There have been many cases of personal data leakage recently in both the private and public sectors. In this article, we discuss the privacy law and the notification procedures in Hong Kong that apply in the event of a personal data leak.

Data Protection Principles under the Personal Data (Privacy) Ordinance

Data Protection Principles (DPP) 4(1) and 4(2)

DPP 4(1) provides that a data user shall take all reasonably practicable steps to ensure that the personal data it holds is protected against unauthorized or accidental access, processing, erasure, loss or use.

DPP 4(2) provides that if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

Consequence of breach of DPP

The Office of the Privacy Commissioner for Personal Data (PCPD) may issue an enforcement notice to the organisation that committed the breach, directing the wrongdoer to stop contravening the relevant DPP and to take any necessary remedial action.

Non-compliance with a PCPD enforcement notice is an offence punishable by a fine or imprisonment. Additionally, a victim who suffers damage, including injury to feelings, as a result of the contravention may be entitled to compensation from the wrongdoer through civil proceedings.

Notification procedures to PCPD

While notification is not compulsory, it is highly recommended that data users notify the PCPD as a best practice for managing such incidents effectively. Notifications should be submitted in written form.

Data users are encouraged to use the online data breach notification form to notify the PCPD of any data breach incident. As an alternative to the online form, data users can download the paper version of the data breach notification form for completion. After completing the form, the data user should submit it, together with any other relevant documents concerning the data breach, through one of the following channels:

  • By email: dbn@pcpd.org.hk
  • By post or in person: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong (reception counter opening hours: Monday to Friday, 8:45 a.m. to 12:45 p.m. and 1:50 p.m. to 5:40 p.m.)
  • By fax: 2877 7026

Other Suggested Actions

  • Information gathering: data users should immediately gather all relevant information relating to the breach, such as the date, time and place of the breach, how it was detected, its cause, the kind and extent of personal data involved and the number of data subjects affected;
  • Containment measures: data users should identify the cause of the breach and adopt measures to contain it – for example, shutting down the system that caused the failure, changing security settings to prevent further unauthorized access, and seeking technical assistance to stop ongoing hacking activity;
  • Contacting relevant parties: where appropriate, data users should consider contacting the relevant law enforcement agencies, regulators (e.g. the PCPD), Internet companies and IT experts for reporting, advice and assistance;
  • Risk assessment: an assessment should be conducted to evaluate the extent of harm that the data breach may cause to the data subjects and the data user, including potential threats to personal safety, identity theft and financial loss; and
  • Evidence keeping: all evidence relating to the data breach should be preserved to facilitate further investigation and corrective action.