
Data Breach Notification Policy (Hong Kong)

DATA BREACH NOTIFICATION POLICY

Personal Data (Privacy) Ordinance (Cap. 486), Hong Kong SAR

[Organisation Name]

Effective Date: [Effective Date]

Data Protection Contact: [DPO Name], [DPO Contact]

1. PURPOSE

1.1 This Data Breach Notification Policy (“Policy”) establishes the procedures for identifying, assessing, containing, and notifying data breaches involving personal data held by [Organisation Name] (“the Organisation”).

1.2 This Policy ensures the Organisation responds to data breaches in compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and the PCPD’s Guidance on Data Breach Handling and the Giving of Breach Notifications.

2. DEFINITION AND INTERNAL REPORTING

2.1 A data breach is defined as: [Breach Definition]

2.2 All employees must report suspected data breaches to: [Internal Reporting Channel], [Internal Reporting Timeframe].

2.3 The Data Protection Contact shall perform an initial assessment within 24 hours of receiving a breach report.

3. BREACH ASSESSMENT

3.1 The following factors shall be considered when assessing breach severity: [Assessment Criteria]

3.2 External notification shall be triggered when: [Notification Threshold]

4. CONTAINMENT

4.1 Upon confirmation of a breach, the Organisation shall take immediate steps to contain the breach: [Containment Steps]

5. NOTIFICATION

5.1 Notification to the PCPD: Where the breach meets the notification threshold, the Organisation shall notify the PCPD [PCPD Notification Timeframe] using the PCPD’s Data Breach Notification Form. The notification shall include: the nature of the breach; categories and number of affected individuals; likely consequences; and measures taken.

5.2 Notification to affected individuals: The Organisation shall notify affected individuals as soon as practicable via: [Individual Notification Method]. The notification shall include: what happened; what data was affected; what the individual can do to protect themselves; and the Organisation’s contact details.

5.3 Regulatory notification: [Regulatory Notification]

6. RECORD KEEPING

6.1 The Organisation shall maintain a breach register recording all data breaches, including breaches that did not meet the notification threshold. The register shall record: the date of discovery, the nature of the breach, the data and individuals affected, the actions taken, and the outcome.

7. REVIEW AND TESTING

7.1 This Policy shall be reviewed: [Review Frequency], and following any significant data breach.

7.2 Breach notification procedures shall be tested through simulation exercises at least annually.

8. GOVERNING LAW

8.1 This Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China, in particular the Personal Data (Privacy) Ordinance (Cap. 486).

APPROVAL

This Data Breach Notification Policy has been reviewed and approved by the undersigned.

Data Protection Contact

________________

Signature

Chief Executive Officer

________________

Signature

Maintained by Vladislav Sergienko, Founder.

What Is a Data Breach Notification Policy (Hong Kong)?

A Data Breach Notification Policy in Hong Kong sets out the standards and procedures an organisation's staff are expected to follow when a data breach involving personal data is suspected or confirmed: how it is reported internally, assessed, contained, and notified to regulators and affected individuals.

Hong Kong does not currently impose mandatory data breach notification on all organisations under the Personal Data (Privacy) Ordinance (Cap. 486). Unlike the European Union’s General Data Protection Regulation (GDPR), which requires notification to supervisory authorities within 72 hours, or Singapore’s Personal Data Protection Act, which introduced mandatory notification in 2022, Cap. 486 relies on voluntary notification encouraged by the Office of the Privacy Commissioner for Personal Data (PCPD). The PCPD published its Guidance on Data Breach Handling and the Giving of Breach Notifications, recommending that data users notify the Commissioner and affected individuals when a breach has occurred and there is a real risk of harm to the affected data subjects. Section 50A of Cap. 486 empowers the Privacy Commissioner to serve an enforcement notice requiring a data user to take steps to remedy a contravention of the Ordinance, including failures in data security.

Proposed amendments to Cap. 486 to introduce mandatory data breach notification have been under consideration by the Hong Kong government for several years. When enacted, these amendments are expected to require data users to notify the PCPD and affected individuals within a prescribed period following discovery of a notifiable breach. Organisations with a documented notification policy will be better positioned to comply with the mandatory regime when it takes effect.

