On 9 October 2015, the Privacy Commissioner for Personal Data published a Guidance Note on “Data Breach Handling and the Giving of Breach Notifications“, a revised version of its June 2010 edition.
The Guidance Note gives guidance to data users (the concept of ‘data user’ is similar to the concept of ‘data controller’ under EU law) on how to deal with data breaches. In particular, the Guidance Note provides more of a focus on the relationship between data users and data processors (third parties engaged to process data on behalf of others and not for their own purposes). A data user engaging a data processor must adopt contractual or other means to ensure personal data security.
The Guidance Note advises data users to consider taking the following steps when facing a data breach:
- Identify the breach. A breach is where personal data is exposed to risks of unauthorised/ accidental access, erasure or loss. For example, the loss of USB or hard drives, sending data to the wrong recipients, being hacked, improper disclosures or file-sharing.
- Gather information immediately. Find out how, when, why, where the breach occurred, the extent of data involved, and how many data subjects (individuals) are affected. If necessary, appoint a coordinator to oversee this process. Contain. Take steps to stop the breach and contact interested parties, for example law enforcement agencies, regulators, the Privacy Commissioner, Internet companies, and IT experts. Containment measures may include suspending the relevant systems, changing passwords, stopping access rights and seeking technical assistance. If the breach was caused by a data processor, the data processor must take remedial measures immediately and notify the data user.
- Assess the risk. A data breach may pose threats to personal safety, reputation, financial loss, identity theft, business or employment opportunities. The amount/type of data involved, the frequency of the breach, and the ability to retrieve data before it has been accessed, are all factors that affect the risk to data subjects and the extent of harm.
- Give data breach notifications. Notify affected data subjects and interested parties (mentioned above) as soon as possible, once the situation has been assessed. Where contact information for data subjects is not readily available, a public notification may be required. Depending on individual circumstances, a notification should generally include a description of the breach, the type of personal data involved, and an assessment of the risk of harm. However, a data user should ensure that the method and extent of the notification does not prejudice any investigative work being undertaken or potentially increase the risk of harm to data subjects. A completed “Data Breach Notification Form” should also be submitted to the Privacy Commissioner.
- Review. Finally, a data user should devise a clear strategy to prevent future recurrence of the breach. Consider: improving personal data security, controlling access rights, increasing IT security measures, keeping access logs, appropriate training, and monitoring of employees/agents/ data processors. When deciding to engage a data processor, a data user should carry out due diligence on their data privacy track record and carefully review their contractual terms.
Data users can draw valuable lessons from the Guidance Note. In particular, they should consider whether they have a sound data breach handling policy. Organised, consistent data breach handling not only minimises the damage caused, but also demonstrates a responsible attitude to tackling problems when they occur. In addition, the Guidance Note advises that giving data breach notifications in appropriate cases may also help to reduce the risk of litigation and regain goodwill, business relationships and public confidence.
Eugene Low was interviewed by Nymity on Data Breach Notification in Hong Kong: Why is it important for Companies? To read the interview, click here.
Cathy Yuen, a trainee solicitor in our Hong Kong office, contributed to this post.