Security breaches of personal data in Hong Kong

01 February 2007

Marcus Vass, Sarah Fairweather, Anju Malik

The security of personal data in Hong Kong is governed by the Hong Kong Personal Data (Privacy) Ordinance (Cap 482) ("PDPO"), the primary purpose of which is to protect the privacy of living individuals in relation to their personal data. The PDPO requires data users (a term which in the EU would cover data controllers) to safeguard the security of personal data, but does not impose any obligation on data users to notify either the Hong Kong Privacy Commissioner or data subjects of any security breaches that occur. This article sets out the security obligations of data users in Hong Kong and highlights some recent investigations by the Hong Kong Privacy Commissioner into security breaches.

Current position under Hong Kong law

Principle 4 of the PDPO states that a data user shall take all reasonably practicable steps to ensure that personal data held by it is protected against unauthorised or accidental access, processing, erasure or other use.

The PDPO requires a data user to put in place security safeguards to protect personal data in its possession. The degree of security protection should reflect the sensitivity of the data and the seriousness of the potential harm that may result from a security breach. According to the Privacy Commissioner's Office, serious consideration must be given to the necessity of posting personal information or data on the internet at all. As a result, the security measures which should be applied to protect such data also require serious consideration.

Personal data on the internet

Transmission of personal data on the internet is particularly susceptible to security risks. Organisations should apply a "harm test" to data collected or transmitted over the internet in order to assess the appropriate level of security measures. For example, where the information collected is sensitive personal data such as detailed resumes, credit card or bank account information, a more stringent level of security would be required than in the case of obtaining names or office addresses.

A practical measure that may be taken is the use of encryption to protect data transmitted via the internet. Where unencrypted data is used, data users are advised to take practicable steps to ensure that any sensitive personal data is not vulnerable to security breaches. For example, an organisation may provide a privacy warning message to alert users to the risks of transmitting their own personal data over the internet. This is especially relevant to organisations that own and operate their own web servers.

Where an ISP does not collect, hold, process or use the data for any of its own purposes, the PDPO does not impose any duties on it in respect of the security of that transmission. However, if it becomes a data user in relation to the personal data that it is transmitting on behalf of its customers, then it will be required to comply with the data protection principles.

As noted above, the PDPO does not impose any statutory obligation on data users to notify the Privacy Commissioner's Office or data subjects of any instances of security breaches.

Examples of security breaches

The Hong Kong Privacy Commissioner's Office was recently asked to look into a security incident whereby the Leisure and Culture Services Department ("LCSD") leaked personal data. The leak arose when personal data of individuals participating in a slogan competition with the LCSD became accessible via the Google search engine. The data was subsequently removed from the internet.

The Privacy Commissioner's Office sought and obtained an explanation from the LCSD as to the data disclosure and discussed with the LCSD the underlying reasons for the leakage and what measures would be required to prevent data leaks in the future. The Privacy Commissioner's Office is expected to continue its enquiries into the matter and provide direction and guidance to the LCSD with respect to improving their procedures and practices for handling personal data.

The Privacy Commissioner has also recently released its report on its investigation into the release onto the internet of personal data relating to individuals who had filed complaints against the police. Personal data held by the Independent Police Complaints Council ("IPCC") relating to approximately 20,000 people who had filed complaints against the police had been made public on the internet.

The Privacy Commissioner found that the IPCC had contravened Principle 4 of the PDPO and that the IPCC had failed to:

  • consider the necessity of releasing the data to the outsourced IT contractor or to prevent the data from being released;

  • take precautionary measures to safeguard the data that had been released to the outsourced contractor; and

  • take steps to ensure the suitability and competence of persons having access to the data, which resulted in the security breach.

The Privacy Commissioner issued an Enforcement Notice to the IPCC directing it to:

  • devise a policy and practical guidelines for the proper handling and protection of the complaint data when dealing with an outsourced contractor or agent;

  • implement effective measures to ensure compliance by its staff with those policies and guidelines; and

  • review the existing outsourcing contracts and endeavour to incorporate terms in its contracts to protect the complaint data handed to them by the IPCC.

In an effort to prevent any recurrence of similar incidents, the Privacy Commissioner, in conjunction with the Information Systems Audit and Control Association (HK Chapter) ("ISACA"), Internet Professional Association ("iProA") and the Hong Kong Institute of Engineers, has launched the "Information Security Enhancement Campaign", along with guidelines for IT Practitioners on handling personal data.

The guidelines outline the procedures to be followed where personal data collected by a data user is accessed or processed by an IT contractor. "Organisations must now determine what constitutes adequate security in the context of where their electronic business is conducted and who is accessing their services, instead of where the computer system is physically located…" (Susanna Chan, President and Director of ISACA (HK Chapter)).