For regulated organisations, sector-specific mandatory reporting requirements already apply. Authorised institutions regulated by the Hong Kong Monetary Authority (HKMA) must report material cybersecurity incidents — including data breaches — under the HKMA Supervisory Policy Manual module TM-E-1. The HKMA expects notification within a specified timeframe and may require follow-up reports as the investigation progresses. Licensed corporations regulated by the Securities and Futures Commission (SFC) must report operational incidents affecting client data under applicable SFC circulars and the requirements of the Securities and Futures Ordinance (Cap. 571).

The Crimes Ordinance (Cap. 200) is relevant when a data breach is caused by a criminal act — Section 161 of Cap. 200 criminalises access to computers with criminal or dishonest intent. Section 19 of Cap. 486 gives data subjects the right to request access to their personal data held by a data user, and Section 22 of Cap. 486 gives the right to correct inaccurate data. Where a breach involves criminal conduct, the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau (CSTCB) should be notified alongside the PCPD. The Privacy Commissioner for Personal Data holds powers under Section 48 of Cap. 486 to investigate complaints and under Section 50 to conduct investigations on the Commissioner’s own initiative. Forms-legal.com provides this Data Breach Notification Policy template incorporating the PCPD’s breach notification guidance and HKMA reporting requirements.

When Do You Need a Data Breach Notification Policy (Hong Kong)?

A Data Breach Notification Policy in Hong Kong should be adopted before any data breach occurs. Organisations that attempt to manage a breach without pre-established procedures respond more slowly, make avoidable mistakes in notification content and timing, and present a weaker compliance posture to the PCPD in any subsequent investigation.

Every Hong Kong organisation that collects or processes personal data needs this policy to meet its DPP4 obligations under Cap. 486. The PCPD’s enforcement decisions following data breach complaints consistently reference the absence of documented breach response procedures as evidence of inadequate data security measures. A written policy demonstrates due diligence.

Organisations handling large volumes of sensitive personal data — HKID numbers, financial account details, health records, salary information — face heightened harm potential from breaches and require particularly detailed notification procedures that address the nature of the compromised data, the risk assessment methodology, and the specific content of notifications to affected individuals.

HKMA-regulated authorised institutions need the policy to satisfy SPM module TM-E-1 cybersecurity incident management requirements and to meet the HKMA’s expectations for timely incident reporting. Banks and other authorised institutions that suffer material data breaches must report to the HKMA within specified timeframes, and a policy that establishes internal escalation procedures helps ensure those timelines can be met.

SFC-licensed corporations need the policy to satisfy SFC circular requirements on cybersecurity incident response. The SFC has taken disciplinary action against licensed persons for failing to maintain adequate cybersecurity incident management procedures, making a written policy a regulatory necessity rather than a best-practice recommendation.

Healthcare providers — hospitals, clinics, and diagnostic laboratories — processing patient data must have a notification policy that addresses the PCPD’s guidance on medical data sensitivity and the reporting expectations of the Hospital Authority and the Department of Health for incidents affecting patient records.

Organisations preparing for the eventual introduction of mandatory data breach notification under proposed Cap. 486 amendments should adopt a notification policy now that mirrors the likely mandatory requirements — including notification timelines, content standards, and the distinction between notifiable and non-notifiable breaches — so that no remediation is required when the amendments take effect.

What to Include in Your Data Breach Notification Policy (Hong Kong)

A Data Breach Notification Policy for Hong Kong organisations must address the following core elements to satisfy DPP4 of Cap. 486, PCPD guidance, and, for regulated entities, HKMA and SFC incident reporting requirements.

Definition of Data Breach specifies what the policy treats as a data breach — any incident resulting in unauthorised or accidental access to, processing, erasure, loss, or use of personal data held by the organisation, whether caused by external attack, employee error, system failure, physical loss of devices, or third-party processor incident. The definition should align with the PCPD’s guidance to avoid ambiguity about when the policy is triggered.

Detection and Internal Reporting establishes the channels through which potential breaches are detected — security monitoring systems, employee reports, vendor notifications, regulatory alerts — and the internal escalation procedure specifying who must be notified and within what timeframe. Every employee should know the designated breach reporting contact and the obligation to report suspected incidents promptly.

Initial Assessment and Severity Classification requires the Data Protection Officer (or designated breach response lead) to conduct an initial assessment within a defined period (typically 24–48 hours) covering: the nature of the compromised personal data; the number and categories of affected data subjects; whether the data was encrypted or otherwise protected; whether the data has been recovered; the likely cause of the breach; and the potential risk of harm to affected individuals — identity theft, financial loss, reputational damage, physical harm, or loss of employment.

