Focus Story: Compliance Actions Taken by the PCPD

If you live in any modern city, including Hong Kong, information
about you is collected every minute of every day. So says
the Privacy Commissioner's Office ("PCPD") Chief
Privacy Compliance Officer Vincent Li. Although in most cases
gathering of such information may be warranted, Mr. Li recognizes
that some instances may breach the Personal Data (Privacy)
Ordinance (the PD(P)O). Working on information gathered from
a variety of sources - the media and the general public included
- he and his team are proactive in contacting data users directly
to alert them about practices of theirs that could be a cause
for concern. If the data users contend that amending the practices
in question will be difficult, says Mr. Li, "We will
give advice on how to strike a balance between practical realities
and compliance with the PD(P)O."

The PCPD's aim to ensure all data users comply with the provisions of
the PD(P)O could not be effectively achieved if it were to
take a passive role and initiate investigations only after
complaints are received from the public. When handling complaints,
legal procedures are involved and these are usually time-consuming.
To make up for this, the PCPD has actively engaged in compliance
checks in recent months to inform organizations concerned
that their actions may be inconsistent with the requirements
of the PD(P)O. The organizations have also been advised to
take corresponding remedial measures before the PCPD receives
any formal complaints.

Below are three examples of recent cases with fruitful outcomes:

One involved a report by several local newspapers that a bank had collected
from non-account holders copies of their Hong Kong Identity
Cards, addresses and contact details when they purchased gift
cheques from this bank. Upon learning about the practice,
the PCPD initiated a compliance check.

According to the PD(P)O, personal
information should not be collected unless it is for a lawful
purpose directly related to the data user's function or activity.
A further provision is that the information collected should
not be excessive. The PCPD has set out the circumstances under
which copies of an individual's identity card may be collected.

[Photo: Mr. Vincent Li, Chief Privacy Compliance Officer]

After vetting the Guideline on Prevention of Money Laundering, the
PCPD took the view that, with respect to the activity in question,
banks are required to seek positive evidence of identity from
applicants and keep copies of their identification documents
when transactions involve large sums of cash or are considered
unusual. The PCPD considered it doubtful that the purchase
of gift cheques would normally involve large sums of cash
or could be considered unusual.

If the PCPD believes that certain practices of an organization may
not be consistent with the requirements of the PD(P)O, says
Mr. Li, "after the matter has been resolved, we will
bring it to the attention of the association concerned for
that particular industry or to the regulatory body supervising
the whole industry".

Eventually, the bank in question agreed to revise its practice and ceased
to collect copies of Hong Kong Identity Cards from non-account
holders buying gift cheques, unless the amount of a single
purchase exceeds HK$100,000.

The PCPD was alerted to a similar case involving requests for copies
of identity cards. A mobile-phone service company made this
demand of a director of a limited company who had opened an
account in the name of his firm. He was also asked to provide
his company's registration documents.

Because the client was essentially a "limited company",
such data collection was considered unnecessary under the
Code of Practice on the Identity Card Number and other Personal
Identifier.

On learning about the incident, the PCPD immediately contacted the mobile-phone
service company to enquire about not only the case in question
but also the company's guidelines in handling such matters.
It learned that any individual opening an account was required
to provide a copy of his or her identity card, irrespective
of whether the account was that of a company or an individual.
After the PCPD's involvement, however, the mobile-phone service
provider agreed to amend its policy so that individuals opening
a company account would no longer be required to furnish copies
of their identity cards.

Another case tackled by the compliance team involved an organization
introducing a fingerprint-recognition system to record employees'
attendance at work. This attracted much attention from the
mass media and the PCPD initiated a compliance check. The
organization explained to the PCPD that it thought this would
be an accurate and effective way to ensure staff punctuality.

It is generally accepted that the application of biometric technology
as a monitoring / security system for employees. The PCPD takes
the view that, before determining which monitoring / security
system to employ, employers should carry out assessments to
determine the potential risks and benefits to be derived from
using the system. Thereafter, the employers should assess
the likely adverse impact the system may have on the personal
data privacy of employees. One consideration that employers
should take into account is whether the same purpose can be
achieved by means less intrusive on privacy. Where
there are other realistic or pragmatic alternatives, these
should be resorted to.

In the case concerned, if the fingerprint-recognition devices
are used solely for the purpose of recording staff attendance, that
purpose does not appear to justify their use. This does not
mean, however, that the use of a fingerprint-recognition system
for legitimate purposes would never be allowed. Valid reasons
for employing such a system might exist in situations where
stringent control is required in ensuring access to an absolute
security area by authorized personnel only.

The organization subsequently heeded the PCPD's advice and introduced a new
PIN system for the same purpose. Saying that ignorance is
to blame for many cases involving contraventions of the PD(P)O,
Mr. Li adds: "Once we've explained to those concerned
that the requirements of the PD(P)O may have been breached,
they're more than happy to revise their practices to comply
with the PD(P)O."

It is hoped that the PCPD's proactive approach, coupled with the
public's increasing awareness of personal data privacy, will further
enhance respect for personal data privacy by organizations
and individuals.