Skip to content

Media Statements

Media Statement - Privacy Commissioners Office Issues Guidance Note on Data Security Measures for ICT

Date: 30 August 2022

Privacy Commissioner’s Office Issues Guidance Note
on Data Security Measures for ICT

Amidst the widespread use of information and communications technology, accompanied by the new normal of hybrid working and hybrid learning, data users are confronted with considerable challenges to the protection of personal data privacy, in particular as regards data security. In the first seven months of this year, the Office of the Privacy Commissioner for Personal Data (PCPD) received 68 data breach notifications from organisations.  More than a quarter of these involved vulnerabilities in data users’ information and communications technology (ICT) systems. Against this background, the PCPD today (30 August) issued the “Guidance Note on Data Security Measures for Information and Communications Technology” (Guidance) to provide data users with recommended data security measures for ICT to facilitate their compliance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486).
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “In the light of the increase in cybersecurity incidents, data users should step up their data security measures to prevent malicious attacks on their information systems.   As a matter of fact, a robust data security system is a core element of good data governance. The Guidance provides comprehensive recommendations on best practices in strengthening data security systems to organisations, especially small and medium-sized enterprises.”
The Guidance provides, among others, recommendations on data security measures for ICT in the following areas, supplemented by case studies and infographic illustrations:
1. Data Governance and Organisational Measures, including the appointment of a suitable personnel in a leadership role to bear specific responsibility for data security, and ensure sufficient training is provided for staff members.
2. Risk Assessments on data security for new systems and applications before launch, as well as periodically thereafter.
3. A Recommended Series of Technical and Operational Security Measures.
4. Data Processor Management: A data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor.
5. Remedial actions in the event of Data Security Incidents, thereby reducing the gravity of harm that may be caused to the organisation and affected individuals.
6. Regularly Monitoring, Evaluating and Improving compliance with data security policies.
7. Recommended Data Security Measures for Cloud Services, “Bring Your Own Devices” and Portable Storage Devices.
Download “Guidance Note on Data Security Measures for Information and Communications Technology”: