Investigation Report: Food Company Collecting Excessive Customers' Personal Data in Lucky Draw Activity
Introduction
1. Many business organizations
nowadays promote their products by holding lucky draws or
recruiting members to their loyalty clubs, in which different kinds of
personal data of participants or members are collected.
Publication of Investigation Report
2. Privacy Commissioner for
Personal Data ("the Commissioner") Mr. Roderick B. Woo published
today (7 August) a report ("the Report") on the result of an
investigation of a complaint case carried out pursuant to section 38(a)
of the Personal Data (Privacy) Ordinance ("the Ordinance"). The
case concerned a food company ("the Food Company") that collected
excessive personal data from customers who intended to participate in a
lucky draw.
The Complaint
3. The complainant purchased a
product of the Food Company and called the hotline of the company to
register for a lucky draw ("the Lucky Draw") in accordance with the
instructions on the package box. According to the complainant,
she was requested to provide information such as name, address,
telephone number, date of birth (DDMMYY) and identity card number.
4. As the complainant believed
that date of birth was not generally required for lucky draws, she
refused to provide the data. Staff of the Food Company told her
that if she refused to provide date of birth, she could not participate
in the Lucky Draw. Therefore, the complainant lodged a complaint
to the Office of the Privacy Commissioner for Personal Data
("PCPD"). The Commissioner then carried out an investigation in
respect of the Food Company pursuant to the Ordinance.
The Investigation
5. Under Data Protection Principle
("DPP") 1(1) of Schedule 1 to the Ordinance, personal data shall be
collected for a lawful purpose related to a function or activity of the
data user; the collection of the data is necessary for or directly
related to that purpose; and the data are not excessive. In this
connection, the Commissioner has to decide in this investigation
whether the collection of identity card number and date of birth of the
complainant for the sole purpose of lucky draw by the Food Company was
necessary for or directly related to the collection purpose and not
excessive.
6. The Food Company replied to the
PCPD that it had to collect the names, correspondence addresses,
telephone numbers and identity card numbers of the participants in the
Lucky Draw to ensure contact with and verification of the
winners. Information obtained by the PCPD showed that when
participants called the Lucky Draw hotline of the Food Company, they
were invited to join the membership of the company, but the company
collected the dates of birth of the participants before obtaining their
expressed consent to join the membership.
The Commissioner's Decision
7. Generally speaking, if
participants are issued with unique lucky draw numbers, the organizer
can identify the winners by the lucky draw numbers, together with the
registered names, correspondence addresses and telephone numbers of the
winners, and also by checking the names on the identity cards produced
by the winners. It is not necessary for the organizer to collect
the identity card numbers of the participants. In this
connection, the Commissioner is of the view that the collection by the
Food Company of identity card numbers of participants holding unique
lucky draw numbers for the sole purpose of the Lucky Draw was
excessive, and hence it has contravened DPP1(1).
8. The Commissioner opines that
the Food Company has no need to collect the dates of birth of the
participants for contact with and identification of the winners.
Therefore, the collection of the dates of birth of the participants by
the Food Company for the sole purpose of the Lucky Draw was also in
contravention of DPP1(1).
Remedial Action Taken by the Data User (the Food Company)
9. The Food Company had destroyed
the personal data of all non-members and undertook to assign unique
lucky draw numbers to participants for identification of winners in
future lucky draw activities so as to avoid collecting their identity
card numbers (or other personal identifiers) and dates of birth.
The Commissioner's Advice to Business Organizations
10. Mr. Woo said, "I hope this
investigation report will help business organizations to become aware
that when they collect the personal data of participants in lucky draws
or when they invite the public to become members of their loyalty club,
they need to consider carefully the purpose of collection in respect of
each item of personal data they request, and should not adopt an
attitude of 'the more the better'. They should avoid collecting
excessive personal data. For sensitive personal data, such as
identity card number, it is important to consider whether there is any
actual need for their collection, and whether the collection is in
compliance with the Ordinance."
11. Mr. Woo advised, "When collecting the personal
data of their customers, organizations have to take all practicable
steps to ensure that the customers are informed of the purpose for
which the data are to be used. Moreover, organizations should
also clearly inform their customers whether their privileges (e.g.
participation in lucky draws) will or will not be affected if they do
not provide certain data."
12. For details of the case background, relevant
provisions of the Ordinance, findings, the Commissioner's
recommendations and other comments, please refer to the Report.
Copies of the Report can be obtained from the Commissioner's Office at
12/F., 248 Queen's Road East, Wan Chai, Hong Kong. The report can
also be downloaded from the PCPD website
(http://www.pcpd.org.hk/english/publications/invest_report.html).
END