Compliance Actions

Compliance Checks
A compliance check is undertaken when the Privacy Commissioner identifies a practice in an organization that appears to be inconsistent with the requirements of the Ordinance. In these circumstances, the Privacy Commissioner alerts the organization in writing, pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial action.
In many cases, the organization takes immediate action to correct the suspected breach. In some instances, advice is sought from the Privacy Commissioner on the measures that should be taken to prevent further breaches. In other cases, the Privacy Commissioner investigates the matter and takes action to ensure compliance with the Ordinance; this may include, for example, issuing an enforcement notice to the organization directing it to remedy the situation.
During the reporting year, the Privacy Commissioner carried out 66 compliance checks in total in relation to alleged practices of data users that might be inconsistent with the requirements of the Ordinance.
The majority of the compliance checks (57) occurred in the private sector. The remaining 9 related to government departments and statutory bodies. The following examples highlight some of the compliance checks undertaken during the year.
Example 1

A primary school used a fingerprint reader system to collect fingerprint data of its pupils for attendance record purposes.

A self-initiated investigation was carried out against the school in relation to its use of a fingerprint reader system to collect the fingerprint characteristics of its pupils for attendance record purposes.

The ages of the pupils in this case ranged mostly from 6 to 12. The regular use of biometrics in the school was considered highly undesirable because the pupils, who were minors of tender age, could not understand the adverse privacy impact of providing their fingerprint data. Meanwhile, the Ordinance does not contain any provision that accepts the giving of prescribed consent by a third party, e.g. the parents, on behalf of the children.

After an investigation, the Privacy Commissioner was of the opinion that no genuine informed consent was given by the pupils of the school, and that the collection of the fingerprint data for the administrative purpose of recording attendance was unnecessary and excessive having regard to the function or activity of the school. The collection of the personal data of pupils was therefore found to be in contravention of Data Protection Principle 1(1) of Schedule 1 to the Ordinance.

An enforcement notice was served on the school directing it to remedy the situation. Subsequently, the school ceased using the fingerprint reader system and destroyed the fingerprint data of its pupils.
Example 2

A company required job applicants to provide copies of their identity cards during job interviews.

The Privacy Commissioner approached the company, whose management admitted that it was their established practice to collect identity card copies from job applicants during job interviews.

After being notified of the relevant requirements under DPP1(1) and DPP1(2), paragraph 3.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers, and paragraph 2.2.4 of the Code of Practice on Human Resource Management issued by the Privacy Commissioner under the Ordinance, the company immediately ceased collecting copies of identity cards from job applicants at job interviews and destroyed all the identity card copies previously collected from unsuccessful job applicants.
Example 3

Customers of some banks could see their full bank account numbers on ATM screens even when their Personal Identification Numbers (PINs) were incorrectly entered.

According to local newspaper reports, customers of some banks could see their full bank account numbers when using ATMs even if the wrong PIN was entered.

The banks said it was their standard practice to display account numbers on the ATM screen before the PIN is verified, but that customers cannot continue with any transactions if the PIN is incorrect. To address the public's concerns, the banks stated that certain digits of an account number would be omitted to enhance security when using ATMs.