PCPD 2005-2006 Annual Report

Compliance Check

A compliance check is undertaken when the Privacy Commissioner identifies a practice in an organization that appears to be inconsistent with the requirements of the Ordinance. In these circumstances, the Privacy Commissioner raises the matter in writing with the organization concerned pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial actions. In many cases, the organization concerned takes the initiative and responds by undertaking immediate action to remedy the suspected breach. In other instances, organizations seek advice from the Commissioner on the improvement measures that should be taken to avoid repetition of suspected breaches.

The reporting year saw a significant increase in the number of compliance checks undertaken by the Privacy Commissioner. This was largely attributable to the proactive approach taken towards employers placing blind recruitment advertisements (i.e. without disclosing the identities of the employers or their agents). In total, the Privacy Commissioner carried out 131 compliance checks in relation to alleged practices of data users that might be inconsistent with the requirements of the Ordinance. Among these 131 compliance checks, 41 (31%) were directed against those placing blind recruitment advertisements.

The majority of compliance checks (116) involved practices in private sector organizations. The remaining 15 checks related to government departments and statutory bodies. The following examples indicate the nature of some of the compliance checks undertaken during the course of the year.

Example 1

Issue:
A shopping mall collected identity card copies from shoppers for redemption of a birthday hamper during a promotion campaign.

Improvement Measures Recommended

Under the promotion campaign, shoppers whose month of birth fell within a certain period and who spent a certain amount of money in the shopping mall would be entitled to a birthday hamper. The purpose of collecting identity card copies of the shoppers, as put forward by the shopping mall, was to ensure that the shoppers' month of birth fell within the stated period. However, since the shoppers were required to redeem the birthday hamper in person, the Commissioner took the view that the physical production of identity cards by the shoppers to show their months of birth would suffice.

After being advised by the Privacy Commissioner, the shopping mall agreed to cease collecting the shoppers' identity card copies.

Example 2

Issue:
A bank account holder received a bank statement with another's account information shown on the reverse side of the bank statement.

Improvement Measures Recommended

According to the bank, the incident occurred as a result of the failure of their staff to properly reset the printing machine after an interruption of the printing process. It was also attributed to the staff's failure to identify the mistake while checking the print output.

After being notified of the incident, the bank revised their printing operation procedure, including increasing second level checking and escalation procedures, and requiring staff to initial checklists and keep logging sheets for sample checking. Refresher training on printing controls and briefing sessions for the new procedures were also provided to the staff concerned.

Example 3

Issue:
Managers posted up lists containing sick leave data of staff in employee work areas.

Improvement Measures Recommended

Local newspapers reported that managers of an organization posted sick leave records of staff in the workplace. The Privacy Commissioner approached the organization, whose management admitted that the posting of staff's sick leave data was an inappropriate practice and not allowed by the management. The management ordered removal of the data and reminded all line-of-business leaders not to engage in such practice.

The Privacy Commissioner subsequently confirmed the removal of the data with the labour union of the organization, and advised the organization to establish a data protection policy to prohibit the posting of staff's sick leave data and to provide ongoing training to the leaders.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.