|
In this issue,
Mr K T Chan, our Chief Personal Data Officer, shows how this case
breached Data Protection Principles and outlines some of the other
complaints received last year to show the importance of personal
data privacy in everyday life. The PCPD received 919 complaints
from April 2003 to March 2004, an increase of 1.4% from the previous
year. The rise reflects the public's growing awareness of privacy,
which has led to a total of more than 5,000 complaint cases lodged
with the PCPD since its establishment in 1996.
Of the complaints
received in the past year, 71% (655) were against private-sector
organizations, 10% (95 cases) against public-sector organizations
and 19% (169) against individuals. A closer analysis of the numbers
reveals that the biggest number of complaints among the 655 made
against private organizations were levied at financial institutions.
Fifty of the 161 such cases involved the alleged use of personal
data by financial institutions to recover moneys owed. Twenty-three
of these cases involved the use of customer data for direct-marketing
purposes (including the transfer of customer data to third parties
for promoting their products).
Telecommunications
was second with 124 complaints, of which 28 concerned the use of
personal data for debt-recovery purposes. In 26 cases, the telecoms
companies were alleged to have applied for other services for the
customers or imposed charges on them without prior authorization
or notice.
In investigating
complaints involving the use of personal data for debt-recovery
purposes, Mr Chan found that at times some members of the public
might have misinterpreted the requirements of the Personal Data
(Privacy) Ordinance (the "Ordinance"). In some cases,
complainants object to the transfer of their personal data to debt
collectors and lodge complaint with the PCPD.
Mr Chan points
out that in general financial institutions may transfer debtors'
personal data to debt collectors for the purpose of debt recovery.
Such transfer is, in normal circumstances, directly related to the
original purpose of data collection, although institutions should
only disclose to debt-collection agencies such information necessary
for them to carry out their work, and should inform the debtors
of such disclosure at the time of collection of the data from the
debtors.
Loss
of customers' application forms
Mr Chan uses
the case of the lady whose personal data were left on a public light
bus as an example of one of the three types of complaints received
last year that we are going to discuss in this issue. After investigation
it was discovered that the bank had no policy or measures in place
to guide its staff to safeguard customers' personal data when conducting
outside-office promotional activities. As such, the bank had contravened
Data Protection Principle 4, which provides that a data user should
ensure the personal data he holds are protected against unauthorized
or accidental access, processing, erasure or other use.
[Image of image]
"According
to section 50 of the Ordinance, if the Privacy Commissioner is of
the opinion that a company/individual has contravened any requirement
of the Ordinance and the contravention is likely to continue or
be repeated, the Commissioner may serve on the relevant company/individual
an enforcement notice with directions about appropriate steps to
remedy the situation. The bank involved in the above case, it was
revealed, organized onsite promotions from time to time but had
not implemented any appropriate policy or measures to handle and
transmit its clients' application forms safely. To ensure customers'
personal data are transmitted or stored safely in future, we served
on the bank an enforcement notice directing it to implement appropriate
policies or practices with respect to its onsite promotions, and
to ensure compliance by its staff."
The bank eventually
promised to abide by the directions in the enforcement notice and
to rearrange its workflow for onsite promotional activities to avoid
recurrence of similar incidents. The bank also ceased its practice
of allowing staff to bring home the application papers collected
in such marketing campaigns, but required them to be transmitted
to and stored in nearby offices or branches.
When conducting
onsite marketing activities, companies often ask customers to provide
personal data on the spot. Mr. Chan reminds members of the public
to take extra care in such circumstances, saying that before proceeding
they should confirm the identity of the promoter collecting the
personal data, and consider whether the information will be handled
properly. If in doubt, he says, to protect against any potential
loss, think twice before complying with request for personal details.
Cross-marketing
activities
In 94 cases,
customers' personal data were used for direct-marketing purposes;
of these, 12 cases were related to cross-marketing activities. In
cross-marketing, customer data held by company "A" are
transferred or disclosed to another company (which we'll call "B")
to carry out a "joint-marketing scheme" promoting products
or services provided by A or B.
