News & Insights

Office of the Privacy Commissioner for Personal Data released guidance note on data security measures for information and communications technology

View PDF

Authored by: Simon Deane and Ruby Hui

In the light of the more extensive use of information and communications technology with the growth of hybrid working and hybrid learning, the Office of the Privacy Commissioner for Personal Data (“PCPD”) released the “Guidance Note on Data Security Measures for Information and Communications Technology” (“Guidance”) on 30 August 2022. The Guidance sets out recommendations relating to data security measures for data users’ information and communications technology (“ICT”) systems, so that data users can fully comply with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

The Guidance briefly discusses the requirements under the PDPO and lists recommended data security measures for ICT in the following areas through the use of case studies and illustration diagrams:

  1. data governance and organisation measures: formulation of internal policies on (i) data security risk assessments and (ii) handling data security incidents;

  2. risk assessments: (i) risk assessments of data security to test the new systems and applications and (ii) ongoing risk assessments after the launch of such systems and applications;

  3. technical and operational security measures: (i) adoption of physical access controls to limit access to locations of ICT assets and (ii) periodic reviews to make sure system settings meet the current requirements;

  4. data processor management: (i) assessments to assure engagement of qualified data processors only and (ii) requesting data processors to report all data security incidents promptly;

  5. remedial actions in the event of data security incidents: (i) termination of affected information and communication systems promptly where practicable and (ii) informing the PCPD and other law enforcement agencies or regulators, where applicable, in a timely manner;

  6. monitoring, evaluation and improvement: data users may engage external experts to monitor compliance with the data security policy and evaluation of the effectiveness of the data security measures regularly; and

  7. recommendations about data security measures for Cloud Services, “Bring Your Own Device” and Portable Storage Devices.

To access a full copy of the Guidance, please see here.

Key Contacts

Simon Deane

Consultant | Banking and Finance

Email or call +852 2825 9209

Related Services and Sectors:

Banking and Finance

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)