News & Insights

Office of the Privacy Commissioner for Personal Data released guidance note on data security measures for information and communications technology

View PDF

Authored by: Simon Deane and Ruby Hui

In the light of the more extensive use of information and communications technology with the growth of hybrid working and hybrid learning, the Office of the Privacy Commissioner for Personal Data (“PCPD”) released the “Guidance Note on Data Security Measures for Information and Communications Technology” (“Guidance”) on 30 August 2022. The Guidance sets out recommendations relating to data security measures for data users’ information and communications technology (“ICT”) systems, so that data users can fully comply with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

The Guidance briefly discusses the requirements under the PDPO and lists recommended data security measures for ICT in the following areas through the use of case studies and illustration diagrams:

  1. data governance and organisation measures: formulation of internal policies on (i) data security risk assessments and (ii) handling data security incidents;

  2. risk assessments: (i) risk assessments of data security to test the new systems and applications and (ii) ongoing risk assessments after the launch of such systems and applications;

  3. technical and operational security measures: (i) adoption of physical access controls to limit access to locations of ICT assets and (ii) periodic reviews to make sure system settings meet the current requirements;

  4. data processor management: (i) assessments to assure engagement of qualified data processors only and (ii) requesting data processors to report all data security incidents promptly;

  5. remedial actions in the event of data security incidents: (i) termination of affected information and communication systems promptly where practicable and (ii) informing the PCPD and other law enforcement agencies or regulators, where applicable, in a timely manner;

  6. monitoring, evaluation and improvement: data users may engage external experts to monitor compliance with the data security policy and evaluation of the effectiveness of the data security measures regularly; and

  7. recommendations about data security measures for Cloud Services, “Bring Your Own Device” and Portable Storage Devices.

To access a full copy of the Guidance, please see here.

Key Contacts

Simon Deane

Consultant | Banking and Finance

Email or call +852 2825 9209

Legal Updates
1 Sep 2022

Related Services and Sectors:

Banking and Finance

Filter News & Insights

Search News & Insights


Follow

Subscribe to Publications

Sign up for our regular updates covering the latest legal developments, regulations and case law.

Sign Up

Media Contact

For media enquiries please contact us at media.relations@deacons.com.

Tel: +852 2825 9211

Popular Insights

Solicitors’ Hourly Rates for Party and Party Taxations to increase

Legal Updates
11 Dec 2017

New corporate governance requirements for HK listed companies/listing applicants will come into effect in January 2022

Legal Updates
17 Dec 2021

Closing the operations of a solvent company in Hong Kong

Legal Updates
6 Apr 2020
Close

Menu

Services

Sectors

People

Careers

About Us

News & Insights

Terms of Use & Disclaimer

Remote Access Contact Us

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download

Click here to share this shortlist.
(It will expire after 30 days.)