CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") is a comprehensive, technology-neutral set of laws that provides a set of Data Protection Principles outlining how data users should collect, handle and use personal data.

2. Data protection authority

The Office of the Privacy Commissioner for Personal Data www.pcpd.org.hk

Information Commissioner: www.ico.org.uk

3. Anticipated changes to local laws

The legislation has not been substantively amended since 2012 and is due for amendment.

The Constitutional and Mainland Affairs Bureau released LC Paper No. CB(2) 512/19-20(03), a discussion paper seeking the views of the Legislative Council's Panel on Constitutional Affairs (the "Panel") on proposed changes to the Personal Data (Privacy) Ordinance (Cap. 486). The proposed changes follow proposals by the Privacy Commissioner for Personal Data and comprise six amendments:

  • Inclusion of a Mandatory Data Breach Notification Mechanism;
  • Requirement for retention policy and specified Data Retention Period; 
  • Provision of Sanctioning Powers to PCPD to impose administrative fines and raise relevant criminal fine levels; 
  • Regulation of Data Processors; 
  • Amending the Definition of Personal Data to cover information relating to an "identifiable" natural person; 
  • Regulation of Disclosure of Personal Data of Other Data Subjects to curb doxing.

Brexit – data protection

The Brexit Transition Period ended on 31 December 2020. Following the end of the Brexit Transition Period, the EU-UK Trade and Cooperation Agreement (the "TCA") includes provisions that allow data transfers from the EEA to the UK to continue unrestricted for an interim period of up to six months.

In the meantime, the UK has applied for an adequacy decision from the European Commission to recognise it as a jurisdiction to which EEA personal data can flow freely. Without such a decision, transfer of personal data from the EEA to the UK would require use of a transfer mechanism (such as standard contractual clauses) or a derogation would need to apply. 

For now, the UK GDPR is materially aligned with the EU GDPR, but divergence could happen over time. As the situation is fast-changing, we recommend speaking to your CMS contact in the UK for the most up-to-date position.

Brexit - ePrivacy

The new EU e-Privacy Regulation is set to replace the e-Privacy Directive in relation to the privacy of electronic communications. In effect, this will replace local EU Member State ePrivacy laws. This is still in the legislative process, with no definite timeframe for implementation agreed as yet.

The UK will not be automatically subject to the new ePrivacy Regulation. However, it is possible that the UK will seek to achieve alignment to some degree between PECR and the new ePrivacy Regulation.

Again, as the situation is fast-changing, we recommend speaking to your CMS contact in the UK for the most up-to-date position.

4. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:  

A summary of various offences and penalties under the Ordinance can be found at: https://www.pcpd.org.hk/misc/files/table2_e.pdf

Others:  

N/A 

The UK GDPR, together with Part 6 of the DPA, contains the details regarding enforcement.

Administrative sanctions:

The Information Commissioner has powers to impose two tiers of fines, in each case up to the greater of:

  • GBP 17.5m or 4% of the undertaking's total annual worldwide turnover in the preceding financial year (higher tier); or
  • GBP 8.7m or 2% of the undertaking's total annual worldwide turnover in the preceding financial year (standard tier).

Criminal sanctions:

There are various criminal offences under the DPA including:

  • unlawful obtaining of personal data;
  • re-identification of de-identified personal data;
  • destroying or falsifying information and documents;
  • making false statements in response to an information notice; and 
  • altering personal data to prevent disclosure to the data subject.

In addition to the organisation, individual company directors can face criminal liability and unlimited fines (although custodial sentences cannot be imposed).

Others: 

The Information Commissioner has the following enforcement powers:

  • to impose information notices;
  • to impose assessment notices;
  • to impose enforcement notices, which can require the organisation to take or not take certain actions (including deleting or stopping processing data); and
  • entry and inspection. 

A data subject may (in addition to making a complaint to the Information Commissioner) also make a claim to the courts for compensation for material or non-material damage (which may include distress). There is the potential for class actions to be brought.

5. Registration / notification / authorisation

There is no requirement for notification/registration/authorisation for processing personal data (i.e. there is no mechanism similar to the UK's "Notification to process personal data" regime described on www.gov.uk).

