On 30 August 2022, the Privacy Commissioner for Personal Data (PCPD) issued the "Guidance Note on Data Security Measures for Information and Communications Technology" (the "ICT Guidance") to provide data users with recommended data security measures for ICT, facilitating compliance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO).
Summary
Pursuant to Data Protection Principle 4 of the PDPO, data users in Hong Kong should take all practicable steps to ensure that any personal data they hold is protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to a number of factors such as the kind of data held, the physical storage location, the security measures adopted in the storage medium, and the security measures taken in transmission and access. Data security is one of the key obligations of data users and is integral to a number of other data protection principles under the PDPO.
In the light of the increase in cybersecurity incidents, the ICT Guidance provides data users with recommended data security measures to prevent malicious attacks on their information systems and ensure compliance with the requirements under the PDPO.
The ICT Guidance provides recommendations on data security measures in the following seven (7) areas, supplemented by case studies:
Data Governance and Organisational Measures
Data users are recommended to establish clear internal policies and procedures on data governance and data security, covering the following areas:
Respective roles and responsibilities of staff in maintaining the information and communications systems and safeguarding data security;
Data security risk assessments;
Accessing data in and exporting data from the information and communications systems;
Outsourcing of data processing and data security work;
Handling data security incidents, including an incident response plan and a reporting mechanism; and
Destruction of data that is no longer necessary for the original purposes of collection or related purposes.
While international best practices and standards (e.g. the ISO/IEC 27000 family of Information Security Management Systems standards) may be adopted, the ICT Guidance emphasises that the adequacy of security measures will depend on the circumstances of each case. A data user should review and revise its internal data security policies and procedures to keep up with new industry standards and to address new threats to data security, as well as appoint suitable personnel and conduct sufficient training to ensure ongoing compliance.
Risk Assessments on data security for new systems and applications
Consistent with the PCPD's approach to data protection compliance, data users are recommended to conduct risk assessments on data security for new systems and applications before launch, and periodically thereafter in accordance with their data security policies and procedures. The risk assessments should consider factors including the sensitivity of the data processed by the new systems and applications, as well as the potential harm arising from leakage of, or unauthorised access to, such data. The ultimate objective is to ensure that security risks are addressed before new systems and applications commence the collection and processing of personal data.
Technical and Operational Security Measures
The ICT Guidance sets out a non-exhaustive list of technical and organisational measures that a data user may consider putting in place to ensure data security, including:
Measures to secure computer networks;
Database management;
Access control measures;
Adoption of firewalls and anti-malware;
Protecting online applications;
Encryption measures in relation to data such as tokenisation and hashing;
Security measures relating to emails and file transfers;
Backup, destruction and anonymisation.
Data Processor Management
Data processors that solely process personal data on behalf of data users, and do not process personal data for their own purposes, are not directly regulated under the PDPO. Accordingly, the ICT Guidance provides some practical guidance on how data users may adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of data transferred to data processors for processing.
Remedial actions in the event of Data Security Incidents
Although the PDPO does not currently contain mandatory data breach reporting obligations, data users are recommended to take timely and effective remedial actions after a data security incident occurs, in order to reduce the risk of unauthorised or accidental access, processing or use of personal data. The ICT Guidance sets out some common remedial actions, including changing system configurations, changing passwords, revoking users' access rights, notifying affected individuals and notifying the PCPD. In essence, it is recommended that data users follow the PCPD's Guidance on Data Breach Handling and Giving of Breach Notifications.
Monitoring, evaluating and improving compliance with data security policies
The ICT Guidance suggests that a data user may commission an independent task force, such as an internal or external audit team, to periodically monitor compliance with the data security policy and evaluate the effectiveness of its data security measures.
Other recommended data security measures for cloud services, "Bring Your Own Devices" and portable storage devices
With the wide adoption of cloud technologies, BYOD and portable storage devices, the ICT Guidance also provides specific recommendations on data security measures for such scenarios, for example, setting up strong access control and authentication procedures for a cloud-based environment and reviewing the security features offered by the cloud provider in order to apply the appropriate ones.
How could it be relevant for you?
Although compliance with the ICT Guidance is not mandatory, data users in Hong Kong are advised to refer to the ICT Guidance for practical guidance, and to work with data security experts and legal advisers to ensure that the relevant data security requirements under the PDPO are met. Further, in the face of rapid developments in the digital economy, IT consultants and advisers are encouraged to refer to the ICT Guidance for insights and recommendations on how to assist data users in Hong Kong in complying with their data security obligations under the PDPO.
Next steps
The data security measures set out in the ICT Guidance are for general reference, to assist data users in ensuring data security throughout the data processing and data management life cycle. They give data users practical insight into the technical and organisational measures that the PCPD considers appropriate and relevant.