Legal update: How employers can minimise data privacy risks during WFH

閱讀中文版本

By Carmen Tang, partner at Hugill & Ip

This article will appear in the upcoming issue of Hong Kong Human Resources Magazine.

To reduce the spread of coronavirus, work-from-home arrangements have become the norm. This has increased the reliance on the internet for remote access and has resulted in an escalation of data privacy risks. Employers should ensure that the IT infrastructure of the business is secure and aim to mitigate risks of a data breach.

Legal implications of privacy breaches

Under the Personal Data (Privacy) Ordinance, Cap 486 (“PDPO”), Data Protection Principle 4 (“DPP4”) concerns the security of personal data. DPP4 requires data users to take all practicable steps to ensure that any personal data held is protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to the kind of data and the harm that could result.

Failure to comply with an enforcement notice issued by the Privacy Commissioner for Personal Data of Hong Kong (“Privacy Commissioner”) could result in criminal liability. In addition, data subjects may seek compensation by civil action where the data user has contravened the PDPO.

Reviewing IT service contracts

Businesses should consider the contractual rights they may have and obligations held by their IT service provider.

The current COVID-19 pandemic has highlighted the need for catch all provisions and referencing specific possible events, as well as unforeseeable events, when drafting commercial contracts. Unfortunately, many businesses may find themselves tied into a contract that is significantly difficult to complete and substantially expensive, hence drafting of future contracts and force majeure clauses within them, becomes a crucial element.

Additionally, in most contracts there exists exclusion of liability clauses, such as time bars, exclusion of consequential or indirect losses. These may limit the remedies your business can claim in the event of a data loss breach.

A data processor is not directly liable to a data subject for an infringement of personal data privacy.  Infringements of Data Protection Principle 2 (“DPP2”), which concerns the accuracy and duration of retention of personal data, or DPP4 should be avoided. Aggrieved data subjects may seek recourse from a data user who engaged the data processor.

To comply with DPP2 and DPP4, businesses, as data users must ensure that contractual means with processors are in place to ensure protection of personal data from unauthorised or accidental access, processing, loss of use, and is not retained for longer than necessary for the purpose of processing the data.

In 2012, The Privacy Commissioner issued an information leaflet on Outsourcing the Processing of Personal Data to Processors. Methods of compliance through contractual means are provided, for example “absolute prohibition or qualified prohibition (e.g. unless with the consent of the data users) on the data processor against sub-contracting the service that it is engaged to provide”.

Reviewing contractual protection with clients

Businesses may consider including indemnification or limitation of liabilities clauses to ensure risk allocation or including disclaimers in contracts and company websites to disclaim the risk associated with IT securities.

Reviewing internal privacy policies

Businesses should develop a comprehensive privacy management programme, published to the attention of employees. It should include:

• Guidance on compliance with the PDPO, including the six Data Protection Principles;
• Preliminary solutions to IT related difficulties; and
• Data breach incident response plan (see below).

Businesses may also consider their existing insurance policies and whether they have included sufficient coverage on disruptions or data loss due to IT service failures.

Response management and monitoring

Businesses should develop response frameworks and containment measures to be followed where data loss has occurred, in addition to plans for monitoring IT disruptions. It is best practice to keep a comprehensive record for future reference or relaying relevant information to relevant parties.

Data breach incident response plans should include four broad aspects: Communication, analysis, containment, post-incident review.

Measures to prevent data loss or hacking

Businesses will need to consider:

• Enhancing secure remote access, including properly configured firewalls, encrypting vulnerable client data, or limiting the means of data transmission. Installing ad-blockers can also mitigate the risks of viruses.
• Where possible, managed devices provided by the company may provide the most basic level of protection.
• Employees should regularly update the operating system for their devices to minimise risks associated with cloud-based storage systems.
• Prevention and control of unauthorised/authorised user access through methods such as multi-factor authentication or restricting risky user access may be able to prevent events of hacking into the cloud system. Clouds may also be restricted to browser access only.
• Employees should take extra care in the event of payment requests or change in bank account particulars. Where there is any doubt, it is recommended to contact the client or colleague orally to confirm such payment requests.

The Privacy Commissioner together with the Personal Data Protection Commission have released a jointly-developed Guide to Data Protection by Design (“DPbD”) for IT Systems. Companies may gain practical assistance in applying DPbD principles for all phases of software development and good practices for data protection for IT systems.

Key takeaways

Flexibility and having a response management procedure in place to deal with a data privacy breach enables businesses to operate more smoothly remotely. Businesses should be fully aware of their existing rights and obligations with IT service providers and clients to ensure that they are not running into legal issues that may have severe impacts on business operation.