
PIA & Incident handling

Privacy Impact Assessment PIA

Will any personal information be collected, stored, used or disclosed in the project?

Complete the Privacy Impact Assessment form (PIA.docx).

Assessment plan includes:
  • Plan

  • Analyze – identify and assess specific risks

  • Mitigate – Create privacy protective measures for potential risks identified

  • Report – Record due process for future audits and reviews

If NO, please keep a record of your decision.

If YES, please follow the incident handling steps below:

When there is a Data Breach Incident

Step 1 – Data User / Department: Report the incident with detailed information.

Step 2 – Department Head / Data Protection Office:

  • Review & report to the Head of Department and Data Protection Coordinator

  • Report to DPO office* with the following information, as specific as possible:

    • What personal data were concerned?

    • How many data subjects were/could be affected by the data breach?

    • What is the nature of the data breach (e.g. leakage, loss, unauthorized use, etc.)?

    • When, where and how did the data breach take place?

    • What was the duration of the data breach?

    • When, where, how and by whom was the data breach discovered?

    • What was the cause of the data breach?

* Report the incident to the DPO office as soon as possible.

Step 3 – Head: Determine whether to escalate the incident.

Factors for Escalation

  1. No. of Data Subjects Involved

  2. Personal Data being leaked

  3. Potential Harm to Data Subjects

  4. Other relevant factors

If the incident is not determined to be serious (Head): the Department will file the report for record.

If the incident is determined to be serious (Head), the Relevant Parties are:

  • CPAO, DPO

  • PCPD

  • Police

Notify

  1. University Data Protection Officer

  2. PCPD Privacy Commissioner – report details, DPO practice in place, remedial actions

  3. Affected data subjects

  4. Develop and execute remediation plan

When an incident happens,

  1. Discover and report the incident within the concerned Faculty / Department / Centre

  2. Inform/report the incident to the DPO office and the Head of Faculty / Department / Centre, with consideration of Part VII of the Code of Practice

  3. Assess and take actions, including consideration of the escalation factors, by the head in charge of the concerned Faculty / Department / Centre

  4. DPO office, with IT Security, to:

    • Issue a Preliminary Written Advice to the Relevant Office/Work Unit with reference to here

    • Review and consider the Formal Report if submitted pursuant to Part VII (with discussion with relevant colleagues)

Examples of data breach incidents:

  • A data user’s database containing personal data being accessed without authorization.

  • The improper handling of personal data, such as sending it to the wrong party or unauthorized access to the data.

  • The disclosure of personal data to a third party who obtained it by deception.

  • The loss of personal data kept in storage, e.g. portable devices, backup systems.
