Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications
1. The Personal Data (Privacy) Ordinance (“the
Ordinance”) does not require the giving of data breach notifications by
data users. The Privacy Commissioner for Personal Data (“the
Commissioner”) has however consistently advised data users to consider
giving notification whenever their personal data are discovered to have
been compromised. He has also suggested to the Government that a
system of data breach notification be considered when the Ordinance is
reviewed. He is pleased that the Government has in the meantime
instituted a notification mechanism to require bureaux and departments
to notify the Commissioner and affected individuals in the event of
electronic data leakage. It is hoped that the mechanism will be
strictly adhered to by all public organizations.
2. The Commissioner, Mr. Roderick B. Woo, today published a new Guidance Note, titled “Data Breach Handling and the Giving of Breach Notifications” (“the Guidance Note”), to assist data users in handling data breaches and to mitigate the loss and damage that may be caused to the data subjects concerned.
3. Mr. Woo said, “With the development of technology, large volumes of personal data are often stored and transmitted electronically, resulting in an increased possibility of data leakage. In recent years, many data leakage incidents happened due to the loss of USB flash drives and the use of file-sharing software.”
4. Mr. Woo said, “The Guidance Note provides good policies and practices to assist data users in taking remedial actions promptly to mitigate the damage that may be caused to the affected individuals. By following these good policies and practices, the data user can demonstrate its responsible and accountable attitude.”
5. In handling a data breach, the data user should consider:
(i) gathering essential information relating to the breach as soon as possible;
(ii) adopting appropriate measures to contain the breach;
(iii) assessing the possible damage to data subjects; and
(iv) considering the giving of data breach notification.
6. In some situations, data users are encouraged to handle the data breach by giving data breach notifications after assessing the seriousness and the extent of damage caused by the breach. Besides informing the affected data subjects and enabling them to take appropriate protective measures, the giving of a data breach notification may reduce the risk of potential litigation and, in the long run, help the data user regain public confidence in some cases.
7. In this month’s meeting of the Asia Pacific Privacy Authorities Forum, the subject of data breach notification was once again addressed. Even though the giving of notification is not mandatory in any member’s jurisdiction, all agreed on the importance of such a practice. The meeting considered the development of a template for data breach notifications to data protection authorities. Based on the discussion, the Commissioner has prepared a template for Hong Kong data users to use when notification to the Commissioner is called for. The template can be accessed from the Commissioner's official website (www.pcpd.org.hk/english/publications/files/Notification_Form_e.pdf).
8. Noting recent data breaches, the Commissioner wishes to take this opportunity to urge organizations to ensure that their employees are made well aware of the importance of data security and to provide them with adequate training in how to protect personal data.
9. The Guidance Note is available for download from the website of the Commissioner's Office (www.pcpd.org.hk/english/publications/guid_note.html). Copies are also available from the Commissioner's Office at 12/F., 248 Queen's Road East, Wan Chai, Hong Kong.
END