Complaint Investigations
Improvements in Data Handling
The following cases in the reporting year illustrate the improvements undertaken by some data users in protecting personal data privacy in prompt response to the complaints and with the guidance of the Commissioner.
Organisations collecting personal data via the internet: must protect personal data from unauthorized or accidental access by unintended internet users – Data Protection Principle ("DPP") 4
The Complaint
The complainant provided her name, contact number and email address to a jewelry company through the Internet for entering into a prize-winning quiz in 2002. In May 2007, the complainant discovered that her personal data could be accessed on the Internet via a search engine by any Internet user.
Outcome
The jewelry company explained that the complainant's personal data had been stored in their web server database protected by firewall and passwords. However, they failed to reset the access right to the database after they had reinstalled their operating system in 2006. As a result, the personal data stored in the database could be accessed by Internet search engines. Upon the advice of the Commissioner, the jewelry company removed their database from the web server and requested the Internet search engine companies to delete all personal data associated with their database from search results. The jewelry company also undertook to:
(a) store their personal data database in a standalone server which would not be connected to the Internet;
(b) conduct regular checks and tests on access right to their servers; and
(c) revise their internal policy on personal data security and take steps to ensure compliance of the policy by staff.
Sending personal data by post: must ensure that the envelope is addressed to the right person – DPP4
The Complaint
The complainant lodged a complaint in person to a government department. The government department made a record of the complaint and intended to send a copy of the record to the complainant. The copy containing personal data of the complainant, however, was mistakenly placed in an envelope addressed to a complainant in another case, resulting in the complainant's personal data being accidentally disclosed to an unrelated party.
Outcome
The government department accepted the advice of the Commissioner by requiring all letters to be counterchecked by another staff member before sending out.
Disclosing personal data over the telephone: must ensure that the caller is not a fake – DPP4
The Complaint
A patient (the complainant) received a call from a male claiming himself to be a doctor of a hospital, and asking questions about her sexual life and the condition of her genital parts. The complainant was later notified by the hospital that its staff had disclosed her telephone number and Hong Kong identity card number to an unknown person who impersonated a hospital doctor.
Outcome
The hospital explained that the impostor called the hospital and was able to provide certain information to the hospital staff, and spoke in such a manner that made her believe that he was a doctor of the hospital.
After reviewing the case, the Commissioner advised the hospital to devise detailed guidelines in relation to the handling of telephone enquiries requesting personal data, in particular that callers would be asked to provide their contact numbers so that the staff could call back after proper verification of the callers' identities. The hospital accepted the Commissioner's advice and implemented the guidelines.
Direct marketing activities: should maintain an opt-out list and check against the list before making any direct marketing approaches – Section 34
The Complaint
The complainant is a registered member of a professional association. She had written to the association requesting not to receive any further marketing emails. Despite her request, the association continued to send marketing emails to the complainant within the same week of receiving the complainant's opt-out request.
Outcome
The association explained that it took them 14 days to process an opt-out request. Upon receiving an opt-out request, it would simply remove the requestor's email address from its database.
It was noted that members of the association were required to renew their membership annually and the new membership data would be uploaded to the association's database. As a result, the association's practice of simply removing the complainant's email address from the database would not effectively prevent the association from sending marketing material to the complainant again after renewal of her membership. To comply with the requirement of section 34 of the Ordinance, the association was advised to maintain an opt-out list and check against the list every time before sending out marketing information to members.
The association accepted the view of the Commissioner and implemented the measures accordingly.
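The failure mode in this case, as an added illustration that is not part of the report: deleting the address from the member database is undone by the annual renewal upload, whereas a separate opt-out list consulted before every mailing survives it. The member records, email addresses and opt-out entries below are constructed.

```python
"""Opt-out (suppression) list handling for a membership mailing list.

Added example, not from the PCPD report. Contrasts the practice the
association used (delete the address from the member database) with the
measure the Commissioner advised (keep a separate opt-out list and check
every recipient against it before each mailing). Data is constructed.
"""

# Constructed sample membership records, keyed by member id.
MEMBERS = {
    "M001": "ann@example.com",
    "M002": "ben@example.com",
    "M003": "cho@example.com",
}


def mailing_after_renewal_delete_only(members, opt_out_email):
    """Flawed practice: opt-out handled by deleting the address from the
    database. The annual renewal re-uploads the full member data, so the
    deleted address comes back and is mailed again."""
    db = {mid: e for mid, e in members.items() if e != opt_out_email}
    db.update(members)  # renewal upload restores every member record
    return sorted(db.values())


class OptOutList:
    """Persistent suppression list kept apart from the member database."""

    def __init__(self):
        self._emails = set()

    def add(self, email):
        self._emails.add(email.strip().lower())

    def allows(self, email):
        return email.strip().lower() not in self._emails


def mailing_after_renewal_with_list(members, opt_out):
    """Advised practice: the renewal upload still happens, but every
    mailing is filtered against the opt-out list at send time."""
    db = dict(members)
    db.update(members)  # renewal upload changes nothing for suppression
    return sorted(e for e in db.values() if opt_out.allows(e))


if __name__ == "__main__":
    opt_out = OptOutList()
    opt_out.add("Ben@Example.com")  # case differs from the stored address
    print(mailing_after_renewal_delete_only(MEMBERS, "ben@example.com"))
    print(mailing_after_renewal_with_list(MEMBERS, opt_out))
```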