Notes on Complaint & Enquiry Cases related to DPP4 - security of personal data
Case No.: 2003007
Personal data collected through outdoor marketing campaigns: organizers to take safety steps to prevent accidental loss of application data collected - DPP4
The Complaint
A bank conducted a marketing campaign in a bookshop on a Saturday to solicit credit card applications. At the end of the campaign, a member of the bank's staff put all the application forms, together with copies of the applicants' identity cards, in a briefcase and carried them home, intending to return them to the office the next working day. Unfortunately, the staff member left the briefcase in a public light bus and lost all the documents.
Findings by the Privacy Commissioner
Upon investigation of the complaint, it was found that the bank had not issued adequate guidelines to its staff on the handling of personal data collected during outside-office marketing campaigns. Taking into account the sensitivity of the data collected and the harm likely to be inflicted upon the data subjects by accidental loss of the data, the bank was found in breach of the requirements of DPP4 in failing to take practicable steps to protect the security of the personal data collected.
Actions by the Privacy Commissioner
An enforcement notice was issued. In compliance with it, the bank implemented corresponding safeguard measures, including transmitting credit card applications and supporting documents to a nearby branch of the bank at the end of a marketing campaign instead of allowing staff to take them home.