Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2022C03

A telecommunications company accepted a HKID Card that had been declared lost by a customer – DPP 4 – security of personal data

The Complaint

The Complainant had his belongings and HKID Card stolen. He then called and visited his telephone service provider to report the theft and asked its staff to record the theft in its computer system so that the thief could not assume his identity. Subsequently, a person (the Person) visited a branch of the telecommunications company and, using the HKID Card stolen from the Complainant as proof of identity, successfully deactivated the Complainant’s telephone number and signed two new contracts. Meanwhile, the Person also changed the Complainant’s email address from which the latter received his bills from the telecommunications company.

Dissatisfied with the handling of the case by the telecommunications company, the Complainant reported the incident to the Police and lodged a complaint with the PCPD.


The telecommunications company confirmed that the Complainant had notified them of the theft of his HKID Card. However, at the time of the incident, the telecommunications company had not established proper practices to record the loss of a customer’s HKID Card. As a result, its branch staff was not aware of the theft of the Complainant’s HKID Card when processing the Person’s application. The staff conducted the normal procedure of checking the customer’s proof of identity (i.e. asking the customer to produce the original identity document and checking the information on the document) to process the Person’s request.

In response to this case, the telecommunications company implemented a series of measures to deal with the loss of a customer’s HKID Card. They included requiring the customer who reported the loss of his HKID Card to present his recognisance form or other identity documents to its staff for verification of identity and to complete a “Declaration of Loss of HKID Card”. The staff would then suitably make a remark in the computer system, noting that the lost HKID Card could no longer be accepted as the customer’s identity proof. On the other hand, when a customer wished to apply for or change a service, and that customer had previously reported a loss of his HKID Card, its staff must check and ensure that the HKID Card presented was issued after the date of the report. When in doubt about the identity of the customer, the staff must request other identity documents from the customer. The telecommunications company also required that all such cases must be approved by a supervisor before it could be proceeded with.

The PCPD issued a warning to the telecommunications company regarding the incident. It was required to urge its staff to strictly follow its policies on the protection of customers’ personal data (including the above measures in relation to the reporting of loss of customers’ HKID Cards). It was also required to strengthen the training for its staff and remind its staff to handle customers’ personal data with prudence in order to comply with the relevant requirements of the PDPO.

Lesson learnt

With identity theft being a common occurrence nowadays, data users are faced with an unprecedented challenge to effectively protect their customers’ personal data. In the face of the multifariousness of crimes, it is important for data users to formulate proper identity verification mechanisms to avoid loopholes which unscrupulous individuals may exploit. In this case, if the telecommunications company had a proper recording and verification mechanism in place, it would have been able to effectively identify the suspected case. The telecommunications company would then have had the opportunity to bring the thief to justice.

(Uploaded in September 2022)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :