Guidance Note on Data Security Measures for Information and Communications Technology

PCPD issued the “Guidance Note on Data Security Measures for Information and Communications Technology” on 30 Aug 2022 to provide data users with recommended data security measures for ICT to facilitate their compliance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486).

 

The Guidance provides recommendations on data security measures for ICT in the following 7 areas.

  1. Data Governance and Organisational Measures, including the appointment of suitable personnel in a leadership role to bear specific responsibility for data security, and ensuring that sufficient training is provided for staff members.
  2. Risk Assessments on data security for new systems and applications before launch, as well as periodically thereafter.
  3. A Recommended Series of Technical and Operational Security Measures.
  4. Data Processor Management: A data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor.
  5. Remedial actions in the event of Data Security Incidents, thereby reducing the gravity of harm that may be caused to the organisation and affected individuals.
  6. Regularly Monitoring, Evaluating and Improving compliance with data security policies.
  7. Recommended Data Security Measures for Cloud Services, “Bring Your Own Devices” and Portable Storage Devices.

 

More details can be found at “Guidance Note on Data Security Measures for Information and Communications Technology”.

Published on: Oct 2022