Office of the Privacy Commissioner for Personal Data, Hong Kong

Annual Report

Complaint Investigations

Significant Investigation Results

The following complaint cases illustrate some data user acts or practices that were found to have contravened the requirements of the Ordinance during the reporting period. They are selected on the basis of subject content and demonstrate the wide variety of conduct subject to the provisions of the Ordinance, including those of the Data Protection Principles ("DPP").

  COMPANIES ACCEPTING REQUESTS FROM CUSTOMERS BY PHONE: MUST ENSURE PROPER VERIFICATION OF CALLERS' IDENTITIES AND AUTHORITIES TO AVOID LEAKAGE OF ACCOUNT HOLDERS' INFORMATION - DPP4


The Complaint

A customer using the broadband service of a telecommunications company could not log on to her internet account using her password. When she checked with the company, she discovered that a man pretending to be her husband had called the customer service hotline and requested that the account password be reset. Since the caller provided the customer's full name, Hong Kong identity card number and the relationship with the customer, the company agreed to his request and reset the password to the first 6 digits of the customer's Hong Kong identity card number.

The company explained that these measures were its standard verification procedure for handling such telephone requests. The company said that it would also ask for the account holder's address as an added safety measure.



Outcome

An internet password gives online access to the personal data of an internet account. Any request to reset the password needs to be handled with extra care and caution to prevent access to the information by unauthorized people.

The company's practice of asking the caller for the account holder's name, Hong Kong identity card number, address and the caller's relationship with the account holder was plainly insufficient to determine whether the request was genuine and authorized: all of these are static details that a family member, a former household member or anyone who has seen a bill or the identity card would know. Resetting the password to the first 6 digits of the account holder's identity card number was also unsatisfactory, since the caller had just supplied that number and so knew the new password. The Privacy Commissioner found that the company had contravened the security requirements of DPP4 by failing to take all reasonably practicable steps to protect customers' personal data against unauthorized access, owing to the inadequate verification procedure described above.

The Privacy Commissioner issued an enforcement notice against the company directing it to improve its verification procedure and ensure that any telephone request to reset internet account passwords was properly made or authorized by the account holder. The company agreed to comply with the enforcement notice.
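The two defects in the procedure above are that the caller is verified only with static identifiers, and that the replacement password is derived from one of those identifiers. The sketch below is an added example, not code from the PCPD report or from the telecommunications company, contrasting that procedure with a reset flow in which the temporary code is random, hashed at rest, single-use, short-lived, and delivered to the account holder's registered contact rather than read out to the caller. `AccountStore`, `issue_reset`, `complete_reset` and `legacy_reset_value` are hypothetical names chosen for this illustration, and the account data is held in memory.

```python
"""Added example (not from the PCPD report or the company): a hardened
telephone password-reset flow beside the weak one from the case."""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # a temporary code should expire quickly


def legacy_reset_value(hkid):
    """The procedure in the case: new password = first 6 digits of the HKID.
    Deterministic, so anyone who knows the ID number knows the password."""
    digits = "".join(ch for ch in hkid if ch.isdigit())
    return digits[:6]


def _hash(secret, salt):
    # Hypothetical parameters for the example; a real deployment would use
    # a tuned password KDF (Argon2, scrypt, or PBKDF2 with higher cost).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _now(now):
    return time.time() if now is None else now


class AccountStore:
    """Hypothetical in-memory store standing in for the company's system."""

    def __init__(self):
        self._accounts = {}

    def add(self, account_id, contact_email, password):
        salt = secrets.token_bytes(16)
        self._accounts[account_id] = {
            "contact_email": contact_email,   # registered out-of-band contact
            "salt": salt,
            "password_hash": _hash(password, salt),
            "pending_reset": None,
        }

    def issue_reset(self, account_id, now=None):
        """Called after the hotline agent logs the request. Returns the
        delivery address and the code; the code goes to the registered
        contact, never to the caller, so name, HKID number, address and
        relationship alone are not enough to take over the account."""
        acct = self._accounts[account_id]
        code = secrets.token_urlsafe(24)          # about 192 bits of entropy
        salt = secrets.token_bytes(16)
        acct["pending_reset"] = {
            "salt": salt,
            "code_hash": _hash(code, salt),       # store only a hash
            "expires_at": _now(now) + RESET_TTL_SECONDS,
        }
        return acct["contact_email"], code

    def complete_reset(self, account_id, code, new_password, now=None):
        """Accept the code once, before expiry, in constant time."""
        acct = self._accounts[account_id]
        pending = acct["pending_reset"]
        if pending is None:
            return False
        if _now(now) > pending["expires_at"]:
            acct["pending_reset"] = None          # expired codes are discarded
            return False
        if not hmac.compare_digest(_hash(code, pending["salt"]),
                                   pending["code_hash"]):
            return False
        acct["pending_reset"] = None              # single use
        salt = secrets.token_bytes(16)
        acct["salt"] = salt
        acct["password_hash"] = _hash(new_password, salt)
        return True

    def check_password(self, account_id, password):
        acct = self._accounts[account_id]
        return hmac.compare_digest(_hash(password, acct["salt"]),
                                   acct["password_hash"])
```

The code is sent to a contact recorded before the request was made, so a caller who only knows the holder's identifiers cannot complete the reset; the hash-at-rest, expiry and single-use checks limit what a leaked code or a stolen database is worth.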


  COMPANIES PROVIDING ONLINE BILLING SERVICES: MUST ENSURE PERSONAL DATA OF CUSTOMERS ARE PROTECTED AGAINST ACCESS BY UNAUTHORIZED PERSONS - DPP4


The Complaint

It was discovered that, after logging onto the online billing system of a telecommunications company, web pages containing customers' personal data could still be retrieved from the browser's history even after logging out of the system and/or restarting the browser.



Outcome

An investigation by the Privacy Commissioner revealed that the security lapse occurred at the user's accessing terminal, where the user's browser software was configured to store personal information from the visited web pages in its cache. The telecommunications company stated that it had subsequently taken measures to close the security loopholes. However, it was insufficient for the telecommunications company simply to recommend that its customers use a particular browser without advising them of the risks of not using the recommended browser. The Privacy Commissioner found that the company had contravened the requirements of DPP4 by failing to take all reasonably practicable steps to protect the personal data of customers using its online billing service.

An enforcement notice was served requiring the telecommunications company to carry out periodic tests of its online billing system with new browsers and to fix any data security loopholes associated with them. The telecommunications company was also required to notify customers using its online billing service of the risks of not using the browser it recommended. The telecommunications company complied with the enforcement notice.
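The lapse in this case depended on how the customer's browser was configured, which the company could not control. What the server can control is whether a response is marked as storable at all: an authenticated page sent with `Cache-Control: no-store` is not written to the browser cache in the first place, whichever browser is used. The following is an added example, not code from the PCPD report or the company's billing system. It builds the header set a billing page should carry and audits a captured HTTP response for cache directives that would let customer data persist after logout. `no_store_headers`, `cache_audit`, `parse_response_headers` and the sample response are constructed for this illustration.

```python
"""Added example (not from the PCPD report or the company): server-side
cache hardening for pages that carry customer data, plus an audit check."""


def no_store_headers(content_type="text/html; charset=utf-8"):
    """Headers for any response that contains account or billing data.
    no-store is the directive every modern browser honours; Pragma and
    Expires cover HTTP/1.0 caches and very old clients."""
    return {
        "Content-Type": content_type,
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP/1.x response into a dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return headers


def _directives(cache_control):
    """Cache-Control 'a, b=1' -> {'a': '', 'b': '1'} (case-insensitive)."""
    out = {}
    for part in cache_control.split(","):
        part = part.strip().lower()
        if part:
            name, _, val = part.partition("=")
            out[name.strip()] = val.strip()
    return out


def cache_audit(headers):
    """Return findings for a response header map. An empty list means the
    response will not be retained by the browser or an intermediate cache."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = _directives(lowered.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "public" in cc:
        findings.append("Cache-Control marks the response public")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append("Cache-Control allows reuse for %ss" % max_age)
    if "set-cookie" in lowered and "private" not in cc and "no-store" not in cc:
        findings.append("session cookie on a response shared caches may store")
    if lowered.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


# Constructed sample of a billing page served with permissive caching;
# not captured from any real system.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body>Bill for account 12345 ...</body></html>"
)

if __name__ == "__main__":
    for finding in cache_audit(parse_response_headers(WEAK_RESPONSE)):
        print("weak:", finding)
    print("hardened:", cache_audit(no_store_headers()))
```

Running `cache_audit` against responses from each browser test the enforcement notice requires gives a repeatable check that does not depend on inspecting a particular browser's cache directory; the residual risk on the client side (for example a browser that ignores `no-store`) is what the customer notice should describe.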


  DEBT COLLECTION AGENT: PUBLIC DISPLAY OF REFEREE'S PERSONAL DATA IS ILLEGAL - DPP3 AND SECTION 64(7)


The Complaint

The complainant was a referee of a debtor who had borrowed money from a financial institution. In default of payment, the financial institution appointed a debt collection agent (the Agent) to recover the debt. The Agent posted various notices containing the complainant's name in the corridor of the building where he lived.



Outcome

After investigation, the Privacy Commissioner found that the Agent did post up the notices, and did not have any internal policy or procedure regarding the handling of referee personal data.

The Privacy Commissioner took the view that a debt collector should only use the personal data of the referee (i.e. the complainant) in locating the whereabouts of the debtor rather than exerting pressure on the referee to repay the debt; and that it would not be within the reasonable expectation of the referee to have his personal data being used in such manner. The Privacy Commissioner found that the Agent had contravened DPP3 for using the complainant's personal data other than for the original collection purpose by displaying the complainant's personal data in public.

An enforcement notice was issued by the Privacy Commissioner directing the Agent to stop posting the referee's personal data in public and to develop policies and procedures for handling referees' personal data.

The Agent did not respond to the enforcement notice. As a result, he committed an offence by contravening the enforcement notice pursuant to section 64(7) of the Ordinance. The Agent was subsequently prosecuted in the Magistrates' Courts, convicted and fined $5,000.



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.