Under the Data Protection (Charges and Information) Regulations 2018, controllers must pay a data protection fee to the Information Commissioner. This is set on a sliding scale depending on the size and turnover of the organisation, and there are some exemptions. Organisations can be fined for not paying the fee where required.

6. Main obligations and processing requirements

Data users shall comply with the six principles set out in Schedule 1 to the Ordinance: 

  • personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair; 
  • data users are required to take all practicable steps to ensure that personal data is accurate and not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If data users engage a data processor to handle personal data of other persons, data users should adopt contractual or other means to ensure that the data processor complies with the retention requirement; 
  • data users shall not use personal data for any new purpose, i.e. a purpose that is neither the original purpose for which the data was collected nor a purpose directly related to it, unless with the data subject's express and voluntary consent; 
  • data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use; 
  • data users are required to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it; and 
  • data users shall provide data subjects with the right to request access to and correction of their own personal data.

For the most part, the UK GDPR remains materially aligned with the EU GDPR. However, the following derogations from the EU GDPR are set out in the DPA:

Consent of children in relation to the use of information society services

The GDPR sets the minimum age that a subject must be to give valid consent to the processing of their data at 16, but gives EU Member States the ability to lower this to as young as 13. The UK chose to lower the threshold to 13 years old in relation to the use of information society services.

Special categories of personal data and criminal convictions personal data

Where special categories of personal data are processed, a lawful basis under Article 6, UK GDPR must be met plus one of a further list of more stringent conditions in Article 9, UK GDPR. “Special categories of personal data” refers to information about an individual’s race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetics or biometrics (where used for identification purposes); health; sex life or sexual orientation.  There are ten conditions in the UK GDPR itself pursuant to which special category data may be able to be processed. 

Where personal data relating to criminal offences or convictions (or related security measures) (“criminal data”) is processed, a lawful basis under Article 6, UK GDPR must be met plus the processing must either be carried out under the control of official authority or be authorised under UK law (Article 10, UK GDPR and Sections 10 and 11, DPA).  

Section 10 and Schedule 1, DPA introduce additional conditions and safeguards for processing both special categories of personal data and criminal data; in certain circumstances an "appropriate policy document" may be required.

UK representatives

Organisations without an establishment in the UK, but offering goods or services to, and/or monitoring the behaviour of, individuals located in the UK, may need to appoint a UK representative under the UK GDPR.

Penalties for breaches of the UK GDPR

See ‘Sanctions & non-compliance’ above.

7. Data subject rights

Data subjects are given the right to access and to correct their personal data.

There are no substantive derogations from the EU GDPR.

8. Processing by third parties

There is no direct regulation of data processors. However, data users are required to adopt contractual or other means to ensure that data processors or sub-contractors adopt measures to ensure the security of personal data.

There are no substantive derogations from the EU GDPR.

9. Transfers out of country

Section 33 of the Ordinance (which has been enacted but has not yet been brought into operation) provides that a data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met: 

  • the place is specified by the Commissioner by notice in the Gazette as one in which there is in force any law which is substantially similar to, or serves the same purposes as, the Ordinance (to date, no place has been so specified); 
  • the data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the Ordinance;
  • the data subject has consented in writing to the transfer;
  • the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the consent in writing of the data subject to that transfer; but if it were practicable, such consent would be given;
  • the data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use, or for the purpose of prevention of crime); or
  • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. Note that using the recommended model data transfer clauses to develop an enforceable data transfer contract is one way for data users to satisfy this due diligence requirement. 

The UK transfer regime currently mirrors the EU GDPR in substance, but there are some differences.

The main provisions allow:

  • the transfer of personal data from the UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission adequacy decision;
  • the UK Government to make its own adequacy decisions;
  • the continued use of any EU Standard Contractual Clauses (“SCCs”), valid as at 31 December 2020, both for existing restricted transfers and for new restricted transfers; and
  • some EU GDPR-approved binding corporate rules (BCRs) to transition into the UK regime. 

The Information Commissioner also plans to develop UK standard contractual clauses (“UK SCCs”) for data transfers to jurisdictions for which an adequacy decision has not been granted. The EEA has been granted adequacy on an interim basis. Until the UK SCCs are released, the existing European Commission-approved SCCs should be used (i.e. the pre-GDPR versions). 

See also ‘Anticipated changes to local laws’ above. 

10. Data Protection Officer

N/A

There are no substantive derogations from the EU GDPR.

