Training & Awareness — The Real Cause Behind a Hong Kong Airline Data Breach

When privacy policies are sound but a data breach still occurs, where does the responsibility lie? For one Hong Kong airline, the answer was clear: failures in training and awareness.

In our latest PrivacyEspresso episode, we are pleased to feature Pádraig Walsh, Partner at Tanner De Witt and former Chairperson of PrivacyRules, who brings his deep expertise in data privacy, cybersecurity, and TMT law to unpack a recent and highly instructive investigation by Hong Kong’s Privacy Commissioner for Personal Data (PCPD).

The case involves an airline whose ground service agent in Vietnam shared real passenger data, including names, flight details, and bank account information, as “sample forms” when helping a customer file a baggage claim. The policies were sound. The breach happened anyway. Why? Failures in training and awareness.

In this episode, Pádraig covers:

🔹 The facts and findings of the PCPD investigation into the airline data breach

🔹 How training and awareness failures — not system flaws — led to a violation of Data Protection Principle 4

🔹 The four levels of effective privacy training, from information delivery to live breach simulations

🔹 The distinction between training and awareness, and why both are essential

🔹 How organizations can shift from a compliance mindset to a genuine privacy culture

One clear takeaway: an organization does not rise to the level of its aspirations; it falls to the level of its training. Policies left on the shelf protect no one.

Listen to the full episode to understand why investing in training and awareness is not a cost — it’s your strongest line of defence.

📄 For a deeper analysis of this enforcement action and its practical implications for organizations managing data privacy across borders, we also invite you to read the full article, available at the following link: https://bit.ly/4f4G4cH