Be Careful of Your Personal data

Mr K T Chan, Chief Personal Data Officer

Your salary is usually something best kept close to your chest. So is your home phone number, not to mention your identity-card details, address and other personal data such as the location of your workplace. So imagine how Anna Choy (not her real name) felt when she discovered a credit-card application together with an identity card copy of hers had been lost by a bank worker manning a promotion booth inside a shopping mall. The documents, the bank informed her, had been left on a public light bus with a bunch of other forms when the bank staff tried to bring home the application papers before returning them to the office the next working day. Furious, Choy lodged a complaint with the Office of the Privacy Commissioner for Personal Data (the PCPD).

In this issue, Mr K T Chan, our Chief Personal Data Officer, shows how this case breached Data Protection Principles and outlines some of the other complaints received last year to show the importance of personal data privacy in everyday life. The PCPD received 919 complaints from April 2003 to March 2004, an increase of 1.4% from the previous year. The rise reflects the public's growing awareness of privacy, which has led to a total of more than 5,000 complaint cases lodged with the PCPD since its establishment in 1996.

Of the complaints received in the past year, 71% (655) were against private-sector organizations, 10% (95 cases) against public-sector organizations and 19% (169) against individuals. A closer analysis of the numbers reveals that the biggest number of complaints among the 655 made against private organizations were levied at financial institutions. Fifty of the 161 such cases involved the alleged use of personal data by financial institutions to recover moneys owed. Twenty-three of these cases involved the use of customer data for direct-marketing purposes (including the transfer of customer data to third parties for promoting their products).

Telecommunications was second with 124 complaints, of which 28 concerned the use of personal data for debt-recovery purposes. In 26 cases, the telecoms companies were alleged to have applied for other services for the customers or imposed charges on them without prior authorization or notice.

In investigating complaints involving the use of personal data for debt-recovery purposes, Mr Chan found that at times some members of the public might have misinterpreted the requirements of the Personal Data (Privacy) Ordinance (the "Ordinance"). In some cases, complainants object to the transfer of their personal data to debt collectors and lodge complaint with the PCPD.

Mr Chan points out that in general financial institutions may transfer debtors' personal data to debt collectors for the purpose of debt recovery. Such transfer is, in normal circumstances, directly related to the original purpose of data collection, although institutions should only disclose to debt-collection agencies such information necessary for them to carry out their work, and should inform the debtors of such disclosure at the time of collection of the data from the debtors.

Loss of customers' application forms

Mr Chan uses the case of the lady whose personal data were left on a public light bus as an example of one of the three types of complaints received last year that we are going to discuss in this issue. After investigation it was discovered that the bank had no policy or measures in place to guide its staff to safeguard customers' personal data when conducting outside-office promotional activities. As such, the bank had contravened Data Protection Principle 4, which provides that a data user should ensure the personal data he holds are protected against unauthorized or accidental access, processing, erasure or other use.

"According to section 50 of the Ordinance, if the Privacy Commissioner is of the opinion that a company/individual has contravened any requirement of the Ordinance and the contravention is likely to continue or be repeated, the Commissioner may serve on the relevant company/individual an enforcement notice with directions about appropriate steps to remedy the situation. The bank involved in the above case, it was revealed, organized onsite promotions from time to time but had not implemented any appropriate policy or measures to handle and transmit its clients' application forms safely. To ensure customers' personal data are transmitted or stored safely in future, we served on the bank an enforcement notice directing it to implement appropriate policies or practices with respect to its onsite promotions, and to ensure compliance by its staff."

The bank eventually promised to abide by the directions in the enforcement notice and to rearrange its workflow for onsite promotional activities to avoid recurrence of similar incidents. The bank also ceased its practice of allowing staff to bring home the application papers collected in such marketing campaigns, but required them to be transmitted to and stored in nearby offices or branches.

When conducting onsite marketing activities, companies often ask customers to provide personal data on the spot. Mr. Chan reminds members of the public to take extra care in such circumstances, saying that before proceeding they should confirm the identity of the promoter collecting the personal data, and consider whether the information will be handled properly. If in doubt, he says, to protect against any potential loss, think twice before complying with request for personal details.

Cross-marketing activities

In 94 cases, customers' personal data were used for direct-marketing purposes; of these, 12 cases were related to cross-marketing activities. In cross-marketing, customer data held by company "A" are transferred or disclosed to another company (which we'll call "B") to carry out a "joint-marketing scheme" promoting products or services provided by A or B.

