Notes on Complaint & Enquiry Cases related to DPP4 - security of personal data
Case No.: 2005018
Inadequate verification procedure to protect customers' personal data against unauthorized access
The Complaint
1. Summary of Facts
A customer of a broadband service provided by a telecommunications company could not use her password to log in to her internet account. Upon enquiry with the company, the customer discovered that a man falsely claiming to be her husband had called the company's customer service hotline and requested that the customer's internet password be reset. Since the caller could provide the customer's full name and Hong Kong identity card number and explain his relationship with the customer, the company, at the caller's request, reset the password to the first 6 digits of the customer's Hong Kong identity card number.
The company explained that the above was its standard verification procedure for handling telephone requests for a password reset initiated by a third party on behalf of an account holder. The company further asserted that, with the recent enhancement of this procedure by also asking for the account holder's address, it had already protected the account holder's personal data privacy.
2. Issue of the case
Failing to take all practicable steps to ensure that personal data held by a data user are protected against unauthorized or accidental access, processing, erasure or other use.
Outcome
1. Reasoning
An internet password is the key giving online access to the personal data kept in the internet account, hence any request for a password reset needs to be handled with extra care and caution lest the information in the account be opened to unauthorized access by a person other than the account holder.
The company's practice of asking the caller for the account holder's name, Hong Kong identity card number and address, and for the caller's relationship with the account holder, was plainly insufficient to ensure that the request was genuinely made or authorized by the account holder: all of these are facts that a third party close to the account holder may readily know. Resetting the password to the first 6 digits of the account holder's identity card number was also unsatisfactory, since the new password was both predictable and disclosed to the caller. The Privacy Commissioner found that the company had contravened the security requirements of DPP4 by failing to take all reasonably practicable steps to protect customers' personal data against unauthorized access, due to its inadequate verification procedure as aforesaid.
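To make the reasoning concrete, the following added example (not part of the case note, and not the company's actual system) models the two procedures side by side: the knowledge-based check that reset the password to a value derived from the identity card number, and a hardened flow in which the caller's claims never authorise the change. The hardened flow instead sends a single-use, time-limited token to a contact channel the account holder enrolled in advance, so only someone who controls that channel can complete the reset. The account, the identity card value and the registered contact are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> str:
    # Salted PBKDF2 so that stored hashes are not directly comparable or reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


@dataclass
class Account:
    holder_name: str
    hkid: str                      # constructed sample value, not a real number
    address: str
    registered_contact: str        # assumption: a channel the holder enrolled beforehand
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: str = ""
    pending_reset: Optional[Tuple[str, float]] = None   # (sha256 of token, expiry time)
    audit: List[dict] = field(default_factory=list)     # caller claims are logged, never trusted

    def set_password(self, password: str) -> None:
        self.password_hash = _hash_password(password, self.salt)


def make_sample_account() -> Account:
    acct = Account("Jane Doe", "A1234567", "1 Sample Street", "+852-0000-0000")
    acct.set_password("original-secret")
    return acct


def verify_login(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password_hash, _hash_password(password, account.salt))


def weak_reset(account: Account, caller_name: str, caller_hkid: str,
               caller_relationship: str) -> Optional[str]:
    """The procedure criticised in the case: checks on facts a third party can
    plausibly know, then a new password derived from the identity card number
    and read back to whoever called."""
    if caller_name == account.holder_name and caller_hkid == account.hkid and caller_relationship:
        new_password = account.hkid[:6]       # predictable value, disclosed to the caller
        account.set_password(new_password)
        return new_password
    return None


def request_reset(account: Account, caller_claims: dict,
                  deliver: Callable[[str, str], None]) -> None:
    """Hardened flow: record what the caller said for audit, but authorise the
    reset only through the registered contact. The token is random, single-use
    and expires; its hash, not the token, is stored. Nothing is returned to the caller."""
    account.audit.append({"event": "reset_requested", "claims": caller_claims, "at": time.time()})
    token = secrets.token_urlsafe(16)
    digest = hashlib.sha256(token.encode()).hexdigest()
    account.pending_reset = (digest, time.time() + 15 * 60)
    deliver(account.registered_contact, token)


def redeem_reset(account: Account, token: str, new_password: str) -> bool:
    """Completed by whoever holds the token, i.e. the owner of the registered channel."""
    if account.pending_reset is None:
        return False
    digest, expiry = account.pending_reset
    if time.time() > expiry:
        account.pending_reset = None
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
        return False
    account.pending_reset = None               # single use
    account.set_password(new_password)
    return True


if __name__ == "__main__":
    weak = make_sample_account()
    print("weak procedure handed the caller:", weak_reset(weak, "Jane Doe", "A1234567", "husband"))

    hardened = make_sample_account()
    outbox = []
    request_reset(hardened, {"name": "Jane Doe", "relationship": "husband"},
                  lambda contact, tok: outbox.append((contact, tok)))
    print("caller learned nothing; token went to", outbox[0][0])
    print("holder completes reset:", redeem_reset(hardened, outbox[0][1], "NewStrongPassphrase!"))
```

In the hardened flow the identity card number and address still have a role as identifiers for locating the account, but they no longer function as the secret that authorises the change; the secret is the token, which only reaches the channel the account holder controls.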
2. Action by the PCPD
The Privacy Commissioner issued an enforcement notice against the company directing it to improve its verification procedure to ensure that any telephone request for resetting an internet account password is properly made or authorized by the account holder.
3. Improvement Action
The company agreed to comply with the enforcement notice.
Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.