PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data,
Hong Kong)
May 2000 Issue No.3
Using Personal Data in Direct Marketing
Direct marketing is a common activity of a modern business and often involves
the use of personal data. Of the total number of complaints received by
the PCPD, approximately one-tenth relates to direct marketing. The use
of personal data in direct marketing is governed specifically by section
34 of the Personal Data (Privacy) Ordinance ("the Ordinance").
Under section 34, direct marketing refers to the advertising or offering of
goods, facilities or services, or the solicitation of donations or contributions
for charitable, cultural, philanthropic, recreational, political or other
purposes by means of mail, fax, E-mail or telephone addressed to a specific
person or specific persons by name. It can be seen from this definition
that the Ordinance covers direct marketing activities through a variety
of channels. On the other hand, direct marketing materials addressed to
"the occupant" or "the tenant" of a certain address would fall outside
the scope of the Ordinance.
Data users who have obtained personal data from any source to carry out direct
marketing activities should, the first time they use such data for
direct marketing purposes, inform the individual that he or she may request
the data users to cease to use his or her personal data for direct marketing
purposes, i.e. provide an "opt-out" choice to the individual. If the
individual makes such a request, the data users should cease to so use
the data without charge to the individual.
As of April 2000, the PCPD has received 102 complaints related to direct marketing.
The majority of these complaints involve real estate agencies making cold-calls
to prospective customers without providing an "opt-out" choice or failing
to comply with "opt-out" requests made by the individuals concerned. Other
complaints involve the sending of promotional materials to individuals
by investment services companies, magazines, banks, holiday resort operators,
etc. in which no "opt-out" choice is provided to the recipients. Below
are some complaint cases related to direct marketing which might serve
as a reminder to data users carrying out direct marketing activities:
In one case, a complainant complained that a magazine sent promotional materials
without an "opt-out" clause to her at her office address. Upon enquiry,
the PCPD ascertained that the promotional materials did have an "opt-out"
clause, but it was not a valid one as it only informed the complainant
of her right to cease the receipt of materials sent by other companies
that had connection with the magazine. In addition, the clause did not
indicate that the exercising of the complainant's "opt-out" right was
without charge. Upon intervention by the PCPD, the magazine amended its
"opt-out" clause.
In another case, the complainant, a graduate of an education institute, complained
that the institute transferred her personal data to a bank for the promotion
of the institute's affinity credit card. Upon enquiry by the PCPD, it
was ascertained that the bank did not obtain the data from the institute
concerned, but it was the institute that sent out the promotional materials
on the affinity card programme with an accompanying letter inviting the
complainant to join the programme. However, in its letter, the institute
required that, unless the complainant exercised the "opt-out" option before
a specified date, it would regard her as agreeing to the offer of the
service by the bank. Upon advice by the PCPD, the institute amended the
"opt-out" option to remove the deadline for reply as the Ordinance does
not allow for the imposition of a deadline for "opt-out".
It is worth noting that, as opposed to the contravention of a data protection
principle under the Ordinance, failure to comply with section 34 is a
direct offence, which carries a penalty of a fine from $5,001 to $10,000.
For those who are interested in finding out more about this subject, guidelines
in this area are available from the PCPD and on the PCPD web site at
www.pcpd.org.hk.

