PCPD - Collection of Visitors' Fingerprint Data by a Theme Park

Collection of Visitors' Fingerprint Data by a Theme Park

The Privacy Commissioner for Personal Data (the “Commissioner”) Mr. Roderick B. Woo today completed the investigation of a complaint case concerning the collection and recording of visitors’ fingerprint data by an entertainment theme park in Hong Kong (the “Park”).

Background

The complainant was dissatisfied that his family of four (including himself) bought four mutliple entry tickets to the Park but were required to have their fingerprint image scanned at the entry gate without being provided with a less privacy-intrusive option.

The complainant felt further aggrieved when his request for a copy of his “biometric fingerprint scan” pursuant to the data access right to which he is entitled under section 18 of the Personal Data (Privacy) Ordinance (the “Ordinance”) was denied. The Park told the complainant that it had not collected or stored his fingerprint scan.

Commissioner's action

The Commissioner decided to carry out an investigation pursuant to section 38(a) of the Ordinance in September 2009. The focus of the investigation was to find out whether any personal data were collected by the Park; and if yes, whether the collection of such personal data were necessary, adequate but not excessive and by means that are lawful and fair under the circumstances.

The course of investigation was difficult due to a multiplicity of complicated IT issues. In order to fully understand the operation of the Park’s ticketing system (the “System”), the Commissioner’s officers carried out a site inspection at the Park. The Commissioner also took statements from the Park’s staff and the vendors of the System.

The System

According to the Park, scanning is done of vistors to the Park who wish to have their tickets enabled by “Ticket Tag”. Upon inserting a ticket to the ticket reader at the turnstile, the System will take some sample points from the surface of a visitor's index finger so as to form an Initial Numeric Code (“INC”), which is used to associate with the Ticket Identity Number (“TIN”) stored in the magnetic strip of the ticket with the person using the ticket.

The fingerprint image is deleted immediately once the sample points are taken. The INC is encrypted and stored in a secure database and will be erased on a weekly basis after expiration of the validity period of the ticket. The link between a visitor and his INC is the TIN which is embedded in the ticket kept by the visitor.

When the visitor re-enters the Park, he will be required to insert his ticket into a ticket reader. The reader will decrypt the TIN to verify the validity of the ticket and pull the INC associated with the ticket from the INC database. The visitor’s index finger will be scanned again to create a new numeric code, which will then be compared with the INC. The visitor will be allowed access if the score passes the false-acceptance rate.

Findings of the Commissioner

The evidence and information before the Commissioner indicate that the complainant bought 4 “Stay and Play” tickets (valid for 2 days) for him and his family members to visit the Park. None of the 4 persons chose to register his/her name on the ticket. The Park only collected fingerprint images from them so as to form an INC for ticket validation and did not collect any other personal identifying particulars from them at the entry gate.

Despite the Park having the personal details of the complainant when he registered as a guest of the Park’s hotel, it was not practicable for the Park to link up an INC with the complainant. It was because the Park could not identify out of which of the tickets was used by the complainant. To constitute “personal data” under the Ordinance, one of the conditions is that it is practicable for the identity of the individual to be directly or indirectly ascertained from the data. As it was not practicable for the Park to uniquely identify the complainant’s INC, the data did not fall within the definition of “personal data” under the Ordinance.

In so far as the complaint is concerned, the Commissioner finds that the Park has not contravened the requirements of the Ordinance.

The Commissioner’s comments on other situations where personal information are collected and kept by the Park

The comments from here on do not form part of the Commissioner’s decision in the complaint case.

The Commissioner notes there are situations where personal information are collected:-
(a)    Where only one guest buys a “Stay and Play” ticket and uses the System, the Park may then link the personal particulars of the guest with the INC through the TIN;
(b)    Where a visitor purchases an Annual Pass, both his personal particulars and the INC will be collected by the Park

There are arguments that the data stored in a biometric recognition system may not be personal data because the stored biometric data are just meaningless numbers and therefore are not personally identifiable information and a biometric image cannot be reconstructed from the stored biometric template.

The Commissioner has in the past been of the view that although the feature of an individual’s fingerprint image had been converted into a numeric value, the sample points taken from the surface of a visitor's index finger may still be adequate to establish a positive identification. The purpose of a fingerprint recognition system is to identify or verify the identity of an individual. Hence, they will be considered “personal data” when combined with other identifying particulars of a data subject.

Thus an INC might in certain circumstances constitute the personal data of a visitor, i.e. where the visitor was both the buyer and the user of a personalized pass.

The Commissioner makes the following observations:-

(a)    Options to be considered and made available:
The Park provides an alternative option of “photo identification” (i.e. identification by means of a document with a photo of the person concerned such as a passport, a HKID card, etc.) in lieu of scanning a visitor’s fingerprint image. Such option is expressly stated on a ticket and in the Park’s website, and orally conveyed to a ticket-holder upon his first entry to the Park.

(b)    Consent
The Commissioner respects the decision made by a data subject to voluntarily supply his fingerprint data for specific purposes. Unlike other cases where special relationship between the data user and the data subjects exists (e.g. employer and employees, school and pupils), the Park is only an amusement service provider to the visitor and there is no reasonable suspicion of undue influence due to disparity of bargaining power. Hence, the visitors’ consent to provide their fingerprint data are genuine consent as a visitor may choose the “photo identification” option and in any case the visitor may simply not visit the Park if he does not like any of the options.

(c)    No collection of fingerprint data from children of young age
The Commissioner notes that the Park does not accept children aged 3 to 11 to provide fingerprint for purpose of access to the park. They must use “photo identification” instead.

(d)    Proper handling of the data
The System is designed in such a way that the fingerprint data and the customer data are stored in two separate databases having logical segregation. This reduces the risk/impact in the case of unauthorized or accidental access of the INC database. Besides, the default design of the System does not allow the INC database to be viewed or exported. The Commissioner is reasonably satisfied that sufficient measures are in place to control the retention, processing and security of the fingerprint data.

The Commissioner respects the individual’s right of self-determination.

“I respect the free will of an individual to provide his fingerprint data for access to facilities and services if this is an informed decision made without undue influence being exerted upon him. An important factor being considered is that the Park has provided options for their visitors to choose and decide whether to use his fingerprint to gain access to the Park. The visitors are not compelled to provide their biometric data. Through examining its ticketing system, I note that the Park has been mindful in its operation and has incorporated measures to manage the privacy risks” said Mr. WOO.

END