Data Privacy Focus Monday: Data Protection Principles (4) and (5) – Data Security and Openness

Data Privacy Focus Monday: Data Protection Principles (4) and (5) – Data Security and Openness

Data Privacy Focus Monday: Data Protection Principles (4) and (5) – Data Security and Openness 800 533 Hugill & Ip
Reading Time: 3 minutes
DPP4 – Security of data processing
  • Appropriate Security Measures

We have generally talked about the principles in relation to holding of personal data governed under the Ordinance in the previous article, including accuracy and retention.   Another area of public concern is the security of data processing, in particular data leakage these days can lead to horrible nightmares, including attacks via phishing, ransomware.  Data loss not only will cause serious disruption to daily business operation, but also make company properties vanish in a split second.

Data Protection Principle 4 (“DPP4”) requires data users to take all practicable steps to ensure that any personal data held is protected against unauthorized or accidental access, processing, erasure, loss or use, having regard to the kind of data and the harm that could result; physical location of the data stored; any security measures incorporated; any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and any measures taken for ensuring the secure transmission.   Similar to the new amendments introduced to DPP1 in respect of engagement of data processor, under DPP4, data users must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of data transferred to data processor for processing.

Seemingly, it is not entirely clear from the wordings on the level of security measures required for compliance of DPP4.   Nonetheless, when reading the case notes prepared by the Commissioner’s office on complaints in relation to DPP4, one may notice that everything just goes back to the standard of reasonableness.   In one recent case note of a complaint lodged in 2017, a law firm, acting on behalf of the complainant’s husband, sent a letter regarding the complainant’s divorce, which was underway, to a general email address of her workplace.  It was the Commissioner’s finding that the law firm had failed to ascertain in advance if the complainant personally checked the emails received via that office email address, or send the letter encrypted.   By failing to ensure that the complainant would be the only one who could access the documents with personal data and sensitive information before delivery, the law firm has contravened DPP4.

  • Data Breaches

The Ordinance does not punish data users for data leakage.  Instead, in the event of data breach incident, the Commissioner will examine whether the data users have carried out their own due diligence exercise to ensure that they have identified potential risks and take appropriate security measures to minimize such risks.     In January 2019, the Commissioner issued a Guidance on Data Breach Handling and the Giving of Breach Notifications to assist data users in handling data breaches and to mitigate loss and damage caused to data subjects.

A Data Breach Incident Response Plan is the most valuable asset to have when a company comes across data breach and cyber attack incidents.  In brief, the plan should cover the following four broad aspects: communication, analysis, containment, post-incident review.

Our data protection team is more than happy to work with you on building a response plan for your business and guiding you throughout the implementation stage (including day to day administration).

DPP5 – Openness

A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

Data Protection Principle 5 (“DPP 5”) does not require the policies and practices be presented in written format.  The Commissioner considers that having a written statement, which is commonly known as a Privacy Policy Statement, being made generally available in an easily accessible manner, is a matter of good practice.

In addition to the specific types of information stated under DPP5, the Commissioner recommends data users to include the following information:

  1. Retention and erasure policy
  2. Security measures adopted
  3. Policy in handling data access request and data correction request: this will be further discussed in our next article.
Our take

Given the increasing awareness on the need for data privacy protection in the modern world, businesses that can demonstrate to their customers they can manage their personal data responsibly and securely are capable of building and maintaining trust with their clients.  Sustainable business relationships can flourish when data flow is being handled in safe manner.

For more information on data privacy, please contact us.

This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.

Privacy Preferences

When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

For performance and security reasons we use Cloudflare
Google Analytics tracking code disabled/enabled
Google Fonts disabled/enabled
Google Maps disabled/enabled
video embeds (e.g. YouTube) disabled/enabled
View our Privacy Policy
We don't eat shark fin but our website does use cookies, mainly for analytics and provision of content from other websites. Define your Privacy Preferences and agree to our use of cookies. Privacy Policy