In brief
In June 2023, the Office of the Privacy Commissioner for Personal Data (PCPD) issued an updated Guidance on Data Breach Handling and Data Breach Notifications (“Guidance”). The Guidance updates a non-binding, end-to-end framework for data users to tackle data breaches, including recommended elements that go into a data breach response plan, questions that need to be addressed in the course of investigating a data breach incident, how to make a data breach notification and tips for preventing recurrence of data breaches.
There is currently no obligation under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) for data users to notify the PCPD, affected data subjects or others of a data breach. Depending on the circumstances, a data breach may amount to a violation by the data user of the security principle (Data Protection Principle 4) under the PDPO. This could result in an investigation by the PCPD (and the publication of an investigation report if it is in the public interest to do so), and potentially lead to an enforcement notice.
The PCPD, in its work report released in February 2023, included the establishment of a mandatory data breach notification mechanism as one of the proposed amendments to the PDPO in its comprehensive review of the legislation. The work report also disclosed that the Government and the PCPD are aiming to consult the Legislative Council on specific legislative proposals concerning the PDPO in the second quarter of 2023.
While we await further updates on the proposed amendments to the PDPO, the increased emphasis on data breach notification in the Guidance indicates that mandatory breach notification requirements may be forthcoming in Hong Kong. Should this be the case, Hong Kong would join many other jurisdictions in the Asia Pacific region, such as Singapore and Japan, that mandate data breach notifications in specified circumstances. Businesses should be proactive in preparing for possible mandatory notification requirements in the future.
Overview of the Guidance
The Guidance provides a comprehensive framework in relation to preparing for, handling, and preventing data breaches:
- Definition of a data breach: The PDPO does not include a definition of a “data breach”. The Guidance defines a data breach generally as a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data of data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use.
- Preparing for data breaches: A comprehensive data breach response plan is essential, and the Guidance discusses various aspects recommended to be covered by the plan. In brief, the plan should set out who will be responsible for handling a data breach, how a data breach will be notified internally (e.g., escalation to senior management) and externally (e.g., to affected data subjects, regulatory authorities and other relevant parties), how a breach will be investigated, contained, evidenced, and reviewed, as well as how to ensure the procedures will be followed properly (meaning that employee training is key).
- Handling data breaches: A 5-step approach is recommended, in order for data users to take swift action to reduce the impact of a data breach:
  - Immediately gather essential information about the data breach, such as when, where and how it occurred
  - Take immediate steps to contain the data breach, such as shutting down or disabling relevant system functions, or fixing any bugs or errors that caused the breach
  - Assess the risk of harm that may be caused by the data breach to affected data subjects, such as the type and extent of harm
  - Consider giving data breach notifications to the affected data subjects and the PCPD as soon as practicable, particularly if the data breach is likely to result in a real risk of harm to the affected data subjects
  - Document the breach, including details and effects of the breach as well as measures taken to contain and remediate the breach.
- Preventing future data breaches: Data users should learn from the breach by conducting an incident review, and the Guidance lists out various factors which should be considered in such review. This includes, for example, the adequacy of the data user’s IT security system, whether the relevant privacy policies and practices need to be revised in light of the incident, and whether the monitoring and supervision of its employees, agents or data processors should be strengthened.
All in all, the Guidance’s recommendation on the formulation of a comprehensive data breach response plan and emphasis on post-incident review highlights the importance of proactive preparation and prevention as opposed to merely reactive data breach responses.
Handling data breaches
The 2023 Guidance expands on its previous version (issued in January 2019) by providing more detailed guidance on data breach notification (step 4 of the 5-step approach):
- When to notify: The Guidance makes it clear that data users are generally recommended to notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects. The Guidance places greater emphasis on prompt notification, which should be made “regardless of the progress of any internal investigation”. Where full details of the incident are only revealed subsequent to the notification, such information should be submitted to the PCPD and other law enforcement agencies “without delay”.
- How to notify data subjects: The Guidance clarifies that for breaches resulting in particularly serious harm or affecting a large number of individuals, it would be reasonable to use multiple notification methods to publicise the breach.
- What to notify: The Guidance sets out further suggestions on the contents of a notification, such as the categories and approximate number of affected personal data records involved in the incident.
To give effect to the above, the PCPD has concurrently revamped its data breach notification form, which is recommended for use by data users when reporting a data breach to the PCPD.
- The form is re-designed to be more user-friendly: Instead of requiring data users to write up paragraphs describing the breach with reference to the information notes, the updated form now largely uses a fill-in-the-blanks format with pre-set suggested answers for easier completion.
- The form comes with pages of practical tips for handling data breach incidents: The updated form suggests various immediate remedial measures specific to the six common causes of data breaches, as well as various specific preventive measures.
The PCPD has also launched an e-Data Breach Notification Form to enable data users to notify it in a convenient and timely manner. All these align with the Guidance’s emphasis on prompt notification, even when internal investigation is ongoing.
Key takeaways
While the Guidance is not legally binding, it is a valuable and practical tool to assist data users in preventing, preparing for and handling data breaches amidst growing data security risks. Following its comprehensive and practical recommendations will help data users build data breach resilience and readiness. In short, data users should:
- Take preventive measures, e.g., review existing data security systems, policies, and contracts with data processors and identify areas for improvement
- Develop a robust and comprehensive data breach response plan covering identification, containment, investigation, documentation, and prevention of data breaches
- Enhance data breach handling procedures – in particular, in the event of an incident, be prepared to give data breach notifications to affected data subjects, the PCPD and/or other law enforcement agencies (as applicable).
The increased emphasis on data breach notification in the Guidance signals that notifying a data breach to the PCPD and affected data subjects may become mandatory in Hong Kong. While the Guidance remains voluntary for the time being, it would be prudent for data users to proactively prepare for possible mandatory notification requirements, which would align Hong Kong with many other Asia Pacific jurisdictions, such as Singapore and Japan, that already have such requirements in place.