Privacy Commissioner reminds data users of the requirements
of the Ordinance when engaging direct marketing activities

1.    The Privacy Commissioner for Personal Data, Mr. Allan Chiang ("the Commissioner") today (12 August) wrote to the Chief Executive of Hong Kong Monetary Authority, the Commissioner of Insurance, and the Director-General of Office of the Telecommunications Authority, to draw their attention to the requirements of the Personal Data (Privacy) Ordinance (“the Ordinance”) when personal data are collected and use for directing marketing purposes (Click here to view the details).

2.    Mr. Chiang said, “The collection and use of customers’ personal data for direct marketing activities carried out by Octopus group of companies has been the focus of public attention recently.  The privacy impact caused by the Octopus incident should provide food for thought to all banks, insurance companies, telecommunications companies and other service industries engaged in such activities.”

3.    When carrying out direct marketing activities, the data users should note the following practices that cause privacy concerns:

(i)    The excessive collection of personal data for direct marketing activities
Data users should carefully consider and decide the kind and scope of personal data to be collected and the data subjects should be clearly informed about the intended purpose of use of their personal data.  A sufficiently clear, unambiguous and easy to understand Personal Information Collection Statement should be given to the data subjects to take into account the general level of understanding of the data subjects, the target of the direct marketing activities;

(ii)    Failure to obtain consent from the data subject to subscribe for direct marketing activities whenever practicable
Data users should avoid requesting “bundled consent” when specific consent could be practically obtained for using the data for direct marketing purposes.  The application form for collecting personal data and information from the data subjects should be designed to this effect by the data users;

(iii)  The means of collection of personal data may not be fair
Data subjects should not be misled into giving their personal data when the
true purpose of collection is for carrying out direct marketing activities and the transfer of the data to other “business partners”;

(iv)  Failure to be specific about the classes of transferees of the data
Data users should state clearly if the personal data shall be transferred to third parties for direct marketing.  Defining a class of transferees in vague terms such as “business partners” or “such third parties” should be avoided;

(v)  To limit the kind of personal data to be transferred and the mode of operation of the direct marketing activities
When personal data are to be used for direct marketing activities, a data user should be prudent in deciding the amount of personal data to be used.  In most cases, the use of the contact information, i.e. name, contact telephone or address would be sufficient.  A data user making any excessive disclosure of personal data to a third party will run the risk of contravention of DPP3;

(vi)   To ensure no excessive retention of personal data no longer required
When personal data used for direct marketing purposes are no longer required, the data user should ensure that the personal data collected are safely erased. 

4.    Mr. Chiang added, “I would call upon all data users to take a serious look into the matter.  It is opportune that before any legislative amendments come into force, they will take efforts to proactively review and examine the current practices with a view to strengthening the control on management of personal data so that consumers’ rights and interests are better protected.”


END