Topic:

Data Protection, Cyber Security and Crime take home exam

Essay Instructions:
All references and citations in this essay must use OSCOLA reference guidelines (using footnotes) – see uploaded OSCOLA guideline. Any information that is not provided in the questions below, but which forms part of your answers or is key to your answers, must be stated as “assumptions”, “expectations” or “concerns” in your essay. Note that you may NOT make assumptions about Hong Kong laws (meaning no made-up laws).

Question: The new Protection of Critical Infrastructure (Computer Systems) Ordinance (Cap. 653) is coming into effect on January 1, 2026. This law creates a regulatory requirement for companies classified as critical industries to enhance their cyber security. Likewise, principle 4 – security of personal data in Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) creates an obligation to protect personal data.

(a) Explain what the weaknesses are in Principle 4 of Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) in protecting personal data (as in data security).

(b) To improve and enhance data security (from part a), what are the lessons the new Protection of Critical Infrastructure (Computer Systems) Ordinance (Cap. 653) can bring to bear for companies in Hong Kong? In your explanation, please identify how the relevant sections of the new Protection of Critical Infrastructure (Computer Systems) Ordinance can be adapted to Principle 4 of Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486).

(c) Draft a new Principle 4 of Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) using comments and the text of the new Protection of Critical Infrastructure (Computer Systems) Ordinance. You will need to show what original wording of Principle 4 of Schedule 1 of the Personal Data (Privacy) Ordinance you have changed and explain why you have made those changes.

Note that the aims and the justifications of the Personal Data (Privacy) Ordinance (Cap. 486) and the Protection of Critical Infrastructure (Computer Systems) Ordinance (Cap. 653) are very different. Therefore, in answering the question on Principle 4 of Schedule 1 of the Personal Data (Privacy) Ordinance (Cap. 486) and the Privacy Commissioner for Personal Data of Hong Kong, the focus is to retain the aims and goals of the Personal Data (Privacy) Ordinance (Cap. 486). As such, all recommendations made by you must be mindful not to put undue pressure on companies in terms of the costs of compliance and not to create overly complex compliance requirements.
Essay Sample Content Preview:
Improving Data Security in Hong Kong: A Critical Disposition of DPP4 and the Protection of Critical Infrastructures Ordinance (Computer Systems)

1. Introduction

Hong Kong's digital economy is one of the pillars of its status as a global financial centre. The new Protection of Critical Infrastructure (Computer Systems) Ordinance (CI Ordinance) offers a timely and instructive comparison. As a purpose-built cybersecurity law, it establishes a strict, proactive and systematic regulatory paradigm for the security of the computer systems that are fundamental to the societal and economic activities of Hong Kong. This essay first outlines the weaknesses of the current DPP4, then examines the CI Ordinance and draws essential lessons from its three-part framework of organisational, preventive and incident response requirements. Lastly, it proposes a complete redraft of DPP4 that applies these lessons in the context of personal data protection.

2. The Weaknesses of the Present Data Protection Principle 4

2.1. The Ambiguity of "All Practicable Steps"

The core of the DPP4 obligation lies in the words "all practicable steps". This is a subjective term that is indeterminate in nature. What is practicable for a multinational corporation is quite different from what is practicable for a small local company. The meaning is relative, resting on a post hoc determination of what was reasonably practicable for a particular organisation at the time a breach occurred. This sets a low and uncertain standard under which organisations can excuse low security investment on the basis of their own appraisal of cost, technical feasibility, or the perceived degree of harm.

This vagueness stands in stark contrast to the risk-based approach required by modern international standards. An example is Article 32 of the European Union General Data Protection Regulation (GDPR), which stipulates that data controllers must adopt appropriate technical and organisational measures to achieve a level of security appropriate to the risk. This clearly directs organisations to undertake a proactive analysis of the risks posed by their processing activities and to calibrate their security measures to that risk.

2.2. The Lack of a Mandatory Data Breach Notification Obligation

The absence of a legal obligation to report data breaches is the biggest weakness in the Hong Kong privacy protection system. Data users have no legal obligation to notify the Privacy Commissioner for Personal Data (PCPD) or the victims of a breach. The PCPD has issued non-binding guidance on data breach handling and notification, the Guidance on Data Breach Handling and Data Breach Notifications, but it has no force of law. This omission has a number of harmful effects. First, it compromises accountability: organisations can conceal breaches to protect their reputation and avoid regulatory scrutiny, with no legal consequences for such concealment. Second, it denies affected individuals the chance to take precautions against identity theft, fraud, or other harms that may follow the exposure of their personal information. Third, it impairs the PCPD's ability to detect systemic weaknesses, monitor trends in threats, and offer industry-wide advice or take specific enforcement measures. This is unlike the GDPR, which mandates notification to the supervisory authority within 72 hours and notification of data subjects in the case of high-risk breaches. Even Singapore's Personal Data Protection Act was amended in 2021 to mandate disclosure of breaches that are likely to cause serious harm to individuals.

2.3. Reactive Enforcement and Non-binding Advice

In the absence of specific statutory obligations, the PCPD has attempted to create clarity through soft-law instruments, including the 'Guidance Note on Data Security Measures' and the 'Guidance on Data Breach Handling'. These documents are informative and promote best practices such as data encryption, access control, and incident response planning. But they are voluntary, and so compliance is sporadic and unenforceable. An organisation may be able to point to its compliance with some of the guidance points, but it cannot be found to have failed to comply with the guidance as a whole, because the statutory test is the murky nebulou...