A personal data breach is defined in the Law as a breach of security leading to accidental or unlawful destruction, loss or alteration of personal data or unauthorised disclosure of or access to personal data.
A breach can occur when personal data have been sent to the wrong person, there has been a cyber-attack on your organisations data, personal data have been lost etc.
Read about some common breach scenarios here.
Have a plan in place before that happens.
If you become aware of a breach, you are legally obliged to tell the ODPA within 72 hours after becoming aware unless the breach is unlikely to result in any harm to the individuals whose data are involved.
You may also be required to notify the individuals whose data have been breached in some circumstance.
We have prepared detailed guidance on breach reporting that you might find useful.
Please note: There are extra things to consider when a controller becomes aware of a breach under the Law Enforcement Ordinance. When processing personal data for a Law Enforcement purpose under the Law Enforcement Ordinance please consult section 34 of the Ordinance.