Guidance Note on Data Security Measures for Information and Communications Technology issued by the Privacy Commissioner for Personal Data
Background
Data breach incidents continue to be a serious problem and threat to businesses and people in Hong Kong in 2023. The Privacy Commissioner for Personal Data in Hong Kong (the “Commissioner”) reported that in 2019 and 2020 her office had handled reported data breaches with around a quarter of the reports involving cyberattack incidents, including ransomware attacks. The percentage increased 29% last year, and over 600,000 Hong Kong citizens were affected in various cybersecurity incidents.
Based on the reported incidents, the Commissioner noted that phishing and unpatched vulnerabilities are the two most common causes of data breaches. For data breaches that relate to personal data, the Commissioner has a statutory duty to ensure that data users abide by the Data Protection Principles (“DPP”) set out in the Personal Data (Privacy) Ordinance, Cap 486 (the “Ordinance”), with DPP4 imposing a positive duty on data users to safeguard the security of personal data by taking all practicable steps with respect to data security measures.
Against this background, the Commissioner published a Guidance Note on Data Security Measures for Information and Communications Technology (the “Guidance”) to provide data users with some practicable recommendations on data security measures to help data users comply with DPP4 and the relevant requirements under the Ordinance.
Overview of the Guidance
The Guidance provides data users with recommended data security measures for information and communications technology. The Guidance sets out 7 key recommendations:
1. Data governance and organizational measures
2. Risk assessments
3. Technical and operational security measures
4. Data processor management
5. Remedial actions in the event of data security incidents
6. Monitoring, evaluation and improvement
7. Other considerations: cloud services; “bring your own devices” (“BYOD”) and portable storage devices (“PSD”)
The Commissioner is mindful that the requirements of each data user in protecting the personal data that it holds vary, and the Guidance does not seek to provide a “one-size-fits-all” approach. It aims to set out a framework of general application incorporating organizational and management commitment, data security and the handling of data breaches.
Key recommendations
A. Data governance and organizational measures
1. The Commissioner suggests that a data user (including corporations) should have clear internal policies and procedures on data governance and data security covering the following areas:
a. Roles and responsibilities of staff
b. Data security risk assessments
c. Accessing data in and exporting data from systems
d. Outsourcing of data processing and data security
e. Handling data security incidents
f. Destruction of data
2. A data user should review and revise its policies and procedures on data governance and data security periodically and in a timely manner based on the prevailing circumstances, such as new industry standards and new threats to data security.
3. Manpower – suitable personnel in a leadership role should be appointed (e.g. Chief Information Officer, Chief Privacy Officer, etc.) to bear specific responsibility for data security. There should be guidelines setting out:
a. the life cycle of the personal data handled by the data user, from its collection to its destruction;
b. roles and responsibilities of relevant staff;
c. lines of authority for decision-making; and
d. accountability and power of oversight concerning access to and transfer of personal data.
4. Proportionate staff allocation – the number, seniority and technical competence of the staff members allocated to data security should be proportional to the nature, scale and complexity of the relevant functions and data processing activities, as well as to the data security risks.
5. Training – should be provided to all staff when they join and at regular intervals, covering the following (not exhaustive):
a. Password management
b. Encryption software
c. Portable storage and remote access
d. Data sanitization
e. Fraud risks
f. Use of approved software
g. Use of social media and the internet
B. Risk assessments
1. Conduct risk assessments on data security for new systems and applications before launch. If necessary (e.g. for SMEs that do not have the manpower or expertise), engage third-party specialists to conduct the risk assessments.
2. Report the results of risk assessments to senior management regularly.
3. If security risks have been identified, act promptly to address them.
C. Technical and operational security measures
1. Based on the risk assessment results, a data user should put in place adequate and effective security measures to protect its systems and data. The following technical and operational measures (not exhaustive) should be considered:
a. Securing computer networks – including physical access controls
b. Database management – separation of the servers that hold data; dataset partitioning
c. Access control – adopting the “least privilege” principle, granting only the access rights needed to complete a task and assigning users to appropriate roles
d. Firewalls and anti-malware
e. Protecting online applications – ensuring that no unnecessary personal data is stored online
f. Encryption – encryption of data in transit and in storage, and on mobile devices and portable storage devices; effective management and protection of the encryption keys
g. Emails and file transfers – email and spam filters; adopting tools to prevent accidental disclosure of data through email
h. Backup, destruction and anonymization
D. Data processor management
1. If personal data is outsourced to third parties (including cloud services) for processing, pursuant to the Ordinance the data user remains responsible for complying with DPP4 and may incur liability if the breach of the DPP or the Ordinance is committed by the third-party processor.
2. A data user may consider taking the following actions (not exhaustive) before and when engaging a data processor:
a. implementing policies and procedures to ensure that only competent and reliable data processors are engaged (conducting due diligence on the data processor);
b. conducting an assessment to ensure that only the necessary personal data is transferred to the data processor;
c. clearly stipulating in the data processing contract the security measures required to be taken by the data processor;
d. requiring the data processor to notify the data user immediately of all data security incidents; and
e. conducting field audits to ensure compliance with the data processing contract by the data processor, and imposing consequences for breach of contract.
E. Remedial actions in the event of data security incidents
1. Pursuant to DPP4, the Commissioner considers that a data user has a duty to take timely and effective remedial actions after the occurrence of a data security incident to reduce the gravity of the harm that may be caused to the data subjects.
2. The Commissioner suggests some remedial actions for data users to consider taking in the event of a data security incident:
a. where practicable, immediately stopping the affected information and communications systems and disconnecting them from the internet and from the data user's other systems;
b. immediately changing the passwords or ceasing the access rights of the users suspected to have caused or contributed to the data security incident;
c. immediately changing system configurations in order to control access to the affected information and communications systems;
d. notifying the affected individuals without undue delay and providing them with suggestions on possible actions for self-protection;
e. notifying the Commissioner and other law enforcement agencies or regulators, where applicable, without undue delay;
f. fixing the security weaknesses in a timely manner; and
g. where practicable and to the extent that it does not affect future forensic analysis, scanning the information and communications systems for any other unknown security vulnerabilities.
F. Monitoring, evaluation and improvement
1. The Commissioner suggests that a data user may commission an independent task force, such as an internal or external audit team, to monitor compliance with the data security policy and practices. Improvement actions, including training, should be taken for any non-compliant practices or ineffective measures.
G. Other considerations: cloud services, BYOD and PSDs
1. For cloud services, the Commissioner suggests that a data user should take the following measures:
a. assessing the capability of cloud service providers, and seeking formal assurance from the providers on the security controls of the cloud-based environment;
b. setting up strong access control and authentication procedures for the cloud-based environment, such as strong password policies, multi-factor authentication, proper documentation and regular review of access rights; and
c. reviewing the cloud-based security features available and applying them as appropriate, rather than merely relying on the default security settings.
2. For BYOD, the Commissioner proposes that data users may deploy the following measures and policies:
a. preventing personal data collected by the data user from being stored on BYOD equipment, where possible;
b. controlling access to personal data stored on BYOD equipment (e.g. requiring a separate log-in in addition to the screen locks of employees' smartphones);
c. encrypting personal data stored on BYOD equipment using an encryption method that is not built into the BYOD equipment; and
d. installing appropriate software on BYOD equipment that allows remote erasure of the data stored on it, in case the BYOD equipment is lost or stolen.
3. For PSDs such as hard drives or USB flash drives, the Commissioner suggests that a data user may implement the following measures:
a. establishing a policy setting out (1) the circumstances under which PSDs may be used; (2) the types and amount of personal data that may be transferred to PSDs; (3) the approval process for the use of PSDs; and (4) the encryption requirements for the data transferred to PSDs, etc.;
b. using end-point security software to prevent the transfer of data from the data user's information and communications systems to insecure (e.g. lacking an encryption function) or unauthorized PSDs;
c. keeping an inventory of PSDs and tracking their uses and whereabouts; and
d. erasing data on PSDs securely (data sanitization) after each use.
Practical strategies and best practices
The Guidance is not law, and failure to follow the Guidance's recommendations does not in itself constitute a breach of the DPP or the Ordinance. However, in the event of an investigation of a data breach or complaint, the Commissioner and her officers may assess compliance with the Ordinance by reference to the recommendations in the Guidance. It is therefore advisable for data users, including corporations, to follow the recommendations of the Guidance so as to demonstrate compliance with the DPP in the event of an investigation or complaint.
Each data user/company is different in terms of size, business (whether regulated or not) and the data that it collects, uses and processes. It is therefore important for each data user/company to assess what data it is holding, assess the risks involved in relation to a data breach incident and consider how best to address those risks and needs. In terms of technical standards and best practices, the Commissioner recommends that data users make reference to the standards and best practices set by reputable organizations, such as the ISO/IEC 27000 family of Information Security Management Systems standards, as well as guidance or recommended practices issued by other jurisdictions, such as the Personal Information Security Specification (GB/T 35273-2020) of China, which sets out technical standards on data security measures at the various stages of the data life cycle.
Apart from the technical and technology aspects, the human side is also important and is often the vulnerable point, given the threats from phishing and spam emails. It is therefore important to provide proper training on the relevant data security policies and procedures to new staff and to refresh it regularly with all staff. System monitoring and penetration testing would also help ensure that staff and users follow the policies and procedures when communicating via emails and messages and when handling hyperlinks and data. Management support and top-down commitment to data security are also essential.
The Guidance provides clear recommendations to help data users strengthen their data security measures and responses and comply with the requirements under the Ordinance. With ever-changing new threats, data users need to constantly assess their risks and update their existing data security measures to ensure that they are adequately protected.
(This article, written by our Partner Mr Dominic Wai, was first published on the webpage of OneTrust DataGuidance.)
Published by ONC Lawyers © 2023