The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks.

By Kieran Donovan and Malika Sajdik

On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note).

The Guidance Note was published in light of the “new normal” of hybrid working and learning, which has heightened personal data security risks from the increased digitization of data and use of information and communications technology (ICT). In 2021, the PCPD received a total of 140 personal data breach notifications from organizations, representing a year-on-year increase of 36%, and in the first seven months of 2022 alone, the PCPD received 68 data breach notifications. Common incidents reported included hacking, unauthorized access to personal data by employees, loss of documents or portable devices, and inadvertent disclosure of personal data via email.

In light of this trend, the Guidance Note provides organizations with recommended data security measures for the ICT industry to facilitate compliance with the Personal Data (Privacy) Ordinance (Chapter 486) of Hong Kong (the PDPO), and sets out best practices for organizations to strengthen their data security systems.

This Client Alert provides an overview of the PCPD’s recommended measures and what companies should be aware of to ensure compliance with data security rules.

Data Protection Principle 4 — Data Security

Data Protection Principle 4 which is contained in Schedule 1 to the PDPO, requires a data user to take all reasonably practicable steps to ensure that any personal data that the user holds is protected against unauthorized or accidental access, processing, erasure, loss, or use.

In determining whether all practicable steps have been taken to safeguard the security of personal data in a data user’s control, the PCPD will adopt a holistic approach and take into account various factors, such as the volume, type, and sensitivity of the personal data involved. It will also take into account the potential harm from a data security incident, the physical location of the data stored, the nature and complexity of the ICT used, how robust security measures are, and the state of development of ICT and data security.

PCPD’s Recommendations for Data Security Measures for ICT

The Guidance Note provides specific recommendations for data security measures for ICT in seven areas, whilst acknowledging that a one-size-fits-all approach for managing data security is unfeasible.

  1. Data Governance and Organizational Measures: Organizations should establish clear internal policies and procedures on data governance and data security. Such policies should cover, among other things, the staff roles and responsibilities in safeguarding data security, data security risk assessments, outsourcing of data processing and security work, handling data security incidents (including an incident response plan and reporting mechanism), and destruction of unnecessary data. The Guidance Note also recommends appointing suitable personnel in leadership positions relating to personal data security (e.g., a chief information officer and a chief privacy officer), and to train staff on data security.
  2. Risk Assessments: Organizations are advised to conduct risk assessments on data security for new systems and applications both before and after launch on a periodic basis. An inventory of the personal data controlled by data users should be kept, and the nature of such data and potential harm from leakage should be assessed. In particular, data users should ensure that robust protections are afforded to “sensitive data”, which generally refers to genetic data, biometric data, or data revealing racial or ethnic origin, political leanings, health status, sex life, or sexual orientation.
  3. Technical and Operational Security Measures: A data user should implement adequate and effective security measures to safeguard information and communications systems and personal data in its control or possession. These measures include adopting safe access control measures, implementing firewalls and anti-malware, protecting online applications, encrypting data, backing up systems, and destroying or anonymizing unnecessary or expired personal data in a timely manner.
  4. Data Processor Management: Data processors, such as cloud and data analytics service providers, are commonly engaged to process personal data. The Guidance Note recommends that before and when engaging data processors, data users should assess the competency and reliability of data processors, ensure only necessary personal data is transferred, stipulate security measures to be taken by the data processor in the data processing contract (DPC), require notification of all data security incidents, and conduct field audits to ensure compliance with the DPC.
  5. Data Security Incidents: When data security accidents occur, the organization can take timely and effective remedial actions to reduce the gravity of harm to data subjects. Common remedial actions include immediately stopping the affected information and communications systems and disconnecting them from the internet and other systems, immediately ceasing access rights of persons who may have caused the incident, changing system configurations to control access to the affected systems, promptly notifying affected individuals and law enforcement agencies, fixing the security weakness in a timely manner, and scanning systems for other unknown security vulnerabilities.
  6. Monitoring, Evaluation, and Improvement: An organization may commission an independent task force (e.g., an internal or external audit team) to periodically monitor its compliance with its data security policy and evaluate the effectiveness of its data security measures. Non-compliant practices and ineffective measures should be corrected through appropriate improvement actions.
  7. Other Considerations: As remote working becomes increasingly prevalent, the Guidance Note highlights three additional considerations: cloud services, bring your own device (BYOD), and portable storage devices (PSDs).
    • Cloud services: To ensure the security of the cloud-based environment and personal data, data users should assess the capability of cloud service providers, set up strong access control and authentication procedures, and review the available cloud-based security features.
    • BYOD: Administrative and technical measures should be established to ensure personal data is protected, and this protection should be enforced through written policies and training. Possible security measures that can be adopted include preventing storage of personal data in BYOD equipment if possible, implementing access control to personal data stored in BYOD equipment, encrypting personal data stored in BYOD equipment, and installing appropriate software on BYOD equipment that allows for remote erasure of data.
    • PSDs: Organizations should avoid using PSDs — such as portable hard disks, USB flash drives, and SD cards — to store personal data if possible. If such storage is necessary, organizations should set out the permitted use of PSDs in a policy, use end-point security software, keep inventory and tracking of PSDs, and erase data in PSDs after use.

Conclusion

The Guidance Note serves as a helpful guideline as to specific measures that organizations should take to reduce personal data security risks and to comply with the requirements under the PDPO. Personal data privacy and data security are closely connected, as personal data privacy will be jeopardized if data security fails and personal data can be accessed by unintended persons. Organizations are encouraged to consult their own data security experts and legal advisers on whether their systems and procedures meet the requirements under the PDPO.

This post was prepared with the assistance of Michelle Wong in the Hong Kong office of Latham & Watkins.