Practice Note: Data Breach Incident Response Planning
Updated: Sep 8, 2019
What is a data breach incident?
According to Guidance on Data Breach Handling and the Giving of Breach Notifications (the “Guidance Note”) revised by the Privacy Commissioner for Personal Data (“PCPD”) in January 2019, a data breach is a suspected or actual breach of data security of personal data held by a data user, and exposes the risk of unauthorized or accidental access, processing, erasure, loss or use. 
For example, one of the most common types of data breach is the loss of personal data kept in storage of laptop computers or portable hard drives. Most recently, the PCPD published an Investigation Report on the Loss of a Marked Final Register of Electors, dated 29 August 2019, where the PCPD issued an Enforcement Notice under s.50(2) of the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”) against the HKSAR’s Registration and Electoral Office, for the loss of marked final register of electors used in the 2016 LegCo General Election. 
Other types of breach include improper handling of personal data, unlawful hacking, accidental disclosure by third party processor etc.
HK’s PDPO and data breach
Under Data Protection Principle (“DPP”) 4(1) of Schedule 1 of the PDPO, data user shall take all practicable steps to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to -
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data. 
It is important to note that the PDPO does not require the data user to give formal notification to data subjects affected, relevant parties or other regulatory bodies, in the event of a breach.
Responding to data breach
Data breach incidents should not be treated merely as a compliance matter, and handled it in the bigger context.
There are four steps that a data user should take in the event of a data breach:
(3) Reporting & Escalating; and
Once a data breach is discovered, the data user shall assign an incident owner and allocate roles and responsibilities for a team to handle the data breach. The data user should also set a timeframe for responding the breach.
Once the team is assembled, the team should immediately attempt to contain the breach, so to minimize the potential harm to the data user, data subjects and affected parties.
The team should then commence a fact-finding process, and to ascertain the basic facts of the breach, e.g. when/where/how did the breach occur, what was the cause of the breach, what kind of personal data was involved, and the number of affected data subjects, and to make an initial report to the senior management for further actions.
Once the Identification process is done, the team shall conduct a risk assessment, and to notify cyber insurance company (if any).
The risk assessment shall be documented, and report it to senior management as soon as possible.
It is also important to consider the following risk factors, such as, whether other jurisdictional frameworks are involved due to the nature of the data subjects (e.g. GDPR may be triggered because of EU data subjects), business contractual arrangements, other compliance or legal obligations.
The internal IT and legal team should be informed and consulted.
III. Reporting & Escalating
If the breach is assessed to be notifiable, the regulatory body, i.e. PCPD, and the data subjects may need to be informed. The data user should consider the suitability of such reporting regarding the extent, timing and content of communication.
Although there is no requirement nor consideration as to when a notification should be issued, the data user should consider whether a real risk is reasonable foreseeable in a data breach.
The PCPD has a Data Breach Notification Form  (“DBN Form”) which the data user may use for filing the notification.
According to the Guidance Note, the notification may include a general description of the event, date and time of the breach, the source of breach, types of personal data involved, assessment of risk, description of measures taken, contact and whether law enforcement agencies have been notified.
The DBN should be lodged as soon as practicable.
The data user should also contact the affected data subjects and other internal stakeholders. Once it is decided that the breach justifies communication to the data subjects, the communication should explain the nature of the breach and includes the contact details of the contact point, description of the consequences of the breach, and the measures taken to address the breach.
IV. Data breach handling policy
The PDPO does not require data user to have a data breach handling policy, but as part of good information security and governance practice, data user should adopt proper data breach handling policy and procedures in order to take appropriate measures when incident happens.
For more information regarding how to handle data breach or data breach handling policy, please contact ADG at firstname.lastname@example.org or Tel: +852 3725 4806.
 ‘Guidance on Data Breach Handling and the Giving of Breach Notifications’, PCPD, Jan 2019
 ‘Registration and Electoral Office - Loss of a Marked Final Register of Electors’, R19-15281, PCPD, 29 August 2019
 Personal Data (Privacy) Ordinance, Cap. 486
 Data Breach Notification Form, PCPD