Late last year, the Hong Kong Privacy Commissioner for Personal Data (the "Commissioner") published a Guidance Note titled "Guidance on the Use of Portable Storage Devices" (the "Guidance Note") to assist data users in properly handling and protecting personal data stored on portable storage devices ("PSDs"), including USB memory sticks, tablet/notebook computers, mobile/smart phones, personal digital assistants, portable hard drives and optical discs such as DVDs. The Guidance Note follows a number of well-publicized incidents of loss of data stored on portable storage devices in Hong Kong, including the loss of USB memory sticks containing patients' medical records by doctors practicing at Hong Kong's United Christian Hospital back in April 2009.
The Commissioner noted that Data Protection Principle 4 in Schedule 1 to the Personal Data (Privacy) Ordinance (Chapter 486) requires a data user to ensure that personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use. The Guidance Note sets out various practical recommendations to help data users manage the security risks associated with the use of PSDs.
A top-down approach is recommended, whereby an organization-wide policy is adopted as the initial step in managing the risk associated with the use of PSDs. It is recommended that practical guidelines be developed for the use of PSDs, and that procedures be drawn up to ensure that PSD operations are performed correctly. It is further recommended that users be given training with reference to the relevant guidelines and procedures.
The Commissioner has also provided advice on formulating policies concerning the use of PSDs and on preventing unauthorized access through encryption algorithms and mechanisms. The Guidance Note discusses the detection of risks, the significance of keeping pace with technological change, the importance of staff awareness and of stipulating the consequences of non-compliance with policy requirements, as well as the need for routine reviews and audits to regularly re-assess the risk associated with the use of PSDs.
There are several recommendations relating to the use of technical controls to assist in implementing a PSD policy. End-point security software, used to control the security of "end-point" devices such as personal computers and mobile phones, can be installed on all computers and managed centrally to prevent the use of storage devices such as USB storage, optical drives or floppy drives. Data loss prevention systems may be used to detect and block the saving of sensitive information to external storage devices or email systems. Inventory control should be conducted to ascertain the number, types and whereabouts of all PSDs. Technical arrangements for the erasure, disposal or relocation of data stored on PSDs should be made so that data is securely erased after each and every use.
This blog post was prepared by Gabriela Kennedy (Partner), Hogan Lovells, Hong Kong; Heidi Gleeson (Foreign Registered Lawyer), Hogan Lovells, Hong Kong; and Fiona Chan (Trainee Solicitor), Hogan Lovells, Hong Kong.