Office of the Privacy Commissioner for Personal Data, Hong Kong

Privacy Commissioner welcomes AAB's decision

 
 


Date: 30 April 2009

1.    The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Roderick B. Woo welcomes a decision made by the Administrative Appeal Board (“AAB”) on an appeal case pursuant to the Personal Data (Privacy) Ordinance (“the Ordinance”).

2.    The complainant subscribed for an electronic financial information service with a company (“the Company”) through its website.  In applying for membership, the complainant provided the Company with an e-mail address, xyz@xxx.com.hk, where xyz was the complainant’s initials.

3.    The complainant thereafter received numerous SPAM emails at the said email address.  Having learned from the media that the Company’s security system had been infiltrated by hackers, the complainant alleged that the Company had failed to protect his personal information.  The complainant complained to the Commissioner that the Company had breached Data Protection Principle 4 (“DPP 4”) of the Ordinance.

4.    DPP 4 provides that a data user shall take all practicable steps to ensure that the personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use.

5.    The Commissioner took the view that the complainant’s email address did not constitute “personal data” within the meaning of the Ordinance, as the complainant’s identity could not be ascertained from the email address alone.  There was also no evidence showing that his personal data had been leaked to the spammers by the Company’s website.  In view of this, the Commissioner refused to carry out an investigation.  The complainant appealed against the Commissioner’s decision.

6.    The AAB remarked that the SPAM emails received through the complainant’s email address contained no information concerning the identity of the complainant.  There was no evidence that, other than the use of the designated email address, there had been any unauthorized use of the complainant’s personal information or information which would have revealed the complainant’s identity.

7.    The AAB did not preclude the possibility that an email address, in some circumstances, could be personal data where it would be reasonably practicable, whether because of the information revealed in the email address itself or in conjunction with other information, for the identity of an individual to be ascertained from such an address.  However, in this case, the AAB did not accept that the complainant’s identity could reasonably be ascertained from the email address, notwithstanding the fact that the prefix of the address, “xyz”, corresponded to the complainant’s initials.

8.    The AAB took the view that there was nothing to indicate that a contravention by the Company of DPP 4 had occurred and therefore dismissed the appeal.

END





 


Copyright © Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.

The contents of this website (including all uploaded publications) must be read subject to the Personal Data (Privacy) (Amendment) Ordinance 2012.