Hong Kong Issues Guidance on Recommended Data Security Measures - Lexology

2022-10-08 07:53:09 By : Mr. Michael Ma

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks.

On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note).

The Guidance Note was published in light of the “new normal” of hybrid working and learning, which has heightened personal data security risks from the increased digitization of data and use of information and communications technology (ICT). In 2021, the PCPD received a total of 140 personal data breach notifications from organizations, representing a year-on-year increase of 36%, and in the first seven months of 2022 alone, the PCPD received 68 data breach notifications. Common incidents reported included hacking, unauthorized access to personal data by employees, loss of documents or portable devices, and inadvertent disclosure of personal data via email.

In light of this trend, the Guidance Note provides organizations with recommended data security measures for the ICT industry to facilitate compliance with the Personal Data (Privacy) Ordinance (Chapter 486) of Hong Kong (the PDPO), and sets out best practices for organizations to strengthen their data security systems.

This Client Alert provides an overview of the PCPD’s recommended measures and what companies should be aware of to ensure compliance with data security rules.

Data Protection Principle 4 — Data Security

Data Protection Principle 4, which is contained in Schedule 1 to the PDPO, requires a data user to take all reasonably practicable steps to ensure that any personal data that the user holds is protected against unauthorized or accidental access, processing, erasure, loss, or use.

In determining whether all practicable steps have been taken to safeguard the security of personal data in a data user’s control, the PCPD will adopt a holistic approach and take into account various factors, such as the volume, type, and sensitivity of the personal data involved. It will also take into account the potential harm from a data security incident, the physical location of the data stored, the nature and complexity of the ICT used, how robust security measures are, and the state of development of ICT and data security.

PCPD’s Recommendations for Data Security Measures for ICT

The Guidance Note provides specific recommendations for data security measures for ICT in seven areas, whilst acknowledging that a one-size-fits-all approach for managing data security is unfeasible.

The Guidance Note serves as a helpful guideline as to specific measures that organizations should take to reduce personal data security risks and to comply with the requirements under the PDPO. Personal data privacy and data security are closely connected, as personal data privacy will be jeopardized if data security fails and personal data can be accessed by unintended persons. Organizations are encouraged to consult their own data security experts and legal advisers on whether their systems and procedures meet the requirements under the PDPO.

This article is made available by Latham & Watkins for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your receipt of this communication alone creates no attorney client relationship between you and Latham & Watkins. Any content of this article should not be used as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction.

© Copyright 2006 - 2022 Law Business Research