Enforcement action follows PCPD finding of ineffective data privacy training

Apr 29 2026
 

In this news update, Pádraig Walsh from our Data Privacy practice looks at a recent investigation report by the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) into the wrongful disclosure of personal data in April 2025 through sample forms by an airline company. The heart of the findings provides a salutary reminder of the importance of training and awareness programmes in data privacy management.

What happened

An airline passenger complained to the PCPD that the personal data of two other passengers and two related persons were disclosed to him through sample forms attached to an email sent by a ground service agent of an airline company stationed in Phu Quoc in Vietnam.

This arose when the passenger claimed compensation from the airline company for delayed baggage for a flight from Hong Kong to Vietnam. The ground service agent in Phu Quoc requested the passenger by email to complete the required forms for settlement of the claim, and attached two sample forms to the email. The sample forms contained the personal data of two passengers and two related persons, including names, flight details and bank account details.

Upon being notified of the incident, the airline company instructed the ground service agent the next day to stop sharing and attaching personal data of passengers, and directed the ground service agent to require its staff to attend briefing and training sessions.

The conduct of the ground service agent involved a breach of the Ground Operations Manual of the airline company. The PCPD investigated the complaint.

PCPD findings and decision

The PCPD found that the key contributing factors to the data breach were that the airline company:

1. failed to take effective measures to raise the awareness of the staff members of the ground service agent of personal data privacy requirements in the Ground Operations Manual;

2. failed to provide sufficient and regular training to staff members of the ground service agent; and

3. failed to monitor the performance of ground handling agents.

The PCPD found that the airline company had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, and the airline company had contravened DPP 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data. The PCPD served an Enforcement Notice on the airline company, directing it to take measures to remedy the contravention and to prevent recurrence of similar contraventions in future.

Lessons to learn

This investigation and enforcement action is all about failure in training and awareness programmes. The Ground Operations Manual had adequate provisions to deal with personal data management in the circumstances of this case. The person on the ground was not aware of the provisions. Here it did not matter that the person on the ground was in Vietnam. The ground service agent acted under the control and authority of the airline company in Hong Kong. It was a data processor of the Hong Kong data user. So, it was the obligation of the airline company to train the ground service agent and raise its awareness of privacy requirements under Hong Kong law.

Privacy policies and procedures are not documents to be kept on the shelf. They are the operational steps people in an organisation must follow to implement effective privacy management. You need to be aware of a process before you can follow it. Training is the key to unlock this awareness.

An organisation does not rise to the level of its aspiration; it falls to the level of its training. This key message is a core tenet of privacy management programmes. Training and awareness programmes are the key driver in ensuring that organisational and human behaviour implements well-designed policies, programmes and processes. We, at Tanner De Witt, provide organisational training to elevate privacy awareness and breach response readiness. Speak to us. We can help.

Pádraig Walsh


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 29 April 2026.
