Information Centre

Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose


Date: 31 May 2011
Privacy Commissioner's submission in response to Government's Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance

1.    The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Allan CHIANG, made a submission today to the Administration and the Legislative Council’s Panel on Constitutional Affairs in response to the Government’s Report on Further Public Discussions on Review of the Personal Data (Privacy) Ordinance issued on 18 April 2011.

2.    Mr. Chiang said, “As the regulator for personal data protection, I look forward to an early implementation of the various amendment proposals which will lead to enhanced protection. There are, however, a significant number of proposals made by us which the Administration has decided not to pursue. These include proposals to increase the sanctioning powers of this Office, tighten the regulation on data processors and afford sensitive personal data greater protection. On these shelved proposals, our position remains unchanged as we believe they are meeting rising public expectations to deter privacy contraventions more vigorously.”

3.    Mr. Chiang further said, “The Administration has made detailed implementation proposals in its recent report. These will need to be looked at with caution. We note with particular concern several crucial flaws in the Administration’s implementation proposals regarding collection and use of personal data in direct marketing as well as unauthorized sale of personal data by data user.”

4.    “Firstly, as regards sale of personal data by the data user for a monetary gain or in kind gains, the Administration has proposed to permit the data user to inform the data subject any time after collecting the data that the data are to be sold. This is out of keeping with Data Protection Principle (“DPP”) 1(3) in Schedule 1 of the Personal Data (Privacy) Ordinance (“the Ordinance”) which requires the purpose of use of the data to be made known to the data subject on or before collecting the data. With this delay approach, the data user’s notification that the data would be sold can take place at any un-predetermined time after data collection.  In addition, it would be incumbent on the data subject to make a specific opt-out request in response to the notification. If the data subject does not respond within 30 days, he would be deemed to have not opted out and the data user may proceed to sell the data to third parties. As such, data users are likely to make more use of delayed notification rather than giving notification on or before collecting the data.”

5.    “Secondly, there are conceivable difficulties in coming up with a fair and effective system of delayed notification by the data users. They may not have updated contact particulars of the data subjects and the means of notification may fail for one reason or another. As such, failure of the data subject to exercise the opt-out option may be due to non-receipt of the data user’s notification and the application of the deeming rule would be unfair to the data subject. To address this imbalance against the data subject, the data user may be asked to maintain documentary proof of the correct issue of the notification but the cost of doing so may be disproportionately high.”

6.    “Thirdly, if a data subject does not opt-out at the first opportunity (that is, within 30 days after the data user gave the notification) and only exercises this option later, the difficulties he faces could well be insurmountable. At this late stage, he may be dealing with the transferee(s) of his personal data rather than the data user making the data transfer. He may not even be able to identify the original data source and tackle the problem at its root. Instead he may have to deal with individual data transferees as they make direct marketing approaches. To assist the data subject in this uphill struggle, we have earlier proposed to give the data subject a legal right to demand the data transferee to trace the source of the data but regrettably the Administration has chosen not to pursue this proposal.”     

7.    “Fourthly, in most if not all cases where the data subject is not informed before or at the time of data collection that the data would be sold, sale of data as the purpose of use would fall outside the reasonable expectation of the data subject and therefore not consistent with or directly related to the original purpose of use of the data. In the circumstances, DPP 3 in Schedule 1 of the Ordinance requires the data user to obtain the prescribed consent of the data subject before the data could be sold. Prescribed consent of an individual means express consent given voluntarily, and it cannot be inferred or implied from conduct or silence. Hence, under the current regime, unless the data user receives a positive indication from the data subject, the data user cannot sell the personal data of the data subject. In contrast, the Administration’s deeming rule as laid down in its current proposal in effect obviates the requirement for prescribed consent and legalizes sale of personal data by data users without seeking the data subject’s prior consent: an act which is not permissible under DPP 3. In sum, it falls short of the strong public expectation revealed in the Octopus incident and represents a retrograde step in tightening up control over the sale of personal data by data users. ”

