Table of Contents Table of Contents
Previous Page  115 / 192 Next Page
Show Menu
Previous Page 115 / 192 Next Page
Page Background


In March 2010, a government department reported to the Commissioner that an

employee had lost certain computer printouts when he was carrying out outdoor duties

that required home visits.


The lost printouts contained the names, gender, addresses

and telephone numbers of 126 individuals. Although there was a genuine operational

need for the staff to bring the printouts during home visits, he had taken more data than

required to visit the twenty individuals on the day of the home visits. The guidelines of the

department were revised as a result by specifying the amount of personal data that was

required for conducting home visits on a particular day so as to ensure that no

unnecessary personal data would be taken out by staff for performing home visits.

(c) Telecommunications Companies


Internet and telecommunications service providers possess substantial amount of

personal data of their customers. It is essential for them to ensure data security to avoid

leakage. Customers sometimes may have forgotten the passwords to access their

account information. In such circumstances, service providers must be cautious in

verifying the identity of the customer before rendering any assistance to access

account information. The Commissioner received a complaint where the internet service

provider reset a customer’s password upon the request of a person who knew the name

and HKID number of that customer, even though the caller was not the customer and

the customer was not aware of the request. Such practice was found to be insufficient

to meet the standards required by DPP4 in ensuring data security.


Similarly, in another complaint handled by the Commissioner,


the complainant’s

creditor successfully gained access to the electronic telephone bills of the complainant

by typing in his HKID number as the password for online access which as a result enabled

the creditor to collect the telephone records of the complainant and to use them for

making nuisance calls to his friends. The telecommunications company in question was

found to have contravened DPP4 in failing to take all reasonably practicable steps to

safeguard the complainant’s personal data. In the enforcement notice served by the

Commissioner, the company was required to cease the practice of using HKID numbers

as default passwords for its customers. Given the ease of guessing passwords of this kind

and the likelihood of manipulation and unauthorised access, the service provider was

advised to take steps to protect the security of the customers’ personal data by, for

example, providing randomly selected passwords.


In another complaint, the complainant visited a telecommunications shop to subscribe

for broadband and fixed-line services. The shop had an open-plan design with some

computer terminals set up in a public area and visitors were free to stroll around those

terminals. When his subscription request was processed by the staff through the use of

the computer terminal, the complainant noticed that his personal data displayed on the

screen of the computer terminal was visible to people standing next to or behind the

customer service officer. Since the receipt of the complaint, the telecommunications

company has installed polarized filters, screen saver and software functions that


See case reported in the Annual Report 2010-11 of the Commissioner (page 96), available on the Website:


See Case Note No. 2002C08, available on the Website: