When the complainant entered a commercial building (the "Building") to attend a party, he was asked by the security guard to fill information including his HKID card number in a visitor record card. Later when he left the Building, the security guard gave him a pile of other visitors' record cards to search his own card and to fill in the departure time; thus he could read the personal information of other visitors. He complained that there was no "Personal Information Collection Statement" ("PICS") on the card and he was not informed of the retention period and the security measures regarding access and disposal of the cards.
The Commissioner's Views on the Matter
Data Protection Principle ("DPP") 1 of the Personal Data (Privacy) Ordinance ("the Ordinance") stipulates, inter alia, that the data subject should be explicitly informed on or before collecting the data of the purpose (in general or specific terms) for which the data are to be used and the classes of persons to whom the data may be transferred.
Section 26 of the Ordinance provides, inter alia, that a data user shall erase personal data held by the data user where the data are no longer required for the purpose (including any directly related purpose) for which the data were used unless any such erasure is prohibited under any law, or it is in the public interest (including historical interest) for the data not to be erased.
Similarly, DPP 2 (2) stipulates that personal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data are or are to be used.
DPP 4 (a) further provides that all practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure or other use, having particular regard to the kind of data and the harm that could result if any of those things should occur.
Under paragraph 2.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers ("the Code"), no data user may compulsorily require an individual to furnish his identity card number (unless authorized by law). Paragraph 2.2 further provides, inter alia, that before a data user seeks to collect from an individual his identity card number, the data user should consider whether there may be any less privacy-intrusive alternatives to the collection of such number, and should whenever practicable give the individual the option to choose any such alternative in lieu of providing his identity card number.
According to paragraph 126.96.36.199 of the Code, if the purpose of collecting identity card number is for future identification of the holder of the identity card where such holder is allowed access to premises which the holder is not otherwise entitled to, in circumstances where the monitoring of the activities of the visitors after gaining access into the building is not practicable, the data user is permitted to collect the identity card number. Nonetheless, the data user shall comply with the following requirements.
Paragraph 2.5.1 provides that where paragraph 188.8.131.52 applies, the data user should take all reasonably practicable steps to erase the record of an identity card number upon the holder of the identity card leaving the premises within a reasonable time thereafter.
Paragraph 2.7.2 further stipulates that unless otherwise required or permitted by law, a data user should take all reasonably practicable steps to ensure that an identity card number and the name of the holder are not made visible or otherwise accessible to any person, other than a person who needs to carry out activities related to permitted uses of the identity card number.
According to the information provided to this Office by the property management company of the Building (the "Company"), the original visitor record is of two parts with an identical serial number. The "PICS" is at the back of the lower part of the card. The lower part is kept by the visitor when he enters the building and should be returned to the management counter when he leaves. The staff will then match with the upper part of the card and fill in the departure time. Thus, no third party can access the personal information of other visitors. The contents of the "PICS" contains the purpose of collecting personal data, the retention period and the security measures regarding disposal and storage of the cards. There are also internal memo and guideline regarding the collection personal data from visitors and the retention period of the cards.
In this case, the stock of record card was exhausted. The staff only photocopied the upper part but not the lower part of the card. Furthermore, in order to expedite the checking process, the complainant was asked to pick up his own card from a pile of cards with similar spelling to the complainant's name.
After the incident, the staff on duty apologized for the inconvenience caused to the complainant. The complainant's card was destroyed. The Company revised their internal memo guideline and reminded the staff of the strict compliance of the same. A "PICS" in A4 size was posted at a prominent place of the reception counter. The Company is also considering shortening the retention period of the cards.
Owing to the remedial measures taken by the Company, the matter has been resolved effectively through mediation and further investigation of the case is unnecessary.