Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2021DB04

Unencrypted personal data transmitted in mobile applications – DPP 4 – security of personal data


In monitoring personal data risks, the PCPD may inspect the activities of a data user involving large-scale collection and use of personal data.

In the second half of 2020, the PCPD conducted security testing to determine whether the mobile applications (apps) developed or operated by local enterprises which involved the collection of customers’ personal data complied with DPP 4.

The PCPD found that 14 apps did not use adequate encryption to securely transmit personal data. As such, attackers could secretly eavesdrop or modify the transmission data.

Remedial Measures

All enterprises concerned took the PCPD’s advice and implemented adequate encryption in their apps to protect personal data transmission.

Lesson learnt

Online activities and transactions are convenient but carry nonnegligible risks to personal data privacy. Personal data collected by different apps may end up in the hands of hackers if such data is not protected by stringent security measures.

Organisations must protect and respect personal data to garner the trust of their customers to remain competitive. Organisations should regularly review and update their apps to ensure the security of personal data.

(Uploaded in June 2022)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :