
Media Statement - California Fitness Collected Excessive Personal Data from Membership Applicants in Contravention of the Privacy Law

Date: 5 December 2013


(5 December 2013) The fitness centre chain, California Fitness (“CF”), breached data privacy by collecting excessive personal data, including copies of Hong Kong Identity Card (“HKID Card”), from its customers who applied for or renewed membership, the Office of the Privacy Commissioner for Personal Data (“PCPD”) revealed in an investigation report today. CF is in possession of some 200,000 copies of HKID Card it had previously collected.

2. The Privacy Commissioner for Personal Data Mr Allan Chiang reminds organisations to “wake up” to their obligation under the Personal Data (Privacy) Ordinance (the “Ordinance”) and avoid disproportionate collection of personal data. “HKID Card numbers and copies, in particular, are very important personally identifiable information and should be treated with caution. It is irresponsible for organisations to collect these data for identification and authentication purposes without seriously assessing the risk, if any, of using alternative and less privacy-intrusive means. In the event that these data are mishandled or inappropriately disclosed, individuals will suffer the risks that their identity, finances and privacy are compromised. They should not therefore give out such data readily. Never be afraid to ask the data users why they want the data and what they plan to do with the data.”

Background

3. The investigation stemmed from two complaints against CF’s policies and procedures for membership application and renewal, which involve the collection of the applicant’s full date of birth particulars (year, month and day); HKID Card number; and a copy of the HKID Card or, alternatively, the Home Visit Permit.

4. The issue is whether the collection of such personal data is necessary and not excessive for the purpose of membership application/renewal and other lawful activities of CF, as required by Data Protection Principle (“DPP”) 1(1) under the Ordinance.

The Commissioner’s Findings

Full Date of Birth Particulars

5. CF claimed that collection of full date of birth particulars was necessary to establish the legal age of the applicant before signing the membership agreement. However, as applications are made in person, verification of age could be made by examining the applicant’s HKID Card on the spot.

6. CF also asserted that collection of full date of birth particulars was necessary for designing and promoting its products and services to the members. Only two examples were quoted. The first example referred to age-specific classes and exercise programmes. The second example was a promotional offer provided in the birthday month of the member. In the circumstances, the Commissioner considered that collection of the member’s age range and month of birth would suffice for both purposes. The collection of the member’s year and day of birth was excessive.
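The finding in paragraphs 5 and 6 is a data minimisation point: the legal-age check can be done on the spot against the HKID Card, after which only the age range and birth month are needed. The following is an added illustration of that "verify, then retain the minimum" pattern; it is not code from the PCPD report or from CF, and the age bands and the 18-year threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, fields
from datetime import date
from typing import Optional

# Assumed age bands for age-specific classes; the report does not define any.
AGE_BANDS = ((18, 24), (25, 34), (35, 44), (45, 54), (55, 64), (65, None))
MIN_AGE = 18  # assumed legal age for entering the membership agreement


@dataclass(frozen=True)
class MemberRecord:
    """What the fitness centre keeps: no year or day of birth, no HKID Card copy."""
    member_id: str
    age_band: str      # e.g. "25-34"; enough for age-specific programmes
    birth_month: int   # 1..12; enough for a birthday-month promotion


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`, counting the birthday itself."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(age: int) -> str:
    for lo, hi in AGE_BANDS:
        if age >= lo and (hi is None or age <= hi):
            return f"{lo}-{hi}" if hi is not None else f"{lo}+"
    raise ValueError(f"age {age} below minimum band")


def enrol(member_id: str, dob_shown_on_card: date, today: date) -> Optional[MemberRecord]:
    """Verify legal age from the date of birth shown on the card presented in person.

    The full date of birth is used only for this check and is not stored;
    returns None when the applicant is under MIN_AGE.
    """
    age = age_on(dob_shown_on_card, today)
    if age < MIN_AGE:
        return None
    return MemberRecord(member_id=member_id,
                        age_band=age_band(age),
                        birth_month=dob_shown_on_card.month)


def birthday_promotion_due(record: MemberRecord, today: date) -> bool:
    """The birthday-month offer needs only the month, not the full date."""
    return record.birth_month == today.month


def retained_field_names() -> set:
    """Lets a reviewer confirm that no full-date field slipped into the record."""
    return {f.name for f in fields(MemberRecord)}


if __name__ == "__main__":
    # Constructed sample: an applicant presenting a card on 5 December 2013.
    rec = enrol("M-0001", date(1990, 7, 15), date(2013, 12, 5))
    print(rec)                                   # age 23 -> band 18-24, month 7
    print(birthday_promotion_due(rec, date(2014, 7, 1)))
    print(enrol("M-0002", date(1997, 1, 1), date(2013, 12, 5)))  # under age -> None
```

The point of the design is that `MemberRecord` cannot hold the year or day of birth even by accident, so a later breach of the membership database exposes only an age band and a month, while the age check itself is no weaker than before.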

HKID Card Number

7. As members have to enter into a formal agreement with CF which entails significant rights and obligations, the Commissioner sees no objection to collecting HKID Card number for inclusion in the agreement.

Copies of HKID Card and Home Visit Permit

8. The arguments put forward by CF to support the need to collect a copy of HKID Card or alternatively, Home Visit Permit, are all untenable. First, CF argued that since members were permitted to use pseudonyms on membership cards and membership agreements, it had to retain the HKID Card copies so that the legal names (the name on HKID Card) could be ascertained as required in certain circumstances such as legal proceedings. But CF could have included the legal names in the membership agreement at the outset.

9. Secondly, CF alleged that the HKID Card copy was required by its auditor to verify membership income, but it fell short of confirming that this was either a statutory requirement or a standard accounting and audit practice. Clearly, other means of verifying membership income, such as examination of bank statements, are equally effective.

10. Thirdly, CF explained that HKID Card copies had to be collected from members to support their staff remuneration system for reward of achievement of sales targets. The system is tiered with different levels of sales target and the higher the level of target achievement, the bigger is the amount of bonus payable. As the extra amount of bonus gained by achieving a higher sales target could far exceed the payment for membership fee, the system provides great incentive for the staff to submit bogus membership applications. To deter such possible fraud, CF insisted that the sales staff had to obtain HKID Card copies from the membership applicants as proof of transaction. The Commissioner, however, considered that alternative measures such as calling the applicants to verify the genuineness of the applications could be equally if not more effective.

Conclusion

11. The Commissioner concludes that in the circumstances of the two complaint cases, CF’s collection of members’ full date of birth particulars and copies of HKID Card/Home Visit Permit was unnecessary and amounted to excessive collection of personal data, thus contravening the requirements of DPP 1(1) on data collection. At the same time, he finds no contravention on the part of CF for collecting HKID Card number.

Enforcement Notice

12. Accordingly the Commissioner served an enforcement notice on CF on 21 November 2013 directing it to remedy and prevent any recurrence of the contravention. [CF was holding the HKID Card copies of some 200,000 current and former members.] In response, CF has indicated it will appeal to the Administrative Appeals Board against the enforcement notice.

Other Comments

13. Mr Chiang commented, “It is most regrettable to find that CF, with a database of nearly 220,000 customers, has not learnt from the infamous Octopus incident which took place three years ago. It repeated the Octopus mistake of excessive collection of customers’ personally identifiable information for member authentication purposes.”

14. “Organisations engaged in the design or operation of an authentication process should respect privacy and ensure data protection at every stage of the process. This would involve limiting the collection, use, storage, transfer and disclosure of personal data to the purposes deemed necessary for accomplishing authentication. The level of authentication (and, by definition the amount of personal data collected for that authentication process) should be in proportion to the nature and value of the transaction, and take into account the sensitivity of the personal data.”

15. “The past Octopus incident and the current CF case highlight a number of recurrent problems in personal data collection. First, corporate data users tend to err on the generous side. They collect personal data without giving serious thought to what real purposes the data collected could serve. Further, they tend to over-emphasise their administrative and operational convenience, at the expense of data subjects’ privacy and data protection. When it comes to authentication, they tend to require the strongest level of authentication regardless of the nature of the transaction. I believe over-reliance of production of HKID Card number and HKID Card copy for identity authentication is a common phenomenon in Hong Kong. It amounts to overkill and the trend must be reversed.”

16. In the past six years, the PCPD received about 950 complaint cases in relation to collection and handling of the data relating to HKID Card and other personal identifiers. In the year 2012, this privacy issue was ranked fourth in terms of the number of complaints received. A summary of selected cases handled in recent years is at Annex. The cases cover a wide range of areas including application to join customer loyalty schemes, entry for lucky draws, acting on behalf of a company in which one is employed, identification of oneself as a visitor to a residential building and to a commercial building, going through a recruitment process and so on.

17. Mr Chiang emphasised, “We should bear in mind that HKID Card number is a unique personal identifier which cannot be altered throughout one’s life. We should treat it as highly personal and sensitive data, and protect it against any unwarranted disclosure or misuse. If HKID Card number or copy fell into the wrong hands, it could create or enhance the risk of identity theft causing administrative nuisance or financial loss to the affected persons. We do not have official statistics in Hong Kong regarding identity theft but it is worrying to know that in the U.S. thieves stole more than US$21 billion from 12.6 million victims (5% of the adult population) in 2012 by using their personal information [1], and it can take years for identity theft victims to repair their finances [2].”

Read the Investigation Report online:
http://www.pcpd.org.hk/english/resources_centre/publications/files/R13_12828_e.pdf

Guidance to Organisations (copies can be obtained at the PCPD office or downloaded):

- End -

[1] According to a study by Javelin Strategy and Research

[2] According to the Privacy Rights Clearinghouse

Notes to Editors:

1. The PCPD is an independent statutory body set up to oversee the enforcement of the Personal Data (Privacy) Ordinance in Hong Kong.

2. Anyone who collects and uses (including discloses and transfers) personal data must comply with the six Data Protection Principles (DPPs) of the Ordinance, which make sure that personal data is:

  • fairly and lawfully collected, adequate, relevant and not excessive (DPP1)
  • accurate and up to date; not kept for longer than is necessary (DPP2)
  • used for limited purposes unless the data subject consents with change of purpose (DPP3)
  • secure (DPP4)
  • processed in line with open privacy policies (DPP5)
  • processed in line with data subjects' rights to access and correct their data (DPP6)

3. Non-compliance with DPPs does not constitute a criminal offence directly. But the Privacy Commissioner may serve an Enforcement Notice to direct the data user concerned to remedy the contravention. Contravention of an Enforcement Notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment of up to 2 years.

4. If an enquiry /investigation finds prima facie evidence that an offence is committed, the Commissioner may refer the case to the police for criminal investigation and prosecution.