Complaints Received 2004-2005

The 953 complaint cases received in 2004-2005 involved a total of 1106 alleged breaches of the requirements of the Ordinance. Of these, 970 (88%) were alleged breaches of the data protection principles and 136 (12%) were alleged contraventions of the provisions in the body of the Ordinance.

Of the 970 alleged breaches of the data protection principles, 479 (49%) concerned the alleged use of personal data of complainants without their consent. In this category, 92 (19%) involved debt collection, mostly allegations against financial institutions for passing customers' personal data, such as contact details and amount of indebtedness, to debt collecting agencies for the recovery of outstanding debts.

There is a misunderstanding among some complainants regarding the ambit of the Ordinance when applied to use or disclosure of personal data. A common example is that some complainants believe their personal data can only be used or disclosed to others after prior consent concerning a particular act has been obtained from them. The Ordinance restricts the purpose of use or disclosure of personal data to their original collection purpose or a directly related purpose. Any other use or disclosure of personal data requires the express consent of the data subject concerned. In other words, if the use or disclosure of personal data is within an original collection purpose, or a directly related purpose, it is not necessary for the data user to obtain the consent of the data subject prior to use or disclosure.