Cyber risk has emerged as a pressing and material issue of concern for many governments and organisations around the globe. In Hong Kong, cyber risk is addressed most commonly in the context of personal data protection. Corporate data privacy accountability, in particular, has been under the spotlight.
Recently, in a bid to meet the ever-increasing public expectations in relation to personal data privacy protection, the Hong Kong Privacy Commissioner for Personal Data (the Commissioner) introduced a new Privacy Management Programme (the PMP) in February 2014. The PMP aims to take privacy and data protection further through the introduction of an accountability framework in both the public and private sectors. Through the new programme, organisations are now encouraged not only to comply with the legal requirements but also to proactively embrace privacy and data protection as part of their corporate governance responsibilities.
Currently, punitive legal and regulatory measures and guidelines are in place in Hong Kong to encourage proper gathering, use, transfer and/or storage of personal information. The primary piece of legislation governing the collection and use of personal data is the Personal Data (Privacy) Ordinance (Cap.486) (PDPO). The PDPO sets out six fundamental Data Protection Principles (the DPPs), governing the collection, retention and use of personal data, as well as security requirements and transparency towards data subjects. The PDPO is overseen by the Commissioner and must be strictly observed by all data users. Non-compliance with the DPPs may constitute an offence under the PDPO.
The privacy management programmes
Following several high-profile cases relating to the improper use, collection and transfer of customers’ personal data to third parties, the Commissioner is now advocating a different approach to personal data protection in what is described as “a strategic shift from compliance to accountability”. This is an active response to the past regulatory experience where privacy and data protection were poorly managed with minimal involvement from the top management. The Commissioner strongly encourages preventative rather than remedial efforts.
On 18 February 2014, the Commissioner released the Privacy Management Programme: A Best Practice Guide (the Guide), which provides organisations with insight and guidance on ways to develop their personal data protection framework. The Guide is comprehensive and provides recommendations for corporations to promote the proper handling of personal data. The recommendations mainly address two aspects. The first aspect relates to the governance structure of a corporation. It covers the engagement of the top management to oversee the PMP and the appointment of a data protection officer. The second aspect relates to the internal controls of a corporation. It covers the development of internal policies, risk assessment tools, training programmes and breach handling processes.
The introduction of the PMP coincided with the growing concern over the protection of sensitive and personal data.
Security experts have suggested that many businesses in Hong Kong are ill-prepared against cyber attacks.
A recent study by the government-backed Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) suggests that, owing to increasing security threats, organisations should pay greater attention to cyber protection. The focus is placed, in particular, on the four sectors (government and public bodies, banking, telecommunications and insurance) that regularly collect, use and store personal information of the general public.
The ultimate aim of the introduction of the PMP is to raise the standard and awareness of privacy protection in organisations through an accountability framework. To date, all bureaux and departments of the Hong Kong government, together with 25 companies from the insurance sector (including ACE, AIA, AXA and QBE), nine companies from the telecommunications sector and five organisations from other sectors have pledged to implement the PMP. The Hong Kong Association of Banks has also expressed its support for a voluntary PMP framework.
Although cyber losses may be monitored and/or mitigated through appropriate risk management or insurance policies that provide adequate cover for cyber risks, a sound internal accountability and compliance system for personal data protection can greatly reduce the risk of cyber attacks and of wrongful disclosure of personal data and sensitive information to third parties.
Although the PMP is still at an early stage, with the active participation of organisations across multiple industries, we anticipate it will become a prominent feature in the field of corporate data privacy protection.