(20 November 2014) The Office of the Privacy Commissioner for Personal Data ("PCPD") published two investigation reports today. One report revealed six tutorial service agency websites in breach of Data Protection Principle ("DPP") 1(1) of the Personal Data (Privacy) Ordinance ("the Ordinance") for collecting unnecessarily the Hong Kong Identity Card ("HKID Card") numbers of private tutors and the personal particulars of their contact persons during online registration. 520,000 persons1 were affected.
2. The second investigation report revealed 10 major employment agencies for domestic helpers in breach of DPP3 for posting on their websites the personal data of overseas job applicants, members of their families and their past employers (including Hong Kong employers). The personal data concerned is irrelevant to employee screening online by prospective employers. Such indiscriminate disclosure appears to be the norm among the employment agencies for foreign domestic helpers in Hong Kong, totalling more than 330,0002.
3. The Privacy Commissioner for Personal Data ("the Commissioner") Mr Allan Chiang commented, "The rapid growth of the Internet is redefining how data is collected, used and stored. Organisations and consumers that engage in e-commerce and other online services must be aware of the associated privacy risks such as data breach and unanticipated secondary use of the data by unknown third parties including unwanted communication and identity theft. Website operators must ensure that they are capturing and using personal data for reasonable business purposes. Web consumers accustomed to submitting personal information to various service providers in order to obtain desired services must be more vigilant about the release of such information."
Tutorial Service Agency Websites
4. The investigation covered five website operators and six websites (see Annex A). They collect information online from applicants seeking private tutor jobs as well as parents and students looking for private tutors. They provide a matching service and enjoy a commission for successful matching equivalent to two weeks' tuition fees.
5. A job seeker who wished to be enrolled in the placement service must provide his HKID Card number3 and a contact person4 with name, telephone number and relationship with the job seeker. This amounted to excessive collection of personal data by the websites.
6. The websites argued that collection of the HKID Card numbers was necessary to authenticate the identity of the job seekers so as to prevent impersonation and other improper or fraudulent activities which could be committed by the job seekers to the detriment of the websites and/or the parents and students.
7. The reality is that the website operators are not employment agencies regulated under the Employment Ordinance; otherwise they have a legal obligation to collect job seekers' HKID Card numbers. Operating on a low investment cost model, they do not interview the job seekers in person for employment checking and identity verification. The collection of the job seekers' HKID Card numbers online for identification is therefore a farce.
8. Routinely the website operators liaise with the job seekers and parents and check information with them over the phone or using mail, email or SMS. The use of these confirmed communication channels should suffice for reporting to the police any problem in case of need, and for lodging a claim with the Small Claims Tribunal in the event of failure to collect the commission from the job seeker after successful placement.
9. Mr Chiang remarked, "HKID Card number is a unique personal identifier which cannot be altered throughout one's life. It should be treated as highly personal and sensitive data, and should be well protected. If HKID Card numbers fall into the wrong hands, they could create or enhance the risk of identity theft, thus causing administrative nuisance or financial loss to the affected persons. To avoid these fatal consequences in the event of data leakage or unauthorised data access, organisations should collect HKID Card numbers from their customers only when absolutely necessary."
10. "I note incidentally that the terms and conditions for the use of the service by the parents and students are confused and unclear. I would advise that the website operators should come clean with the parents and students, and tell them unequivocally that the responsibility of verifying the identity and credentials of the job seekers rest with them, not the website operators."
11. The website operators also explained that they require the name and telephone number of the job seeker's contact person as a fall-back or emergency contact in the event the job seeker cannot be reached or gets into trouble. While these explanations may make sense on some occasions for some job seekers, the job seeker must be given the option to provide or not a contact person with name and telephone number. The mandatory provision of the data should not be made a prerequisite of service enrolment.
Employment Agencies for Foreign Domestic Helpers
12. The investigation covered 10 major employment agencies for foreign domestic helpers registered under the Employment Ordinance. Their business is to recruit job seekers from overseas for placement as domestic helpers with employers in Hong Kong.
13. In the process, all 10 agencies collect on prescribed forms the personal data of job seekers, members of their families and their former employers. To enable successful job placement and to meet the procedural requirements imposed by the Labour Department and the Immigration Department, collection of this data is necessary except for the personal data (name, age and occupation) of the job seekers' family members. Conceivably after a placement is confirmed, the agency or the employer may wish to obtain from the selected employee a named member of her family as emergency contact. In the circumstances, the selected employee may supply the requested data on a voluntary basis. But there should be no obligation for her to provide such data at the outset.
14. The major problems revealed in the investigation were posting on the agencies' respective websites the personal data provided by the job seekers, which related to the job seekers themselves, their family members and their past employers, including Hong Kong employers.
15. The very unique circumstances that a domestic helper performs her job is that she lives with the family of the employer and is often treated as a member of the family, interacting intimately with all family members day in and day out. The Commissioner therefore accepts the posting by the agencies on their websites most of the personal data provided by the job applicants, including their photos, as it assists employee screening by prospective employers. However, the posting of the job applicants'names5, addresses6 and passport and/or HKID Card numbers7 is not accepted because it is inconceivable that this data serves an instrumental role in the prospective employer's initial selection process.
16. For the same reason, the display on their websites of the personal data (e.g. name, age and occupation) of the job applicants' family members8 and past employers'names9 and addresses10 is not acceptable.
17. A table listing all the specific contraventions of the 10 agencies under the Ordinance is at Annex B.
18. Mr Chiang commented, "The agencies should live up to the privacy expectation of these overseas job seekers who supply the personal data of themselves and others for the purpose of seeking a domestic helper's position in Hong Kong. They should consider conscientiously whether the display of the personal data concerned is in line with this purpose. If not, they must not display the data online."
19. "As distinct from presenting the job seeker's profile to the prospective employer in person when the latter visits the agencies' offices, display of her personal data online is subject to unrestricted access by unidentified third parties, who may copy the data, retain the data permanently, integrate or correlate the data with other fragmented data of the same person from different sources. The possible secondary use of such data is beyond the average person's anticipation or comprehension and definitely very difficult to control. The website operators should appreciate the harm that could be done to the job seekers, and act cautiously to mitigate such risks."
Remedial Actions and Enforcement Action
20. During the course of investigation, the Commissioner was pleased to note that certain remedial actions were taken by some of the employment agencies for foreign domestic helpers (see Annex C).
21. To secure full compliance with the Ordinance, the Commissioner has served enforcement notices to the ten employment agencies and the five tutorial service website operators, directing them to take steps to remedy the contraventions for which remedial actions are outstanding, and prevent the recurrence of all known contraventions11.
22. Mr Chiang added, "The investigation against employment agencies for foreign domestic helpers did not cover the direct disclosure of former employers' personal data to prospective employers visiting the agencies' offices. I would advise that while it is acceptable for the agency to disclose the job seeker's work experience (employment period, work district and job duties), the former employer's personal data (such as name and contact information) should not be disclosed. In case a prospective employer wants to contact the job applicant's former employer for a reference, the prior consent of the former employer should be obtained by the agency."
23. "I would further advise that as a matter of best practice (not just compliance with the provisions of the Ordinance), the employment agencies should obtain the consent of the job applicants for online display of their personal data even though objectively the data is relevant to employee selection by prospective employers. Going this extra mile is recommended in view of the privacy risks associated with posting information online and that some information posted are indeed sensitive. The employment agencies should respect the choice made by the job applicants and refrain from uploading those information for which an indication of objection is expressed by the applicants."
Concluding Comments
24. Mr Chiang concluded, "Through publication of the two investigation reports, I have in effect provided a template for managing personal data and protecting privacy for tutorial service agency websites and employment agencies for domestic helpers. I encourage all operators in these two industries and indeed all web service operators to make good use of the reports, and help build a trustworthy and privacy-assuring online ecosystem."
Read the Investigation Reports online:
Tutorial Service Agency Websites -
www.pcpd.org.hk/english/resources_centre/publications/files/R14_19675_e.pdf
Employment Agencies for Foreign Domestic Helpers -
www.pcpd.org.hk/english/resources_centre/publications/files/R14_1382_e.pdf
- End -
1 Based on public information and information provided by agencies; inclusive of both private tutors and contact persons but overlapping registration not discounted
2 Figure as at end of October 2014 provided by Immigration Department
3 In all six websites
4 In five of the six websites, with Hong Kong University Students' Education Network excepted
5 By all 10 agencies
6 By seven agencies
7 By one agency
8 By eight agencies
9 By the same eight agencies
10 By two agencies
11 Contravention of an enforcement notice is an offence under the Ordinance and an offender is liable on conviction to a fine of HK$50,000 and to imprisonment for 2 years and, in the case of a continuing offence, to a daily penalty of HK$1,000.