The second investigation report recently released by the Office of the Privacy Commissioner for Personal Data (PCPD) of Hong Kong focuses on a popular online marketplace. According to the published information, the investigation was initiated after the company reported a data breach incident involving the sale of personal data belonging to 2.6 million users, including 324,232 user accounts in Hong Kong. The Privacy Commissioner identified several deficiencies on the part of the company, such as the absence of a privacy impact assessment, inadequate code review processes, insufficient security assessments during the system migration, and a lack of effective detection measures. The company was found to have contravened Data Protection Principle 4(1) concerning the security of personal data.
The Privacy Commissioner has provided recommendations for organizations undertaking information system migration involving personal data. These recommendations include:
- Conducting privacy impact assessments
- Developing migration plans prioritizing data protection
- Implementing effective vulnerability assessments
- Providing employee training
- Establishing mechanisms for detecting abnormal activities
- Formulating localized policies to ensure compliance with the PDPO
Overall, the investigation report and recommendations aim to enhance data security practices and promote compliance with personal data protection regulations in Hong Kong.
These investigation reports highlight the critical need for organizations to prioritize the effective management of personal data privacy. In light of these challenges, it becomes crucial for organizations to establish a Privacy Information Management System (PIMS) that adheres to international standards and best practices. One such framework that provides a comprehensive roadmap for achieving this is ISO 27701 certification.
Compliance with Privacy Regulations
The investigation reports highlighted instances where organizations failed to comply with Data Protection Principles (DPP) outlined in privacy regulations. The ISO 27701 standard provides implementers with a control framework to ensure compliance with relevant privacy regulations, such as the Personal Data (Privacy) Ordinance (PDPO) in Hong Kong, the Personal Information Protection Law (PIPL) in Mainland China and the General Data Protection Regulation (GDPR) in Europe.
Data Retention and Use
Improper retention and use of personal data by employers were significant concerns in the investigation reports. ISO 27701 certification emphasizes the implementation of policies and procedures for appropriate data retention and use, ensuring that personal data is handled in accordance with legal requirements and individual consent.
Security and Incident Prevention
The unauthorized scraping of personal data belonging to the platform's users highlighted the need for robust security measures. ISO 27701 certification provides a framework for conducting privacy impact assessments and vulnerability assessments, and for implementing effective detection measures to prevent data breaches and incidents.
Employee Training and Awareness
The investigation reports emphasized the importance of training employees on personal data privacy. ISO 27701 certification encourages organizations to develop a training strategy that educates employees about their responsibilities in protecting personal data, fostering a privacy-conscious culture within the organization.
The recent investigation reports published by the Privacy Commissioner's Office shed light on the critical importance of effectively managing personal data privacy. ISO 27701 certification offers organizations a comprehensive framework to address these challenges by establishing a Privacy Information Management System aligned with international standards. By obtaining ISO 27701 certification, organizations can demonstrate their commitment to protecting personal data, ensuring compliance with privacy regulations, and building trust with stakeholders.
Relevant Services:
- DQS provides accredited ISO 27001 Certification and ISO 27701 Certification services
- DQS HK provides Penetration Testing service
- DQS HK provides Privacy Impact Assessment (PIA)
- DQS Academy provides ISO 27001:2022 Internal Auditor Training
- DQS Academy provides ISO 27701:2019 PIMS Understanding Training
Blog author: DQS HK