HONG KONG: Hong Kong’s Privacy Commissioner addresses privacy compliance and best practice for BYOD

Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the “HKAB Guidelines“), the trend towards Bring Your Own Device (“BYOD“) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the “Information Leaflet“), which highlights the risks of data breaches where employees are using their own mobile phones or other personal devices to access work emails/systems, and suggests best practices for organisations allowing BYOD. Unlike previous industry-specific guidance, the Information Leaflet is generally applicable to all companies permitting BYOD in Hong Kong. It is clear from the Information Leaflet that organisations permitting BYOD remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance“) and the Data Protection Principles (“DPPs“).

The Information Leaflet suggests organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure. This reflects the approach taken in the HKAB Guidelines, which recommend specific and distinct practices which differ depending on whether or not the organisation’s data is stored on the personal devices or within a “sandbox”. The Commissioner has suggested as best practice that organisations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.

The Commissioner has also outlined several critical issues that organisations should consider in order to remain compliant under the Ordinance. For instance, organisations should consider whether there is sufficient employee training regarding use of personal data stored in the BYOD device, and whether adequate security measures are in place to ensure secure transfer and storage of personal data in the BYOD equipment (e.g. sandboxing, password protection and independent encryption).

The Information Leaflet also highlights that respect for personal data should be mutual under the BYOD scheme, and any practices implemented to manage employees’ BYOD devices should respect the employees’ private information.

For more information, the Information Leaflet is available here.