
Why Cathay Pacific data breach warranted an investigation from the outset, not a compliance check

  • While compliance checks are useful for relatively minor breaches, they need not precede an investigation in serious cases, former privacy commissioner says
  • Hong Kong’s privacy watchdog should make public the outcome of more compliance checks

Cathay Pacific staff help out passengers at the airline’s check-in counters at Hong Kong International Airport on October 29. The company announced on October 24 that the personal data of 9.4 million customers had been compromised. Photo: Felix Wong
Letters
I refer to the letter from the acting privacy commissioner published on November 8 (“It is wrong to say compliance checks are ‘pointless’ when it comes to claims of data leaks”). The distinction between an investigation and a compliance check is important. The former comprises enforcement activities regulated by the Personal Data (Privacy) Ordinance.

Organisations’ failure to cooperate with the commissioner during the investigation, including the giving of false or misleading information, is a criminal offence. Organisations found to have contravened the ordinance are subject to an enforcement notice, issued by the commissioner to remedy the contravention, non-compliance with which is also an offence. The ordinance was reinforced in 2012 to enhance the effectiveness of these enforcement measures.

By contrast, compliance checks are administrative arrangements lacking the above sanctioning powers. Organisations are not criminally liable for misleading statements. The commissioner would not determine whether there was a contravention of the ordinance and the case would normally be closed if the organisation involved promised to follow the commissioner’s advice for improvement.

Compliance checks serve two purposes. First, due to resource constraints, the commissioner has to be “selective in order to be effective”. Hence, he undertakes investigations of serious breaches and resorts to compliance checks in relatively minor cases.

Secondly, where serious breaches are brought to light by third-party sources, it is fair to ascertain facts from the organisations concerned through compliance checks before deciding whether to initiate an investigation.
