
DPOC e-Newsletter

What's On
Privacy Commissioner Issues “BYOD (Bring Your Own Device)” Information Leaflet

It highlights the personal data privacy risks that an organisation needs to be aware of when it develops a BYOD policy. It also suggests best practices in allowing employees to use BYOD equipment to access and work with the corporate system that contains personal data.

e-Wallet – Privacy Commissioner Provides Practical Tips and Advice on Controlling Personal Data

The Privacy Commissioner urged that individuals should vigilantly keep in control of their own personal data, and the e-Wallet operators should aim to win customers’ trust by respecting their privacy right and safeguarding their personal data.

Training Updates
Introduction to the Personal Data (Privacy) Ordinance Seminar
Oct to Dec 2016 seminars are open for enrolment!


To raise public awareness and their understanding of the Ordinance, the PCPD organises introductory seminars on the Ordinance twice a month.

Outline:
  • A general introduction to the Ordinance
  • The six data protection principles
  • Offences & Compensation
  • Direct Marketing
Data Protection Principle (DPP) 1 - Purpose and manner of collection of personal data

A vendor should not make customers join its membership programme as a condition of registering for product maintenance and repair service, and should not collect the full date of birth of individuals joining the programme – DPP1(1) and 1(2)

The Complaint

Summary of Facts

The Complainant purchased a printer and wanted to register for the maintenance and repair service (“the Registration”) of the vendor (“the Vendor”) through the Vendor’s webpage. However, the Complainant found that she had to log into the webpage of the Vendor’s membership programme (“the Programme”) before registering. As the Complainant was not a member of the Programme, she was required to provide her personal data for membership registration before applying for the maintenance and repair service. The Complainant said that the Vendor had unnecessarily required her to provide her personal data to join the Programme, including her date of birth. Hence, she lodged a complaint with the PCPD.

Information provided by the Vendor

The Vendor explained that all customers could generally get the after-sale maintenance and repair service with their purchase invoice and product record card. However, to get an extra three months’ maintenance and repair service, they had to join the Programme. As the Registration extension was offered only to members of the Programme, customers who wanted to get the extension had to become Programme members first and then register by entering their member account number and password on the Programme webpage.

Regarding the collection of the full date of birth of individuals joining the Programme, the Vendor explained that the year of birth was important for analysing market trends and customer consumption habits, and the month of birth was collected to provide birthday privileges or gifts to members.

Outcome

The Privacy Commissioner was of the view that registering for maintenance and repair service for products purchased was a basic right of customers, and that the right to receive after-sales service should not depend on whether customers are members of the Programme. Although the Vendor explained that its customers could get the standard maintenance and repair service with their purchase invoice and product record card, it accepted the Privacy Commissioner’s recommendation and amended its webpage to state that customers could receive the standard maintenance and repair service by producing their purchase invoice and product record card, and that only the three months’ extension required joining the Programme.

Regarding the collection of members’ full date of birth, the Privacy Commissioner recommended that the Vendor inform the customers joining the Programme of the purpose of collecting their personal data (i.e. for analysis of market trends and consumption habits, and for providing birthday privileges or gifts to members), and explain that it would collect their year and month of birth only with their voluntary consent. The Vendor stopped collecting the full date of birth of members. Instead, it now collects only the month of birth. It also undertook to destroy the records of year and date of birth of members previously collected.
Q: Which of the following information should not be recorded for handling sick leave application by a human resources manager?

A. Date and time of medical appointments
B. Details of medical treatment
C. Number of sick leave granted

The correct answer is B. A human resources manager only needs the minimum information about a sick leave application of an employee to verify or calculate the entitlement to sick leave and other related benefits but not the details of the medical treatment. Therefore, the collection of the details of medical treatment is excessive and contrary to the Data Collection Principle.

Q: For how long can the personal data of former employees be kept?

A. Until the former employees request deletion
B. Until the closure of organisation
C. Seven years

The correct answer is C. An employer should not retain the personal data of a former employee for a period longer than seven years from the date the former employee ceases employment with the employer unless there is a subsisting reason that obliges the employer to retain the data for a longer period (e.g. to fulfil contractual or legal obligations) or the former employee has given prescribed consent for the data to be retained beyond seven years.

Q: Which of the following information of the former employee can be specified in the resignation notice?

A. Hong Kong Identity Card number
B. Reason for departure
C. Name and title

The correct answer is C. The disclosure of the former employee’s name and position in the organisation should be sufficient for the purpose of identifying the employee concerned. Disclosure of excessive data may lead to possible misuse and is hence contrary to the Data Use Principle.

Tips on Encryption

Encryption is an effective way to prevent your data from being read by others if your computer is hacked or your portable storage devices are lost.

PCPD’s Corporate Video

With public education as one of the PCPD’s priorities, this video was developed to raise public awareness of personal data protection and to highlight the work of the PCPD.

Online Assessment Tool – Retail

Start testing your knowledge on how the industry should protect personal data.