Date: 22 September 2023
Privacy Commissioner’s Office Recommends that Organisations Strengthen
Data Security Measures to Ensure Data Security
The Office of the Privacy Commissioner for Personal Data (PCPD) has noted the recent succession of hacker attacks on the information systems of organisations, which involved the leakage of personal data. The PCPD condemns such attacks and expresses grave concern about the incidents. The PCPD wishes to remind all organisations, whether public or private, to comply with the relevant requirements under the Personal Data (Privacy) Ordinance (PDPO), in particular Data Protection Principle 4 of the PDPO, which requires that all practicable steps shall be taken by data users to ensure that any personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
The PCPD recommends that organisations holding personal data should regularly conduct data security risk assessments, and put in place adequate and effective security measures to safeguard the information and communications systems and personal data in their control or possession, based on the nature, scale and complexity of their data processing activities, as well as the results of the risk assessments. The PCPD reminds all organisations to take precautionary measures, raise their awareness of cyber security and review their data security systems. To strengthen data security and prevent malicious attacks on their information systems, organisations should adopt the following data security measures in a timely manner:
Secure computer networks: Use security devices or software such as firewalls and/or anti-malware applications to protect computer networks. Software (including mobile apps and anti-malware applications) should be regularly updated to detect new viruses and emerging threats;
Regularly conduct vulnerability assessments and penetration tests, in particular for internet-facing systems;
Implement patch management to fix security vulnerabilities in a timely manner;
Encrypt data in transit and in storage, and manage and protect the encryption keys effectively;
Database management: Separate database servers from web servers by firewalls, so that the internal servers remain protected if the web servers are compromised;
Adopt the "least privilege" principle to grant as few access rights as possible to complete a task and assign users to appropriate roles (including restriction of the volume of data to be accessed and the duration of access); and
Destroy unnecessary or expired personal data in a timely manner.
To strengthen data security systems, the PCPD issued the “Guidance Note on Data Security Measures for Information and Communications Technology” (the Guidance Note) in August 2022 to provide data users with recommended data security measures. For details, please download the Guidance Note:
In parallel, the PCPD has set up a dedicated hotline and email service for small and medium enterprises (SMEs) (telephone: 2110 1155, email: email@example.com), which aims to provide SMEs with a readily available channel to make enquiries about how to ensure compliance with the PDPO. To enhance publicity and education, the PCPD arranges seminars for members of the public and organisations from time to time to explain the importance of protecting personal data privacy. Organisations interested in arranging in-house seminars can contact the PCPD (email: firstname.lastname@example.org).
The PCPD strongly advises organisations to notify the PCPD of any data breach incident as soon as practicable. Early notification of a data breach incident to the PCPD will enable the PCPD to help the organisation and the affected parties to take appropriate and timely measures to minimise the damage caused by the incident to the organisation and the affected parties. Organisations are also strongly advised to notify the affected data subjects as soon as possible of any data breach incident.
To assist organisations in preparing themselves for a data breach, the PCPD has also updated the “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) in June 2023, which contains practical recommendations to help organisations prepare data breach response plans and handle data breach incidents. Please download the Guidance from the website: