Report Published under Section 48(2) of the Personal Data (Privacy) Ordinance
Section 48(2) of the Ordinance provides that the Commissioner may,
after completing an investigation and if he believes that it is in the
public interest to do so, publish a report ("Report") disclosing the
investigation results and any recommendations or comments that he
sees fit.
During the reporting year, the Commissioner published one Report
relating to the excessive collection of personal data by a credit
provider for business promotion.
No Excessive Collection of Personal Data for Business Promotion
On 21 September 2007, the Commissioner published a Report of the
findings of a self-initiated investigation into the collection of personal
data by a credit provider for business promotion.
Background
A citizen received a letter without an addressee issued by a credit
company in Hong Kong in early January 2006. A form was
enclosed in the letter ("the Form"), stating that the receiver could
get supermarket gift coupons amounting to HK$80 if "simple
information" was provided on or before a specified date. According
to the instructions on the Form, an applicant was required to fill in
various information, including Hong Kong identity card number and
name of employing company. Upon verification of the Form, the
applicant would be offered a supermarket gift coupon of HK$20. A
maximum of four applicants were allowed in each household, but
each applicant could only apply once. Although the citizen had only
made an enquiry about the activity and had not formally lodged a
complaint, the Commissioner initiated an investigation into the credit
company under section 38(b) of the Ordinance.
The Investigation
The focus of the investigation was to ascertain whether the personal
data collected by the credit company in this promotion activity
for the related purposes were excessive, contravening DPP1(1) in
Schedule 1 to the Ordinance. In this connection, the Commissioner
had to consider if the credit company had any actual need to collect
the personal data for the related purposes, or if there were any
other alternatives that could avoid collection of those personal
data. Moreover, as the personal data collected included identity
card ("ID") number, the Commissioner also needed to consider if
such act complied with the requirements in paragraph 2.3 of the
Code of Practice on the Identity Card Number and other Personal
Identifiers (the "PI Code"), which provides that a data user should
not collect the ID number of an individual except in the situations
specified therein.
The Privacy Commissioner's Findings
The Commissioner found that the credit company had contravened
DPP1(1) in relation to its collection of the ID number and name of
employing company of the applicants for the purpose of business
promotion. Such collection was unnecessary and excessive.
During the investigation, the credit company deleted the information
on ID numbers and names of employing companies collected in
the promotion activity, and ceased collecting such data in similar
promotion activities.
Learning from this incident
In view of the fact that commercial organizations will collect and
use citizens' personal data for the purpose of promotion, they are
reminded that they should not collect personal data for such purpose
at will. As for sensitive personal data such as ID number, commercial
organizations should seriously consider whether the collection of the
data is indeed necessary and in compliance with the PI Code.
On the other hand, the public should be mindful of the handling of
their personal data. They should not rashly disclose their personal
data for the benefits or temptations offered by the collecting party.
Copies of the Report are available from the PCPD at 12/F., 248
Queen's Road East, Wan Chai, Hong Kong. They are also available
for download from the website of the PCPD
(http://www.pcpd.org.hk/english/publications/invest_report.html).