Visitors' Fingerprint Data by a Theme Park
The Privacy Commissioner for Personal Data (the “Commissioner”) Mr. Roderick B. Woo
today completed the investigation of a complaint case concerning the
collection and recording of visitors’ fingerprint data by an
entertainment theme park in Hong Kong (the “Park”).
The complainant was dissatisfied that his family of four (including
himself) bought four mutliple entry tickets to the Park but were
required to have their fingerprint image scanned at the entry gate
without being provided with a less privacy-intrusive option.
The complainant felt further aggrieved when his request for a copy of
his “biometric fingerprint scan” pursuant to the data access right to
which he is entitled under section 18 of the Personal Data (Privacy)
Ordinance (the “Ordinance”) was
denied. The Park told the complainant that it had not collected or
stored his fingerprint scan.
The Commissioner decided to carry out an investigation pursuant to
section 38(a) of the Ordinance in September 2009. The focus of
the investigation was to find out whether any personal data were
collected by the Park; and if yes, whether the collection of such
personal data were necessary, adequate but not excessive and by means
that are lawful and fair under the circumstances.
The course of investigation was difficult due to a multiplicity of
complicated IT issues. In order to fully understand the operation of
the Park’s ticketing system (the “System”), the Commissioner’s officers
carried out a site inspection at the Park. The Commissioner also took
statements from the Park’s staff and the vendors of the System.
According to the Park, scanning is done of vistors to the Park who wish
to have their tickets enabled by “Ticket Tag”. Upon inserting a ticket
to the ticket reader at the turnstile, the System will take some sample
points from the surface of a visitor's index finger so as to form an
Initial Numeric Code (“INC”),
which is used to associate with the Ticket Identity Number (“TIN”) stored in the magnetic strip
of the ticket with the person using the ticket.
The fingerprint image is deleted immediately once the sample points are
taken. The INC is encrypted and stored in a secure database and will be
erased on a weekly basis after expiration of the validity period of the
ticket. The link between a visitor and his INC is the TIN which is
embedded in the ticket kept by the visitor.
When the visitor re-enters the Park, he will be required to insert his
ticket into a ticket reader. The reader will decrypt the TIN to
verify the validity of the ticket and pull the INC associated with the
ticket from the INC database. The visitor’s index finger will be
scanned again to create a new numeric code, which will then be compared
with the INC. The visitor will be allowed access if the score passes
the false-acceptance rate.
of the Commissioner
The evidence and information before the Commissioner indicate that the
complainant bought 4 “Stay and Play” tickets (valid for 2 days) for him
and his family members to visit the Park. None of the 4 persons chose
to register his/her name on the ticket. The Park only collected
fingerprint images from them so as to form an INC for ticket validation
and did not collect any other personal identifying particulars from
them at the entry gate.
Despite the Park having the personal details of the complainant when he
registered as a guest of the Park’s hotel, it was not practicable for
the Park to link up an INC with the complainant. It was because
the Park could not identify out of which of the tickets was used by the
complainant. To constitute “personal data” under the Ordinance,
one of the conditions is that it is practicable for the identity of the
individual to be directly or indirectly ascertained from the
data. As it was not practicable for the Park to uniquely identify
the complainant’s INC, the data did not fall within the definition of
“personal data” under the Ordinance.
In so far as the complaint is concerned, the Commissioner finds that
the Park has not contravened the requirements of the Ordinance.
Commissioner’s comments on other situations where personal information
are collected and kept by the Park
The comments from here on do not form part of the Commissioner’s
decision in the complaint case.
The Commissioner notes there are situations where personal information
(a) Where only one guest buys a “Stay and Play”
ticket and uses the System, the Park may then link the personal
particulars of the guest with the INC through the TIN;
(b) Where a visitor purchases an Annual Pass, both
his personal particulars and the INC will be collected by the Park
There are arguments that the data stored in a biometric recognition
system may not be personal data because the stored biometric data are
just meaningless numbers and therefore are not personally identifiable
information and a biometric image cannot be reconstructed from the
stored biometric template.
The Commissioner has in the past been of the view that although the
feature of an individual’s fingerprint image had been converted into a
numeric value, the sample points taken from the surface of a visitor's
index finger may still be adequate to establish a positive
identification. The purpose of a fingerprint recognition system
is to identify or verify the identity of an individual. Hence, they
will be considered “personal data” when combined with other
identifying particulars of a data subject.
Thus an INC might in certain circumstances constitute the personal data
of a visitor, i.e. where the visitor was both the buyer and the user of
a personalized pass.
The Commissioner makes the following observations:-
Options to be considered and made available:
The Park provides an alternative option of “photo identification” (i.e.
identification by means of a document with a photo of the person
concerned such as a passport, a HKID card, etc.) in lieu of scanning a
visitor’s fingerprint image. Such option is expressly stated on a
ticket and in the Park’s website, and orally conveyed to a
ticket-holder upon his first entry to the Park.
The Commissioner respects the decision made by a data subject to
voluntarily supply his fingerprint data for specific purposes.
Unlike other cases where special relationship between the data user and
the data subjects exists (e.g. employer and employees, school and
pupils), the Park is only an amusement service provider to the visitor
and there is no reasonable suspicion of undue influence due to
disparity of bargaining power. Hence, the visitors’ consent to
provide their fingerprint data are genuine consent as a visitor may
choose the “photo identification” option and in any case the visitor
may simply not visit the Park if he does not like any of the
collection of fingerprint data from children of young age
The Commissioner notes that the Park does not accept children aged 3 to
11 to provide fingerprint for purpose of access to the park. They
must use “photo identification” instead.
Proper handling of the data
The System is designed in such a way that the fingerprint data and the
customer data are stored in two separate databases having logical
segregation. This reduces the risk/impact in the case of unauthorized
or accidental access of the INC database. Besides, the default design
of the System does not allow the INC database to be viewed or exported.
The Commissioner is reasonably satisfied that sufficient measures are
in place to control the retention, processing and security of the
The Commissioner respects the individual’s right of
“I respect the free will
of an individual to provide his fingerprint data for access to
facilities and services if this is an informed decision made without
undue influence being exerted upon him. An important factor being
considered is that the Park has provided options for their visitors to
choose and decide whether to use his fingerprint to gain access to the
Park. The visitors are not compelled to provide their biometric
data. Through examining its ticketing system, I note that the
Park has been mindful in its operation and has incorporated measures to
manage the privacy risks” said Mr. WOO.