In one case, the complainant contended the bank that issued his credit card transferred his personal data without his consent to an insurance company for telemarketing purposes. The bank acknowledged as much, admitting that it had transferred to the insurance company detailed information about the customer - his name, phone number, date of birth, identity-card number and credit-card number. But it argued that it had informed all clients beforehand that their personal data would be used to market financial products, insurance service being perceived by the bank as one such product. Which is why it insisted such transfer of customer's personal data was consistent with the purpose stated in its personal-data collection notice.

The PCPD, however, takes a different view. "Although the transfer of the customer's data might be directly related to the original collection purpose, we considered that the customer's contact details would have been sufficient," says Mr Chan. "In other words, the transfer of other information such as identity-card number and credit-card number was unnecessary and excessive. In light of this, our view was that the bank had contravened Data Protection Principle 3 in terms of the use of those personal data."

Mr Chan understands that commercial companies need to market their products to customers but says they should be mindful of using or disclosing customers' personal data and ensure they are complying with the requirements of the Ordinance. To provide clear practice guidelines to companies carrying out cross-marketing activities, the PCPD published in March a fact sheet called "Personal Data Privacy: Guidance on Cross-Marketing Activities".

Complaints related to job applications

Last year the PCPD investigated five complaint cases about "blind recruitment advertisements". According to the Code of Practice on Human Resource Management (the "Code"), recruitment advertisements that directly solicit personal data from job applicants must provide the means to identify the employer or its agent. That means job ads that do not provide the name of the organization fall into the category of "blind recruitment advertisements". In other words, if a company invites applicants in a recruitment ad to send their resume to a post-office box, fax number or e-mail address without disclosing its identity, it has contravened the Code.

Job applicants are often asked to provide large amounts of personal data or even copies of their identity cards. But the prospective employer should not collect identity card copies during the recruitment process until the applicant has accepted the employment offer. In addition, prospective employers should not ask job applicants to provide information unrelated to the recruitment exercise (which is primarily for the purpose of identifying suitable candidates) such as credit-card details or bank account details. That amounts to collection of excessive data and contravenes the Code, hence the Ordinance.

"We understand that job applicants are eager to get a job and worry that they will lose opportunities if they are not cooperative," says Mr Chan. "However, we should bear in mind that employers sometimes ask for excessive data. Before providing the information we should think about what is being requested and why. Would an organization asking for excessive personal data be a good employer? To avoid being duped by impostors, job applicants should not underestimate the serious consequences that may arise from their providing more information than is necessary."

To raise job seekers' privacy awareness in a user-friendly way, the PCPD has placed a computer game on the PCPD web site (www.pcpd.org.hk) called "Beware of Job Application Pitfalls".

Having processed numerous complaint cases, how would Mr Chan advise the public to protect their personal information? "Before giving out information about yourself you must be aware of the collection purpose and how the data will be used," he says. "Hong Kong is a metropolitan city where the flow of information is essential and inevitable. In many cases, there is a genuine need for members of the public to provide personal data in order to receive the products and services of organizations. We should be vigilant and conscious of the reason we are being asked to provide such data. Is it reasonable for the company to ask for the data in that situation? Are the requests for information excessive? If there is any doubt we should clarify with the parties concerned, and if the reply is not convincing we may express our concern or consider declining to provide the data to prevent any unnecessary loss."

To provide a clear interpretation of the Ordinance in our daily life, the PCPD will introduce new materials to provide practical guidance so members of the public will be able to better protect their personal data. Our staff are also available to help you with any queries. Our hotline number is 2827 2827.

"Privacy Protection Drama Show" Returns Due to Popular Demand

Last year, we presented to the public for free a series of four privacy drama shows called "Private Affairs". The drama, performed by popular artistes from the Artiste Training Alumni Association (ATAA), highlighted the most common privacy-related problems people may encounter in daily life and offered possible solutions.

Owing to the overwhelming responses, we decided to stage a rerun of the show at Sha Tin Town Hall on 8 June. The performance enjoyed a full house, with audiences of more than 1,000.

"Telling you my secret" - A Privacy Enhancement Activity in the Primary Schools

The PCPD had launched an ingenious on-stage privacy show entitled "Telling you my secret" (¦³­ÆÙ_¡Âµ¡ˆ_K¸Ü¡¡ÓAª¾) in March aimed at instilling the notion of protecting and respecting privacy rights amongst primary school students in Hong Kong.

To enhance children's interests on the subject, the PCPD had invited Mr. Harry Wong, a renown youth program host, to conduct interactive activities integrating music, magic shows, puppet shows, drama and role play to help youngsters understand the concept of privacy protection and to introduce ways of protecting their own personal data and those of their families and friends in everyday lives under a lively atmosphere.

