Security requirements may not always be included in the data protection law, but are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and prevent alteration, corruption or access by unauthorized third parties.
Security is one of the six principles of Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486). Employers, and other data users, must take reasonable steps to safeguard personal data and protect it from unauthorized or accidental access, processing, deletion, loss and use. Employers should consider the most practical ways to protect the data given: the type of data being collected (and the potential for harm if not adequately protected); the physical location where the data is housed; the security measures incorporated into equipment; measures to ensure the integrity, prudence and competence of individuals who have access to personal data; and measures to ensure secure transmission.
When using third-party data processors inside or outside Hong Kong, employers must adopt contractual or other means to protect the personal information.
Appropriate technical and organizational measures are recommended to ensure a level of security appropriate to the risk, including:
HR Best Practices: Ensure contracts with service providers detail the security and confidentiality measures that will be implemented. In addition, regularly train employees who may have access to personal information, to ensure that they are following all technical and organizational security measures that have been put in place.