8.    “As regards collection and use of personal data in direct marketing, the Administration has proposed to provide for delayed notification of use of data for direct marketing, and to apply also the opt-out mechanism and deeming rule. The proposal is therefore beset with the same flaws pointed out above for sale of personal data. Specifically, they give rise to concern about deliberate delay in notification, which must be addressed by the Administration when drafting the amendment bill. ” 

9.    Mr. Chiang added, “We hope that our submission will be duly considered by the Administration and the Legislature so that the amendment bill to the Ordinance will best meet the public aspirations for protecting personal data privacy.”

10.    A full version of the Commissioner’s submission can be accessed from the website of the Office of the Privacy Commissioner for Personal Data at:


Back to top

End of Page

[Media Statement] [Speeches, Articles & Papers] [Exhibition Materials] [Other Related Websites] [Archive] [Other Resources] [On-line Self Training] [Submissions to Public Consultation] [Privacy Commissioner's response following former Deputy Commissioner's conviction] [Response to the loss of medical data by Department of Health] [Privacy Commissioner commits himself to securing patients' data] [Privacy Commissioner commences inspection against Hospital Authority] [Response to data leakage by Immigration Department] [Response to data loss by HSBC] [Privacy is Your Business International Privacy Video Competition] [Privacy Commissioner strives to promote protection of personal data privacy] [Response following former Deputy Commissioner's conviction] [The Privacy Commissioner's clarification on criminalizing data leakage] [The Privacy Commissioner responds to media report today that] [Response to data leakage by the Police] [Progress of Inspection Against Hospital Authority] [The Director of Immigration Department signed formal undertaking] [Speech by Privacy Commissioner at the special meeting of Legislative Council Panel on Home Affairs] [Response to data loss incidents by The Hongkong and Shanghai Banking Corporation Limited] [The Privacy Commissioner completes the Inspection of the Hospital Authority's Personal Data System] [Privacy Commissioner Publishes Inspection Report on Hospital Authority] [Privacy Commissioner explains recommendations on the protection of patients' data privacy] [Privacy Commissioner accepts an Undertaking by HSBC] [Privacy is Your Business International Privacy Video Competition Prize Presentation Ceremony] [Response to Judgment of judicial review application by Cathay Pacific] [Privacy Commissioner welcomes HA's effort to enhance patient data privacy] [Statement by the Privacy Commissioner Following the Judgment made in HCAL 50/2008] [PCPD received a letter from CX Flight Attendants Union] [Impact of Technology on Data Privacy] [Privacy Commissioner responds to taxi industry's proposal of installing CCTVs in taxis] [United Christian Hospital's loss of patients' data] [Privacy Commissioner hosts the 31st APPA Forum] [Privacy Commissioner urges job seekers to be careful when providing personal data] [Launch of a booklet on protection of personal data] [Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose] [The Recruitment of Deputy Privacy Commissioner (DPC)] [Response to Media Report on the Use of Fingerprint Recognition System by a School] [Privacy Commissioner Responds to Public Enquiries about the Issue of] [Investigation Report: Tutorial Centre Using a Student's Results Notice for Promotion without the Student's Consent] [Privacy Commissioner Welcomes Hospital Authority's New Measures on the Protection of Patients' Personal Data] [Investigation Report: Food Company Collecting Participants' Personal Data in Lucky Draw Activity] [Privacy Commissioner Responds to] [The need to ensure that individuals are identified by the correct personal identifiers: the case of identification of new born babies] [Public Consultation on Ordinance Review] [] [Response to Media Report on Searching for Others' Personal Data on the Internet] [Privacy Commissioner attended the 31st International Conference of Data Protection and Privacy Commissioners] [Response to Media Enquiries] [The "Value-for-money" Audit Report on PCPD issued by the Director of AuditThe] [Protective measures taken by the