11. Security

There is no mandatory requirement.  However, it is required that a data subject is informed of the name or job title, and address, of the individual who is to handle the data access or correction request made to the data user.

There are no substantive derogations from the EU GDPR.

12. Breach notification

There is no mandatory requirement, but a data breach may amount to a contravention of Data Protection Principle 4(1) in Schedule 1 to the Ordinance.

The following action plan is recommended as practice to be adopted by data users: 

  • immediate gathering of essential information relating to the breach; 
  • contacting the interested parties and adopting measures to contain the breach; 
  • assessing the risk of harm; 
  • considering the giving of data breach notification: notifying the affected data subjects, the relevant parties, the law enforcement agencies, the Commissioner, relevant regulators and such other parties who may be able to take remedial action, as soon as practicable after the detection of the data breach. For notifying the Commissioner, a "Data Breach Notification Form" can be used.

There are no substantive derogations from the EU GDPR.

13. Direct marketing

The data user must:

  • inform the data subject (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject’s consent to the intended use – this “consent” needs to be “an indication of no objection to the use or provision” and hence, silence or lack of response will not be deemed to be consent;
  • provide the data subject with the following information in relation to the intended use: (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used. The description of such classes should be specific, making reference to the distinctive features of the goods, facilities or services so that it is practicable for customers to ascertain the goods, facilities or services to be marketed with a reasonable degree of certainty; and
  • provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use – a data user can only elect a response channel that enables the data subject’s consent to be made in writing.

For B2C direct marketing, PECR prohibits unsolicited electronic communications for direct marketing purposes without prior consent from the individual, unless:

  • the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing;
  • the marketing relates to offering a similar product or service; and
  • the consumer was given a means to readily opt out of the use of their details for direct marketing purposes, both when their details were collected and in each subsequent marketing communication.  

For B2B direct marketing, the requirements generally are less stringent and such marketing can be done on an "opt out" basis. The rules still require that the sender must identify itself and provide contact details. Sole traders and some partnerships have the same rights as consumers (see above).

For both B2B and B2C direct marketing, individuals always have a right to object at any time (Article 21(3), UK GDPR).

The Information Commissioner has published specific guidance on direct marketing. 

14. Cookies and adtech

There are no specific requirements in relation to use of cookies.  

However, the use of cookies to collect personal data needs to be in compliance with Data Protection Principle 1(3) in Schedule 1 to the Ordinance that requires: 

  • the data subject is explicitly or implicitly informed, on or before collecting the data, of (i) whether it is obligatory or voluntary for him or her to supply the data; and (ii) where it is obligatory for him or her to supply the data, the consequences for him or her if he or she fails to supply the data; and 
  • he or she is explicitly informed: (i) on or before collecting the data, of (A) the purpose (in general or specific terms) for which the data is to be used; and (B) the classes of persons to whom the data may be transferred; and (ii) on or before first use of the data for the purpose for which it was collected, of (A) his or her rights to request access to and to request the correction of the data; and (B) the name or job title, and address, of the individual who is to handle any such request made to the data user.

Cookies and similar technologies are covered by PECR. The basic rule is that organisations must:

  • notify users that cookies are used;
  • explain what the cookies are used for and why;
  • get the user’s consent to store a cookie on their device unless the cookie is:
    • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
    • strictly necessary for the provision of a service requested by the user.   

Duration of cookies should also be specified. 

Cookies consent under PECR means consent to the same standard as is required under the UK GDPR. (See Article 4(11), UK GDPR.)

These rules will apply to adtech and online marketing that is cookies-based (whether or not personal data is used). Where personal data is processed, the requirements of the UK GDPR will also need to be complied with.

The Information Commissioner has published specific guidance on use of cookies and similar technologies. 

15. Risk scale

Moderate

Severe

Cybersecurity

1. Local cybersecurity laws and scope

The most significant laws that cover cybersecurity matters include provisions under: 

  • Crimes Ordinance (Cap 200): (1) s.161 Access to computer with criminal or dishonest intent; and (2) s.60 Destroying or damaging property; 
  • s.27A (unauthorised access to computer by telecommunications) under the Telecommunications Ordinance (Cap 106); 
  • Control of Obscene and Indecent Articles Ordinance (Cap. 390); 
  • Prevention of Child Pornography Ordinance (Cap 579); and 
  • The Unsolicited Electronic Messages Ordinance (Cap 593).

