Privacy and Security
Customer data privacy and the management of cyber security risks are of the highest priority to the Group, and rigorous policies and governance mechanisms are in place to maintain consistency and oversight across operations.

In terms of privacy, the Group’s Policy on Personal Data Governance, which embraces the principles of respecting the rights of the individual, of procedural transparency, and of lawful processing, underlines the Group’s commitment to the protection of personal data of customers and employees. The Policy governs fundamental privacy aspects such as the collection, usage, retention and sharing of personal data, and safeguards if the data are to be handled by third parties. Such safeguards could include having the right to directly audit the operations of third parties.

The CK Hutchison Cyber Security Working Group, supported by technical experts from across the entire Group, oversees the Group’s cyber security defences, monitors the threat landscape facing all of the Group’s operations, provides guidance to business units, and ensures coordinated and effective efforts in managing cyber security risks across the Group.

Regarding policies, the Information Security Policy sets out the Group’s approach to protecting the confidentiality, integrity and availability of data, including personal data, as well as to managing and escalating security incidents. The Policy also forms the basis on which the businesses formulate their local policies and procedures.

In addition, through the CK Hutchison Global Cyber Security Collaboration Platform, colleagues within the Group share knowledge, exchange ideas, and collaborate to find the right security solution and the right vendor in a fast-evolving threat environment where organisations are often faced with a vast array of choices.

Internal Audit carries out independent cyber security audits across the Group, with assignments in recent times focusing on the awareness of COVID-19-themed phishing emails, and security considerations in relation to working from home and the use of collaboration tools for virtual teamwork.

Further, Internal Audit periodically engages external consultants to conduct ethical hacking to probe cyber security defences in real-life settings, and follows up to see that security loopholes uncovered in these exercises are promptly and properly closed. Further discussion on management approaches to privacy and cyber security is provided in the core business sections that follow.