A booklet titled " Protecting Privacy & Respecting Others" was also produced to accompany the show to further enhance their understanding of the protection of personal data privacy in cartoon illustrations and comic script.

The PCPD had received overwhelming responses from over 300 local primary schools. Over 10,000 pupils of 30 local primary schools had enjoyed the show during the period from 15 March to 2 April 2004.

We are pleased to see that the shows were well received by the participating schools and students. We are also glad to see that the students had given serious thoughts to the matter. Please enjoy the following drawings of some creative ways of how to protect your personal data drawn by some students:

To enjoy more drawings, please visit the PCPD web site. In the future, we shall keep organizing more meaningful educational activities for youths in Hong Kong.

APEC Privacy Initiative

The Electronic Commerce Steering Group (ECSG) is a special task group established by the Asia-Pacific Economic Cooperation (APEC) to ensure coordination and pursuit of the Blueprint for Action on Electronic Commerce endorsed by APEC ministers. It is committed to promote mechanisms to increase trust and confidence of participants in electronic commerce in order to encourage greater use of the Internet to perform transactions and one of its initiatives is "data privacy".

The challenge for APEC economies in addressing the issue of data privacy is protecting the personal information of consumers while also facilitating trans-border data flows. In order to foster the development of compatible approaches to data privacy in the APEC region, the ECSG undertook a mapping exercise of APEC economies' approaches to data privacy in 2002. In February 2003 the ECSG established a Data Privacy Subgroup comprising Australia, Canada, China, Hong Kong China, Chinese Taipei, Japan, Korea, Malaysia, New Zealand, Thailand and the USA to develop a set of privacy principles and implementation mechanisms, to continue the exchange of information on developments related to data privacy within individual economies and to encourage public awareness by identifying and sharing best practices on data privacy protection.

Privacy Commissioner Raymond Tang had attended Privacy Subgroup meetings held in August 2003 (Thailand), September 2003 (Sydney), February 2004 (Chile) and June 2004 (USA). It is expected to finalize the APEC Privacy Framework at the September 2004 ECSG Meeting.

The PCPD official web site has won a Web Care Award (Primary Level) organized by the Internet Professional Association to recognize achievement in satisfying the different needs of the public in accessing online information.

Website Enhancement

Learning can be fun and flexible. With this in mind the PCPD has started enhancing its web site to widen the scope of privacy-protection information in an interesting and flexible way.

Youngsters haven't been forgotten, which is why three computer games designed by three talented teenagers have been uploaded to the "Privacy Zone for Youngsters" section to instill in our future generation the importance of respecting the privacy of others.

The games - "Beware of Job Application Pitfalls", "Privacy Matching" and "Privacy Fighter" - will enable young people to learn about the protection of personal data privacy in an enjoyable way.

A new section called "On-line Self Training" has also been created (see "Information Centre") to encourage self-learning in compliance with the requirements of the PD(P)O. This offers data users a greater degree of flexibility in terms of time and resources.

Kick-starting developments is on-line version of the "Self-Assessment Form for Evaluating Compliance with the Personal Data (Privacy) Ordinance". Soon an "On-line Privacy Seminar" will also be introduced to enable members of the public to learn at their convenience how to interpret and apply the PD(P)O.

New/Revised Guidance Notes

The PCPD has issued a good number of guidance notes in different areas to provide data users with practical guidance in complying with the requirements of the Personal Data (Privacy) Ordinance ("the Ordinance") in the handling of personal data.

In light of the prevalence of cross-marketing activities in Hong Kong, the PCPD has taken the initiative to issue the "Personal Data Privacy: Guidance on Cross Marketing Activities" in March. Cross-marketing activities may result in customers of one company being approached or sent marketing materials by a party previously unknown to them. Thus the use of personal data to carry out such activities may be a matter of particular sensitivity to the individuals concerned. The guidance provides advices to data users on: (i) the provision of notification to customers of joint marketing scheme; (ii) the handling and transfer of customers' personal data for marketing purpose, and (iii) the provision of "opt-out" option to customers.

In June, the PCPD released a revision to the "Personal Data Privacy: Guidance on Electioneering Activities" to advise candidates the proper way of how to collect and use personal data for canvassing support for votes in compliance with the requirements of the Ordinance in the upcoming Legislative Council election. The guidance note was first issued in 2000.

To win or to hide

Care to be tracked down in return for a car?

