Case Notes

Restaurants took inadequate security measures to protect customers’ information – DPP 4 – security of personal data... <more>

Staff of a property management company disclosed the personal data of residents when using recycled paper – DPP 4 – security of personal data... <more>

A telecommunications company accepted a HKID Card that had been declared lost by a customer – DPP 4 – security of personal data... <more>

An employer posted a list containing the personal data of staff who were to undergo virus testing – DPP 4 – security of personal data... <more>

Staff of a public transport company was doxxed – section 64 of the PDPO – disclosure of personal data... <more>

This case related to provisions on direct marketing... <more>

This case related to DPP1 - Purpose and manner of collection of personal data, DPP3 - Use of personal data and Code of Practice on Human Resource... <more>

Unencrypted personal data transmitted in mobile applications – DPP 4 – security of personal data... <more>

Loss of notebook computer containing work files – DPP 4 – security of personal data... <more>

Inadvertent disclosure of students’ personal data via email by a university – DPP 4 – security of personal data... <more>

Unauthorised access to an international fashion chain’s customer personal data system – DPP 4 – security of personal data... <more>

Unfair audio-recording of conversations with a subordinate by a supervisor – DPP 1 – collection of personal data... <more>

A hospital collected the time spent by a doctor on wards rounds and the number of patients he attended to, without prior notification – DPP 1–col... <more>

Disclosure of a customer's payment information to a third party by a travel agency – DPP 3 – use of personal data... <more>

Accessing a patient's electronic health record for non-medical purposes – DPP 3 – use of personal data... <more>

This case related to DPP1 - Purpose and manner of collection of personal data, DPP5 - Information to be generally available, Code of Practice on ... <more>

This case related to DPP1 - Purpose and manner of collection of personal data... <more>

A staff member transferred personal data held by his employer to his personal computer without authorisation – DPP 4 – security of personal data... <more>

Unauthorised access of personal data held by public schools via a web-based application system – DPP 4 – security of personal data... <more>

Recruitment platform wrongfully sent out emails containing CV information – DPP 4 – security of personal data... <more>

Unauthorised circulation of confidential documents containing personal data in social media network – DPP 4 – security of personal data... <more>

Personal data collection in shopping mall membership programmes and online promotion activities – DPP 1 – purpose and manner of collection of per... <more>

Websites without secure transmission of personal data – DPP 4 – security of personal data... <more>

Travel agencies’ customer databases being hacked – DPP 4 – security of personal data... <more>

IT system containing over 11,000 unencrypted patients’ records being hacked – DPP 4 – security of personal data... <more>

Online food ordering records leaked to the Internet involving 62,539 customers – DPP 4 – security of personal data... <more>

Data leakage via a phishing email involving 6,131 members of an institute – DPP 4 – security of personal data... <more>

Unauthorised download of 210,000 customers’ personal data by a contractor – DPP 4 – security of personal data... <more>

Credit card data of 11,655 Hong Kong customers hacked by a zero-day malware – DPP 4 – security of personal data... <more>