Media Statement - Privacy Commissioner Publishes Five Investigation Reports

Date: 20 June 2011

Privacy Commissioner Publishes Five Investigation Reports

1. The Privacy Commissioner for Personal Data (“the Commissioner”), Mr. Allan Chiang, published today (20 June) five investigation reports:
(i) four reports on contraventions of the Data Protection Principles (“DPPs”) of the Personal Data (Privacy) Ordinance (“the Ordinance”) relating to the collection and use of customers’ personal data by banks (Citibank, Fubon Bank, ICBC and Wing Hang Bank); and
(ii) one report on the Inland Revenue Department, which contravened another DPP of the Ordinance by failing to ensure the accuracy of a taxpayer’s address data.

PCPD received complaints similar to the Octopus incident
2. Last year, the Octopus incident aroused grave public concern over the sale of customers’ personal data by organizations without customers’ consent. Around that time, the Office of the Privacy Commissioner for Personal Data (“PCPD”) commenced investigation into 14 similar cases. Of these, 8 involved telecommunications companies; 5 involved banks; and the remaining one involved an insurance company. All investigations have now been completed.

3. Of the 8 complaint cases involving telecommunications companies, 2 cases involved the same telecommunications company and the Commissioner’s determination is being appealed against. For the other 6 cases involving telecommunications companies and the one case involving an insurance company, the PCPD has not made any finding of contravention of the requirements under the Ordinance.

4. Of the 5 cases involving banks, one relates to an investigation initiated by the PCPD. The investigation result has been forwarded to the bank concerned and its response is awaited. The PCPD today released the investigation reports of the other four complaint-based cases.

Results of investigation on 4 banks
5. In summary, the 4 banks’ contraventions in the collection and use of customers’ personal data for direct marketing were as follows:

(i) Collection of personal data (Contravention of DPP1)
On or before the collection of customers’ personal data, the banks used vague and loose terms to inform customers of the classes of persons to whom the data might be transferred and hence the customers could not ascertain with a reasonable degree of certainty the persons who could use their personal data. The font size of the Personal Information Collection Statement (“PICS”) was too small to read.

(ii) Use of personal data (Contravention of DPP3)
Customers’ personal data were disclosed to third parties for marketing purposes and monetary gain without the customers’ express and voluntary consent. Such use of customers’ personal data was not within their reasonable expectation.

In all four cases, the customer was only provided with one space to sign on the service application form. Hence he/she had to choose between (i) giving up the application for the service and (ii) agreeing to the transfer of his/her personal data to unrelated third parties for direct marketing purposes and monetary gains when in fact he/she might find such use objectionable. Such “bundled consent” cannot be regarded as an express and voluntary consent as required under the Ordinance.

(iii) Non-compliance with opt-out requests (Contravention of Section 34(1) of the Ordinance)
In one bank, namely ICBC, a customer’s written request for ceasing to use her personal data for direct marketing was poorly handled. It is clear that the bank’s operational system for handling customers’ opt-out requests was deficient and the staff concerned had been grossly negligent. After the customer concerned lodged the opt-out request with the bank, she had to complain several times in response to continued telemarketing calls in a period of 8 months before the request was finally acceded to.

(Please refer to Appendix A for details of the contraventions)

Follow up action by the PCPD
6. In the above contravention cases, the Commissioner has issued an Enforcement Notice to Wing Hang Bank. As regards Citibank, Fubon Bank and ICBC, since they have given the Commissioner written undertakings to remedy the contraventions and to ensure that the contraventions will not continue or recur, the Commissioner has not served an enforcement notice on them.

7. On the other hand, to help organizations comply with the requirements under the Ordinance as regards the collection and use of personal data for direct marketing activities, the PCPD has offered assistance in different ways, including the issue last October of a Guidance Note, “Guidance on the Collection and Use of Personal Data in Direct Marketing” (“the Guidance Note”). The Guidance Note advises on how to meet the legal requirements and recommends good practices for personal data protection. A number of compliance workshops and seminars have also been held for marketing practitioners and banking professionals.

The Commissioner’s compliance checks on selected banks
8. The above cases refer to past contraventions. It is important to ascertain whether and how the banks have learnt from their past mistakes and followed the Guidance Note. For this purpose, the Commissioner has taken the initiative to check the credit card application forms of 10 selected local banks for compliance with the Guidance Note. The details of the checks are set out in Appendix B. It can be seen that the banks are generally meeting the legal requirements in the collection and use of customers’ data for direct marketing, but they are less forthcoming in following the good privacy practices.

Inland Revenue Department cannot ensure the accuracy of personal data
9. In another case, the Inland Revenue Department (“IRD”) had erroneously changed the correspondence address of a taxpayer and had retained and repeatedly used the wrong address in mailing the Notice of Assessment and Demand for Tax to the taxpayer, resulting in non-receipt. The case was handled by 4 staff members from 4 different units of the department, but all of them failed to correct the address. The taxpayer had made 6 complaints by email, by telephone and by meeting IRD staff in person before the IRD finally corrected the data. As a result, the IRD contravened DPP2(1): it had not taken all reasonably practicable steps to ensure the accuracy of the complainant’s address held and used by it.

