Privacy Commissioner’s new Guidance on handling data breaches
The Privacy Commissioner for Personal Data published an article promoting the Commission’s new “Guidance on Data Breach Handling and Data Breach Notifications”. (Article, Press Release, Guidance Note)
In light of the 20% increase in data breaches reported to it during the first half of the year, the new Guidance Note was issued to help organisations prepare for the event that a data breach occurs.
What you should know/do:
Practical recommendations include
- Formulate a data breach response plan
— Recommended components: e.g. risk assessment workflow, communication plan
- Handling data breaches: 5 steps
— Immediate gathering of essential information
— Containing the data breach
— Assessing the risk of harm
— Considering giving data breach notifications
— Documenting the breach
- “Data breach notifications”
— Formal notifications
— To affected data subjects and the PCPD as soon as practicable after becoming aware of the breach
— Particularly if the breach is likely to result in a real risk of harm to data subjects
— Guidance on other parties to be notified (e.g. other regulators)
— Guidance on contents of formal notifications
- e-Data Breach Notification Form launched
Also in this issue
(i) HKEX censures China Saite Group Limited, imposes a prejudice to investors’ statement on some named executive directors (“EDs”) and independent non-executive directors (“INEDs”), and censures or criticises some other named EDs and INEDs. (Announcement, Statement of Disciplinary Action)
Background: during 2014-16, the company’s former chairman (“Chairman”) caused its wholly-owned subsidiary to take out a series of loans (“Loans”) for his personal benefit. These transactions had not been disclosed to the board of the company (i.e. the parent company).
During 2017-19, he also caused the company to make advances (“Advances”) to him, which were reflected in the relevant annual reports.
The Loans and Advances constitute “connected transactions” and contravened the company’s articles of association. (Total: around RMB 150 m)
There were multiple failures to provide timely and accurate information to HKEX and the investing public, including:
- (Mar 2020) Auditor discovered the Loans and other transactions that were not recorded in the accounting records. Civil proceedings were taking place against the group in respect of some of these transactions
- Auditor raised concerns as material audit issues, resulting in a delay in publishing the relevant annual results. Audit issues were communicated to the board
- Under the Chairman’s direction, the company’s announcement attributed the delay to COVID without disclosing the audit issues
- (Apr 2019) No timely announcements of a subscription of shares in an IPO
- (Apr 2019 – Jul 2020) No timely announcements of 14 winding-up petitions against it
Our focus is on the duties of INEDs. HKEX’s announcement states that “INEDs, although not involved in day-to-day operations and management, have a key role to play in Listing Rule compliance and corporate governance. Serious failures to discharge their duties may lead to imposition of severe reputational sanctions on them.”
What you should watch out for:
Failures of relevant INEDs include
- Some Advances: reflected in annual reports approved by relevant INEDs
— Despite these being contrary to its articles and indicative of internal control deficiencies
— Did not take active steps to make enquiries of management about the nature of the Advances, or to procure its compliance with Listing Rules
- Failure to disclose winding up petitions
— Did not look into the reason for the delay or take any meaningful remedial steps to ensure compliance with Listing Rules
- Failure to disclose audit concerns
— Despite being aware of the underlying cause of the audit issues
— Did not object to, or otherwise express concerns over, the completeness of information contained in the relevant announcement
(ii) SFC published consultation conclusions on proposed amendments to enforcement-related provisions of the Securities and Futures Ordinance (“SFO”). (Press release, Consultation Conclusions)
SFC will proceed with the proposal to broaden the scope of the SFO’s insider dealing provisions, covering: (i) insider dealing in HK with respect to securities listed on overseas stock markets or their derivatives; and (ii) insider dealing outside of HK, if it involves any securities listed on HKEX, or their derivatives.
(iii) AFRC published “Audit Focus”, setting out its clear expectations that auditors, management and audit committees must fulfil their respective statutory duties, roles and responsibilities during the audit planning process.
It sets out key areas that require special attention during the audit planning process, including volatile economic environments and market conditions (e.g. rising interest rates, inflation).
As regards the audit committees, they are expected to review and approve the audit plans to ensure that the proposed audit procedures are sufficiently and appropriately designed to address the identified risks. This includes inquiring whether audits of their companies have been subject to AFRC’s inspections and if so, discussing the deficiencies identified and challenging how they are going to be addressed in the coming audits.