
Guidance Note on Data Security Measures for Information and Communications Technology issued by the Privacy Commissioner for Personal Data

2023-05-31

Background

Data breach incidents continue to be a serious problem and threat to businesses and people in Hong Kong in 2023. The Privacy Commissioner for Personal Data in Hong Kong (the “Commissioner”) reported that in 2019 and 2020 her office handled reported data breaches with around a quarter of the reports involving cyberattack incidents, including ransomware attacks. The percentage increased 29% last year, and over 600,000 Hong Kong citizens were affected in various cybersecurity incidents.

Based on the reported incidents, the Commissioner noted that phishing and unpatched vulnerabilities are the 2 most common causes of data breaches. For data breaches that relate to personal data, the Commissioner has a statutory duty to ensure that data users abide by the Data Protection Principles (“DPP”) set out in the Personal Data (Privacy) Ordinance, Cap 486 (the “Ordinance”), with DPP4 imposing a positive duty on data users to safeguard the security of personal data by taking all practicable steps with respect to data security measures.

Against this background, the Commissioner published a Guidance Note on Data Security Measures for Information and Communications Technology (the “Guidance”) to provide data users with some practicable recommendations on data security measures to help data users to comply with DPP4 and the relevant requirements under the Ordinance.

Overview of the Guidance

The Guidance provides data users with recommended data security measures for information and communications technology. The Guidance sets out 7 key recommendations:

1. Data governance and organizational measures

2. Risk assessments

3. Technical and operational security measures

4. Data processor management

5. Remedial actions in the event of data security incidents

6. Monitoring, evaluation and improvement

7. Other considerations: Cloud services; “bring your own devices” (“BYOD”) and portable storage devices (“PSD”).

The Commissioner is mindful that the requirements of each data user in protecting the personal data that it holds vary, and the Guidance does not seek to provide a “one-size-fits-all” approach. It aims to set out a framework of general application incorporating organizational and management commitment, data security and the handling of data breaches.

Key recommendations

A.    Data governance and organizational measures

1. The Commissioner suggests that a data user (including corporations) should have clear internal policies and procedures on data governance and data security covering the following areas:

a. Roles and responsibilities of staff

b. Data security risk assessments

c. Accessing data in and exporting data from systems

d. Outsourcing of data processing and data security

e. Handling data security incidents

f. Destruction of data

2. A data user should review and revise its policies and procedures on data governance and data security periodically and in a timely manner based on the prevailing circumstances, such as new industry standards and new threats to data security.

3. Manpower – suitable personnel in a leadership role should be appointed (e.g. Chief Information Officer, Chief Privacy Officer etc.) to bear specific responsibility for data security. There should be guidelines setting out:

a. the life cycle of the personal data handled by the data user, from its collection to its destruction;

b. roles and responsibilities of relevant staff;

c. lines of authority for decision-making; and

d. accountability and power of oversight concerning access and transfer of personal data.

4. Proportionate staff allocation – the number, seniority and technical competence of the staff members allocated for data security should be proportional to the nature, scale and complexity of the relevant functions and the data processing activities, as well as the data security risks.

5. Training – should be provided to all staff when they join and at regular intervals, covering the following (not exhaustive):

a. Password management

b. Encryption software

c. Portable storage and remote access

d. Data sanitization

e. Fraud risks

f. Use of approved software

g. Use of social media and the internet

B.    Risk assessments

1. Conduct risk assessments on data security for new systems and applications before launch. If necessary (e.g. SMEs that do not have the manpower or expertise etc.), engage 3rd party specialists to conduct the risk assessments.

2. Report results of risk assessments to senior management regularly.

3. If security risks have been identified, act promptly to address such risks.

C.   Technical and operational security measures

1. Based on the risk assessment results, a data user should put in place adequate and effective security measures to protect the systems and data. The following technical and operational measures (not exhaustive) should be considered:

a. Securing computer networks – including physical access controls

b. Database management – separation of servers that hold data; dataset partitioning

c. Access control – adopting the “least privilege” principle to grant as few access rights as possible to complete a task, and assigning users to appropriate roles

d. Firewalls and anti-malware

e. Protecting online applications – ensuring that no unnecessary personal data is stored online

f. Encryption – encryption of data in transit and in storage, and on mobile devices and portable storage devices; effective management and protection of the encryption keys

g. Emails and file transfers – email and spam filters; adopting tools to prevent accidental disclosure of data through email

h. Backup, destruction and anonymization

D.   Data processor management

1. If personal data is outsourced to 3rd parties (including Cloud services) for processing, pursuant to the Ordinance the data user still has the responsibility to comply with DPP4 and may incur liability if the breach of the DPP/the Ordinance is by the 3rd party processor.

