Publications and Videos
Annual Report


Monitoring Compliance

Highlights of acts or practices found in contravention of the PD(P)O

Landlords beware: disclosing to tenant's employer details of rental dispute may be wrongful — DPP3 4/04

The Complaint

A tenancy dispute over rental payment arose. In the course of taking action for recovery of rent, the landlord's solicitors issued a demand letter to the tenant and had it copied to his employer disclosing details of the dispute and the rent in arrears.

Outcome of Investigation

Personal data of the tenant relating to the tenancy dispute are considered to have been collected for the purpose of dealing with or resolving the dispute between the parties. The employer of the tenant had no prior involvement in the tenancy or the dispute. The landlord failed to justify why it was necessary to write to the employer about the dispute. The landlord might have wished to put pressure on the tenant to submit to its demand, but such use of the data was considered outside the original collection purpose. In the absence of evidence showing that the tenant had given his "prescribed consent" to the disclosure of his personal data relating to the tenancy dispute to his employer, the landlord was found in contravention of DPP3. An enforcement notice was issued requiring the landlord (which is in the real estate business) to cease the practice of informing tenants' employers in similar situations.


Internet security: randomly assigned instead of fixed reset password preferred when reactivating a lockout account — DPP3 5/04

The Complaint

A mobile phone service company provided an internet billing service to its customers through its website. The electronic bills, which contained customers' data including calling records, were password protected. In addition, a mechanism to deactivate internet access to an account after five unsuccessful logins was built in to preclude hacking. However, upon reactivation of a locked-out account at the customer's request, the password would be automatically reset to a fixed number (e.g. 123456), which was the same for all customers. This allowed a hacker to gain access to the account information by first deactivating an account with five unsuccessful login attempts, thereby prompting the customer to make a lockout report to the mobile phone company, and then logging in to the account with the fixed reset password before the customer had changed it. A complaint about this security pitfall in password control was lodged with the PCPD by a customer.

Outcome of Investigation

DPP4 requires the phone company to take all reasonably practicable steps to guard against unauthorized access to its customers' data. Taking into account the sensitivity of an individual's calling records, the phone company's unvaried practice of resetting the password of a locked-out account to a fixed number was considered insufficient to protect customers' data against the kind of intrusion described above, despite the phone company's effort to remind customers via its system to change passwords periodically. There was nothing to suggest that it was not reasonably practicable for the phone company to allot a varied, rather than a fixed, password to a customer when reactivating a locked-out account. Eventually, the mobile service provider improved its system so that the password is reset to a random number and the customer is informed of the reset password via a short message sent to his mobile telephone.
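The two reactivation behaviours described in this case, modelled as an added example that is not the phone company's code: a fixed reset password that every customer receives, beside the remedy of a per-reactivation random password that is stored only as a hash, delivered out of band (the return value stands in for the SMS gateway) and must be changed on first login. The account model, the threshold constant and the password length are assumptions.

```python
import hashlib
import hmac
import secrets
import string

MAX_FAILED_LOGINS = 5        # lockout threshold described in the case
RESET_PASSWORD_LENGTH = 10   # assumed length of the random reset password


class Account:
    """Minimal model of a customer's internet billing account (assumed structure)."""

    def __init__(self, msisdn: str, password: str):
        self.msisdn = msisdn                      # mobile number the SMS would go to
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password)
        self.failed_logins = 0
        self.locked = False
        self.must_change_password = False

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str) -> bool:
        """Constant-time check; five wrong attempts deactivate web access."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(password), self.password_hash):
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.locked = True
        return False


def reactivate_fixed(account: Account) -> str:
    """The practice found deficient: every reactivated account gets the same password."""
    account.password_hash = account._hash("123456")
    account.locked, account.failed_logins = False, 0
    return "123456"


def reactivate_random(account: Account) -> str:
    """The remedy: a fresh random password per reactivation, hashed at rest, sent out of band."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(RESET_PASSWORD_LENGTH))
    account.salt = secrets.token_bytes(16)         # new salt alongside the new password
    account.password_hash = account._hash(temp)
    account.locked, account.failed_logins = False, 0
    account.must_change_password = True            # caller must force a change on first login
    return temp                                    # hand to the SMS gateway, never log or display
```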


Internet security: system loopholes mended to prevent unauthorized or accidental access to password protected personal data of customers — DPP4 6/04

The Complaint

Another case concerned an internet billing service provided to customers by a mobile phone service company. The system was secured by a password feature, whereby a customer had to enter his password to gain access to his account information. While accessing his account information via the service, a customer was alarmed to find that it was possible to return to the same secured pages he had previously visited simply by striking the "Back" button or using the "History" function of the browser, even after he had logged out from the system and gone offline.

Outcome of Investigation

By allowing such security loopholes, the company exposed its customers' personal data to the risk of being accessed by unintended or unauthorized third parties, particularly when customers used computer terminals available in public places. This was considered a contravention of DPP4, in failing to provide sufficient safeguards to protect the customer data held. In response to the PCPD's findings, and in order to remedy the situation, the company immediately carried out rectifications to eliminate the loopholes and added security alert statements on the website advising customers to log out from the system and close the browser window after they had finished viewing the password-controlled personal information on the website.
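The loophole in this case arises when pages showing password-protected data are sent without cache-control headers, so the browser keeps a local copy that Back or History can redisplay after logout. As an added example (not the company's code), the following sets the response headers that prevent that and audits a captured response for their absence; the two sample responses are constructed, not taken from the case.

```python
from typing import Dict, List

# Headers to send with every page that shows password-protected personal data, so the
# browser does not redisplay it from a local cache via Back or History after logout.
SENSITIVE_PAGE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",   # honoured by HTTP/1.0 caches and older browsers
    "Expires": "0",         # an already-expired date for clients that ignore Cache-Control
}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a captured HTTP response into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return the cache-control weaknesses of a response carrying personal data."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: page can be re-read from the browser cache")
    if "no-cache" not in directives and "must-revalidate" not in directives:
        findings.append("Cache-Control does not force revalidation of a stale copy")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if "expires" not in h:
        findings.append("Expires header missing")
    return findings


# Constructed samples: a cacheable billing page (the deficient behaviour) and the same
# page sent with the corrected headers.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=3600

<html>...calling records...</html>"""

FIXED_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\n" + \
    "\n".join(f"{k}: {v}" for k, v in SENSITIVE_PAGE_HEADERS.items()) + \
    "\n\n<html>...calling records...</html>"
```

Server-side session invalidation on logout is still needed alongside these headers; they only stop the browser from replaying a copy it already holds.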


Personal data collected through outdoor marketing campaigns: organizers to take safety steps to prevent accidental loss of application data collected — DPP4 7/04

The Complaint

A bank conducted a marketing campaign in a bookshop to solicit credit card applications on a Saturday. At the end of the campaign, the bank staff put all the application forms together with applicants' identity card copies in a briefcase and carried them home before returning to office the next working day. Unfortunately, the bank staff left the briefcase in a public light bus and lost all the documents.

Outcome of Investigation

Upon investigation of the complaint, it was discovered that the bank had not issued adequate guidelines to staff on the handling of personal data collected during outside-office marketing campaigns. Taking into account the sensitivity of the data collected and the harm likely to be inflicted upon the data subject on accidental loss of the data, the bank was found in breach of the requirements of DPP4 in failing to take practicable steps to protect the security of the personal data collected. An enforcement notice was issued, and in compliance with it the bank implemented corresponding safeguards, including the transfer of the credit card applications and supporting documents to a nearby branch of the bank at the end of the marketing campaign instead of allowing staff to bring them home.


Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.