Back to business FAQs

1. Do the Cybersecurity Law, and related guidelines, including Personal Information Security Specification remain applicable during the business resumption period?

Yes, organizations should continue, as far as possible, to comply with relevant data protection laws. This said, there are circumstances in which, given the current situation, entities (in particular government and healthcare bodies) may not need to full comply with all privacy obligations in the context of COVID- 19 prevention and control.

2. Is consent still required to collect personal information in the context of COVID-19 prevention and control?

Yes, however organizations should first check to see whether they have already obtained sufficient consent from their employees at onboarding (for example, many organizations set out in their standard employee privacy notices/ contracts that personal information may be collected for health control reasons). As noted above, certain organizations (such as government entities or healthcare bodies) may be permitted to collect and process personal information without consent in the context of COVID-19 prevention and control.

3. Are organizations allowed to disclose to colleagues and third parties (customers / suppliers particularly), the identity of the employees that have tested positive for COVID-19 for the purpose of prevent further infection?

Organisations should not disclose the identity of the underlying individual, however, from a practical perspective, organisations are able to notify colleagues and third parties that there has been a positive case and that appropriate remediation measures are being taken.

4. Are security measures necessary in processing the personal information?

Yes, organisations should continue to adopt appropriate technical and organisational measures, such as encryption, access control, ID verification, etc., to protect the security, integrity and confidentiality of any personal information, and to safeguard personal information from any unauthorized use, breach, or disclosure.

5. What privacy issues may arise by allowing our personnel to work from home? How can we manage these?

Working from home arrangements may increase the risks in privacy and cyber related incidents. It is therefore important that organisations ensure that there is proper communication and reminders to employees around maintaining compliance with internal protocols and procedures. Organisations should also ensure that its IT software and security systems are up-to-date and proper technical measures are adopted to minimise the occurrence and impact of any incident.

New notices

Publication date Name Source
30/01/2020 Urgent Notice on Co-ordinating the Work of Epidemic Prevention and Control and Transportation Security.
02/02/2020 Circular on Personal Information Protection while Using Big Data to Support Joint Prevention and Control
14/02/2020 Notice on Protecting Network Security in the Information and Communication Industry During Epidemic Prevention and Control.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.