Office of the Privacy Commissioner for Personal Data, Hong Kong

PCPD 2005-2006 Annual Report

 

Compliance Check

A compliance check is undertaken when the Privacy Commissioner identifies a practice in an organization that appears to be inconsistent with the requirements of the Ordinance. In these circumstances, the Privacy Commissioner raises the matter in writing with the organization concerned pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial actions. In many cases, the organization concerned takes the initiative and responds by undertaking immediate action to remedy the suspected breach. In other instances, organizations seek advice from the Commissioner on the improvement measures that should be taken to avoid repetition of suspected breaches.

The reporting year saw a significant increase in the number of compliance checks undertaken by the Privacy Commissioner. This was largely attributable to the proactive approach taken towards employers placing blind recruitment advertisements (i.e. without disclosing the identities of the employers or their agents). In total, the Privacy Commissioner carried out 131 compliance checks in relation to alleged practices of data users that might be inconsistent with the requirements of the Ordinance. Among these 131 compliance checks, 41 (31%) were directed against those placing blind recruitment advertisements.

The majority of compliance checks (116) involved practices in private sector organizations. The remaining 15 checks related to government departments and statutory bodies. The following examples indicate the nature of some of the compliance checks undertaken during the course of the year.

Example 1

Issue:
A shopping mall collected identity card copies from shoppers for redemption of a birthday hamper during a promotion campaign

Improvement Measures Recommended

Under the promotion campaign, shoppers whose month of birth fell within a certain period and who spent a certain amount of money in the shopping mall would be entitled to a birthday hamper. The purpose of collecting identity card copies of the shoppers, as put forward by the shopping mall, was to ensure that the shoppers' month of birth fell within the stated period. However, since the shoppers were required to redeem the birthday hamper in person, the Commissioner took the view that the physical production of identity cards by the shoppers to show their months of birth would suffice.

After being advised by the Privacy Commissioner, the shopping mall agreed to cease collecting the shoppers' identity card copies.


Example 2

Issue:
A bank account holder received a bank statement with another's account information shown on the reverse side of the bank statement

Improvement Measures Recommended

According to the bank, the incident occurred as a result of the failure of their staff to properly reset the printing machine after an interruption of the printing process. It was also attributed to the staff's failure to identify the mistake while checking the print output.

After being notified of the incident, the bank revised their printing operation procedure, including increasing second-level checking and escalation procedures, and requiring staff to initial checklists and keep logging sheets for sample checking. Refresher training on printing controls and briefing sessions for the new procedures were also provided to the staff concerned.


Example 3

Issue:
Managers posted up lists containing sick leave data of staff in employee work areas

Improvement Measures Recommended

Local newspapers reported that managers of an organization posted sick leave records of staff in the workplace. The Privacy Commissioner approached the organization, whose management admitted that the posting of staff's sick leave data was an inappropriate practice and not allowed by the management. The management ordered removal of the data and reminded all line-of-business leaders not to engage in such practice.

The Privacy Commissioner subsequently confirmed the removal of the data with the labour union of the organization, and advised the organization to establish a data protection policy to prohibit the posting of staff's sick leave data and provide ongoing training to the leaders.



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.