DPP4 – Security of data processing
- Appropriate Security Measures
In the previous article we discussed the principles governing the holding of personal data under the Ordinance, including accuracy and retention. Another area of public concern is the security of data processing: data leakage today can lead to serious consequences, including phishing attacks and ransomware. Data loss not only causes serious disruption to daily business operations but can also make company assets vanish in a split second.
Data Protection Principle 4 (“DPP4”) requires data users to take all practicable steps to ensure that any personal data held is protected against unauthorized or accidental access, processing, erasure, loss or use, having regard to the kind of data and the harm that could result; the physical location where the data is stored; any security measures incorporated; any measures taken to ensure the integrity, prudence and competence of persons having access to the data; and any measures taken to ensure the secure transmission of the data. Similar to the new amendments introduced to DPP1 in respect of the engagement of data processors, under DPP4 data users must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of data transferred to a data processor for processing.
On its face, the wording does not make entirely clear what level of security measures is required for compliance with DPP4. Nonetheless, when reading the case notes prepared by the Commissioner’s office on complaints relating to DPP4, one notices that everything comes back to the standard of reasonableness. In one recent case note concerning a complaint lodged in 2017, a law firm, acting on behalf of the complainant’s husband, sent a letter regarding the complainant’s ongoing divorce to a general email address at her workplace. The Commissioner found that the law firm had failed to ascertain in advance whether the complainant personally checked the emails received at that office email address, or to send the letter in encrypted form. By failing to ensure, before delivery, that the complainant would be the only person able to access documents containing her personal data and sensitive information, the law firm had contravened DPP4.
- Data Breaches
The Ordinance does not punish data users for data leakage as such. Instead, in the event of a data breach incident, the Commissioner will examine whether the data user carried out its own due diligence to identify potential risks and took appropriate security measures to minimize those risks. In January 2019, the Commissioner issued a Guidance on Data Breach Handling and the Giving of Breach Notifications to assist data users in handling data breaches and in mitigating the loss and damage caused to data subjects.
A Data Breach Incident Response Plan is the most valuable asset a company can have when it faces a data breach or cyber attack. In brief, the plan should cover the following four broad aspects: communication, analysis, containment and post-incident review.
Our data protection team is more than happy to work with you on building a response plan for your business and to guide you throughout the implementation stage (including day-to-day administration).
DPP5 – Openness
A data user must take all practicable steps to make its personal data policies and practices known to the public, including the types of personal data it holds and how the data is used.
In addition to the specific types of information required under DPP5, the Commissioner recommends that data users also include the following information:
- Retention and erasure policy
- Security measures adopted
- Policy for handling data access requests and data correction requests: this will be discussed further in our next article.
Given the increasing awareness of the need for data privacy protection in the modern world, businesses that can demonstrate to their customers that they manage personal data responsibly and securely are able to build and maintain trust with their clients. Sustainable business relationships can flourish when data flows are handled in a safe manner.
For more information on data privacy, please contact us.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.