Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2022C05

Restaurants took inadequate security measures to protect customers’ information – DPP 4 – security of personal data

The Complaint

In response to the COVID-19 pandemic, the Government imposed the Restaurant Entry Requirement whereby the responsible persons of restaurants had to ensure that customers either scanned the venue’s QR code with the “LeaveHomeSafe” mobile app or registered their names, contact numbers, and dates and times of their visits before entering the restaurants, and for restaurants to keep such written or electronic records for 31 days. Since the implementation of the Restaurant Entry Requirement on 18 February 2021, the PCPD had received complaints about the failure of restaurants to properly handle the registered data of customers, and as a result, launched investigations into 14 complaints.


The PCPD’s findings revealed that: 11 restaurants used common registration forms or books; one restaurant did not set up any collection box for the forms; one restaurant failed to cover the collection box at all times; and one restaurant used uncut sheets of paper as common forms. The above practices exposed the registered personal data to unauthorised or accidental access or use, and contravened DPP 4(1) of the PDPO as regards the security of personal data.

The 14 restaurants subsequently took remedial action, including replacing common registration forms or books with individual registration forms, setting up a form-collection box made of opaque materials for customers’ use, and requesting its staff to cover the collection box at all times. Nevertheless, in order to prevent recurrence of similar incidents in future, the PCPD issued Enforcement Notices to the restaurants in question to request them to implement appropriate and practicable measures to protect the registration data of customers and specified the steps that ought to be taken by the restaurants for preventing recurrence of the contravention. These measures included providing a written policy and guidance to their staff, as well as circulating the guidance regularly and providing training to staff to raise their awareness of personal data privacy protection.

Lesson learnt

Regardless of the scale of business, mode of operation and availability of resources, all restaurants have the responsibility to comply with the requirements of the PDPO in the collection, holding, processing and use of personal data. When it comes to implementing anti-epidemic measures, restaurants should raise their staff’s awareness of personal data privacy protection through appropriate training and guidance. With effective measures in place to protect personal data privacy, restaurants are set to enhance their goodwill, competitive edge and potential business opportunities.

On the other hand, to safeguard their personal data, members of the public should be mindful of the privacy risks inherent in providing personal data to restaurants.

(Uploaded in September 2022)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :