Data breaches in Hong Kong: To notify or not?
31 August 2023
In July 2023, the Office of the Privacy Commissioner for Personal Data issued a revised guidance note on Data Breach Handling and Data Breach Notifications. The guidance note sets out practical recommendations on how data users can effectively prepare for and manage data breaches.
A data breach is generally considered as a suspected or actual breach of the security of personal data held by a data user, which exposes the individual’s personal data to the risk of unauthorised or accidental access, processing, erasure, loss or use. A data breach may occur in situations where the data user’s system is compromised, or where the data user’s employee discloses personal data to third parties without authorisation or misuses such personal data.
Whilst there is currently no mandatory data breach notification requirement under the Personal Data (Privacy) Ordinance (“PDPO”), data users are strongly recommended to consider the guidance note when deciding whether to give a data breach notification.
Preparing a data breach response plan
Unlike the previous version of the guidance note, the revised guidance note provides recommendations on how to formulate and prepare a comprehensive data breach response plan which should include aspects such as:
1. the internal incident notification procedure and investigation procedure;
2. the risk assessment workflow to assess the likelihood and severity of harm;
3. the containment strategy for containing and remedying the breach; and
4. the communication plan for determining whether a notification should be given.
By adopting a preventive approach, data users can better manage and contain the adverse impact of data breaches.
Handling a data breach
In the event of a data breach, data users are recommended to implement the following five steps:
1. gather essential information immediately;
2. contain the data breach;
3. assess the risk of harm;
4. consider giving data breach notifications; and
5. document the breach.
Data users should notify the affected individuals, the Commissioner and any other relevant law enforcement bodies and/or regulatory bodies of the data breach as soon as practicable, regardless of the progress of any internal investigation. This is particularly the case when the assessment of the data breach reveals a real risk of harm to the affected individuals.
The documentation of the data breach is an additional step which was not included in the previous version of the guidance. This step aims to facilitate the data user’s post-breach review and improve its personal data handling policies and practices.
Notifications to affected individuals can be done by phone, in writing, or in person. If the affected individuals are not immediately identifiable or if the data breach concerns public interest, then public announcements may be more effective. Data users should notify the Commissioner by using the prescribed data breach notification form. The Commissioner has now made it clear that they do not accept oral notifications.
Conclusion
In the revised guidance note, the Commissioner has placed a greater emphasis on the importance of taking preventive and remedial measures. This includes devising a plan to avert the potential risks and harm from data breaches and documenting the data breach to help prevent future recurrence of similar incidents. Whilst non-compliance with the guidance note does not itself amount to a breach of the PDPO, the Commissioner may take this into account when conducting an investigation against the data user. As such, data users are recommended to consider and implement the recommendations set out in the revised guidance note.