The Office of the Privacy Commissioner for Personal Data (PCPD) has completed its investigation into an incident relating to the wrongful disclosure of customers’ personal data through sample forms by an airline company.
The investigation arose from a complaint received by the PCPD in which a passenger of the airline company (the Complainant) alleged that the personal data of two passengers and two related persons were disclosed to him through sample forms attached to an email sent by a ground service agent of the airline company stationed in Phu Quoc in Vietnam.
The PCPD has commenced an investigation into the incident and conducted five rounds of enquiries with the airline company. According to the information obtained during the investigation, the Complainant claimed compensation from the relevant airline company for delayed baggage regarding the flight that he took from Hong Kong to Vietnam and received an email from its ground service agent at the outport in Phu Quoc in Vietnam. Two sample forms were attached to the relevant email for the Complainant to make reference to when completing the forms for the settlement of his compensation claim, and real personal data of two passengers and two related persons were contained in the sample forms which included their names, flight details and/or bank account details. The relevant airline company admitted that the staff in question did not follow the instructions set out in the Ground Operations Manual and the training materials.
Having considered the circumstances of the incident and the information obtained during the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the following deficiencies of the airline company were the main contributing factors of the occurrence of the incident:-
-
Failure to take effective measures to raise the awareness of the staff members of the ground service agent of the requirements relevant to personal data privacy as set out in the Ground Operations Manual, and of the need to protect personal data privacy;
-
Failure to provide sufficient and regular training to the staff members of the ground service agent; and
-
Failure to monitor the performance of ground handling agents.
The Privacy Commissioner found that the airline company had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the airline company, directing it to take measures to remedy the contravention and to prevent recurrence of similar contraventions in future.
The full version of the investigation findings can be downloaded
here.