Digital developments in focus

Cautionary tales for privacy compliance from Hong Kong’s Privacy Commissioner

At the end of 2023 Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) published two investigation reports with useful reminders for organisations: 

Instant messaging and failure to maintain employee records

Over the past five years the PCPD has received, on average, 100 complaints annually in relation to employee data concerns. Highlighting this, and seeking to better prepare organisations going forward, it issued an investigation report into four organisations for breaches relating to: (i) improper disclosure of personal health information through instant messaging apps, and (ii) failure to maintain accurate employee records. 

In issuing a warning to human resource managers about the risks involved in handling vast amounts of data, Commissioner Ada Chung Lai-Ling suggested that organisations reinforce internal accountability by introducing a “Personal Data Privacy Management Programme” (PMP), which aims to champion privacy principles at board level and to ensure privacy is treated as a business imperative through training and programme controls. The report also acknowledged the need to keep staff training properly up to date. That reminder follows the Hong Kong Cyber Readiness Index recording its largest annual decrease in 2023, raising concerns about staff awareness of cyber risks, with only just over half (51%) of corporates having implemented a PMP.

To support organisations in problem spotting, the report is accompanied by a user-friendly information leaflet containing practical advice on common questions faced by human resources managers applying Hong Kong’s privacy laws.

Security failures and lack of planning result in data scraping breach

The second report issued by the PCPD related to a data breach affecting e-commerce provider Carousell in August 2022, after a software migration introduced a security vulnerability that enabled an attacker to scrape the personal information of 2.6 million users (324,000 in Hong Kong). During its investigation the PCPD found that Carousell had conducted neither a privacy impact assessment nor a vulnerability assessment ahead of the planned migration, which meant the vulnerability that caused the breach went undetected.

Whilst Carousell was praised for its quick incident response and cooperation with the PCPD, the incident illustrates the consequences of not proactively considering privacy risks when updating services. The breach also renewed the PCPD’s focus on data scraping, after it issued a joint statement in August 2023 alongside eleven other national authorities (including the ICO) warning social media firms that in many jurisdictions data scraping is a reportable breach. The statement also linked the practice of data scraping with an increased risk of cyberattacks and data fraud. Meanwhile, the ICO has announced data scraping to train AI models as the first in a series of consultations on generative AI and data protection, which we discuss in more detail in our blog.

With these two reports the PCPD has demonstrated its focus on employee data breaches as well as customer data breaches, a reminder to organisations to look inward as well as outward.