Risk assessment and management for non-authorised institutions
Although data users are responsible for the actions of their data processors and are required to have adequate systems of control in place, the general data privacy regulations don’t prescribe what form the controls should take.
The Office of the Privacy Commissioner for Personal Data, Hong Kong has, however, published an information leaflet with recommendations on the content of a data processing agreement necessary to adequately protect personal data under the PDPO. A contract could impose the following obligations on a data processor:
• to take measures to protect the personal data entrusted to it and to comply with the data protection principles under the PDPO
• to return, destroy or delete the personal data when it’s no longer required
• to not use or disclose the personal data other than in the way intended by the data user
• to not subcontract the service it’s engaged to provide
• to immediately report any signs of abnormalities or security breaches
• to allow the data user to audit and inspect the way it handles and stores the personal data
• to face sanctions for violating the contract.
29 Paragraphs 10 and 12, Schedule 7, Banking Ordinance (Cap. 155).
30 Sections 55 and 56, Banking Ordinance (Cap.155).
Data users should also consider non-contractual ways to make sure their data processors comply with data protection requirements. For example, data users could:
• only choose reputable data processors that have a good track record on data protection and guarantee their competency in this area; and
• make sure data processors have robust policies and procedures in place, including adequate training for their staff.
Risk assessment and management for authorised institutions
AIs have to follow both the general risk assessment and management procedures in the section above and the industry-specific ones set out in this section.
The HKMA acknowledges that data processing is one of the typical functions AIs outsource31. In general, because outsourcing can bring significant benefits to AIs and their customers, the HKMA will let AIs use outsourcing arrangements so long as they are well structured, properly managed and the interests of customers will not be compromised32. As a result, the HKMA requires AIs to adopt the following measures:
• The board and management of an AI should be ultimately accountable for the outsourced processing of personal data. So outsourcing can only allow them to transfer their day-to-day managerial responsibility, and not accountability, for the processing of personal data to a cloud services provider33.
• Before taking on a cloud services provider, the board and management of the AI should make sure a comprehensive risk assessment of the proposed outsourcing arrangement has been carried out and that all the risks identified have been adequately addressed before launch. Among other things, the risk assessment should look at:
— how important the processing of the relevant personal data is
— the reasons for outsourcing the task
— what operational, legal and reputational risks outsourcing might create34.
31 Section 1.1.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
32 Section 1.3.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
33 Section 2.1.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
• Before choosing a cloud services provider, the AI should carry out appropriate due diligence. As well as the cost and quality of service, the AI should take into account: the provider’s financial soundness; reputation; managerial skills; technical capabilities; operational capability and capacity; compatibility with its own corporate culture and future development plans; familiarity with the banking industry; and ability to keep pace with innovation in the market35.
• The AI and its provider should maintain and regularly test their contingency plans36. The AI should make sure it fully understands its provider’s contingency plan and how the plan will affect its own contingency planning in the event the cloud computing service fails37.
• The AI should put in place proper safeguards to protect the integrity and confidentiality of customer information. Some of these are:
— undertakings from the provider that the company and its staff will comply with confidentiality rules and observe the data protection principles set out in the PDPO
— contractual rights to take action against the provider in the event of a breach of confidentiality
— segregation of its data from that of the provider and their other clients
— access rights to its data given to the minimum number necessary of the provider’s employees38.
• The AI should tell its customers in general terms about the possibility that their data might be outsourced, and specifically about any significant outsourcing initiatives, particularly those in an overseas jurisdiction39.
35 Section 2.3.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
36 Section 2.7.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
37 Section 2.7.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
38 Section 2.5.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
39 Section 2.5.3, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
• If the outsourcing agreement is terminated, for whatever reason, the AI should make sure all its customer data is either retrieved from the provider or destroyed40.
• The AI should have effective procedures in place for managing the relationship with the provider and the risks associated with the outsourcing, and for monitoring the provider’s performance41. Among other things, the AI should look at:
— contract performance
— any material problems the provider has
— the provider’s financial condition and risk profile
— the provider’s contingency plan, the results of testing it and how to improve it42.
• The AI should have suitable reporting procedures in place so that problems are quickly brought to the attention of its management and the provider43.
• The AI’s internal audit department should regularly review the outsourcing arrangement’s control procedures44.
40 Section 2.5.4, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
41 Section 2.6.1, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
42 Section 2.6.2, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.
43 Section 2.6.4, Supervisory Policy Manual (SA-2) on Outsourcing issued by HKMA.