Accuracy and security of personal data
The complainant and her friend applied for travel insurance with an insurance
company. However, she failed to provide her correspondence address on
the application form. Instead of asking the complainant to furnish her
address, the insurance manager wrote the address of her friend on her
policy document. The insurance manager further sent both insurance policies
to the address of the complainant's friend, without keeping the complainant's
policy in a separate envelope, thereby allowing access to the complainant's
personal data as contained on her policy to her friend. The PCPD found
that the act was inconsistent with the requirements of data protection
principle 2 ("DPP2") and data protection principle 4 ("DPP4"). DPP2(1)
requires a data user to take all reasonably practicable steps to ensure
that personal data are accurate having regard to the purpose (including
any directly related purpose) for which the personal data are or are to
be used. DPP4 provides that a data user must take all reasonably practicable
steps to safeguard the security of personal data, having regard to the
harm that could result from any unauthorized or accidental access or other
use of the data. Upon advice by the PCPD, the insurance company agreed
to provide appropriate guidance and instructions to its staff in handling
customers' data in accordance with the data protection principles.
Excessive collection of personal data for a resident's card
The complaint involved the implementation by a private estate management company
of a new security system which required all residents to provide their
names, ages, identity card/passport numbers and photographs for the application
of magnetic cards used for entry to the estate. The complainant refused
to provide such data on the basis that the collection of the data required
was unnecessary and that he was not informed of the purposes for which
the data were to be used.
Upon advice by the PCPD, the management company notified the applicants of
the purposes of data collection as required by data protection principle
1 (3) (DPP1 (3)) in the form of a personal information collection statement
in the application forms. In addition, the management company undertook
to review the extent of data necessary for the application of the magnetic
entry cards as the age and identity card numbers of the applicants might
be considered excessive for the purpose of the issuance of the cards.
DPP1 provides that personal data shall be collected for a lawful purpose
directly related to a function or activity of the data user, and that
the data are adequate but not excessive in relation to the purpose. For
the purpose of issuing building entry passes or permits, data users
should consider collecting the minimum amount of personal data from applicants
needed to fulfil the intended purpose.

Surveillance Technologies
The last twenty years have seen explosive and sophisticated development in
the technologies which embody the ability to locate and track people with
unprecedented precision, accurate to within a few metres with a global
search.
Location and tracking could be effected through the trail of financial transactions
through ATM machines and credit card usage; telecommunications technology
which uses calling-line-display or real time call tracing, locating mobile
phone users through signal-tracking of the mobile phones, and using satellites
to determine precisely the whereabouts of people and objects (Global Positioning
System).
It is abundantly clear that location and tracking are important functions, with
an array of economic and social benefits. However, accompanying such benefits
are potential dangers of privacy intrusion with the use of the acquired
location and tracking data for purposes beyond those originally intended.
It is therefore important for the applications of such technologies to
recognize these potential dangers and implement complementary measures
to ensure that the individuals concerned are protected from privacy intrusion.
These complementary measures should be based on good information practices
and the data protection principles enshrined in the Ordinance.
The following common surveillance applications serve as illustrations:
Intelligent Transportation System - To alleviate urban traffic congestion, electronic
road pricing (ERP) is considered by many countries including Hong Kong
whereby toll payment is necessary for vehicles to traverse a designated
traffic zone. Through remote interaction with a contactless chip card
attached to its windscreen, data related to the entry to and exit of the
vehicle from the designated zone are collected for billing purposes. Such
movement information originally intended for billing could be of interest
to other unrelated parties, from law enforcement to kidnappers to market
researchers. To deter such potentially privacy-intrusive dangers, a technology-based
alternative should also be offered whereby the contactless chip card is
essentially a pre-paid cash card (like the anonymous OCTOPUS card for
multi-modal transportation) without the need for any identifiable personal
data related to the vehicle-owner, and payment for the use of the designated
traffic zone is simply a draw down of the cash purse. No personal data
are required as subsequent billing is unnecessary. It is therefore up
to the vehicle owner to select which payment mechanism he prefers.
Workplace Surveillance - For reasons of security and productivity, technology
is increasingly used for workplace surveillance of employees' activities,
for example the use of covert or overt video cameras, but there are significant
privacy complications. The PCPD's current attitude is that the installation
of an overt video camera in the common areas of a workplace for security
reasons is generally justified, but a Personal Information Collection
Statement (PICS) should be placed next to the video camera, and that the
visual data collected can only be used for purposes related to security,
and that such data are kept secure and erased after the expiry of a meaningful
period of time. It is the PCPD's intent to promulgate a privacy code of
practice to provide guidance on these and other surveillance activities
to ensure their compliance with the Ordinance.


I am the supervisor of the customer services department of a company. We have
received a complaint against one of our staff members from a customer.
Being aware of this specific complaint, the staff member requests to have
a copy of the complaint record which happens to contain his personal data
as well as information of some other individuals. Should we entertain
his request?

