

6. Whether the data breach is ongoing and whether
there will be further exposure of the leaked data
7. Whether the breach is an isolated incident or a
systemic problem
8. In the case of a physical loss, whether the personal
data has been retrieved before it could be accessed
or copied
9. Whether effective mitigation / remedial measures
have been taken after the breach occurred
10. The ability of the data subjects to avoid or mitigate
possible harm
11. The reasonable expectation of personal data privacy
of the data subjects
The result of an assessment may indicate a real risk
of harm, for example, when a database containing
personal particulars, contact details and financial
data is accidentally leaked online through file-sharing
software. On the other hand, the risk of harm may be
lower where a lost USB flash drive contains securely
encrypted data that is not sensitive in nature, where only
a small number of data subjects are affected, or where a
lost or misplaced device containing personal data has
subsequently been found and the personal data does not
appear to have been accessed.
Step 4: Considering the giving of data breach notification
Where data subjects can be identified, a data user should
consider notifying the data subjects and the relevant
parties when a real risk of harm is reasonably foreseeable
in a data breach. Before making the decision, the
consequences of failing to give notification should be
duly considered.
What is a data breach notification?
It is a formal notification given by the data user to
the data subjects affected and the relevant parties and
regulators in a data breach, and is useful in:
• drawing the affected data subjects’ attention to
take proactive steps or measures to mitigate the
potential harm or damage, for example, to protect
their physical safety, reputation or financial position
• allowing the relevant authorities to undertake
appropriate investigative or follow-up actions
consequent to the breach
• showing the data user’s commitment to proper
privacy management in adhering to the principles
of transparency and accountability
• increasing public awareness, for example, in
situations when public health or security is affected
by the data breach
Although it is not required by the Ordinance, the
Commissioner, like most overseas personal data
protection authorities, encourages data users (especially
organisational data users) to adopt a system of
notification in handling a data breach.
To whom should the notification be given?
The data user should consider the circumstances of
the case and decide whether any of the following
persons should be notified as soon as practicable:
1. The affected data subjects
2. The law enforcement agencies
3. The Commissioner
4. Any relevant regulators
5. Such other parties who may be able to take remedial
actions to protect the personal data privacy and the
interests of the data subjects affected (for example,
Internet companies like Google and Yahoo may
assist in removing the relevant cached links from
their search engines)
What should be included in the notification?
Depending on the circumstances of the case, a
notification may include the following information:
1. A general description of what occurred
2. The date and time of the breach, and its duration,
if applicable
3. The date and time the breach was discovered
4. The source of the breach (either the data user itself
or the third party that processed the personal data
on its behalf)
5. A list of the types of personal data involved
6. An assessment of the risk of harm (such as identity
theft or fraud) as a result of the breach
Guidance on Data Breach Handling and the Giving of Breach Notifications
October 2015