Publications and Videos

Annual Report

Monitoring Compliance

Compliance Checks

A compliance check is undertaken when the PCPD identifies a practice in an organization that appears to be inconsistent with the requirements of the PD(P)O. In such circumstances, the PCPD raises the matter in writing with the organization concerned pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial action. In many cases, the organization concerned takes the initiative and responds by undertaking immediate action to remedy the suspected breach. In other cases, organizations seek advice from the PCPD on the improvement measures that should be taken to avoid repetition of suspected breaches.

During the reporting year, the PCPD conducted 10 compliance checks in relation to alleged practices of data users that might be inconsistent with the requirements of the PD(P)O. The following are some of the compliance checks undertaken in the year.

Issue: In an email sent by an employment agency to all job seekers who have previously provided their personal data, the agency addressed recipients of the email by using information about them held in its email "address book". A recipient of the email can read the names and email addresses of others.
Improvement measures recommended: Very often, job seekers provide their personal data under confidence to an employment agency and would expect the agency to communicate with them on a confidential basis. Although the way that the agency sends the email can bring convenience, it may lead to an unnecessary disclosure of the names and email addresses of individuals. Where an email "address book" is configured to link an individual's name with his email address, care should be taken when using the "address book" to send emails to multiple recipients. In the circumstances, the alternative of addressing recipients using the "blind carbon copy" ("bcc") function should be considered.

Issue: When visiting a page on a restaurant's website, visitors are provided a hyperlink that directs them to a database that contains personal data of customers of the restaurant.
Improvement measures recommended: When performing website maintenance or re-design of web pages, care should be taken to ensure that control on public access to information not intended for disclosure can still be maintained. When a website is not ready for use, it would be a good practice to alert visitors that the site is "under construction/development" and to inform them of the temporary suspension of any hyperlink access.

Issue: Information contained in an individual's credit report may be misleading when it shows the writ information obtained from public court documents.
Improvement measures recommended: A credit report may display writ information concerning an individual who is the data subject. In the absence of any unique personal identifier (as in the case of court documents) that may facilitate correct matching, care should be taken when relating such information to the individual concerned. A mis-match may occur that results in writ information of another person with a similar but not identical name being associated with the individual. To avoid any misleading effect, a clear message should be displayed in the credit report, e.g. to put this kind of public information under a heading that reads "Public Record of Potential Relevance" on a separate page of the report.

Issue: Passengers traveling on ferries between Hong Kong and Macau are asked to complete a passenger information form that requires personal data such as the name, telephone number, address and seat number.
Improvement measures recommended: It is understandable that precautionary measures need to be taken to ensure public health and safety during the outbreak of SARS, which is a communicable disease that occurred worldwide. The collection of passengers' personal data by means of a "Health Declaration Form" issued by the Health Authority is one of the means that serve to detect and control the spread of SARS in the community. However, it is neither the policy of the Health Authority nor a requirement imposed on ferry operators to collect personal data of passengers for the prevention of resurgence of SARS. The ferry operator was advised to cease the practice.
 
 



Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer