Significant Investigation Results

The following complaint
cases illustrate some data user acts or practices that were found to have
contravened the requirements of the Ordinance during the reporting period.
They are selected on the basis of subject content and demonstrate the
wide variety of conduct subject to the provisions of the Ordinance, including
those of the Data Protection Principles ("DPP").

PHOTO SHOP : SHOULD NOT COLLECT IDENTITY CARD NUMBER OF CUSTOMER
WHEN COLLECTING PHOTOGRAPHS WITHOUT PRODUCING THE RECEIPT -
DPP1(1) AND THE CODE OF PRACTICE ON THE IDENTITY CARD NUMBER
AND OTHER PERSONAL IDENTIFIERS

The Complaint
A customer placed
an order for printing some photographs with a photo shop. The shop issued
a receipt to the customer after recording the customer's surname and mobile
telephone number. The customer unfortunately lost the receipt and was
unable to present it when attempting to collect the photographs. The shop
asked for the customer's Hong Kong identity card number for recording
in an "Order Claim Form" as a prerequisite to releasing the
photographs and negatives to him. The customer took the view that the
collection of his identity card number was unnecessary as his mobile telephone
number as well as his images appearing in the printed photographs were
sufficient to show that he was the rightful person placing the order.
He thus made a complaint to the Commissioner.

The shop explained
that the identity card number was necessary for identifying the person
who actually collected the photographs to avoid giving the photographs
to the wrong person. The shop did not consider asking the person to describe
the images on the photographs feasible because it did not necessarily
mean that he was the one placing the order. The shop also stated that
there had been cases where customers sued them for loss of photographs,
negatives, films, etc., and on one occasion, they had paid a compensation
of more than HK$5,000 to a customer. The shop therefore argued that the
collection was permitted under paragraph 2.3.3.3 of the Code of Practice
on the Identity Card Number and other Personal Identifiers ("the
PI Code"). Paragraph 2.3.3.3 allows the collection of identity card
number by a data user if it is necessary for the correct identification
of the holder so as to safeguard against damage or loss on the part of
the data user which is more than trivial in the circumstances. The shop
however admitted that they had not received any complaints from customers
who had their negatives, films or photographs wrongfully collected by
others.

Findings of the Privacy Commissioner
The Privacy Commissioner
holds the view that the existence and extent of loss that a data user
contemplated should be something realistically justified for paragraph
2.3.3.3 of the PI Code to be invoked. To allow for the collection of identity
card number where a real risk of more than trivial loss or damage is not
shown (as in the present case) is tantamount to allowing collection in
general cases which would be contrary to the objectives of the PI Code.
In this particular case, since the mobile telephone number was given by
the customer when placing the order, verification could simply be done
by calling the number in his presence when he came to collect the photographs.
Alternatively or additionally, the shop could record the full name of
the customer (checked against the identification document presented) for
identification purpose and to match with the records of the surname kept
by them, and/or examine the images on the photographs. In the circumstances,
the Privacy Commissioner considered that the shop's practice of collecting
identity card numbers was privacy intrusive and not a necessary measure
to take.

Action by the Privacy Commissioner
An enforcement notice
was served on the photo shop and, as directed, the practice was ceased
and the records of identity card numbers so collected were destroyed.

PROPERTY MANAGEMENT BODY : COLLECTION OF IDENTITY CARD NUMBERS OF PERSONS
DRIVING OUT FROM A CAR PARK VIEWED AS EXCESSIVE COLLECTION
- DPP1(1) AND THE CODE OF PRACTICE ON THE IDENTITY CARD NUMBER
AND OTHER PERSONAL IDENTIFIERS

The Complaint
For the purpose
of preventing car theft, the company managing a car park in a shopping
mall sought to record Hong Kong identity card numbers of drivers
who drove their vehicles leaving the car park between 11:00 p.m.
and 7:00 a.m. Two drivers objected to the collection of their identity
card numbers and made complaints to the Commissioner.

The management
company explained that the measure was taken in view of the rising
figures of thefts in car parks and after consulting a government
department. The department confirmed that in response to the company's
enquiries about car park theft, they had advised the company to
step up car park security measures such as enhancing patrolling
manpower and video monitoring, cooperation with the police in patrol
exercise and display of notices reminding drivers of tips to protect
their cars. The department however did not suggest that the company
collect identity card numbers of car park users.

Findings of the Privacy Commissioner
The car park was open
to public use. The practice of collecting identity card numbers of drivers
would result in a large amount of sensitive personal data of individuals
being collected and held by the management company. Before adopting such
practice, it is imperative for the company to consider the adverse impact
on individuals' personal data privacy and if there are any less privacy-intrusive
alternatives.

One practical alternative
is to adopt a "double permit" system whereby the vehicle registration
number is marked on an "exit pass" given to the driver when
he drives into the car park, so that security staff at the exit may then
collect and check the same when the vehicle leaves the car park. Another
alternative is to install electronic devices designed to capture the image
of the number plate when the vehicle enters the car park and have it checked
against the registration number of the vehicle leaving the car park to
ensure that the same car park ticket is used for the same vehicle.

Paragraph 2.3.2.2
of the PI Code allows the collection of identity card number where the
use of the number by the data user is necessary for the prevention or
detection of crime. Although the management company claimed that there
had been three car thefts happening in the car park in the past two years,
the company was unable to show that adoption of the above security measures
recommended by the government department as well as the aforesaid alternatives
could not satisfactorily solve the car theft problem. In the circumstances
and according to a previous ruling of the Administrative Appeals Board
in Administrative Appeals No.41/2004, the management company may not rely
on the exemption provision in paragraph 2.3.2.2 to collect identity card
numbers of the drivers.

If collection of identity
card numbers is allowed in this particular case, so will be the collection
of identity card numbers of everyone entering and exiting a department
store because of its shoplifting problem. This apparently is not the intention
of introducing the PI Code. The Commissioner therefore considered the
collection of the drivers' identity card numbers by the management company
unnecessary and excessive in the circumstances of the case.

Action by the Privacy Commissioner
An enforcement notice
was served on the management company and, as directed, the company ceased
such practice of collecting drivers' identity card numbers and destroyed
all records of identity card numbers so collected.

EMPLOYERS : THINK CAREFULLY BEFORE USING COVERT MEANS TO MONITOR EMPLOYEES'
ACTIVITIES AT WORK - DPP1(1), 1(2) AND 5

The Complaint
It was reported in
local newspapers that pinhole cameras were found installed by a government
department in the working areas, near the toilets and changing rooms of
its regional office. The department's response was that pinhole cameras
were installed for the purpose of detecting crime as a result of a series
of theft cases occurring in the office. The department believed that the
use of pinhole cameras was an effective way for them to identify the culprit(s)
and gather evidence.

Findings of the Privacy Commissioner
Site investigation
conducted by the Privacy Commissioner's officers revealed that six pinhole
cameras were installed at different working locations of the office. The
cameras were discreetly concealed inside a socket-like box and it was
difficult for anyone to notice their existence.

Under the "Privacy
Guidelines: Monitoring and Personal Data Privacy at Work" issued
by the Privacy Commissioner, covert monitoring is not to be used unless
justified as a last-resort measure and absolutely necessary in detecting
or gathering evidence of unlawful activities, and the monitoring should
be limited in scope and duration. Further, the employer should formulate
a clear employee monitoring policy by making known and communicating to
the employees the purposes of monitoring, the circumstances under which
monitoring will take place and the kind of personal data that will be
collected.

Though the department
did have a legitimate purpose to protect its and its customers' property
from theft, the evidence available did not show the existence of a risk
of loss to such an extent as to justify engaging in vast-scale video
monitoring activities using pinhole cameras, which was highly privacy intrusive.
The dimension and extensiveness of the monitoring activity carried out
was out of proportion to attaining the purpose of collection, and the
department was intent upon engaging in continuous and universal preventive
monitoring. The Commissioner was therefore of the view that the department's
engaging in employee monitoring activities of such dimension and scale
to collect evidence of crime, given the vast amount of personal data that
could be captured without the knowledge of the employees, was excessive
and thus in breach of DPP1(1).

There was no evidence
showing that the department had given due consideration to the use of
other less privacy intrusive alternatives or that the use of overt means
would necessarily frustrate the purpose of collection. The universal and
continuous covert monitoring without a definite plan or policy for its
duration is highly privacy intrusive, aggravating the harm, if any, that
may be inflicted upon innocent parties. The Commissioner found that the
covert monitoring was carried out in an unreasonable and unfair manner,
contravening the requirement of DPP1(2).

Where employee monitoring
is to be undertaken, reasonable practical steps should be taken to formulate
and communicate a clear privacy policy statement to persons affected by
the monitoring activity. Since (before using the pinhole cameras) the
department had already installed overt CCTV cameras for security reasons
through which personal data might be collected, there was a real need
to implement an effective monitoring policy which should be brought to
the attention of the employees affected. On the basis that the department
did not have any privacy policy to address employee monitoring activity
using a video recording system, the Privacy Commissioner found that the
department had contravened the requirement of DPP5.

Action by the Privacy Commissioner
An enforcement notice
was served on the department and, as directed, the department ceased the
practice of covert monitoring, dismantled all the pinhole cameras, destroyed
all relevant recordings and formulated a privacy policy in relation to
video monitoring activities undertaken by it.