Data protection principle 4 (“DPP 4”) of the Personal Data (Privacy) Ordinance stipulates that data users are required to take all practical steps to ensure that personal data held by them is protected against unauthorised or accidental access, processing, erasure or use. 

However, the fact that a system has been hacked does not automatically mean that a data user is in breach of DPP 4. Whether or not a data user is in breach depends on the security and safeguarding measures the data user had in place and whether those measures were reasonably sufficient, taking into account the type of personal data concerned and the harm that could result from a data breach. If the Privacy Commissioner considers such measures to have been sufficient, the relevant data user may not be found to be in breach of DPP 4.

According to the “Guidance on Data Breach Handling and the Giving of Breach Notifications” issued by the Privacy Commissioner, a data user is encouraged to report a data breach to the Privacy Commissioner by filing a formal notification at nt/data_breach_notification/dbn.html. Please note, however, that self-reporting of a data breach is not a mandatory legal obligation. In some cases, a report may trigger an investigation by the Commissioner into the matter for a suspected breach of DPP 4.

A breach of the data protection principles is not in itself an offence. Upon a finding of breach, the Privacy Commissioner is empowered under law to issue an enforcement notice and/or disclose the investigation report to the public. A data user should therefore decide whether to report a data breach taking into account the seriousness of the matter, the potential reputational damage and the possible legal consequences.