Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Data protection regulations in some jurisdictions require data controllers to report such breaches in certain circumstances.
Hong Kong does not legally require businesses to notify the Privacy Commissioner for Personal Data (PCPD) or the affected individuals in the event of a breach. That said, it is recommended as good practice. In cases where a breach has occurred, employers (i.e. data users) are responsible for taking remedial actions to lessen the damage to data subjects.
Employers can notify the PCPD through a Data Breach Notification Form, available on the Commissioner’s site (https://www.pcpd.org.hk). Where data subjects may face a reasonably foreseeable risk of harm as a result of a breach, employers should consider notifying them. Before making a decision, consider the potential consequences of failing to give notification.
HR Best Practices: While there is no legal requirement to notify impacted individuals or the PCPD in the event of a breach, providing a notification can reduce the risk of litigation. Employers should regularly assess how personal data is being handled, and in the event of a breach, strategize how similar breaches could be prevented in the future. It’s recommended to develop and implement a data breach action plan with notification, incident documentation and response procedures.