PCO Office of the Privacy Commissioner for Personal Data, Hong Kong imagebanner image
Privacy Policy StatementSearchSite DirectoryText Only VersionChinese  
image
About PCPD
image
The Ordinance
image
Review of the Ordinance
image
PCPD Activities
image
Information Centreimage
Privacy Zone for Youngsters
image
Publications and Videos
image
Enquiries and Complaints
image
Case Notes
image
Contact Us
image
Search Case Notesimage
image

Case Notes
Complaint & Enquiry Cases

 

 

Notes on Complaint & Enquiry Cases related to DPP4 - security of personal data

Case No.: 1997015

Liability of a principal

A customer of a department store received promotional materials issued jointly by the department store and a bank. She was surprised to see that her identity card number was shown on the envelope, together with her name and address.

Upon investigation by the PCPD, it was ascertained that the personal data were provided by the department store to the printer. The bank had advised, and the department store agreed, that only the first four digits of a customer's identity card number should be printed on the address label for verification purpose, but the printer had mistakenly printed the number in full.

The Commissioner's views on the matter

DPP4 requires a data user to take all reasonably practicable steps to ensure that personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use. In this case, the envelopes were printed by the printer. However, the department store and the bank were responsible for the mistake which occurred. This is because both of them controlled the collection, holding, processing and other use of the data and were thus data users in relation to the data as defined in section 2 of the Ordinance. Furthermore, the relationship between them and the printer was that of principals and agent. Under section 65(2) acts done by employees and agents are treated for the purpose of the Ordinance as acts done by employers and principals themselves. To minimize the risk of mistakes steps should have been taken to confirm with the other parties to ensure that instructions were complied with. Such steps could include layout proof checking of the printed materials before their printing or sample checking of the printed materials prior to their dispatch.

Accordingly, the Commissioner concluded that the bank and department store had breached DPP4. After receiving advice from the PCPD, they undertook to strengthen the inspection of printed materials and to make arrangements with the printer to ensure that such mistake would not occur again. The case was settled by mediation.

Back to top

  imageNotice/ Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer