Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2018C03

Travel agency should not distribute flight itinerary list (containing all tour members’ names and e-ticket numbers) to all tour members

The Complaint

The Complainant joined a package tour (the Tour) with a travel agency. On the date of departure, the tour escort distributed a flight itinerary list (the List) to all members of the Tour. The List contained all tour members’ full names, e-ticket numbers and booking reference numbers (the Information). Since each passenger’s full name, date of birth, nationality, passport number and passport expiry date could be accessed via the relevant airline’s website after logging in with the Information, members of the Tour were able to access each other’s said personal data.


Most airlines’ websites allow passengers to login with their names and booking reference numbers / e-ticket numbers for managing their flights. After logging in, passengers are able to manage information in relation to their bookings and flights, which usually include passengers’ nationalities, passport numbers, passport expiry dates and dates of birth. In short, the Information can be used as a key to unlock sensitive personal data of passengers, thus travel agency should keep extra caution when handling the Information.

The travel agency admitted that the distribution was unnecessary and might give rise to possible risk of personal data leakage. After PCPD’s intervention, the travel agency had reminded its staff members not to distribute any similar list to tour members. The travel agency had also informed all members of the Tour regarding the possible leakage of their personal data in the present case in writing. The Commissioner issued a warning to the travel agency.

(Uploaded in March 2019)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :