Significant Investigation Results

SERVICE PROVIDERS: MUST ENSURE ACCURACY OF CUSTOMERS' CORRESPONDENCE
ADDRESSES IN THEIR RECORDS TO AVOID LEAKAGE OF CUSTOMERS'
INFORMATION - DPP2(1)

The Complaint
Two ex-customers each re-subscribed to the fixed line telephone services
of a telecommunications company at their new addresses. The company
subsequently sent letters and bills to the customers' old billing
addresses as shown in their records. The customers later learnt about
this and filed complaints with the Privacy Commissioner about the leakage
of their personal data to others.

Findings of the Privacy Commissioner
The company attributed the mistakes to the failure of their staff to
properly update the customers' billing addresses in their records. The
wrong mails could have been avoided if the automated system of the
company had been able to detect the discrepancy between the billing
address and the installation address, which should be a sign for
verification of the accuracy of the inputted addresses. The company,
however, did not provide such a detection tool in their customer database
system. In addition, the company did not have any standard procedure for
counter-checking the correctness of the customer data that the operators
inputted into the system. The Commissioner also discovered that the
company did not have in place any guidelines or procedures for their
staff for ensuring accuracy of customers' personal data. The company was
therefore found to have contravened DPP2(1) for failing to take all
reasonably practicable steps to ensure accuracy of customers' personal
data.

Action by the Privacy Commissioner
The Privacy Commissioner issued an enforcement notice against the company.
Consequently, the company agreed to develop the said detection tool in
their system, and also revised and implemented its practice and procedure
for ensuring accuracy of customer data, including a counter-checking
procedure and providing training and regular briefings to staff.

SERVICE PROVIDERS: THINK CAREFULLY BEFORE USING CUSTOMERS' DATA FOR
PROMOTION PROGRAM - DPP3

The Complaint
A customer of the IDD service of a telecommunications company received a
letter from the company informing him that, as a gift, they had given him
a 2 months' free insurance plan against accidents. The letter enclosed an
insurance certificate issued by an insurance company, with the customer
named as the insured. The customer was dissatisfied that his personal
data were passed to the insurer without his consent and thus made a
complaint to the Privacy Commissioner.

The telecommunications company explained that they had transferred their
customers' personal data to the insurer for a joint marketing program to
sell insurance products to their customers, and asserted that this was
within the original collection purpose of the customers' personal data.

Findings of the Privacy Commissioner
The Privacy Commissioner was of the opinion that the use of the
customer's data for the purpose of taking out an insurance policy was not
within the original purpose of collection of the data, taking into
account, in particular, the business nature of the company in providing
telecommunications services, which was unrelated to insurance, and that it
would not be within the reasonable expectation of a customer of the
company to have his data used in such a manner. The use of customers'
personal data by the company in the circumstances was therefore found to
be in contravention of DPP3.

Action by the Privacy Commissioner
An enforcement notice was served on the company directing it to remedy
the situation. Subsequently, the joint marketing program ceased and the
company established a policy to prevent recurrence of similar
contraventions.

COMPANIES CARRYING OUT OUTDOOR MARKETING ACTIVITIES: MUST ENSURE PROPER
HANDLING OF CUSTOMERS' PERSONAL DATA BY MARKETING STAFF - DPP4

The Complaint
A salesman of a pay television company visited a private residential
building for a door-to-door promotion campaign. The salesman approached a
man who was an ex-customer of the company. The man later complained to
the Commissioner that the salesman had carried a computer printout
recording the man's name and address but failed to take any steps to
conceal the data, so that anyone in the vicinity could easily read the
data. The company, however, denied having sent any staff to conduct
promotional activities in the building.

Findings of the Privacy Commissioner
Based on the evidence available, the Privacy Commissioner was satisfied
that the salesman was an employee of the company and had carried out the
promotional activities at the building. The salesman did hold a pile of
paper containing the man's personal data when he visited the man's
premises. It was also discovered that the company had not provided any
guidelines to their marketing staff regarding the handling of personal
data during outdoor marketing exercises. In the circumstances, the
company was found to have contravened the security requirements of DPP4
in failing to take any reasonably practicable steps to ensure the proper
handling of customers' personal data during outdoor marketing activities.

Action by the Privacy Commissioner
An enforcement notice was issued and the company was required to devise a
policy, practice and procedure regarding personal data security during
the conduct of outdoor marketing campaigns.