On June 30, 2023, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) issued a new Guidance on Data Breach Handling and Data Breach Notifications recommending that organizations formulate a data breach response plan to enable them to respond to data breach incidents.
The new Guidance provides recommendations regarding data breach handling and data breach notifications to those individuals or entities that collect and/or handle personal information in or from Hong Kong.
On June 30, 2023, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) issued a new Guidance on Data Breach Handling and Data Breach Notifications (“Guidance”) in response to an increasing number of data breach incidents in Hong Kong.
The new Guidance defines “data breach” as “a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data of data subject(s) to the risk of unauthorized or accidental access, processing, erasure, loss or use.” It lists the following examples: loss of personal data stored on devices; improper handling of personal data; a database containing personal data that is hacked or accessed by outsiders without authorization; disclosure of personal data to a third party who obtained the data by deception; and leakage of data caused by the installation of file-sharing software on a computer.
The new Guidance recommends that organizations formulate a data breach response plan to enable them to respond to data breach incidents. The response plan should include a description of what constitutes a data breach, an internal incident notification procedure, breach response team, contact list, risk assessment workflow, containment strategy, communication plan, investigation procedure, record-keeping policy, post-incident review mechanism, and training or drill plan.
The new Guidance recommends the following step-by-step guide to assist organizations in handling a data breach:
Step 1: Immediate gathering of essential information
Step 2: Containing the data breach
Step 3: Assessing the risk of harm
Step 4: Considering giving data breach notifications
Step 5: Documenting the breach
While it is not a statutory requirement for organizations or other data users to inform the PCPD about a data breach incident, data users who choose to do so are advised to use the Data Breach Notification Form when reporting a data breach to the PCPD. The notification should be made as soon as practicable after becoming aware of the incident.
In sum, the new Guidance provides recommendations regarding data breach handling and data breach notifications that will be useful to those individuals or entities that collect and/or handle personal information in or from Hong Kong. At present, the recommendations in the new Guidance are non-binding; however, the PCPD periodically conducts investigations of data breaches and may issue enforcement notices to data users that fail to protect the security of data subjects’ personal data. For those U.S. universities that collect and/or handle personal information in or from Hong Kong, it is important to have a data breach response plan that outlines the procedures to follow in the event of a data breach, along with an effective data breach handling policy. While the failure to report data breaches to the PCPD or to affected data subjects is currently not an offense, the PCPD has announced plans to revise Hong Kong’s data privacy law, the Personal Data (Privacy) Ordinance. According to the PCPD, such revisions will include establishing a mandatory notification mechanism.