2. A data user may consider taking the following actions (not exhaustive) before and when engaging a data processor:

a. implementing policies and procedures to ensure that only competent and reliable data processors will be engaged (conduct due diligence on the data processor);

b. conducting an assessment to ensure that only necessary personal data is transferred to the data processor;

c. clearly stipulating the security measures required to be taken by the data processor in the data processing contract;

d. requiring the data processor to immediately notify all data security incidents; and

e. conducting field audits to ensure compliance with the data processing contract by the data processor, and imposing consequences for breach of contract.

E.    Remedial actions in the event of data security incidents

1. Pursuant to DPP4, the Commissioner considers that a data user has a duty to take timely and effective remedial actions after the occurrence of a data security incident to reduce the gravity of the harm that may be caused to the data subjects.

2. The Commissioner suggested some remedial actions for data users to consider taking in the event of a data security incident:

a. where practicable, immediately stopping the affected information and communications systems and disconnecting them from the internet and other systems of the data user;

b. immediately changing the passwords or ceasing the access rights of the users suspected to have caused or contributed to the data security incident;

c. immediately changing system configurations in order to control access to the affected information and communications systems;

d. notifying the affected individuals without undue delay and providing them with suggestions on possible actions for self-protection;

e. notifying the Commissioner and other law enforcement agencies or regulators, where applicable, without undue delay;

f. fixing the security weaknesses in a timely manner; and

g. where practicable and to the extent that it does not affect future forensic analysis, scanning the information and communications systems for any other unknown security vulnerabilities.

F.    Monitoring, evaluation and improvement

1. The Commissioner suggests that a data user may commission an independent task force, such as an internal or external audit team, to monitor compliance with the data security policy and practices. Improvement actions, including training, should be taken for any non-compliant practices or ineffective measures.

G.   Other considerations: cloud services, BYOD and PSDs

1. For Cloud services, the Commissioner suggests that a data user should take the following measures:

a. assessing the capability of cloud service providers, and seeking formal assurance from the providers on the security controls of the cloud-based environment;

b. setting up strong access control and authentication procedures for the cloud-based environment, such as strong password policies, multi-factor authentication, proper documentation and regular review of access rights; and

c. reviewing the cloud-based security features available and applying the features as appropriate, not merely relying on the default security settings.

2. For BYOD, the Commissioner proposes that data users may deploy the following measures and policies:

a. preventing personal data collected by the data user from being stored in BYOD equipment, where possible;

b. controlling access to personal data stored in BYOD equipment (e.g. requiring a separate log-in in addition to the screen locks of employees' smart phones);

c. encrypting personal data stored in BYOD equipment by using an encryption method that is not built into the BYOD equipment; and

d. installing appropriate software on BYOD equipment that will allow remote erasure of data stored within the equipment, in case the BYOD equipment is lost or stolen.

3. For PSDs such as hard drives or USB flash drives, the Commissioner suggests that a data user may implement the following measures:

a. establishing a policy to set out (1) the circumstances under which PSDs may be used; (2) the types and amount of personal data that may be transferred to PSDs; (3) the approval process for the use of PSDs; and (4) the encryption requirements for the data transferred to PSDs, etc.;

b. using end-point security software to prevent transfer of data from the data user's information and communications systems to insecure (e.g. without encryption function) or unauthorized PSDs;

c. keeping an inventory of PSDs and tracking their uses and whereabouts; and

d. erasing data in PSDs securely (data sanitization) after each use.

Practical strategies and best practices

The Guidance is not law and failure to follow the Guidance’s recommendations does not constitute a breach of DPP or the Ordinance. However, in the event of an investigation of a data breach or complaint, the Commissioner and her officers may assess compliance with the Ordinance based on the recommendations in the Guidance. Thus it is advisable for data users including corporations to follow the recommendations of the Guidance to show compliance with the DPP in the event of an investigation or complaint.

Each data user/company is different in terms of size, business (whether regulated or not) and the data that it collects, uses and processes. It is therefore important for each data user/company to assess what data it is holding, assess the risks involved in relation to a data breach incident and consider how best to address those risks and needs. In terms of technical standards and best practices, the Commissioner recommends that data users could make reference to the standards and best practices set by reputable organizations, such as the ISO/IEC 27000 family of Information Security Management Systems standards, as well as guidance or recommended practices issued by other jurisdictions, such as the Personal Information Security Specification (GB/T 35273-2020) of China, which sets out technical standards on data security measures at various stages of the data life cycle.

Apart from the technical and technology aspect, the human side is also important and often vulnerable, with threats from phishing and spam emails. It is therefore important to have proper training, and to regularly refresh that training, for all staff and new staff on the relevant data security policies and procedures. System monitoring and penetration testing would also help ensure that staff and users follow the policies and procedures when communicating via emails and messages and when handling hyperlinks and data. Management support and top-down commitment to data security are also essential.

The Guidance provides clear recommendations to help data users to strengthen their data security measures and responses and to comply with the requirements under the Ordinance. With the ever changing new threats, data users need to constantly assess their risk and update their existing data security measures to ensure that they are adequately protected.

(This article, written by our Partner Mr Dominic Wai, was first published on the webpage of OneTrust DataGuidance.)


Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2023