Hospital Authority which enhance the protection of new born babies and the accuracy of their personal data] [The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency] [A personal statement by Roderick Woo, the Privacy Commissioner] [Office of the Privacy Commissioner for Personal Data's Annual Report won international awards for three consecutive years] [Privacy Commissioner Launches Privacy Awareness Week 2010] [Response to recent discussion about third parties' requests for patients data] [Opinion Survey: Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy] [Public Seminar on] [Privacy Campaign for Insurers] [Google collected Wi-Fi data] [Google collected Wi-Fi data in Hong Kong] [Google collected Wi-Fi data in Hong Kong] [Privacy Commissioner attended the 33rd Asia Pacific Privacy Authorities Forum] [Privacy Commissioner responds to a local magazine's editorial on privacy issues] [Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications] [Privacy Commissioner responds to an opinion survey report on Octopus cards and privacy issues] [Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board] [The Personal Data (Privacy) Ordinance and Octopus Card System] [Privacy Commissioner initiates investigation on the Octopus] [Privacy Commissioner Publishes Information Leaflet on Privacy Impact Assessment] [Privacy Commissioner published new revised edition of a book to provide in-depth interpretation] [The Privacy Commissioner gives interim report on the investigation of Octopus] [The Privacy Commissioner Completed the Compliance Check on Google's Collection of Wi-Fi Payload Data] [The Privacy Commissioner has completed a Privacy Compliance Assessment Report on the Smart Identity Card System] [Collection of Visitors' Fingerprint Data by a Theme Park] [Investigation Report: Beauty Centre Transferring a Client's Personal Data to a Third Party without the Client's Consent] [Hong Kong Letter - Roderick Woo, Privacy Commissioner for Personal Data] [Mr. Allan Chiang took office as Privacy Commissioner] [A short video introducing the Personal Data (Privacy) Ordinance] [Privacy Commissioner reminds data users of the requirements of the Ordinance when engaging direct marketing activities] [PCPD joined APEC Cross-border Privacy Enforcement Arrangement] [Privacy Commissioner discussed organizations’ collection and use of personal data for direct marketing with a political commentary group] [Amended Data Access Request Form takes effect] [Response to media reports on the attendance records of the Personal Data (Privacy) Advisory Committee] [Privacy Commissioner completed investigation on Octopus Holdings Ltd] [Multi-media Information] [Investigation Report – Octopus Rewards Program] [Privacy Commissioner publishes Guidance on the Collection and Use of Personal Data in Direct Marketing] [Privacy Commissioner responds to Government's proposals on Review of the Personal Data (Privacy) Ordinance] [PCPD's Statement regarding investigations into the Octopus Group of Companies] [Hong Kong Letter - Allan Chiang, Privacy Commissioner for Personal Data] [Investigation Report: A Telecommunications Company Authorized Another Company to Conduct Telemarketing] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of a personal data privacy case when he was Postmaster General in 2005] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of personal data privacy cases when he was Postmaster General from 2003 to 2006] [Online Survey of the] [PCPD's Submission in response to Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance] [The Sharing of Mortgage Data for Credit Assessment] [Public Forum on Proposed Revisions to the Code of Practice on Consumer Credit Data] [Privacy concerns about resumption of Google Street View car operation] [Public Consultation on the Sharing of Mortgage Data for Credit Assessment Ended] [Consumer Roadshow on Protection of Personal Data] [Consultation Report on the Sharing of Mortgage Data for Credit Assessment] [Amendments to Code of Practice on Consumer Credit Data To Take Effect]

[About PCPD] [The Ordinance] [PCPD Activities] [Information Centre] [Personal Data Privacy Liberal Studies] [Privacy Zone for Youngsters]
[Publications & Videos] [Enquiries & Complaints] [Case Notes] [Contact Us] [Search] [Site Directory] [Graphical Version]
[Chinese Version]

Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer