1. An investigation conducted by the Office of the Privacy Commissioner for Personal Data ("PCPD") revealed that the Hong Kong Preventive Association Limited ("HKPA") and Aegon Direct Marketing Services Insurance Broker (HK) Limited ("Aegon Direct"), in a joint telemarketing programme, had collected personal data from the public in a misleading and arguably deceitful way, thus breaching the data collection and use requirements under the Personal Data (Privacy) Ordinance (the "Ordinance").
2. Over the past two years, HKPA had obtained the personal data from about 360,000 people and sold the data to Aegon Direct for use in direct marketing of insurance products.
3. Mr Allan Chiang, the Privacy Commissioner for Personal Data, reminded all organisations engaged in direct marketing activities, including those collecting personal data directly from potential customers and those obtaining personal data from other sources, to ensure compliance with the Ordinance and respect individuals' right of self-determination over their personal data. If the contraventions shown in this case were committed today, the corporate data user at fault would be held criminally liable to a fine and imprisonment under the new regulatory regime for direct marketing which commenced on 1 April 2013.
4. The Commissioner also advised members of the public to exercise vigilance when responding to telemarketing calls for the supply of their personal data in exchange for rewards. A cautious approach helps safeguard their personal data from misuse.
Background
5. Several persons complained to the PCPD that the HKPA had collected their personal data (names, gender, mobile phone numbers, residential addresses and partial identity card numbers) over the phone for the purpose of signing up for free medical check-up service that was said to be in support of a "Universal Medical Check-up Scheme". Thereafter, they received a welcome letter and gifts for joining the Aegon Direct Club. Subsequent to this automatic enrolment to the Aegon Direct Club, they received direct marketing messages from Aegon Direct from time to time.
6. Only after receipt of the welcome letter did the complainants realise that the true purpose of the call from HKPA was to collect their personal data for transfer to Aegon Direct for the latter's direct marketing activities. The complainants were dissatisfied that the HKPA telemarketers had not explicitly informed them of the intended transfer of the data to Aegon Direct for use in direct marketing. The complainants were also dissatisfied with Aegon Direct's use of their personal data in direct marketing without obtaining their consent. Hence, they lodged their respective complaints with the PCPD.
7. The PCPD has so far received 11 enquiries and five complaints in this regard. The Commissioner initiated a formal investigation against HKPA and Aegon Direct in respect of three complaints.
Findings
8. It was found that HKPA's telemarketers had asked people to give their personal data for registration for a free medical check-up when in fact the data was sold to Aegon Direct for the latter's use in marketing insurance products.
9. The Commissioner concluded that both companies, as data users, had contravened the Data Protection Principles ("DPPs") set out in the Ordinance:
HKPA
- It collected the complainants' personal data by unfair means. For example, it offered a free medical check-up in support of a "universal medical check-up scheme" which did not exist and misled the complainants into believing that the scheme had the blessing of the Government. It failed to explain clearly that the data would be transferred to Aegon Direct for use in direct marketing activities. Such unfair means of collection constitutes contravention of DPP1(2) [on Data Collection].
- It failed to take all practicable steps to explicitly inform the complainants of the transfer of their personal data to a third party. When mentioning Aegon Direct as the transferee, it did not say what kind of business Aegon Direct was engaged in. It thus contravened DPP1(3) [on Data Collection].
- Such transfer of the complainants' personal data was neither consistent with nor directly related to the original purpose of data collection (namely, registration for the free medical check-up). As this was done without the explicit and voluntary consent of the complainants, it constitutes contravention of DPP3 [on Data Use].
Aegon Direct
- The collection of partial identity card numbers from the complainants was held to be excessive as other contact data supplied already sufficed for the purpose of authenticating the claimants for the free medical check-up and preventing multiple claims. This constitutes contravention of DPP1(1) [on Data Collection].
- Without the complainants' voluntary and explicit consent, it had used their personal data for direct marketing: a purpose which was different from and not directly related to the original purpose of data collection (namely, registration for medical check-up), thus contravening DPP3 [on Data Use].
Enforcement Action
10. After the PCPD's intervention, Aegon Direct had ceased using the complainants' personal data for direct marketing, and had destroyed their personal data as well as the partial identity card numbers of persons who had not purchased any insurance products through Aegon Direct. However, in order to remedy the contraventions and prevent any recurrence, the Commissioner had served on HKPA and Aegon Direct an Enforcement Notice, pursuant to section 50(1) of the Ordinance.
11. The Enforcement Notice directed both companies to formulate relevant policies, guidelines and/or procedures to prevent contravention of the requirements under Part VIA of the Ordinance when they collect and use personal data for direct marketing purpose in future.
12. The Commissioner also directed Aegon Direct to destroy the personal data provided by HKPA by 30 September 2013, (a) except the personal data of the data subjects who, as a result of HKPA's referral, had purchased insurance products through Aegon Direct, and (b) unless such data will be used before that date for direct marketing, in which case the provisions in Part VIA of the Ordinance must be complied with.
13. Under the Ordinance, a data user who fails to comply with an Enforcement Notice commits a criminal offence and is liable on conviction to a maximum fine of $50,000 and imprisonment for two years.
The Commissioner's Comments
14. Mr Chiang remarked, "Octopus's contraventions in the collection and use of the personal data of customers registered in the Octopus Rewards Programme (2010) should be a wake-up call to corporate data-users in Hong Kong. With regret, however, in many recent investigation cases, including this one, it was found that the data users still fell short of meeting customer expectations and compliance with the requirements of the Ordinance."
15. "One example is seen in the investigation report on "MoneyBack Programme" operated by A.S. Watson Group (HK) Limited through PARKnSHOP and Watsons (published in October 2012). A.S. Watson failed to learn from the Octopus case on two counts. First, it repeated the mistake of Octopus for collecting the customers' partial ID card number for authentication, when other contact information already sufficed for that purpose. Secondly, it failed to define clearly the purpose of data collection and to whom the data would be transferred. As pointed out in the Octopus investigation report, the use of vague terms to define the data transferees such as "subsidiaries", "partners", "affiliates", "third parties" and "any other persons under a duty of confidentiality to us" were not acceptable. But they continued to be used by A.S. Watson regardless."
16. "In the present case, HKPA and Aegon Direct again repeated the mistake of excessive collection of personal data, namely, collecting the partial ID card number of target customers for authentication purpose. Worse still, as in the Octopus incident, a misleading or arguably deceitful communication approach was adopted in the collection of personal data. Obviously, this was calculated to enable HKPA to sell the target customers' personal data to Aegon Direct for the latter's direct marketing activities, at the expense of the customers' right to make an informed decision. Aegon Direct was also accountable as it had approved the scripts of the HKPA telemarketers. Such irresponsible and recalcitrant behavior must be condemned."
17. Mr Chiang concluded, "I sincerely wish all corporate data users to measure up to customers' expectations and embrace privacy and data protection as a business imperative, instead of taking a remedial approach when sanction is invoked against them. At the minimum, they should seriously review their privacy policies and data protection practices to ensure compliance with the Ordinance. Strategically, they are encouraged to build a privacy-respectful culture within their organisations so as to win customers' trust and enhance their competitive edge."
Enhanced regulation and heavier penalties
18. The Commissioner reminded organisations that a tighter regulatory regime under the Ordinance for the collection and use of personal data in direct marketing had commenced on 1 April 2013. The consequences of contravening the new requirements are dire. For example, the maximum penalty for the unauthorised transfer of the personal data of a data subject by a data user to a third party for the latter's use in direct marketing is a fine of $500,000 and imprisonment for 3 years. If the transfer is for gain, the maximum fine is $1 million and imprisonment of 5 years.
19. It is also an offence to use the data subjects' personal data in direct marketing without prior notification to them of such intended use and obtaining their consent. The maximum penalty is a fine of $500,000 and imprisonment of 3 years. The new provisions should serve as an effective deterrent to future contraventions.
20. The full version of the Investigation Report can be obtained from the PCPD (12/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong), or at www.pcpd.org.hk/english/resources_centre/publications/files/R13_1138_e.pdf
- End -