CSj reviews a two-part guidance note issued by the Technology Interest Group of the Hong Kong Chartered Governance Institute (the Institute), looking at the all-important issue of data protection in today's highly data-dependent business environment.

Good data management and protection has increasingly become one of the most important determinants of success in the current business environment. Not surprisingly then, a plethora of new roles have emerged to specialise in this area, including: Head of Data Management, Chief Data Officer, Data Architect, Chief Information Officer and Data Protection Officer. So what is the role of the governance professional in this context? Should data protection even be under the remit of the governance professional? The simple answer is yes. To begin with, data governance is an enterprise-wide undertaking – everyone from operational staff up to board directors needs to be involved in data management and protection. In addition, there are many specific aspects of this area, in particular regulatory compliance and board advisory, that are directly relevant to governance professionals.

The Guidance Note on Data Protection, published by the Institute Technology Interest Group, offers advice to practitioners on how to address this timely and critical part of their work. The guidance note, available from the publications section of the Institute's website (www.hkcgi.org.hk), is divided into two parts – the first part looks at the principles of data protection and addresses key concerns for governance professionals, and the second part looks at the handling of data breaches.

1. Key concerns for governance professionals

The compliance perspective

The guidance points out that governance professionals will often be in a facilitative role in addressing data management and protection issues, but the most obvious area where data governance will be relevant to practitioners is in their overall responsibility for regulatory compliance. In particular, organisations in Hong Kong need to comply with the Personal Data (Privacy) Ordinance (Cap 486) (PDPO). The PDPO took effect in 1996 and regulates any person or company (data user) that collects, holds or uses personal data, and aims to prevent abuse or negligence in handling personal data by data users in Hong Kong. The guidance points out, however, that organisations involved in the collection and processing of personal data from overseas countries may also need to consider overseas data privacy laws with extraterritorial application. A prominent example is the European Union’s (EU) General Data Protection Regulation that took effect on 25 May 2018 and has extraterritorial application to non-EU companies that conduct data processing activities relating to persons located in EU member states. Ensuring compliance with local and overseas data protection regulations may often necessitate seeking professional legal advice. 'When in doubt, professional advice should be sought, especially in relation to the use of exemptions under the PDPO for disclosures of personal data that are collected or processed,' the guidance note states.

Board support and data handling

Another area where data management and protection will be a key issue for governance professionals is in their board support and advisory work. The guidance note highlights the need for governance professionals to ensure that directors are aware of data privacy requirements and whether the company has complied with the relevant data privacy laws affecting its business. Directors will also be involved, of course, in preparing the organisation's data protection guidelines. Governance professionals may also need to work with data protection staff (for example, the company’s Data Protection Officer) to ensure sufficient awareness of data privacy requirements among operational staff. This may include the facilitation of relevant training. Governance professionals, whether acting as company secretaries or in some other capacity, will also be custodians of sensitive data themselves. This might include the names, addresses and identity card numbers of the directors to be stated on the company’s annual return, names and contact information of shareholders to be used for convening general meetings, and the identity information and remuneration packages of the senior staff members of the company. Governance professionals will therefore need to build their own awareness of data protection and ensure that they follow data protection principles in their own work. At a minimum, to prevent unauthorised or accidental access to such sensitive information, proper security measures must be put in place.

2. Preventing and handling data breaches 

Preventing data breaches 

The second part of the guidance note focuses on the roles of governance professionals in preventing and handling data breaches. Since Data Protection Principle 4 of the PDPO requires data users to take proper security measures to protect any personal data they possess, data breaches are highly relevant to governance professionals' compliance role.

There are various practical measures that can be taken to minimise the risk of data breaches, but organisations need to consider which measures will work best for them. As a first step, the guidance note recommends practitioners promote the advantages of implementing a Privacy Management Programme (PMP), as recommended by The Office of the Privacy Commissioner for Personal Data (PCPD).

The process of implementing a PMP helps organisations build the necessary internal controls to minimise the risk of data breaches. A PMP, for example, requires organisations to carry out a comprehensive review of existing personal data handling practices, establish proper data handling guidelines and procedures, and appoint a Data Protection Officer to oversee all data privacy related matters. A PMP also requires the setting up of a data breach reporting mechanism and a training programme to improve awareness within the organisation of the requirements of the PDPO, IT security measures and the handling of personal data.

Practitioners can also consider promoting the implementation of a Privacy Impact Assessment (PIA) for projects that involve the collection and use of personal data. A PIA generally involves:
  • a fact-finding exercise to discover what kinds of personal data will be collected from which parties and to assess the data flow
  • a privacy risk analysis to identify the privacy risks involved in each stage of the data flow
  • an analysis of possible privacy risk mitigation measures, and
  • an assessment of reporting and continuous monitoring obligations.  

Handling data breaches

The guidance recommends organisations consider five steps in the handling of data breaches.

1. Information gathering and escalation. Staff members who commit or discover the data breach should gather key information relating to the breach and notify their immediate supervisors. This information then needs to be passed on to heads of departments and the Data Protection Officer. The Data Protection Officer should then make an assessment as to the seriousness of the incident and determine whether it has to be reported to senior management staff, including the governance professional and the board of directors.

2. Determine feasible interim actions to mitigate the loss. Action should be taken to mitigate the potential damage caused by the data breach, for example temporarily suspending the organisation's computer system where the breach was caused by a computer system failure or hacking incident. If the incident involves external service providers, the organisation should work with them to tackle the issue. If the incident involves criminal activities, the Data Protection Officer should consider seeking legal advice and notifying the relevant law enforcement agencies.

3. Notifying the affected data subjects and the PCPD. The PDPO does not currently require data users to notify affected data subjects where data breaches occur. However, the guidance note recommends doing so as the affected data subjects should be warned about any such incidents and may need to take necessary precautions to avoid further loss. If the Data Protection Officer is of the view that the data breach is serious, a notification should also be made to the PCPD via its Data Breach Notification Form (available from the PCPD website). A notification of the breach may also need to be sent to relevant law enforcement agencies and regulatory bodies. The guidance note suggests organisations seek legal advice to determine when such a notification will be legally required.

4. Implement remedial actions. In addition to the interim actions suggested above, organisations should consider further remedial actions. For example, where the data breach indicates a systematic or persistent problem, the responsible department must review and make necessary amendments to existing guidelines. New equipment or IT infrastructure may also be required to prevent a repeat of the incident. Where the breach involves a significant loss of customers’ personal data, the organisation will need to work with the administrative or corporate communication staff in preparing relevant disclosures for the affected customers and the media.

5. Monitor the progress of the tasks above. This will involve recording all the relevant details and will be an essential step in the process of not only dealing with the immediate fallout, but also ensuring better defences against any repeated breach.

The guidance note reviewed in this article is available from the Publications section of the Institute's website: www.hkcgi.org.hk. More information on the process of implementing a PMP is available in the PMP Manual produced by the PCPD.

SIDEBAR: Serious data breach incidents

If a data breach incident is serious, governance professionals should request the Data Protection Officer to regularly report on the status of the incident to the appropriate persons. Governance professionals may also need to monitor the progress of remedial actions. This may involve checking whether:
  • the affected data subjects and the Office of the Privacy Commissioner for Personal Data (PCPD) have been notified
  • any complaints have been received from data subjects
  • any feedback has been received from the PCPD – for example whether it has commenced an investigation, and 
  • there has been any involvement from other law enforcement agencies.
Governance professionals should in turn report on the status of the incident to the board of directors on a regular basis. In addition to the disclosure of factual information, governance professionals may need to make recommendations to the board regarding any suggested further actions that may be advisable, and to then implement any directions from the board on the matter.  

SIDEBAR: Credits

The Institute would like to thank the members of the Institute’s Technology Interest Group: Dylan Williams FCG FCS (Chairman), Gabriela Kennedy, Philip Miller FCG FCS, Ricky Cheng and Sheena Loi. Gratitude is expressed to Ricky Cheng, Director and Head of Risk Advisory, BDO Ltd, as the author of the paper. The paper was edited by Dylan Williams FCG FCS, General Counsel & Company Secretary, Sands China Ltd, and Mohan Datwani FCG FCS(PE). Mohan Datwani FCG FCS(PE), Institute Deputy Chief Executive, serves as Secretary to the Institute’s Interest Groups. If you have any comments and/or suggestions relating to the Institute’s Interest Groups, he can be contacted at: mohan.datwani@hkcgi.org.hk.