Publications and Videos

Annual Report

Monitoring Compliance

Highlights of Practices found to be in Contravention of the Ordinance

The following complaint cases illustrate some data user acts or practices that were found to have contravened the requirements of the Ordinance during the reporting period. They are selected on the basis of subject content and demonstrate the wide variety of conduct subject to the provisions of the Ordinance, including those of the Data Protection Principles ("DPP").

EMPLOYERS: THINK CAREFULLY BEFORE YOU DECIDE TO COLLECT EMPLOYEES' DNA DATA - DPP1(1)
1/05

The Complaint

What were believed to be menstrual bloodstains were found in the female toilet of a company. Suspecting that the bloodstains had been left by one of its female employees, and to deter any recurrence of such inconsiderate behaviour, the management of the company required all female staff to submit to a DNA test. It was intended that the test results would be matched against the sample bloodstains found in the toilet with a view to positively identifying the employee involved. Feeling humiliated by the employer's decision to collect DNA samples, one employee filed a complaint with the PCPD.

Findings of the Privacy Commissioner

The issue in this case was whether the collection by the company of the DNA data of its employees was excessive under the circumstances. The Privacy Commissioner took the view that it would be highly invasive of privacy to identify an individual by examining unique DNA data. The Privacy Commissioner held that the collection and use of DNA data was only justifiable in serious circumstances e.g. a criminal investigation. The collection of DNA data by the employer, solely for the purpose of ensuring hygienic conditions in the female toilets, was not justified as being either necessary or reasonable. The company was found to have contravened DPP1(1) by collecting excessive personal data of its employees.

Action by the Privacy Commissioner

An enforcement notice was issued against the company. As a result of that notice the collection of DNA samples was immediately stopped. In addition, those DNA samples and reports that had already been collected by the company were destroyed.

 
PROPERTY MANAGEMENT BODIES: COLLECTION OF IDENTITY CARD NUMBERS OF RESIDENTS APPLYING FOR ELECTRONIC ENTRANCE CARDS GIVING ACCESS TO THE BUILDING VIEWED AS EXCESSIVE COLLECTION - DPP1(1) AND THE CODE OF PRACTICE ON THE IDENTITY CARD NUMBER AND OTHER PERSONAL IDENTIFIERS
2/05

The Complaint

A property management company in a private housing estate introduced a "Door Access Card" system. Once the electronic readers had been installed residents needed to use a door access card or door key to enter the building. Those residents who wished to apply for the door access cards were required to register their names, telephone numbers and Hong Kong Identity Card numbers with the management company for record purposes. One resident of the housing estate objected to the collection of his identity card number and lodged a complaint with the PCPD.

The management company explained to the PCPD that the door access cards might fall into the wrong hands. If that occurred the identity card number would permit the identification of the resident in the event that the access card were misused e.g. for criminal purposes. In the event of claims being made against the management company i.e. redress sought by a victim of some criminal wrongdoing, the management company could seek indemnity from the cardholder concerned. The collection of identity card numbers was intended to prevent any harm to residents and to safeguard against damage or loss on the part of the management company. As such, these purposes were permitted under paragraphs 2.3.3.2 and 2.3.3.3 of the Code of Practice on the Identity Card Number and other Personal Identifiers ("the PI Code"). The management company also stated that collection was necessary for the purposes set out in section 58(1)(a) and (d) of the Ordinance, i.e. the prevention or detection of crime and the prevention, preclusion or remedying of unlawful conduct, which satisfied paragraph 2.3.2.2 of the PI Code.

Findings of the Privacy Commissioner

The existence and extent of loss or damage contemplated by the management company was held by the Privacy Commissioner to be something that should be realistically justified. Paragraph 2.3 of the PI Code was not intended to be invoked as an excuse for general application. Paragraph 2.3 is designed to provide specific exceptions to the general prohibition placed upon the collection of identity card numbers. In this particular case, it would be possible for the management company to identify or trace the responsible cardholder through the flat owner who originally agreed to the issuance of the access card in question or, where appropriate, take legal action against the flat owner. While acknowledging that an identity card number is an important item of personal data, the Privacy Commissioner considered it unnecessary and excessive to collect the identity card numbers of all residents in the estate simply because of the installation of a door access card system.

Action by the Privacy Commissioner

An enforcement notice was served on the management company and, as directed, the company ceased collection and destroyed those records containing the identity card numbers of residents.

 
CREDIT CARD COMPANIES: MUST ENSURE ACCURATE REPORTING AND TIMELY UPDATING OF ACCOUNT REPAYMENT DATA PROVIDED TO A CREDIT REFERENCE AGENCY - DPP2(1) AND THE CODE ON CONSUMER CREDIT DATA
3/05

The Complaint

A credit card holder obtained his credit report in September 2003 from a credit reference agency ("the CRA") and noticed that, notwithstanding the final settlement of his credit card account in August 2002, the report indicated that there was an outstanding sum still owed to the credit card company. The card holder disputed the outstanding sum and filed a complaint with the PCPD.

Upon investigation the credit card company admitted that the account in question had been fully settled in August 2002, but that this fact would only be captured and reflected in the next statement issued in September 2002. Since the credit card company's practice was to submit its customers' credit data to the CRA at the end of each month, the records kept by the CRA at the end of August 2002 continued to show an outstanding debt. The further submission of account repayment data at the end of September 2002 was rejected by the CRA for technical reasons. Nonetheless the credit card company's staff failed to take appropriate action and the matter went unattended until the customer lodged an inquiry with the CRA in 2003.

Findings of the Privacy Commissioner

An investigation by the Privacy Commissioner revealed that the credit card company had provided inaccurate data to the CRA resulting in an inaccurate entry on the complainant's credit report. Secondly, the credit card company did not have a verification procedure in place to ensure the accuracy of the account data prior to providing that data to the CRA. The credit card company was found to have contravened clause 3.4 of the February 2002 version of the Code of Practice on Consumer Credit Data ("the CCD Code") and thus DPP2(1) of the Ordinance.

It was also established that there was no procedure to ensure that a rejection report from the CRA would be properly dealt with by the credit card company. As a result, the matter went unattended until a complaint was received from the customer. The credit card company was therefore found to have contravened clauses 2.5 and 2.7 of the current version of the CCD Code and DPP2(1). Subsequent to the PCPD's investigation the mistake was eventually rectified.

Action by the Privacy Commissioner

An enforcement notice was issued by the Privacy Commissioner. This required the credit card company to implement practices that would ensure timely and accurate reporting of account repayment data to the CRA in accordance with the CCD Code, and to properly supervise compliance by its staff.

 
SERVICE PROVIDERS CHARGING CUSTOMERS' CREDIT CARDS: NOT TO USE CREDIT CARD DATA OF TERMINATED ACCOUNTS - DPP3
4/05

The Complaint

A customer subscribed to the Internet service of a telecommunications company and used her credit card to pay for the charges. She subsequently terminated the Internet account with the company. A year later, the customer registered with the telecommunications company for its IDD service and chose to settle the bills by cash payment. There was a default on payment of her IDD bill and the company resorted to the use of the customer's credit card information to charge the outstanding amount. On learning of this the customer made a complaint to the PCPD.

Findings of the Privacy Commissioner

An investigation by the PCPD revealed that the customer had not been informed of such use of her credit card information at the time of collection of the data by the telecommunications company. Further, it was held that it was not within a consumer's reasonable expectation for the credit card information, provided in conjunction with a terminated account, to be used for payment of services under a different account. No express consent had been obtained from the customer and the company was found to have changed the use of the credit card data in contravention of DPP3.

Action by the Privacy Commissioner

An enforcement notice was served on the company requiring it to cease such practice of using the customers' credit card data.

 
SENDERS OF INFORMATION THROUGH FAX: MUST ENSURE NO UNAUTHORIZED OR ACCIDENTAL ACCESS TO THE INFORMATION BY UNRELATED PARTIES - DPP4
5/05

The Complaint

A donor sent a letter to a government department requesting the issuance of an official receipt for a donation made. The letter contained the donor's name, residential address, identity card number, and details of the donation. Staff of the department called the property management office of the estate in which the donor lived and asked for a contact phone number. The management office refused to disclose the number for privacy reasons. The staff of the government department then wrote her own telephone and fax numbers on the letter and faxed it to the management office asking them to put the faxed copy in the donor's letter box so that the donor could call back. A member of the donor's family subsequently collected the faxed letter and in so doing saw the donation details. The donor took the view that if the government department wished to contact her they could either write or leave their contact number at the management office for the donor to call back. The donor was embarrassed by the disclosure of the donation details to a family member and made a complaint to the PCPD.

Findings of the Privacy Commissioner

The Privacy Commissioner agreed with the complainant that department staff should have used alternative means of getting in touch with her. It was also held that staff of the government department failed to ensure the secure transmission of the faxed copy to the recipient by not requesting the management office to put the fax in a sealed envelope addressed to the complainant before placing it into the letter box. The transmission of the faxed letter resulted in disclosure of the complainant's data to management office staff as well as a family member. The government department was found by the PCPD to have contravened the security provisions of DPP4. In addition, guidelines provided by the department to staff regarding the handling of this kind of request from donors were deemed inadequate.

Action by the Privacy Commissioner

An enforcement notice was issued against the department. The department subsequently ceased the practice of transmitting personal data via unrelated parties.

 
DATA USERS RECEIVING DATA ACCESS REQUESTS: MAKE A TIMELY DECISION WHETHER TO COMPLY AND RESPOND WITHIN 40 DAYS - SECTIONS 18 TO 21 OF THE ORDINANCE
6/05

The Complaint

Through a solicitor, a former employee made a data access request ("DAR") to the employer asking for certain minutes and tape recordings of meetings. The meetings in question included discussion of the termination of employment of the former employee. Two days before the expiry of the 40-day period after receiving the DAR, the employer's solicitors wrote to the employee's solicitors seeking clarification in respect of the request. The employee's solicitors replied the next day and provided the information sought. A few weeks later the employer supplied edited copies of the minutes but refused to release the tape recordings. The employer explained that the tape recordings would disclose the voices, and hence identities, of other individuals and therefore could not be released. The employee filed a complaint with the PCPD.

Findings of the Privacy Commissioner

The Privacy Commissioner took the view that the employer should have decided whether to comply with the request and, if so, supplied the requested data within 40 days of receiving the DAR (in accordance with section 19(1) of the Ordinance). If compliance with the request could not be made within the 40-day period, the employer should have informed the requestor within that period, complied with the request to the extent possible and then supplemented that initial reply as soon as practicable thereafter (according to section 19(2)). If the employer decided not to comply with the request, it should have informed the requestor within the 40-day period and given the reason(s) for the refusal (as required under section 21(1)). If the employer required more information from the requestor before deciding whether to comply with the request, it should have written to him earlier, taking into account the 40-day requirement. The employer failed to discharge its duty under the Ordinance and was found to have contravened section 19(1) by not complying with the DAR within 40 days of receiving it.

As for the tape recording, the Privacy Commissioner considered that a practical way of complying with the request would be to provide a transcript of the recording with the names or other identifying particulars of other individuals omitted (as required under sections 20(1)(b) and 20(2) of the Ordinance). It should be noted that section 18(1)(b) of the Ordinance requires the supply of a copy of the data and not a copy of the document, tape recording or other medium containing the data. Under such circumstances the employer would be justified in levying a fee for the preparation of the transcript, in accordance with section 28(2).

Action by the Privacy Commissioner

After the PCPD's intervention the employer undertook to provide a transcript of the tape recording with names or other identifying particulars of other individuals omitted, after receipt of the fee from the complainant.

 
MERCHANTS OUTSOURCING DIRECT MARKETING: ENSURE ADEQUACY OF DE-DUPLICATION PROCESS PERFORMED BY AN OUTSOURCED AGENT IN COMPLIANCE WITH OPT-OUT REQUESTS - SECTION 34 OF THE ORDINANCE
7/05

The Complaint

A lawyer complained against a magazine publisher for sending him direct mail despite repeated requests to remove his name from their mailing list ("opt-out requests"). Though the lawyer's name and office address used in several mailshots were not identical, there was no doubt that they related to one and the same person. The publisher explained that they engaged an outsourced agent, a lettershop, to undertake the work, using name lists with contact details acquired from external list brokers and list owners ("external names lists"). The lettershop used a computer programme to match names and addresses in the external names lists against a list maintained by the publisher of individuals who had made opt-out requests. The purpose of this matching, the "de-duplication process", was to ensure that subsequent mailshots were not sent to those individuals who had previously decided to opt out.


Findings of the Privacy Commissioner

An investigation revealed that, because of a defect in the automated de-duplication process, the lawyer's entries in the external names lists were not identified as matching his opt-out record (the names and addresses used differed in form), with the result that mailshots continued to be sent to him.

The PCPD was of the view that the publisher was primarily responsible for the acts of the lettershop, in relation to the processing and use of personal data in the external names lists, and hence answerable to the allegation made.

Though the names and addresses used in the series of mailshots were not identical, it would not have been difficult for a reasonable person to infer that they were the personal data of, and referred to, one and the same individual, i.e. the lawyer. The PCPD considered that the opt-out requirement in section 34(1)(ii) of the Ordinance should apply in relation to the use of the lawyer's personal data, i.e. his name and office address, in spite of the fact that the data used were not identical. The lawyer continued to receive mailshots despite previous opt-out requests having been made to the publisher. This constituted a contravention of the requirements under section 34(1)(ii) of the Ordinance on the part of the publisher.

Action by the Privacy Commissioner

An enforcement notice was issued directing the publisher to cease using the lawyer's name and office address for further direct marketing mailshots. In addition, the publisher was required to implement measures for selecting a competent outsourced service provider of direct marketing campaigns and to ensure the effectiveness of the de-duplication process used by the service provider by instructing staff to conduct tests and verification procedures.
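The failure in this case is a familiar one in suppression matching: an opt-out list keyed on the exact string of a name and address will not catch the same person as recorded by a different list broker. The following is an added example, not code from the PCPD or from the publisher or lettershop in the case, showing a naive exact-match suppression beside a normalised one, and the kind of seeded test the enforcement notice calls for. The names, addresses, honorific list and abbreviation table are constructed for illustration and would need to be extended for real Hong Kong address data.

```python
"""Opt-out suppression ("de-duplication") for a direct-mail run.

Added example, not PCPD, publisher or lettershop code. All records and
normalisation tables below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed tables; a production lettershop would carry much fuller ones.
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr"}
ADDRESS_ABBREV = {
    "rd": "road", "st": "street", "bldg": "building", "fl": "floor",
    "flr": "floor", "rm": "room", "twr": "tower", "ctr": "centre",
    "center": "centre",
}


@dataclass(frozen=True)
class Record:
    name: str
    address: str


def _tokens(text):
    """Lower-case, drop apostrophes, turn all other punctuation into spaces."""
    text = text.lower().replace("'", "")
    return re.sub(r"[^a-z0-9 ]", " ", text).split()


def name_key(name):
    """Order-independent name fingerprint: honorifics and initials dropped,
    remaining tokens sorted, so "Mr. John Chan", "CHAN, John" and
    "John K. Chan" all collapse to ("chan", "john")."""
    toks = [t for t in _tokens(name) if t not in HONORIFICS and len(t) > 1]
    return tuple(sorted(toks))


def address_key(address):
    """Address fingerprint: HK "12/F" and ordinals "12th" become "12 floor",
    common abbreviations are expanded, punctuation and case are ignored."""
    a = address.lower()
    a = re.sub(r"(\d+)\s*/\s*f\b", r"\1 floor", a)
    a = re.sub(r"\b(\d+)(st|nd|rd|th)\b", r"\1", a)
    return " ".join(ADDRESS_ABBREV.get(t, t) for t in _tokens(a))


def exact_key(rec):
    """The defective approach: match only on the literal strings."""
    return (rec.name, rec.address)


def normalized_key(rec):
    return (name_key(rec.name), address_key(rec.address))


def suppress(mailing_list, opt_outs, key):
    """Return the records that may still be mailed: everything in
    mailing_list whose key is not on the opt-out list."""
    blocked = {key(r) for r in opt_outs}
    return [r for r in mailing_list if key(r) not in blocked]


def verify_suppression(opt_outs, seeded_variants, key):
    """Verification step for the outsourced process: feed known variant
    spellings of opted-out people through suppression and return any that
    leak. A correct process returns an empty list."""
    return suppress(seeded_variants, opt_outs, key)


# Constructed sample data (hypothetical people and addresses).
OPT_OUTS = [
    Record("Mr. John Chan", "Room 1201, 12/F, ABC Tower, 1 Queen's Road Central"),
]
EXTERNAL_LIST = [
    # Same person as the opt-out record, as supplied by two different brokers.
    Record("CHAN, John", "Rm 1201, 12th Floor, ABC Twr, 1 Queen's Rd Central"),
    Record("John K. Chan", "Room 1201, 12/F, ABC Tower, 1 Queens Road Central"),
    # Unrelated subscriber who must still receive the mailshot.
    Record("Mary Lee", "Flat B, 3/F, 88 Nathan Road"),
]


def run_demo():
    """Returns the names mailed under each approach plus any verification leaks."""
    return {
        "exact": [r.name for r in suppress(EXTERNAL_LIST, OPT_OUTS, exact_key)],
        "normalized": [r.name for r in suppress(EXTERNAL_LIST, OPT_OUTS, normalized_key)],
        "leaks": verify_suppression(OPT_OUTS, EXTERNAL_LIST[:2], normalized_key),
    }


if __name__ == "__main__":
    for approach, mailed in run_demo().items():
        print(approach, mailed)
```

With exact matching all three external records are mailed, including both variants of the opted-out lawyer; with normalised keys only the unrelated subscriber is. The verification function is the kind of test the enforcement notice requires the publisher to have its staff run: seed known variants of opted-out individuals into a trial run and confirm none survive. Normalisation of this sort trades a small risk of over-suppression (two distinct people with the same fingerprint) for far fewer leaks, which is the right direction under section 34, since an over-suppressed record costs a mailshot while a leak is a contravention.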

 
 

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.