Publications and Videos

Annual Report

Compliance Actions

Compliance Checks

A compliance check is undertaken when the Privacy Commissioner identifies a practice in an organization that appears to be inconsistent with the requirements of the Ordinance. In these circumstances, the Privacy Commissioner alerts the organization in writing, pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial actions.

In many cases, the organization takes immediate action to correct the suspected breach. In some instances, advice is sought from the Privacy Commissioner on the measures that should be taken to prevent further breaches. At other times, the Privacy Commissioner investigates the matter and takes action to ensure compliance with the Ordinance. This might include, for example, issuing an enforcement notice to the organization directing it to remedy the situation.

During the reporting year, the Privacy Commissioner carried out 66 compliance checks in total in relation to alleged practices of data users that might be inconsistent with the requirements of the Ordinance.

The majority of the compliance checks (57) occurred in the private sector. The remaining 9 related to government departments and statutory bodies. The following examples highlight some of the compliance checks undertaken during the year.

Example 1

A primary school used a fingerprint reader system to collect fingerprint data of its pupils for attendance record purposes.

A self-initiated investigation was carried out against the school in relation to its use of a fingerprint reader system to collect fingerprint characteristics of its pupils for attendance record purposes.

The age of the pupils in this case ranged mostly from 6 to 12. The regular use of biometrics in the school was considered to be highly undesirable because the pupils, who were minors of tender age, could not understand the adverse privacy impact of providing their fingerprint data. Meanwhile, the Ordinance does not contain any provision that accepts the giving of prescribed consent by a third party, e.g. the parents, on behalf of the children.

After an investigation, the Privacy Commissioner was of the opinion that no genuine informed consent was given by the pupils of the school, and the collection of the fingerprint data for the administrative purpose of recording attendance was considered to be unnecessary and excessive having regard to the function or activity of the school. The collection of the personal data of pupils was therefore found to be in contravention of Data Protection Principle 1(1) of Schedule 1 to the Ordinance.

An enforcement notice was served on the school directing it to remedy the situation. Subsequently, the school ceased using the fingerprint reader system and destroyed the fingerprint data of its pupils.

Example 2

A company required job applicants to provide copies of their identity cards during job interviews.

The Privacy Commissioner approached the company, whose management admitted that it was their established practice to collect identity card copies from job applicants during job interviews.

After being notified of the relevant requirements under DPP1(1) and DPP1(2), paragraph 3.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers and paragraph 2.2.4 of the Code of Practice on Human Resource Management issued by the Privacy Commissioner under the Ordinance, the company immediately ceased to collect copies of identity cards from job applicants at job interviews and destroyed all the identity card copies previously collected from unsuccessful job applicants.

Example 3

Customers of some banks could see their full bank account numbers on ATM machine screens even when Personal Identification Numbers (PINs) were incorrectly entered.

According to local newspaper reports, customers of some banks could see their full bank account numbers when using ATM machines even if the wrong PIN was entered.

The banks said it was their standard practice to display account numbers on the ATM machine screen before the PIN is verified but that customers cannot continue with any transactions if the PIN is incorrect. To address the public's concerns, the banks stated that certain digits of an account number would be omitted to enhance security when using ATM machines.

 
 



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.