In one case,
the complainant contended the bank that issued his credit card transferred
his personal data without his consent to an insurance company for
telemarketing purposes. The bank acknowledged as much, admitting
that it had transferred to the insurance company detailed information
about the customer - his name, phone number, date of birth, identity-card
number and credit-card number. But it argued that it had informed
all clients beforehand that their personal data would be used to
market financial products, insurance service being perceived by
the bank as one such product. Which is why it insisted such transfer
of customer's personal data was consistent with the purpose stated
in its personal-data collection notice.
The PCPD, however,
takes a different view. "Although the transfer of the customer's
data might be directly related to the original collection purpose,
we considered that the customer's contact details would have been
sufficient," says Mr Chan. "In other words, the transfer
of other information such as identity-card number and credit-card
number was unnecessary and excessive. In light of this, our view
was that the bank had contravened Data Protection Principle 3 in
terms of the use of those personal data."
Mr Chan understands
that commercial companies need to market their products to customers
but says they should be mindful of using or disclosing customers'
personal data and ensure they are complying with the requirements
of the Ordinance. To provide clear practice guidelines to companies
carrying out cross-marketing activities, the PCPD published in March
a fact sheet called "Personal Data Privacy: Guidance on Cross-Marketing
Activities".
Complaints
related to job applications
Last year the
PCPD investigated five complaint cases about "blind recruitment
advertisements". According to the Code of Practice on Human
Resource Management (the "Code"), recruitment advertisements
that directly solicit personal data from job applicants must provide
the means to identify the employer or its agent. That means job
ads that do not provide the name of the organization fall into the
category of "blind recruitment advertisements". In other
words, if a company invites applicants in a recruitment ad to send
their resume to a post-office box, fax number or e-mail address
without disclosing its identity, it has contravened the Code.
Job applicants
are often asked to provide large amounts of personal data or even
copies of their identity cards. But the prospective employer should
not collect identity card copies during the recruitment process
until the applicant has accepted the employment offer. In addition,
prospective employers should not ask job applicants to provide information
unrelated to the recruitment exercise (which is primarily for the
purpose of identifying suitable candidates) such as credit-card
details or bank account details. That amounts to collection of excessive
data and contravenes the Code, hence the Ordinance.
[Image of image]"We
understand that job applicants are eager to get a job and worry
that they will lose opportunities if they are not cooperative,"
says Mr Chan. "However, we should bear in mind that employers
sometimes ask for excessive data. Before providing the information
we should think about what is being requested and why. Would an
organization asking for excessive personal data be a good employer?
To avoid being duped by impostors, job applicants should not underestimate
the serious consequences that may arise from their providing more
information than is necessary."
To raise job
seekers' privacy awareness in a user-friendly way, the PCPD has
placed a computer game on the PCPD web site (www.pcpd.org.hk) called
"Beware of Job Application Pitfalls".
Having processed
numerous complaint cases, how would Mr Chan advise the public to
protect their personal information? "Before
giving out information about yourself you must be aware of the collection
purpose and how the data will be used," he says. "Hong
Kong is a metropolitan city where the flow of information is essential
and inevitable. In many cases, there is a genuine need for members
of the public to provide personal data in order to receive the products
and services of organizations. We should be vigilant and conscious
of the reason we are being asked to provide such data. Is it reasonable
for the company to ask for the data in that situation? Are the requests
for information excessive? If there is any doubt we should clarify
with the parties concerned, and if the reply is not convincing we
may express our concern or consider declining to provide the data
to prevent any unnecessary loss."
To provide a
clear interpretation of the Ordinance in our daily life, the PCPD
will introduce new materials to provide practical guidance so members
of the public will be able to better protect their personal data.
Our staff are also available to help you with any queries. Our hotline
number is 2827 2827.
[Image of image]
|