10. The Commissioner finds that the IRD had allowed multiple human errors to occur in the processing of the complainant’s information. This regrettable incident reflects a lack of awareness of data protection not only on the part of a single staff member but across different units of the IRD. Nevertheless, the Commissioner recognizes that the IRD has followed his advice and recommendations and implemented remedial and improvement measures to address the problems identified and to prevent their recurrence. In the circumstances, no enforcement notice was served on the department.

Naming the organizational data users
11. The 5 reports released today disclose the names of the parties complained against. This practice of naming the organizational data user which has contravened the requirements under the Ordinance will henceforth be adopted for all investigation reports published under section 48(2) of the Ordinance, subject to the following exceptions: (i) it is against Hong Kong’s public interests such as security, defence or international relations; (ii) it will prejudice the investigation or detection of crime; or (iii) there are other legislative requirements prohibiting publication and identification of the relevant data users in particular cases.

12. Mr. Chiang said, “We trust that the practice of naming data users will invoke the sanction and discipline of public scrutiny. In turn it will serve to encourage compliant behaviour by data users concerned and related parties.”

Commissioner’s observations and recommendations
13. With regard to the findings of the five investigations published today, the Commissioner has the following observations and recommendations.

14. Firstly, he hopes all enterprises engaged in the collection and use of vast amounts of customer data have learnt from the lessons of the Octopus incident and the banks. They need to have a corporate-wide privacy strategy which applies in all their business processes and operational procedures. They have to adhere to the principle of transparency in communicating to the customers the purpose of collection of their data and respect the customer’s right of self-determination over the use of the data.

15. Secondly, he is disappointed that the banks, whilst generally meeting the legal requirements in the collection and use of customers’ data for direct marketing, are less forthcoming in following the good privacy practices recommended in the Guidance Note. Specifically, the Guidance Note advises enterprises to design their service application forms so that the customer’s agreement to the terms and conditions for the provision of the service is separated from the customer’s consent to the use of his personal data for marketing products or services not directly related to the service he seeks, including the sale of his personal data for monetary gain. The recommended ways to achieve this include inviting the customer to tick a box, or to give a separate signature, specifying whether the customer agrees to such use of his data. The banks seem reluctant to provide this facility in their service application forms.

16. It is worth noting that the Government’s proposals to amend the Ordinance to tighten regulation of the collection and use of personal data include a requirement for the enterprise to provide, before or at the time of data collection, an option for the customer to choose not to agree to the use of his personal data for direct marketing purposes or to its sale to third parties. The Commissioner hopes that the banks will take a more proactive, customer-centric and privacy-friendly approach in heeding the recommendations of the Guidance Note, instead of becoming complacent in meeting the minimum requirements under the existing Ordinance. In return, they should enjoy enhanced customer trust and loyalty, creating a win-win for both the customers and themselves.

17. Thirdly, the ICBC’s case of mishandling the customer’s opt-out request highlights the difficulties that consumers in Hong Kong face in opting out of direct marketing approaches under section 34 of the Ordinance, namely,
(a) they can only opt out after the approach has been made;
(b) they have to exercise the option against each and every direct marketing company after the approach has been made; and
(c) they have to rely on the direct marketers to honour their unsubscribe requests.

18. To address these problems, PCPD has been advocating the setting up of a central “Do-not-call” register for consumers to opt out of all unwanted person-to-person telemarketing calls at the outset. The proposal can be implemented under the Unsolicited Electronic Messages Ordinance as an extension of the existing “Do-not-call” register operated by the Office of the Telecommunications Authority which covers only fax, short messages and pre-recorded telephone messages. The Commissioner hopes that the Government will seriously and promptly pursue the proposal, in an effort to strengthen regulation to prevent or reduce misuse of personal data for direct marketing.

19. Fourthly, the irregularities identified in ICBC’s mishandling of the customer’s opt-out request and in the IRD’s failure to maintain the accuracy of the taxpayer’s correspondence address share one common feature. Both involved multiple mistakes committed by different staff across a number of work units. They underline the fact that standard operating procedures and guidelines alone will not guarantee compliance with the requirements under the Ordinance. It is important that staff share work norms which emphasize such compliance. The Commissioner hopes that enterprises will be inspired to proactively build a corporate culture which embraces customer-centricity, privacy and data protection. It is incumbent upon top management to take the lead in instilling these values in staff through effective communication and due reinforcement.

20. Mr. Chiang concluded, “Since the Octopus incident, we see that some businesses have made obvious improvements in the protection of personal data privacy. Many business organizations have improved their Personal Information Collection Statement in terms of clarity as regards the purposes of uses of data and the classes of parties to whom the data may be transferred. They are more concerned about compliance with the requirements under the Ordinance. However, contraventions of the requirements under the Ordinance are still prevalent and PCPD has been handling an increasing number of complaints. I hope that businesses can manage the collection and use of personal data in a more proactive and serious manner so as to achieve a win-win outcome for both businesses and customers.”

Obtaining the Reports
21. For details of the case background, findings, the Commissioner’s recommendations and other comments, please refer to the published reports. Copies of the reports can be obtained from the PCPD at 12/F., Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong or downloaded from its website (http://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/invest_report.html).

END