Principle 4 of the Ordinance requires websites to adopt security measures to protect the data that they collect and transmit. Organizations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures.
As a general rule, organizations collecting detailed or sensitive personal data (such as resumes from job applicants or credit card/bank account details for service payments) are required to observe a stringent level of security (such as the use of firewalls or encryption). If transfers of sensitive personal data are not encrypted, websites should alert users to the risks of transmission and offer them an alternative secure means of supplying the data. Therefore, when processing sensitive information such as an individual's financial data, medical data or personal identifiers, privacy-enhancing technologies must be adopted. Beyond compliance with Principle 4 of the Ordinance, there are other reasons for organizations to take measures to secure online data: a leak of a client's personal data caused by the organization's lax security may easily give rise to civil claims for compensation and to criminal prosecution.
Principle 4 of the Ordinance also covers security measures for storing personal data. Allowing uncontrolled access by Internet users to personal data held by an organization could contravene Principle 4. Again, a "harm test" can be applied. In addition, the individuals providing the personal data should be fully informed at the outset about the sort of access that others may have to the information they provide.