The key cybersecurity laws that apply in the UK include the following:

2. Anticipated changes to local laws

There are no anticipated changes to local laws, although there has been increasing pressure to introduce laws against doxing.

Brexit - NISD Regulations / NISD

There is a proposal before the European Commission to update the NISD. Once the proposal is agreed and then adopted, the EU Member States will have 18 months to transpose the updated Directive into their domestic legislation.

The UK NISD Regulations implement the EU NISD into UK law. Following the end of the Brexit transition period, the UK is now a "third country", meaning that some of the current mechanisms (such as those regarding competent authorities and the appointment of representatives) have changed. 

It is up to the UK whether it adopts, wholly or in part, the updated NISD once agreed. However, there would generally be common interests in achieving alignment on cyber security.

Brexit – data protection

See “Data Protection” section for full details of changes to data protection laws.  As the situation is fast-changing, we recommend speaking to your CMS contact in the UK for the most up-to-date position. 

3. Application 

The Hong Kong legislation mainly criminalises unauthorised access to computers and the dissemination of obscene articles, child pornography and unsolicited electronic messages. 

NISD Regulations / NISD:

The NISD was implemented in the UK on 10 May 2018 by the NIS Regulations. The NIS Regulations apply to Operators of Essential Services (OES) and Digital Service Providers (DSPs).

OES

  • OES are organisations (public or private) within vital sectors that provide services essential to the economy and society and that place a heavy reliance on information networks.
  • OES are operators in the following sectors that meet certain threshold requirements:
    • sector (energy, transport, health, drinking water supply and distribution, and digital infrastructure);
    • subsector: specific elements within an individual sector;
    • essential service: the specific type of service;
    • identification thresholds: size of the operator or impact of an incident.
  • Banking and financial market infrastructure are omitted as they are already subject to equivalent regulatory requirements. 

DSPs

  • A DSP is an organisation that: 
    • provides a digital service in the UK as a search engine, online marketplace or cloud computing service; 
    • has a head office in the UK or has nominated a representative who is established in the UK; and
    • is not a micro or small enterprise.   

Both OES and DSPs must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems. The measures taken must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed.

Communications Act 2003 (CA):

The CA requires Public Electronic Communications Network (PECN) providers and Public Electronic Communications Service (PECS) providers to take technical and organisational measures to manage risks to the security of PECNs and PECSs.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) / ePrivacy Directive:

The ePrivacy Directive was implemented in the UK on 11 December 2003 by PECR, which has been amended several times.

PECR compels PECS providers to take technical and organisational measures to ensure the security of their services, by restricting who can access personal data and protecting the way it is stored or transmitted.

Data Protection Act 2018 (DPA) / UK GDPR:

The DPA / UK GDPR applies when personal data is being processed, and imposes obligations: 

  • on controllers to process personal data in a manner that ensures appropriate security of the data (‘integrity and confidentiality’) (Article 5(1)(f), UK GDPR);
  • on controllers to observe data protection by design and by default when building systems and processes (Article 25, UK GDPR);
  • on both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32, UK GDPR); and
  • in certain circumstances, on controllers to report personal data breaches to data protection authorities (Article 33, UK GDPR) and inform affected individuals (Article 34, UK GDPR); processors are obliged to inform the controller if they become aware of a breach (Article 33(2), UK GDPR).

Computer Misuse Act 1990 (CMA):

The CMA does not impose security obligations on businesses or individuals as such, but creates various cybercrime offences, criminalising acts such as unauthorised access or interference with a computer.

eIDAS Regulation / UK eIDAS Regulation:

The eIDAS Regulation came into effect on 1 July 2016 and has been retained in UK law. It is supplemented by additional requirements in the UK eIDAS Regulation.

The eIDAS Regulation provides a framework which allows people and businesses to use electronic identification to access online public services in other EU Member States. It also sets out requirements for trust services, setting out what trust service providers need to do in order to gain qualified status, and allows them to use an EU trust mark. 

In practice, a UK trust service provider should assume that it still needs to comply with the eIDAS rules. UK trust service providers providing trust services in the EU may also need to comply with EU eIDAS law in the relevant EU Member States. 

4. Authority

Information Commissioner’s Office www.ico.org.uk

The Cyber Security and Technology Crime Bureau (Hong Kong Police) 
https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/tcd.html

The Communications Authority (for reporting spam) www.coms-auth.hk

A number of different authorities may be relevant depending on the relevant laws or regulations that apply:

NIS

OESs and DSPs are regulated by their relevant Competent Authority. Schedule 1 of the NIS Regulations lists the Competent Authorities in respect of the OESs, which are sector specific.

The Information Commissioner will be the Competent Authority in respect of the DSPs. 

CA

Ofcom regulates PECN and PECS providers and must be notified by them if there is a breach of security.

PECR

The Information Commissioner is the regulator responsible for the administration of PECR.

DPA / UK GDPR

The Information Commissioner is the regulator responsible for the administration of applicable data protection laws in the UK.

eIDAS

The Information Commissioner is the UK supervisory body for the trust service provisions of the eIDAS Regulation as provided by the UK eIDAS Regulation. It reports on security breaches, can carry out audits and take enforcement action.

5. Key obligations 

N/A – There is no prescribed obligation on network users or operators to adopt security measures, other than those that apply to the handling of personal data under the Personal Data (Privacy) Ordinance (Cap 486) (the "Ordinance").

NIS Regulations

  • An OES must notify their designated Competent Authority “about any incident which has a significant impact on the continuity of the essential service which that OES provides”. The NIS Regulations set out various factors an OES must have regard to in order to determine the significance of the impact of an incident.
  • A DSP must notify the Information Commissioner "about any incident having a substantial impact on the provision of any of the digital services … that it provides." The requirement to notify applies only if the DSP has access to information which enables it to assess whether the impact of an incident is substantial. The NIS Regulations provide a number of factors the DSP must take into account in order to determine whether the impact of an incident is "substantial".

CA

  • A PECN must notify Ofcom of a breach of security that has a significant impact on the operation of a PECN, and of a reduction in the availability of a PECN that has a significant impact on the network.
  • A service provider must notify Ofcom of a breach of security which has a significant impact on the operation of a PECS.
  • After such notification, Ofcom may notify national regulatory authorities in other Member States and the European Network Information Security Agency (ENISA). Ofcom may also inform the public of a notification either itself or require the PECN provider or PECS provider to do so if Ofcom considers this is in the public interest. 

PECR

  • In the case of a personal data breach, a PECS provider must notify the Information Commissioner of the breach within 24 hours of detection.
  • If the breach is likely to adversely affect the personal data or privacy of a subscriber or user, they must also be notified of the breach without undue delay after its detection.
  • The PECS provider is required to maintain a log of personal data breaches to enable the Information Commissioner to verify compliance with PECR.    

DPA / UK GDPR

  • Where there is a personal data breach, there is an obligation on the Data Controller to make notifications to the Information Commissioner without undue delay and (where feasible) within 72 hours from when it becomes aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals).
  • It may also be necessary to notify affected individuals that a data breach has occurred.

CMA

  • Offences include unauthorised access to computer material (with or without intent to commit further offences) and unauthorised acts with intent to impair the operation of a computer (viruses, malware, etc.). 

eIDAS

  • Trust service providers are obliged to take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide, in particular measures to prevent and minimise the impact of security incidents.
  • Where an electronic identification scheme is breached or partly compromised and there is a “significant impact”, there is an obligation on the trust service provider to notify the Information Commissioner within 24 hours. 
  • If users are likely to be affected, they must also be notified.
  • In some circumstances, Information Commissioner may decide to inform the wider public about a breach or require the trust service provider to do so.

The Information Commissioner may also suspend or revoke the cross-border authentication or the parts concerned. Some level of cooperation with EU Member States is expected to continue post-Brexit.

6. Sanctions & non-compliance 

Administrative sanctions:

N/A

Criminal sanctions:

The Hong Kong Police will enforce the provisions of the relevant Ordinances. Penalties range from a level 4 fine (HKD 25,000) to imprisonment for five years.

Others:

N/A

Administrative sanctions:

NIS Regulations

Organisations that contravene the NIS Regulations are subject to a maximum financial penalty of GBP 17m for a material contravention which the relevant enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or a significant adverse impact on the UK economy.

It is possible to be fined under both the NIS Regulations and the UK GDPR for the same incident (so-called "double jeopardy"), provided there are distinct bases for doing so (i.e. there is a breach of data protection law and a separate breach of the NIS Regulations).

Designated Competent Authorities will monitor OESs' compliance through an auditing process to prevent non-compliance. DSPs will not be audited; enforcement is applied to DSPs after an incident has occurred, or if a DSP is reported to the Competent Authority as being non-compliant. 

CA 

Ofcom can impose fines of up to GBP 2m and suspend the entitlement to provide networks or services, and has audit and investigatory powers. 

PECR

The Information Commissioner can: 

  • impose enforcement notices, information notices and monetary penalty notices of up to GBP 500,000 on PECS providers;
  • audit PECS providers;
  • prosecute PECS providers for failure to comply with a notice; and 
  • carry out 'dawn raid' search and seizure investigations with a warrant.   

A PECS provider that fails to comply with the breach notification requirement may be subject to a fixed monetary penalty notice of GBP 1,000.

UK eIDAS Regulation

The Information Commissioner has powers to:

  • issue a Monetary Penalty Notice requiring payment of GBP 1,000; 
  • do audits, and make recommendations;
  • serve an Enforcement Notice if there has been a breach, requiring specified steps to be taken to comply with the law; 
  • prosecute organisations that fail to comply with an Enforcement Notice (excluding in Scotland); and
  • make reports to Parliament on issues of concern.  

If an organisation fails to comply with an enforcement notice, assessment notice (for a compulsory audit) or information notice, the Information Commissioner can also invoke its powers to impose fines up to the higher of GBP 17.5m, or 4% of total worldwide annual turnover.

Criminal sanctions:

DPA / UK GDPR 

See “Data Protection” section above.

CMA

Offences under section 3ZA (unauthorised acts causing, or creating a risk of, serious damage) are tried on indictment and are punishable by up to life imprisonment where the damage relates to human welfare (loss of life, illness or injury) or national security, and by up to 14 years' imprisonment in other cases (for example, damage to the economy). Making, supplying or obtaining articles for use in such offences is also an offence (section 3A). 

The Information Commissioner can also bring prosecutions under the CMA.

Others: 

PECR

Individuals who suffer damage as a result of a PECS provider's breach of the PECR may bring compensation claims.

DPA / UK GDPR 

See “Data Protection” section above.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

No 

The National Cyber Security Centre (which is part of GCHQ) does not act as a regulator under the NIS Regulations, but provides technical support and guidance in the following roles:

  • a Single Point of Contact (SPOC): for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT): to provide advice and support where reported incidents are identified as, or suspected of, having a cyber security aspect; and
  • a Technical Authority on Cyber Security: to support OESs and Competent Authorities with advice and guidance and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services; 
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and
    • implementation guidance and support to Competent Authorities. 

8. National cybersecurity incident management structure

N/A

Yes, see above.

9. Other cybersecurity initiatives 

  • The Hong Kong Monetary Authority has issued various non-binding cybersecurity guidelines for authorised institutions, such as the Cyber Resilience Assessment Framework and cybersecurity guidelines with respect to the use of stored value facilities, e-banking systems and artificial intelligence.
  • The Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines in relation to the use of external electronic data storage.
  • The Insurance Authority has issued the Guideline on Cybersecurity laying down the minimum cybersecurity standards that authorised insurers must observe.
  • The Commissioner for the Electronic Health Record has issued codes of practice regarding the use of the electronic health record sharing system by healthcare providers to access and share patients' electronic health records. 
  • The Office of the Government Chief Information Officer has issued guidelines on cybersecurity controls and measures applicable to various government offices and departments.

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time to increase awareness with the aim of reducing the impact of cybersecurity breaches on UK business.

Cyber Essentials is a government scheme aimed at highlighting security controls that will help organisations mitigate the risk to their IT systems from online threats. The scheme focuses on five essential mitigations within the context of the 10 Steps to Cyber Security. It provides organisations with guidance on implementation, as well as offering independent certification.

Jonathan Chu
Partner
Hong Kong (CMS CMNO - Lau, Horton & Wise LLP)

Emma Burnett
Partner
London

Dr. Loretta Pugh
Partner
London

Katherine Eyres