The Hong Kong Privacy Commissioner has published updated “Guidance on Data Breach Handling and Data Breach Notifications”, to provide enhanced practical guidance to businesses in preparing for and responding to personal data breaches.
The updated guidance has been issued in response to an increase in cyberattacks and data breaches in Hong Kong, including a 20% increase in the number of reported data breach incidents in the first half of 2023 (55 cases) when compared to the second half of 2022. Whether this will be enough to tackle the problem remains to be seen.
Non-binding best practice guidance
Unlike other APAC jurisdictions such as Singapore, Thailand and Korea, Hong Kong does not yet have a mandatory data breach notification regime under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO).
At this stage Hong Kong is sticking with enhanced but non-binding recommendations from the Commissioner, in the hope of reducing incidents through better data practices. However, Hong Kong is the regional outlier in this respect and the situation could change.
Data Breach definition
The Data Breach Guidance defines “data breach” as “a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data of data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use”.
Although there is no penalty imposed on businesses for failing to notify data breaches to the Privacy Commissioner, a data breach may amount to a breach of the security principle (Data Protection Principle 4) under the PDPO. This could result in an investigation, leading to an enforcement notice and potential fine or even imprisonment.
The Data Breach Guidance reminds businesses that, as well as cyberattacks, inadvertent or inappropriate internal use by staff members may also cause data breaches. Examples include: loss of physical documents or portable devices, improper or wrongful disposal of personal data in breach of organisational disposal policy, inadvertent disclosure by email, and staff negligence or misconduct.
As readers may recall, the Registration and Electoral Office’s data breach incidents were caused by wrongful disclosure and the loss of physical devices by the Office’s staff.
Two-pronged approach to data breaches
Businesses are advised to take a two-pronged “Prepare” – “Respond” approach to data breaches under the Data Breach Guidance:
Prepare
Businesses are advised to put in place a comprehensive data breach response plan to respond quickly to and effectively manage data breaches. The response plan should set out, for example:
- Explanation of what constitutes a data breach with triggering criteria
- An internal incident escalation procedure
- Breach response team and contact list
- Risk assessment workflow
- Investigation procedure and containment strategy
- Communication plans regarding notifications to stakeholders
- A post-incident review mechanism
- A training or drill plan to ensure staff’s compliance with the response plan.
Respond
Businesses are then advised to follow these 5 steps to respond to a data breach:
- Step 1: Immediately gather essential data breach information
- Step 2: Contain the data breach
- Step 3: Assess the risk of harm to data subjects
- Step 4: Consider giving data breach notifications
- Step 5: Document the breach
When should businesses notify breaches?
Businesses are advised to notify the Privacy Commissioner and the affected data subjects as soon as practicable after becoming aware of the data breach - particularly if the data breach is likely to result in a real risk of harm to those affected data subjects.
Risks of harm may include: threats to personal safety, identity theft, financial loss, humiliation or loss of dignity, damage to reputation or relationships, and loss of business or employment opportunities.
In assessing the risk of harm, businesses should consider factors such as:
- the type and sensitivity of data leaked
- the amount of data involved
- whether leaked data is encrypted
- the likelihood of identity theft or fraud
- whether effective mitigation/remedial measures have been taken
- the ability of the data subjects to avoid or mitigate possible harm.
Note for financial institutions and international businesses
For financial institutions regulated by the Hong Kong Monetary Authority and the Securities and Futures Commission, it is important to consider whether any data breach notification obligations will be triggered under those regimes.
Businesses operating across jurisdictions should consider whether data breach obligations under other jurisdictions (e.g. the EU GDPR or China’s Personal Information Protection Law) may be triggered.
What information should be in data breach notifications?
If businesses do decide to provide a data breach notification to data subjects, they are advised to include the following information in the notification:
- Description of what occurred including the source, date and time, duration, and cause of data breach
- The type of breach and list of the types of personal data involved
- The categories and approximate number of data subjects involved
- Assessment of the risk of harm that could result from the breach
- Description of mitigating or remedial measures taken by the company
- Advice on the actions the data subjects can take to protect themselves.
Businesses reporting data breaches to the Commissioner may utilise the newly launched e-Data Breach Notification Form or complete the Data Breach Notification Form.
Looking ahead
As we reported, the Privacy Commissioner and the HK Government have initially indicated that they would consult LegCo regarding legislative proposals concerning the PDPO reform, including the introduction of a mandatory data breach notification regime, in the second quarter of 2023. However, to date we have not seen any further updates.
These latest moves by the Commissioner’s office, in both issuing updated Data Breach Guidance and introducing the online data breach notification form, demonstrate the regulatory focus on the escalating problem of data breaches. Taken together, they could be seen as a step towards formal reform of the PDPO to finally include a mandatory data breach notification obligation - and to bring Hong Kong in line with other regimes in the region.
Watch this space and follow our Tech Insights updates on Linklaters Tech in LinkedIn!