
Hong Kong: Key takeaways from the guidance on data security measures for ICT

On 9 February 2023, the Privacy Commissioner for Personal Data ('PCPD') published a Guidance Note on Data Security Measures for Information and Communications Technology ('the Guidance') to provide data users with practicable recommendations on data security measures and to help them comply with the relevant requirements.

Dominic Wai, Partner at ONC Lawyers, analyses the Guidance and provides an overview of its main recommendations, practical strategies, and best practices.


Background

Data breach incidents continue to be a serious problem and threat to businesses and people in Hong Kong in 2023. The PCPD reported that in 2019 and 2020 its office handled reported data breaches of which around a quarter involved cyberattack incidents, including ransomware attacks. The percentage increased 29% in 2022, and over 600,000 Hong Kong citizens were affected in various cybersecurity incidents.

Based on the reported incidents, the PCPD noted that phishing and unpatched vulnerabilities are the two most common causes of data breaches. For data breaches that involve personal data, the PCPD has a statutory duty to ensure that data users abide by the Data Protection Principles ('DPPs') set out in the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021 ('PDPO'). DPP4 imposes a positive duty on data users to safeguard the security of personal data by taking all practicable steps with respect to data security measures.

Overview of the Guidance

The Guidance provides data users with recommended data security measures for ICT.

The Guidance sets out seven key recommendations:

  • data governance and organisational measures;
  • risk assessments;
  • technical and operational security measures;
  • data processor management;
  • remedial actions in the event of data security incidents;
  • monitoring, evaluation, and improvement; and
  • other considerations, including cloud services, bring your own devices ('BYOD'), and portable storage devices ('PSDs').

The PCPD is mindful that the requirements of each data user in protecting the personal data it holds vary, and it does not seek to provide a 'one-size-fits-all' approach. Instead, it aims to set out a framework of general application covering organisational and management commitment, data security, and the handling of data breaches.

The key recommendations

Data governance and organisational measures

The PCPD suggests that a data user (including corporations) should have clear internal policies and procedures on data governance and data security covering the following areas:

  • roles and responsibilities of staff;
  • data security risk assessments;
  • accessing data in, and exporting data from, systems;
  • outsourcing of data processing and data security;
  • handling data security incidents; and
  • destruction of data.

A data user should review and revise its policies and procedures on data governance and data security periodically and in a timely manner based on the prevailing circumstances, such as new industry standards and new threats to data security.

Workforce

Suitable personnel in a leadership role should be appointed (e.g. a Chief Information Officer or Chief Privacy Officer) to bear specific responsibility for data security. There should be guidelines setting out:

  • the life cycle of the personal data handled by the data user, from its collection to its destruction;
  • roles and responsibilities of relevant staff;
  • lines of authority for decision-making; and
  • accountability and power of oversight concerning access and transfer of personal data.

Proportionate staff allocation

The number, seniority, and technical competence of the staff members allocated for data security should be proportional to the nature, scale, and complexity of the relevant functions and the data processing activities, as well as data security risks.

Training

Training should be provided to all staff when they join and at regular intervals covering the following (not exhaustive):

  • password management;
  • encryption software;
  • portable storage and remote access;
  • data sanitisation;
  • fraud risks;
  • use of approved software; and
  • use of social media and internet.

Risk assessments

Conduct risk assessments on data security for new systems and applications before launch. If necessary (e.g. small and medium-sized enterprises ('SMEs') that do not have the workforce or expertise), engage third-party specialists to conduct the risk assessments.

Report results of risk assessments to senior management regularly.

If security risks have been identified, act promptly to address such risks.

Technical and operational security measures

Based on the risk assessment results, a data user should put in place adequate and effective security measures to protect the systems and data. The following technical and operational measures (not exhaustive) should be considered:

  • securing computer networks:
    • physical access controls;
  • database management:
    • separation of servers that hold data; and
    • dataset partitioning;
  • access control:
    • adopting the 'least privilege' principle to grant as few access rights as possible to complete a task and assign users to appropriate roles;
  • firewalls and anti-malware;
  • protecting online applications:
    • ensuring that no unnecessary personal data is stored online;
  • encryption:
    • data in transit and storage;
    • in mobile devices and PSDs; and
    • effective management and protection of the encryption keys;
  • emails and file transfers:
    • email and spam filters; and
    • tools to prevent accidental disclosure of data through email; and
  • backup, destruction, and anonymisation.

Data processor management

If personal data is outsourced to third parties (including cloud services) for processing, the data user remains responsible under the PDPO for complying with DPP4 and may incur liability if the breach of the DPPs or the PDPO is committed by the third-party processor.

A data user may consider taking the following actions (not exhaustive) before and when engaging a data processor:

  • implementing a policy and procedures to ensure that only competent and reliable data processors will be engaged (conduct due diligence on the data processor);
  • conducting assessment to ensure that only necessary personal data is transferred to the data processor;
  • clearly stipulating the security measures required to be taken by the data processor in the data processing contract;
  • requiring the data processor to immediately notify all data security incidents; and
  • conducting field audits to ensure compliance with the data processing contract by the data processor and imposing consequences for breach of contract.

Remedial actions in the event of data security incidents

Pursuant to DPP4, the PCPD considers that the data user has a duty to take timely and effective remedial actions after the occurrence of a data security incident to reduce the gravity of the harm that may be caused to the data subjects.

The PCPD suggests some remedial actions for data users to consider taking in the event of a data security incident:

  • where practicable, immediately shutting down the affected information and communications systems and disconnecting them from the internet and from the data user's other systems;
  • immediately changing the passwords or ceasing the access rights of the users suspected to have caused or contributed to the data security incident;
  • immediately changing system configurations in order to control access to the affected information and communications systems;
  • notifying the affected individuals without undue delay and providing them with suggestions on possible actions for self-protection;
  • notifying the PCPD and other law enforcement agencies or regulators, where applicable, without undue delay;
  • fixing the security weaknesses in a timely manner; and
  • where practicable, and to the extent that it does not affect future forensics analysis, scanning the information and communications systems for any other unknown security vulnerabilities.

Monitoring, evaluation, and improvement

The PCPD suggests that a data user may commission an independent task force, such as an internal or external audit team, to monitor compliance with the data security policy and practices. Improvement actions, including training, should be taken for any non-compliant practices or ineffective measures.

Other considerations: cloud services, BYOD, and PSDs

For cloud services, the PCPD suggests that data users should take the following measures:

  • assessing the capability of cloud service providers, and seeking formal assurance from the providers on the security controls of the cloud-based environment;
  • setting up strong access control and authentication procedures for the cloud-based environment, such as strong password policies, multi-factor authentication, proper documentation, and regular review of access rights; and
  • reviewing the cloud-based security features available and applying the features as appropriate, instead of merely relying on default security settings.

For BYOD, the PCPD proposes that data users may deploy the following measures and policies:

  • preventing data user-collected personal data from being stored in BYOD equipment, where possible;
  • controlling access to personal data stored in BYOD equipment (e.g. requiring a separate log-in in addition to the screen locks of employees' smartphones);
  • encrypting personal data stored in BYOD equipment by using an encryption method that is not built-in for the BYOD equipment; and
  • installing appropriate software on BYOD equipment that will allow remote erasure of data stored within the equipment, in case the BYOD equipment is lost or stolen.

For PSDs, such as hard drives or USB flash drives, the PCPD suggests that data users may implement the following measures:

  • establishing a policy to set out:
    • the circumstances under which PSDs may be used;
    • the types and amount of personal data that may be transferred to PSDs;
    • the approval process for the use of PSDs; and
    • the encryption requirements for the data transferred to PSDs;
  • using end-point security software to prevent the transfer of data from the data user's information and communications systems to insecure (e.g. without encryption function) or unauthorised PSDs;
  • keeping inventory of PSDs and tracking their uses and whereabouts; and
  • erasing data in PSDs securely (data sanitisation) after each use.

Practical strategies and best practices

The Guidance is not law, and failure to follow its recommendations does not in itself constitute a breach of a DPP or the PDPO. However, in the event of an investigation into a data breach or complaint, the PCPD and its officers may assess compliance with the PDPO against the recommendations in the Guidance. It is therefore advisable for data users, including corporations, to follow the recommendations of the Guidance so that they can demonstrate compliance with the DPPs if an investigation or complaint arises.

Each data user/company differs in size, in the nature of its business (regulated or not), and in the data it collects, uses, and processes. It is therefore important for each data user/company to assess what data it holds, assess the risks of a data breach incident, and consider how best to address those risks and needs. In terms of technical standards and best practices, the PCPD recommends that data users refer to the standards and best practices set by reputable organisations, such as the International Organization for Standardization's ('ISO') ISO/IEC 27000 family of standards on information security management systems, as well as guidance or recommended practices issued by other jurisdictions, such as China's Information Security Technology - Personal Information Security Specification (GB/T 35273-2020), which sets out technical standards on data security measures at the various stages of the data life cycle.

Apart from the technical and technological aspects, the human side is also important and often the most vulnerable, given the threats from phishing and spam emails. It is therefore important to provide proper training to all new staff and to refresh it regularly for existing staff on the relevant data security policies and procedures. System monitoring and penetration testing would also help ensure that staff and users follow the policies and procedures when communicating via emails and messages and when handling hyperlinks and data. Management support and top-down commitment to data security are also essential.

The Guidance provides clear recommendations to help data users strengthen their data security measures and responses and comply with the requirements of the PDPO. With ever-changing threats, data users need to constantly assess their risks and update their existing data security measures to ensure that they remain adequately protected.

Dominic Wai, Partner
ONC Lawyers, Hong Kong