Data Security

Recent high-profile data security incidents in Hong Kong and overseas have put personal data protection in the spotlight and heightened concerns in the community.

Whilst cyberattacks, which could be criminal of themselves being regulated by other legislative instruments, may in some cases be out of the reach of businesses, the Ordinance requires that “all practicable steps” be taken to ensure personal data security in the case of a data breach. What these steps are would naturally turn on the facts and circumstances of each case.

When my office (PCPD) is called upon to consider whether a data user has taken “all practicable steps” to discharge its data security obligations, it will adopt a ‘totality of facts’ approach, taking into account a wide range of factors including but not limited to:

• whether the data user has clear internal policy and guidelines on data governance and data security;

• whether appropriate staffing level has been provided for IT security, and suitable personnel in a leadership role appointed to bear specific responsibility for personal data security;

• whether periodic risk assessments are conducted on the information systems pursuant to established policy and procedures; in particular, the collection of sensitive data should be minimised and subject to more robust protection;

• depending on the nature, scale and complexity of the data processing activities, whether adequate technical and operational security measures have been put in place to safeguard the security of the information systems and the personal data (see further elaboration below);

• if data processors are engaged, whether contractual or other means are adopted to maintain oversight of their data security practices; and

• in the event of a data security incident, whether adequate actions have been taken to contain and remedy the matter, and to minimise the harm to the affected individuals, including timely notifying the individuals and the PCPD.

In the current state of technology, key technical data security measures should include typically, for instance:

• the implementation of ICT security to protect system hardware and software from misuse or unauthorised access;

• the use of encryption for data in transit and in storage, and effective management of encryption keys;

• regular backup of data;

• irreversible destruction of expired or unnecessary data;

• effective access controls for the information systems; and

• regular penetration testing for Internet facing systems.

It goes without saying that the onus of discharging data security obligations varies, depending on the industry sector, the size and complexity of the particular business, the volume and sensitivity of personal data involved, and so on. In any event, it is imperative for organisations to conduct risk assessment periodically in order to deploy adequate security measures to safeguard personal data held by it.

From our enforcement experience, it occurs to us that businesses and organisations need to particularly pay heed to the following:

(a) While most organisations are alerted of the growing vulnerabilities of data security, as data breach incidents continue to rise and become complex, businesses have the added pressure, if not responsibilities, to keep personal data of their customers secure in order to remain competitive in the trade;

(b) Organisations should be well aware that customers’ personal data is collected from the customers who arguably own it, and businesses undeniably take it as an asset, deriving somewhat benefits out of it. The fact that personal data is less tangible than other personalty (eg bank notes) or realty does not absolve businesses of their failures to keep it safely and to obliterate it when it is no longer necessary for the fulfilment of the purpose for which the data is or is to be used. To give effect to the legal requirements, there is also an expectation of comprehensive, effective and evidenced privacy compliance policies and programmes being put in place, relevant and scalable for the businesses concerned, as well as demonstrable internally and externally. This legitimate expectation comes from both the customers, who are the data subjects, and the regulators; and

(c) The idea of good data stewardship and governance, or accountability has also been incorporated in the new laws and regulations of many jurisdictions, notably the EU GDPR implemented in May 2018. Notwithstanding that similar principle of accountability is yet to be provided for in the law of Hong Kong, businesses in Hong Kong should be well poised to adopt proactive data management as corporate digital values, ethics and responsibilities in this era of data driven economy, translating legal requirements into risk-based, verifiable and enforceable corporate practices and controls, to address regulatory changes worldwide; enable updated business models, digitalisation, globalisation and ensure data protection, sustainability and trust.

All in all, organisations should respect and protect the individual’s personal data privacy right, which is a fundamental human right in Hong Kong, thereby developing a corporate digital responsibility fit for the 21st century with a view to helping cultivate the right privacy culture.


Barrister, Privacy Commissioner for Personal Data, Hong Kong