This summer a US soft drink giant is using the cutting-edge Global Positioning System (GPS) to find winners. In a national-wide promotion, the company will use a satellite-based navigation system to pinpoint users' exact locations. Prizes will be awared to those located.

The 120 GPS game cans are disguised to look and feel like a regular soft drink and are concealed inside multi-packs of the soft drink. The cans contain both a phone and a GPS locator devise. Lucky consumers who find the winning cans should push the button on the can to contact the prize claiming hotline. If the consumer agrees to be found the company will begin the search via the GPS can.

When the company finds the exact location of the GPS game can and verifies eligibility, they will deliver the prize to the winner, which could be a new car, at an unexpected time.

The company intends to use this high technology to reach consumers and bring them fun and excitement and stresses that the searching won't start until the consumer express consent to it. There are alternative ways for the winners to claim their prizes if they refuses to participate in the game.

Appeal arising from a neighbourhood dispute

The Complaint

Mrs. LEE (pseudonym) complained to the property management office about the nuisance caused by noise and water dripping from the planter of her neighbour, Mrs. NG (pseudonym) living in the flat immediately above hers. The management office tried to contact Mrs. NG several times with a view to settle the dispute but to no avail. Mrs. LEE found the nuisance hard to tolerate and thus filed a claim against Mrs. NG at the Small Claim Tribunal. The management office acceded to Mrs. LEE's request and provided her with a copy of the complaint records containing Mrs. NG's personal data in order to show that they had taken follow-up actions in respect of her complaint. Mrs. NG became very angry on learning that and was of the view that the management office had infringed upon her privacy rights by providing a copy of the said records containing her personal data to Mrs. LEE without her consent. As such, Mrs. NG complained to the Office of the Privacy Commissioner for Personal Data ("PCPD") that the management office had improperly disclosed her personal data.

Action Taken by the PCPD

After enquiries, the PCPD opined that the provision of the complaint records containing Mrs. NG's personal data by the management office to Mrs. LEE was for a purpose consistent with or directly related to the original purpose of collecting the complainant's personal data, i.e. for property management purpose and for following up the tenants' disputes. Therefore, even without the consent of the complainant, the disclosure of such personal data to Mrs. LEE by the management office was not inconsistent with the requirements of Data Protection Principle 3 ("DPP3") of the Personal Data (Privacy) Ordinance ("Ordinance")¹.

In addition, even though the original purpose of collecting the complainant's personal data was not for use as evidence in handling disputes but the use was later changed and the said data were handed to one of the parties involved in the dispute as evidence in court proceedings, past cases showed that "the prevention ... of unlawful and seriously improper conduct" under section 58 of the Ordinance² also includes the provision of evidence in respect of civil wrongs in courts and such data are therefore exempt from DPP3. As a result, the PCPD informed the complainant that the case would not be proceeded further.

Appeal by the Complainant

The complainant was not satisfied with PCPD's decision and made an appeal to the Administrative Appeals Board ("AAB"). After hearing, the AAB ruled that the decision by the PCPD not to investigate the case was correct and the appeal was thus dismissed.

The AAB supported PCPD's decision and was of the view that such use of the complainant's personal data was consistent with its original collection purpose. As for the query by the complainant whether the exemption provisions of section 58 could be applied to this case, no ruling was made by the AAB. However, it was of the view that such use of the complainant's personal data by the management office was not inconsistent with DPP3 and this is sufficient to support PCPD's decision not to carry out investigation into the complainant's case.

Plenary Meeting

An audience of more than 250 people, including members, guest speakers and campus reporters attended the first plenary meeting for this membership year at the Hong Kong Convention and Exhibition Centre on 7 May 2004.

It was a great pleasure to have representatives from the Police Force and the Immigration Department speak at the meeting. Ms Gloria Yu, Woman Chief Inspector of Hong Kong Police Force, talked about identity-related theft crime in Hong Kong and gave practical advice on prevention such crimes. Mr. K. M. Wong, Senior Immigration Officer (Operational Research) of the Immigration Department, gave a detailed presentation on the security features of Smart ID Card.

The meeting also drew campus reporters from the Hong Kong Tang King Po College, St. Mary's Church College, and the Campus Television Team from the Yan Tak Catholic Primary School. Attentive attendees, the youngsters raised interesting questions, that reflected a genuine interest in privacy issues. Later, the Campus TV reporters interviewed the Privacy Commissioner about PCPD's work, asking him about means of privacy protection. The articles they wrote and video of the interview are now available on the PCPD website under the DPOC section. Hope you enjoy them!

In the forthcoming months, more members will have the opportunity to participate in Club activities such as workshops and sharing sessions.