Important Notice

Towngas recently received customer enquiries about a suspicious gas bill. The alleged claim and embedded links have been found to be fraudulent. The matter has since been reported to the police. Please stay alert and do not click on any attachment or link contained in any email or message that appears suspicious. For enquiries, please call 2880 6988 or email towngas.cs@towngas.com.
2023-11-28 13:00:00
Data Privacy and Cyber Security

We understand the importance of personal data privacy and take every step necessary to protect it. To that end, we have established a Personal Data Privacy Policy that sets out our standards for the collection, use, sharing, and protection of personal data. Cyber security has also become a key concern of stakeholders. Our Information Security Policy ensures the protection of the confidentiality, integrity and availability of the Group’s information and technology assets.

Cyber security and the protection of critical data (financial, customer, and operation) are included as one of the Group’s key risks. This includes unauthorised access to systems and data, which could lead to breaches of the personal information of customers, employees and others and would adversely affect the Group’s business. This risk is regularly assessed through the risk management process.

The major risk exposures and the implementation of risk-mitigating measures are regularly reported to and discussed by the Executive Risk Management Committee for monitoring purposes, while top risks and measures are reported by the Corporate Audit and Risk Management Department to the Board Audit and Risk Committee (on behalf of the Board) for review.

The key to successful protection of customer privacy is our employees. If our employees lack the necessary awareness, mishandle customer information or are unaware of cyber security risks, the potential for a customer information leakage incident can be high. To avert this possibility, we have undertaken various initiatives, including seminar training, information security tips and regular phishing simulations. We also host an annual Information Security Week to keep employees up-to-date on personal data protection matters as well as cyber security knowledge.

As an example of how we mitigate the risk of data leakage and maintain the trust of our customers, the data contained in all mobile devices carried by our gas technicians and other frontline employees can be wiped remotely if these devices are lost. We also isolate sensitive information from our customer relationship management system in order to minimise the impact of possible hacking incidents.
 
Customer Privacy 

We have implemented a Privacy Management Programme (PMP) to enhance personal data privacy protection and ensure compliance and accountability to data subjects. The PMP consists of a set of policies and processes reflecting our organisational commitment, system control and ongoing assessment to safeguard data privacy. We also conduct regular internal audits of privacy policy compliance.

The Company’s Data Privacy Standing Committee (the “Committee”) reviews strategies for handling personal data. The Committee is chaired by the Head of Legal who reports directly to the Managing Director. Through the concerted effort of the Data Protection Officer and the Departmental Data Protection Coordinators, we have established a formal communication channel to deal with personal data situations such as disseminating up-to-date data protection information and enhancing the effectiveness of the PMP. 

Additionally, the Committee manages potential data breaches. If a data breach does occur, the Committee will conduct an interim assessment on the risk of harm and decide whether the incident will be escalated to top management for their attention. The Committee will also suggest solutions for resolving the incident.

Every department is required to make a declaration to the Company about its compliance with the requirements of data protection principles and any data protection matters that might have arisen during the year.

The Privacy Impact Assessment (PIA) and Data Processor Review Checklist (DPRC) are two important tools of our PMP, which aims to assess potential privacy risks for any new projects or processes. The PIA ensures that our customer data is safeguarded and that our compliance with the Personal Data (Privacy) Ordinance of Hong Kong is confirmed. A walk-through of the DPRC is also required for new or ongoing projects that entail the processing of customer data by a third party on behalf of Towngas. The PMP online platform has been set up to facilitate the submission of the DPRC and to build our data inventory.
 


Cyber security 

To address cyber security issues, we have a Cyber Security Committee that is responsible for managing all cyber security matters. It is overseen by the Head of Corporate Information Technology, who reports directly to the Managing Director, who is also a member of the Board.

Early anomaly detection allows suspected activities to be detected at an early stage, which effectively minimises their impact. By leveraging threat intelligence and active monitoring under the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, we keep any suspected activities under tight scrutiny and validate them for legitimacy and against incident response procedures. To further improve cyber security maturity, we have commissioned a third-party consultant to monitor potential cyber incidents around the clock. The consultant has integrated global threat intelligence and built up a platform for detection capability improvement. The platform helps to minimise Towngas' cyber risks and enables Towngas to continue innovating safely on its digital modernisation journey. To further identify potential vulnerabilities and mitigate our cyber security risks, we conduct regular internal penetration tests and annual third-party security assessments on our applications.

In the event of a cyber incident, we have developed a Cybersecurity Incident Response Plan (CIRP) with five response playbooks covering the top five cyber security incidents including data leakages and cyberattacks. The CIRP provides employees with actionable, consistent processes for responding to and recovering from various cyber incident scenarios that would have a severe impact on our business processes. In the event of a suspected cyberattack, our Cyber Security Committee will initiate the incident response process, contain the data leakage and contact the Cyber Security Centre of the Hong Kong Police Force and other security experts. We also test our incident response procedures at least annually. 

To test our recovery capability in the event of a cyber-attack, we conduct an annual disaster recovery drill on a backup site.