
Annual Report

[Image of Monitoring Compliance]

Compliance Checks

A compliance check is undertaken when the PCPD identifies a practice in an organization that appears to be inconsistent with the requirements of the Ordinance. In these circumstances, the PCPD raises the matter in writing with the organization concerned pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial action. In many cases, the organization concerned takes the initiative and responds by undertaking immediate action to remedy the suspected breach. In other instances, organizations seek advice from the PCPD on the improvement measures that should be taken to avoid repetition of suspected breaches.

The reporting year saw a significant increase in the number of compliance checks undertaken by the PCPD. This was largely attributable to the proactive approach taken towards employers placing blind recruitment advertisements. In total, the PCPD carried out 95 compliance checks in relation to alleged practices of data users that might be inconsistent with the requirements of the Ordinance. Among these 95 compliance checks, more than half (48) were directed against those placing blind recruitment advertisements.

The majority of compliance checks (87) involved practices in private sector organizations. The remaining eight checks related to government departments and statutory bodies. The following examples indicate the nature of some of the compliance checks undertaken during the course of the year.

Example 1

 


ISSUE:
A university used a fingerprint recognition device to record employees' attendance at work

IMPROVEMENT MEASURES RECOMMENDED

The application of biometric technologies, such as a fingerprint scanner used for access control purposes, may well serve as a useful security system. However, in the context of the workplace its use in employee monitoring means that it has the propensity to be privacy intrusive. In such circumstances the recording of fingerprints is a sensitive matter given the widespread association of fingerprints with criminal investigations undertaken by the police.

One of the important considerations employers should take into account when deploying such a device is whether the same purpose may be achieved by less privacy intrusive means. Where there are other pragmatic alternatives, these should be resorted to, although the preference for non-privacy invasive systems does not automatically disqualify the use of a fingerprint recognition system for legitimate purposes. Valid reasons may exist for employing such a system, e.g. controlling access of personnel to a secure location.

The university responded positively to the PCPD's advice and introduced a new PIN system which effectively served the same purpose.

   
Example 2
ISSUE:
An airline collected credit card copies from customers buying air tickets via fax

IMPROVEMENT MEASURES RECOMMENDED

The airline took the view that the collection of credit card copies was not excessive and therefore declined to stop such collection. The explanation provided was that the collection of the copy was for the purposes of verifying the credit card information completed by the customers and preventing unlawful or seriously improper conduct. The PCPD sought the assistance of the global credit card issuers who confirmed that, for off-line transactions (i.e. an order by fax or mail), the "chargeback rule" would apply meaning that the merchant would be required to bear the risk. That is, a dispute subsequently initiated by a cardholder would result in the chargeback rule being invoked in favour of the cardholder. Even if the merchant were to produce a copy of the individual credit card, it would not help the merchant in having the money reimbursed by the card-issuing bank.

The PCPD presented this rationale to the airline.

The airline agreed to stop collection of customers' credit card copies in transactions where no physical card was presented. The revised policy of the airline necessitated systems adjustments which are now in place and applicable to their international operations.

   

Example 3

ISSUE:
A bank collected Hong Kong Identity Card copies from non-account holders buying gift cheques

IMPROVEMENT MEASURES RECOMMENDED

Local newspapers reported that a bank had collected from non-account holders their Hong Kong Identity Card ("HKIC") copies, their addresses and contact details when purchasing gift cheques from the bank. The PCPD approached the Hong Kong Monetary Authority ("the HKMA") to seek clarification as to whether such collection was required pursuant to the Guideline on Prevention of Money Laundering ("the Guideline") issued by the HKMA. The HKMA confirmed that although there was no specific guideline in respect of the gift cheque business, a customer purchasing a gift cheque from a bank would normally be regarded as an applicant for "business". According to paragraph 5.26 of the Guideline with respect to business transactions undertaken for non-account holders, banks are required to seek positive evidence of identity from applicants and keep copies of their identification documents when the transaction undertaken involves large sums of cash, or is considered unusual.

The bank was approached again by the PCPD who expressed the view that even if they relied upon paragraph 5.26 of the Guideline, the PCPD had certain reservations as to whether the purchase of gift cheques, which would not normally involve large sums of cash, could be regarded as a transaction covered by the paragraph.

The bank agreed to revise their practices and in future, they will not collect HKIC copies from non-account holders buying gift cheques unless the amount of a single purchase exceeds HK$100,000.

Example 4
ISSUE:
A mobile phone service company collected the Hong Kong Identity Card copy of a director of a limited company when opening an account in the name of the firm

IMPROVEMENT MEASURES RECOMMENDED

As the client was a corporate entity, collection of the director's Hong Kong Identity Card copy was considered unnecessary. On learning of the incident, the PCPD contacted the mobile phone service company to enquire about both the case in question and the company's guidelines in handling such matters. It transpired that an individual opening an account was required to provide a copy of his identity card, irrespective of whether the account was in the name of a company or an individual.

After the PCPD's involvement, the mobile phone service company agreed to amend its policy such that individuals opening a company account would no longer be required to furnish copies of their identity cards.

   
Example 5
ISSUE:
Blind recruitment advertisements: advertisements purporting to recruit employee(s) without identifying the employer.

IMPROVEMENT MEASURES RECOMMENDED

During the reporting period the PCPD continued to monitor and sample job advertisements published in newspapers and major recruitment magazines. Warning letters were issued to those advertisers who placed blind recruitment advertisements and, where the same blind recruitment advertisement was repeated, a compliance check was undertaken. The PCPD identified suspect employers and advertisers with the help of the publishers and proceeded to raise the issue with those concerned, requesting them to take immediate remedial action.

To date, 48 compliance checks have been undertaken. There was no evidence in the checks undertaken that the advertisements constituted an act of dishonesty designed to obtain job seekers' information for unlawful purposes (e.g. to perpetrate a fraud). Prospective employers were genuinely ignorant of the requirements of the Code of Practice on Human Resource Management ("the Code").

Upon being informed of the provisions of the Code, the majority of employers ceased placing blind recruitment advertisements.


Example 6

ISSUE:
Privacy concern over the provision by a telecommunications company of telephone number and address information to the Fire Services Department for handling emergency calls

IMPROVEMENT MEASURES RECOMMENDED

In February 2005 the PCPD received enquiries from the press, and members of the public, expressing concern about possible intrusion of personal data privacy arising from a new service provided by a fixed telecommunications network service company ("the telephone company") in disclosing subscribers' telephone numbers and address information to the Fire Services Department ("FSD"). The purpose of disclosing this information is to enable the FSD to respond efficiently to emergency calls.

The PCPD approached the telephone company and the FSD to ensure that, where this disclosure involved personal data, it was in compliance with the requirements of the Ordinance. Both parties indicated that the telephone company would only provide the FSD with the telephone numbers and installation addresses, i.e. the building or estate from which an emergency call had been made. The full address and name of the subscriber would not be disclosed to the FSD.

According to section 2 of the Ordinance, "personal data" means any data relating directly or indirectly to a living individual and from which it is practicable for the identity of the individual to be directly or indirectly ascertained. As the information disclosed by the telephone company to the FSD did not contain any personal identifying particulars, it did not fall within the definition of "personal data" stipulated by the Ordinance.

The FSD also explained that the practice of calling back the caller, relying upon the displayed number, was not the most effective way to respond to emergency calls. In an emergency, time is of critical importance and the caller may not be able to clearly relay information such as an address due to extreme anxiety or other circumstances. In view of this, the prompt retrieval of the caller's installation address would enable the FSD to accurately identify the incident location and respond to the call more efficiently.

Staff of the PCPD later paid a visit to the FSD's Command and Control Centre and were satisfied that no personal data were transferred from the telephone company to the FSD in this new service.

N.B. The Office of the Telecommunications Authority ("OFTA") approached the PCPD in 2002 regarding the unblocking of Calling Name Display ("CNAMD")[1] data on FSD emergency hotlines. At that time the PCPD took the view that it would be prudent for subscribers to be notified at the time of their subscription to the CNAMD service that all blocking options would not be available for calls made to FSD emergency hotlines.

[1] Insofar as CNAMD and related services are concerned, OFTA has issued a Code of Practice on Calling Line Identification and Other Calling Line Identification Related Services ("the Code") to be followed by the telecommunications industry. Since CNAMD discloses the name of an individual, the Code requires prior registration with the operator and the written authorization and consent of the person whose name will be displayed to the called party when making calls from the subscribed telephone line.

 
 



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.