OptimaTech Blog - Enhancing Data Governance with PCPD’s Latest Data Security Guidelines

Introduction

As data privacy concerns continue to grow, regulatory bodies are focusing more intently on proactive data protection. The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong has released comprehensive recommendations in its Guidance Note on Data Security Measures for Information and Communications Technology, highlighting crucial steps data users must take to improve their cybersecurity and the way they manage data.

About PCPD

The Office of the Privacy Commissioner for Personal Data (PCPD) is an independent statutory body established in 1996 to enforce the Personal Data (Privacy) Ordinance (Cap. 486) in Hong Kong. PCPD is dedicated to safeguarding individuals’ privacy rights in relation to personal data through a combination of promotion, monitoring, and enforcement activities. It plays a pivotal role in ensuring that both individuals and organizations understand their rights and responsibilities under the Ordinance. Through investigations, inspections, policy recommendations, and international collaboration, PCPD strengthens the legal framework for data protection, ensuring fairness and efficiency in addressing privacy concerns.

Key Recommendations from PCPD

PCPD’s latest guidance emphasizes the importance of setting up clear internal policies for data security and governance. The main point is to make sure data is accessed and moved securely within information and communications systems. Organizations are encouraged to:

  • Establish clear internal policies and procedures for how data is accessed and exported.
    As stated in the Guidance Note: “Data users should establish clear internal policies and procedures on the access, export, and handling of personal data in ICT systems.” (Section 3.1, p.6)
  • Put in place sound data governance structures that align with privacy best practices.
    The PCPD notes: “A sound data governance structure should be established to ensure the accountability of data security management.” (Section 3.1, p.6)
  • Monitor and manage the flow of data within ICT systems to prevent unauthorized access or loss.
    The Guidance Note advises: “Data users should monitor and manage the flow of personal data within ICT systems to prevent unauthorized or accidental access, processing, erasure, loss or use.” (Section 3.3, p.11)

Endpoint Security for Emails and File Transfers

One of the most important parts of PCPD’s recommendations deals with emails and file transfers. Specifically, the guidelines advise organizations to use endpoint security solutions to:

  • Stop data from being transferred to unauthorized or unsafe portable storage devices.
    The PCPD states: “Data users should implement endpoint security solutions to prevent data from being transferred to unauthorized or unsafe portable storage devices.” (Section 3.3.6, p.14)
  • Ensure that only encrypted, authorized devices are used for storing or sharing data.
    According to the Guidance Note: “Only encrypted and authorized portable storage devices should be used for storing or transferring personal data.” (Section 3.3.6, p.14)

This is a direct response to the increasing danger posed by removable media, which can be easily lost, stolen, or accessed by bad actors if not properly secured.

Why This Matters

  • Compliance and Accountability: By following PCPD’s recommendations, organizations show they are committed to data privacy and meeting regulatory requirements.
    The PCPD highlights: “Data users should demonstrate their commitment to data security and accountability by following the recommended measures.” (Section 2, p.3)
  • Data Loss Prevention: Endpoint security tools reduce the risk of data leaking through physical devices, helping stop breaches before they happen.
  • Organizational Trust: Good data governance and secure transfer policies build confidence among stakeholders and customers.

Final Thoughts

PCPD’s guidance serves as a timely reminder for organizations to re-evaluate their data governance plans and invest in reliable security technologies. With sensitive personal data increasingly targeted, making sure information is accessed safely and exported with control is no longer optional—it’s absolutely necessary.

References: 

PCPD, Guidance Note on Data Security Measures for Information and Communications Technology (August 2022): https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_datasecurity_e.pdf
