adhering to organisational policies on document destruction.
• Inadvertent disclosure by email or by post: Sharing of files or documents to unintended recipients may result in unauthorised disclosure of personal data.
• Staff negligence/misconduct: Staff with valid access rights might mishandle personal data purposely, accidentally, and/or maliciously.

These common causes did not appear in the older 2019 Guidance, and are a reflection of the trends the PCPD has recently identified in Hong Kong. Organisations should therefore consider these causes when preparing and implementing security measures and policies, in order to mitigate the risk of them occurring.

Data Breach Response Plan

The PCPD recommends that organisations maintain a comprehensive data breach response plan that outlines procedures to follow in the event of a data breach. Notably, this is a new recommendation that was not contained in the 2019 Guidance.

The response plan should contain at least the following elements:

• a description of what constitutes a data breach and when the response plan will be triggered;
• an internal notification procedure to escalate the breach to senior management, the data protection officer, and/or dedicated data breach response team, and a standard form for such notification;
• a designation of the roles and responsibilities of the breach response team. The PCPD suggests that this team may comprise the data protection officer, as well as members of the IT department, customer service department, risk management department, and HR department;
• a contact list of the members of the breach response team;
• a risk assessment workflow and investigation procedure to assess the likelihood and severity of harm caused to data subjects;
• a containment strategy to mitigate the effects of the breach;
• a communication plan covering the criteria and threshold for informing data subjects and the regulatory authorities;
• a record-keeping policy to ensure that the incident is properly documented as may be required by regulatory or law enforcement agencies;
• a post-incident review mechanism to identify areas that require improvement to prevent future recurrence; and
• a training or drill plan to ensure all relevant staff can properly follow procedures when responding to data breaches.

Recommended Steps When Handling Data Breaches

The Guidance Note also provides step-by-step recommendations to organisations when handling data breaches:

1. Immediately gather essential information: Organisations should promptly gather all relevant information of the data breach to assess the impact on data subjects and identify appropriate mitigation measures. This step includes identifying when, where, and how the breach occurred, the likely impact of the breach, and considering escalating the incident to the relevant or dedicated personnel in line with procedures in the data breach response plan.
2. Contain the data breach: Organisations should immediately take remedial actions to contain and mitigate the effects of the breach. The appropriate containment measures may depend on the categories of personal data involved and severity of the breach.
3. Assess the risk of harm: Organisations should evaluate the impact of the data breach on affected individuals, considering factors such as (but not limited to) the nature of the data affected, the duration and extent of the breach, and the effectiveness of remedial measures.
4. Consider making data breach notifications: Organisations are recommended to notify the PCPD and affected data subjects as soon as practicable upon becoming aware of the data breach, particularly if it is likely to result in a real risk of harm to the affected data subjects. As a reminder, organisations may also be subject to other regulatory requirements, or trigger notification obligations under other jurisdictions.
5. Document the breach: Organisations should create a comprehensive record of the breach to facilitate a post-breach review. The review should help organisations learn from the breach, identify the root problem, devise a clear strategy to prevent future recurrence of similar incidents, and improve data handling practices going forward. Organisations should also consider whether they are subject to any mandatory documentation requirements under applicable laws.

Data Breach Notifications

The Guidance Note reiterates that organisations should follow best practice by formally notifying the PCPD, affected data subjects, and any other relevant parties (such as law enforcement agencies, other regulators, and parties that may take remedial actions) as soon as practicable after becoming aware of a data breach.

The PCPD has in parallel launched an electronic notification form by which it can be notified of data breach incidents. This tool contrasts the previous approach, which required organisations to download a paper form from the PCPD website and submit it by post, in person, fax, or email. The electronic form will enable organisations to report breaches to the PCPD in a more convenient and timeless manner.

While failure to report data breaches to the PCPD or affected data subjects is currently not an offence, the PCPD has announced it will be working to initiate legislative proposals to the PDPO, which will include establishing a mandatory notification mechanism. While the timeline of the amendments is unclear, organisations can expect more concrete proposals from the PDPO.

Conclusion

The Guidance Note is a helpful reminder for organisations to implement an effective data breach handling policy and plan, and to comply with requirements under the PDPO. The increase in data breach incidents, PDPO’s continued reporting and scrutiny on data security issues, and the proposed amendments to the PDPO for a compulsory data breach reporting regime, are encouraging organisations to formulate or review their data security and data breach procedures and practices as a matter of priority.