In response to a data access request, you should provide a copy of all
the personal data requested by the individual that relates to him or her.
However, if you cannot comply with the request without disclosing the
personal data of someone else, you must only comply with the request to
the extent that is possible without disclosing the identity of other individuals,
e.g. by blocking out the information that identifies those other individuals,
unless those other individuals have consented to such disclosure.

We are going to launch a customer satisfaction survey to ascertain the
degree of customer satisfaction with the one-stop-shop service currently
provided by our company. We intend to engage a contractor to carry out
the survey by telephone and by mail. We will provide the contractor with
a list of our customers from which they will select the survey subjects.
Customers' data such as their names, telephone numbers and addresses will
be provided to the contractor. Will this contravene the Ordinance?

In accordance with data protection principle 3 ("DPP3") of the Ordinance,
personal data shall only be used for a purpose for which the data were
to be used at the time of collection or a directly related purpose unless
the subject of the data expressly and voluntarily consents otherwise.
Applying DPP3 to the situation, it appears that you would need to obtain
the express consent given voluntarily by all the individuals to be surveyed
before their information could be used for the purpose of carrying out
the survey. However, Section 62 of the Ordinance states that personal
data are exempt from the requirements of DPP3 when the data are to be
used for the purpose of preparing statistics or carrying out research
and the results of the statistical or research work do not identify any
of the individuals concerned. Accordingly, if your proposed survey meets
the conditions specified in Section 62 of the Ordinance, you may carry
out the survey, whether by yourself or through a contractor, without obtaining
the consent of the individuals involved.

PCPD issues privacy compliance self-assessment kit
The PCPD has issued "Privacy.SAFE", a privacy compliance
self-assessment kit, to assist organizations in assessing whether their
personal data management practices and procedures meet with the requirements
of the Ordinance. Comprising a set of checklists, guidance notes and an
interactive CD-ROM, the "Privacy.SAFE" kit provides a means for organizations
to perform systematic and self-monitored checks on compliance on an on-going
basis. The kit categorises the requirements of the Ordinance into seven
different groups comprising the six data protection principles, which
are the core requirements of the Ordinance, and requirements on direct
marketing. For each group, a corresponding checklist is provided to assist
an organization to ascertain its status of compliance with the Ordinance.
The kit is available for purchase from the PCPD at HK$150 per set. Those
interested can call the PCPD hotline at tel. no.: 2827 2827 for more details.
Mass media publicity campaign launched
A mass media publicity campaign was launched in March
to promote general awareness of the PCPD and the public's right to complain
to the PCPD when their personal data in a recorded form have been misused.
Based on the theme: "When there is no privacy, there is no dignity", the
campaign comprises 30-second advertisements on TV and radio as well as
MTR advertising.

PCPD and RTHK join hands to produce TV docu-drama series on privacy
The PCPD has joined hands with Radio Television Hong
Kong (RTHK) to produce a series of four docu-drama episodes to portray
the application of the Ordinance to common situations in our everyday
life. The four docu-drama episodes discuss personal data privacy issues
related to consumers, technology as well as the workplace and explore
the tension and balance between protecting an individual's privacy on
one hand and safeguarding public and social interests on the other. The
docu-drama series are broadcast on the TVB-Jade channel from 7:35 pm to
8:00 pm on four consecutive Saturdays from 13 May to 3 June.
First meetings of the Data Protection Officers' Club held
The first meetings of the private sector and the public
sector streams of the Data Protection Officers' Club were held on February
23 and 28 respectively. The Club comprises individuals from organizations
who have responsibility for implementing and co-ordinating compliance
with the Ordinance within their organizations. Apart from briefing members
on PCPD's latest activities and views on personal data privacy issues,
the PCPD also invited Mr. Wilfred Wong, Director of Human Resources of
Duty Free Shoppers Hong Kong Limited, and Ms. Venus Choy, Chief Legal
Counsel of the Hospital Authority, to share with club members their relevant
experience. Those interested in joining the Club can call tel. no.: 2877
7171 for more details.
HKISPA issues Code of Practice to tackle spamming on the Internet