Office of the Privacy Commissioner for Personal Data, Hong Kong


Personal Data Privacy : Guidance for Mobile Service Operators


Introduction

This guidance note serves as a general reference on compliance with the requirements of the Personal Data (Privacy) Ordinance ("the PD(P)O"), in relation to practices of mobile service operators that involve the processing and use of personal data of mobile customer accounts.

The practices engaged by mobile service operators are subject to the requirements of the data protection principles and other provisions of the PD(P)O. The following provide general guidance to assist mobile service operators to comply with certain aspects of these requirements.

Handling mobile service applications

  • Mobile service operators should request all applicants for new service accounts to provide proof of identity and address.
  • Mobile service operators may collect a copy of the applicant's Identity Card ("ID card") as a document of identity proof for the purpose of opening new service accounts.
  • A copy of an ID card, which is provided by the applicant in person, should always be checked against the ID card concerned and marked with the word "COPY" across the image of the card in the presence of the applicant.
  • If a mobile service operator accepts a copy of an ID card provided other than directly from the applicant in person, it should take extra care to detect irregularities/forgery of the document and make a note on the copy itself that it is collected without being checked against the ID card concerned.
  • Mobile service operators should request an original document of address proof or adopt other practicable means to verify the accuracy of the address of the applicant.
  • The proof of address should be a document issued by a recognizable institution not earlier than three months from the date the application for a new service account is received, and the addressee of the document should be the same person as the applicant.
  • Mobile service operators should not collect a copy of the ID card of customers who apply in person for a cancellation of service, for repair of their mobiles or for a refund of deposit payment.
  • Mobile service operators should implement document control measures to guard against accidental loss of service application documents in their possession or when dispatched from their dealers/agents.
  • Document controls should be designed to enable tracking of completed applications and reconciliation of documents, and to prompt action when discrepancies are found.

Providing customer hotline services

  • Mobile service operators should devise adequate security features to authenticate the identity of a caller who requests the release of account information or who applies for a change of service plan or other matters related to an account.
  • For example, a good security feature would be the use of multiple identification codes in which one of the codes is a unique PIN issued and known only to the customer for the purpose of accessing information relating to his or her account.
  • If the ID card number of a customer is used as the default setting for the PIN, the customer should be provided with facilities so as to change the PIN to a number of his or her own choice.
  • To prevent front-line service staff from retrieving customer personal data other than in response to customers' requests, at least one of the codes, e.g. the PIN issued to the customer, should not be made known to these staff.
  • Mobile service operators should prepare a written data privacy policy and provide guidance/training for all staff who have the responsibility in handling customer personal data on the company's rules and standards for compliance with the requirements of the PD(P)O. The policy should be brought to the attention of all staff on a regular basis so as to remind them to observe compliance with the requirements.

Offering of pre-approved service account

  • Mobile service operators should not use personal data of customers collected for the purpose of mobile service accounts to set up, in the names of these customers, other non-mobile service accounts without first obtaining their consent.
  • The proper course of action would be for the mobile service operator to seek consent of the customers for the intended use of their personal data in the non-mobile services. Since this amounts to a direct marketing activity, the customers should be provided with an "opt-out" opportunity to cease receiving further offerings of such services.

Recovery action of overdue charges

  • Mobile service operators should not initiate recovery action or disclose customer personal data to a third party to take such action in respect of any disputed service charges by a customer without taking such steps as are necessary to verify the accuracy of the data concerned.
  • When it is brought to the attention of the mobile service operator that an account invoice or an overdue payment notice might have been wrongly sent to an individual who is not a subscriber of that account, the mobile service operator should promptly take such action as is necessary to verify the accuracy of the identity and address of the account subscriber.
  • Where there are reasonable grounds for believing that an account invoice or an overdue payment notice is inaccurate, the mobile service operator should cease any recovery action in respect of that account until and unless such inaccuracy is rectified.

Engaging third party agent/dealer

  • A mobile service operator, who engages a third party agent or dealer to recruit customers or to take recovery actions in respect of overdue payment accounts on its behalf, should implement a written agreement between the parties with specific provisions to:
    • prohibit the other party from disclosing or using customer personal data in its possession for a purpose other than the purpose for which the party is assigned to carry out;
    • oblige the other party to protect these customer personal data by complying with the data protection principles of the PD(P)O;
    • require a timely retrieval or return of customer personal data when they are no longer required for the purpose for which the third party is assigned to carry out.
  • Mobile service operators should implement monitoring measures to ensure that third party agents/dealers engaged in activities carried out on their behalf perform and comply with the provisions of the written agreements.
  • Where a mobile service operator engages a third party agent to carry out recovery action in respect of an overdue account, it should transfer only such personal data relating to the customer concerned as are necessary for the agent to carry out the action. Generally, the data may include the identity and location particulars of the customer and the overdue amount that is to be recovered.

For the avoidance of doubt, nothing in this guidance note absolves mobile service operators from operating in compliance with any other regulatory requirements currently in force in Hong Kong, including the PD(P)O.

August 2000


Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.