Containment and Interim Measures specifies the immediate steps to stop the breach from continuing — revoking compromised credentials, isolating affected systems, blocking unauthorised access, recovering lost devices, or instructing a data processor to cease processing. Evidence preservation for potential law enforcement referral must be balanced against the need for rapid containment.

Notification Decision Criteria sets out the framework for deciding whether to notify the PCPD, affected individuals, the HKMA, the SFC, the Hong Kong Police CSTCB, or overseas regulators. The PCPD recommends notification when there is a real risk of harm to affected data subjects — the policy should apply a consistent risk assessment methodology. For HKMA-regulated institutions, notification within the required timeframe is mandatory for material incidents regardless of harm assessment.

PCPD Notification Procedure describes the process for voluntarily notifying the PCPD — using the PCPD’s Data Breach Notification Form, specifying the breach nature, personal data categories, number of affected individuals, likely consequences, and measures taken. Initial notification may be preliminary with a follow-up report as the investigation is completed.

Individual Notification Procedure establishes the content, format, and delivery method for notifications to affected data subjects — plain language description of what occurred, what personal data was affected, what individuals can do to protect themselves, what the organisation is doing in response, and who to contact for further information. Notifications should be sent by the most effective available method (email, letter, or public notice where direct contact is impractical).

Record Keeping requires documentation of all breach handling activities — detection records, assessment records, containment actions, notification decisions, notification content, and post-incident review findings — retained for at least seven years under Inland Revenue Ordinance (Cap. 112) record-keeping practice and consistent with Section 26 of the Personal Data (Privacy) Ordinance (Cap. 486), which prohibits retaining personal data longer than is necessary for the purpose for which it was collected. Post-incident review findings should be used to update the policy and close identified control gaps. The PCPD and the Hong Kong Monetary Authority (HKMA) may request inspection of breach records in the course of regulatory investigations. Forms-legal.com provides a related Cybersecurity Incident Response Plan template that addresses the technical response to incidents underlying data breaches.

Sources & Citations

Statutory citations link to official government sources.

  1. Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
  2. SFC circulars and the requirements of the Securities and Futures Ordinance (Cap. 571) (HK official)
  3. The Crimes Ordinance (Cap. 200) (HK official)
  4. Inland Revenue Ordinance (Cap. 112) (HK official)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Breach Notification Policy (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/data-breach-notification-policy-hong-kong

MLA

"Data Breach Notification Policy (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/data-breach-notification-policy-hong-kong.

BibTeX
@misc{formslegal-data-breach-notification-policy-hong-kong,
  author       = {{Forms Legal}},
  title        = {Data Breach Notification Policy (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/data-breach-notification-policy-hong-kong}},
  note         = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}

Based on the Personal Data (Privacy) Ordinance (Cap. 486). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.

Related Documents

You may also find these documents useful:

Cybersecurity Incident Response Plan (Hong Kong)

A Cybersecurity Incident Response Plan for Hong Kong organisations establishing procedures for detecting, responding to, and recovering from cybersecurity incidents. Addresses data breach handling under the Personal Data (Privacy) Ordinance (Cap. 486) and PCPD guidance on voluntary breach notification.

Data Protection Policy (Hong Kong)

A Data Protection Policy for Hong Kong organisations ensuring compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes rules for collecting, holding, processing, and using personal data, and addresses data subject rights under the PDPO.

Privacy Policy (Hong Kong)

A Privacy Policy Statement for Hong Kong organisations compliant with the Personal Data (Privacy) Ordinance (Cap. 486). Addresses the six Data Protection Principles, data subject rights, direct marketing consent, cookies, and data breach handling as recommended by the PCPD.

Data Processing Agreement (Hong Kong)

A Data Processing Agreement (DPA) governing the processing of personal data by a third-party processor on behalf of an organisation, compliant with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes processor obligations, data handling standards, and security requirements under Hong Kong's PDPO framework.

Acceptable Use Policy (Hong Kong)

An Acceptable Use Policy (AUP) for Hong Kong organisations setting out the rules and guidelines for the proper use of company IT systems, networks, and digital resources. Governs employee conduct when accessing company technology, internet, email, and software under Hong Kong common law and practical compliance standards.