Hong Kong: Data Security Measures Guidance published by the PCPD

As data breaches and cyber attacks continue to surge and attackers become more sophisticated, organisations are well aware that the need for robust data security measures is becoming increasingly important. 

In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note) to provide data users with recommended data security measures to facilitate their compliance with the requirements under the Personal Data (Privacy) Ordinance (PDPO) as well as good practices in strengthening their data security systems. 

The purpose of the Guidance Note is to provide practical guidance and recommendations for complying with the PDPO. Specifically, Data Protection Principle 4(1) of the PDPO requires a data user to take “all practicable steps” to ensure that any personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or us, having regard to a number of factors such as data type, potential harm, data storage location and measures taken to secure data transmission. The Guidance Note is intended to assist data users in assessing and understanding the steps they should take in order to comply with the law.

While failure to follow the Guidance Note does not in itself constitute a breach of PDPO, organisations are generally advised to follow the Guidance Note. In the event of an investigation or complaint, the PCPD may assess compliance with the PDPO based on the guidance set out in the Guidance Note. Organisations that do not follow the recommendations may find it more difficult to demonstrate compliance with the PCPD.

The Guidance Note sets out seven key recommendations for data security measures to data users in managing data security.

1. Data governance and organizational measures 
   
   Data users should establish policies and procedures on data governance and data security. They should also provide training for staff members and appoint dedicated personnel to manage data security.
2. Risk assessments
   
   Data users should conduct risk assessments on data security for new systems and applications. The results should be reported to senior management regularly and any risks identified should be promptly addressed.
3. Technical and operational security measures
   
   Data users should adopt appropriate technical and operational security measures, such as safeguarding computer networks, managing databases, enforcing access control, installing firewalls and anti-malware software, protecting online applications, encrypting data, securing emails and file transfers, and implementing secure backup, destruction, and anonymization procedures.
4. Data processor management
   
   Under the PDPO, a data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the personal data transferred to its data processors for processing. To ensure compliance, data users should assess the competency and reliability of data processors, conduct audits, require notification of data security incidents, stipulate security measures required in contracts and transfer only minimal necessary data to processors.
5. Remedial actions in the event of data security incidents
   
   In the event of a data security incident, data users should take timely and effective remedial actions to reduce (i) the risks of unauthorized or accidental access, processing, or use of the personal data affected and (ii) the gravity of harm that may be caused to the affected individuals. Common remedial actions include changing passwords, stopping and disconnecting affected systems, notifying the PCPD and the affected individuals, scanning systems and fixing security weaknesses.
6. Monitoring, evaluation, and improvement
   
   Data users should commission an independent task force to monitor and evaluate data security compliance and take steps to address any non-compliant practices or ineffective measures.
7. Other considerations
   
   Data users should implement other appropriate security measures where cloud services are used, employees are permitted to use their own devices or portable storage devices are permitted.

Conclusion

As data breaches become more frequent and directly affect individuals, organizations must prioritize the security of personal data by implementing the appropriate measures to improve their data security systems. The Guidance Note provides clear recommendations to help data users take steps to strengthen their technical and organisational security measures and to comply with the requirements under the PCPD. Organizations should challenge themselves about their existing data security measures, consider whether they are adequate and how they can continue to be improved.