In response to a media report yesterday (28 September 2005) regarding "suspected leakage of customers’ privacy" by the self-service deposit system of a bank, the PCPD provides its views on this matter to ease public concern.
According to the report, a member of the public deposited cash to his friend by using the self- service deposit system of a bank. He keyed in the account number and then deposited cash into his friend's account. After the transaction, he found that his friend’s name and account number were clearly printed on the customer advice slip. He worries that such practice would enable fraudsters to obtain other people's bank account information and hopes that the bank should take measures to protect personal data privacy of customers.
Data Protection Principle 3 of the Personal Data (Privacy) Ordinance - use of personal data - relates to this matter. Under this principle, the purpose for which the customers’ personal data are to be used by the bank must be consistent with its original purpose stated at the time of data collection or for a directly related purpose, otherwise the prescribed consent of the customers concerned should be obtained beforehand.
In the above incident, the printing of the recipient customer's name and account number on the customer advice slip would enable the depositor to check and verify the recipient's details when making deposits into other customers’ bank accounts. Such a practice by the bank is consistent with the original collection purpose of the data of the customers (the recipient customers). Thus the bank has not contravened the above data protection principle.
The PCPD understands public’s concern on personal data privacy. In fact, the PCPD had previously discussed this issue with the banking sector and suggested ways to enhance protection of customers' personal data privacy. On this matter, the PCPD will approach the relevant bank to have a better understanding of the incident and hopes that the bank would adopt better practices.