PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data,
Hong Kong)
November 1999 Inaugural Issue
The Privacy Commissioner's Message
The protection of the privacy of the individual in relation to personal data
should be a standard policy for every organization in Hong Kong. Not just
because of the legal requirements of the Personal Data (Privacy) Ordinance
("the Ordinance" hereafter), but because it leads to benefits in terms
of better customer and employment relations, improved data quality and
efficiency of data processing.
The PCPD strives to reinforce this message and provide guidance on good data
protection practices to all organizations, large and small. It gives me
great pleasure to inaugurate this first edition of our newsletter.
Its title, "Private Thoughts", sums up the aim of our newsletter, which is
to communicate our views on issues and news relevant to the privacy protection
of personal information related to the individual.
A quarterly publication, "Private Thoughts" will provide news of and views
on latest issues, case studies, topical enquiries and technological developments
in the privacy arena, as well as up-to-date information on PCPD's activities.
The primary and ultimate objective of the newsletter is to assist organizations
to understand and effectively comply with the requirements of the Ordinance
through the implementation of good practices in the handling of personal
data that they collect, retain and use.
As always, for a new endeavour to be effective and successful, your views
and feedback are essential. We welcome your suggestions and criticisms.
Please convey your input by writing to us at the address given at the
end of this newsletter.
More Care Required In Collecting ID Card Numbers
It has been over one year since the effective date in June 1998 of the "Code
of Practice on the Identity Card Number and other Personal Identifiers"
issued by the PCPD, which provides for the protection of individuals'
identity card (ID card) numbers, other personal identifiers and copies
of identity cards.
From June 1998 when the Code took effect to September this year, the PCPD received
120 complaints related to the ID card number and copies of the ID card.
This was 64% more than the combined total of the number of complaints
related to ID cards received by the PCPD before the Code took effect (i.e.
from December 1996 to May 1998). This large jump is not surprising given
the greater awareness that the Code has aroused among the general public
on the protection of ID card numbers.
The following are some of the more common complaints, in which the collection
of ID card numbers or copies of ID cards was deemed excessive:
- Some employers photocopied job applicants' ID cards during job interviews.
Employers are allowed under the Code to keep copies of employees' ID
cards as evidence of compliance with the requirements of the Immigration
Ordinance to inspect if necessary employees' ID cards before employment.
However, the Code does not permit the collection of a copy of the ID
card merely in anticipation of a prospective relationship. Employers
should not, therefore, collect a copy of a job applicant's ID card until
he/she has been offered the job.
- In some cases, sales assistants would ask customers who paid by credit
card for their ID card numbers and recorded them on payment slips to
identify the customers in case stolen or forged cards have been used.
The PCPD is of the view that in processing credit card payments, once
a shop has secured a transaction code from the card-issuing institution,
the risk mentioned above will be borne by the card-issuing institution.
There is thus no need for a shop to record customers' ID card numbers
on credit card payment slips.
- Some car park management staff recorded ID card numbers of car park space
users for the purpose of preventing crime such as car theft. The PCPD
is of the view that the recording of the licence numbers of visiting
cars either on the parking ticket, or some other "exit pass" or coupon,
which should be carefully kept by the drivers, should generally serve
as an adequate alternative to the collection of ID card numbers of drivers
for the purpose of preventing crime.
A question is also often raised on whether the security staff of a building
can ask visitors to enter their ID card numbers in a visitors' log book
at the entrance of a building. This really depends on whether the monitoring
of the visitors' activities inside the building is feasible or not. If
it is feasible, the security staff should not collect visitors' ID card
numbers. If such monitoring is not feasible, they are allowed to collect
visitors' ID card numbers. However, the security staff should take appropriate
security measures to ensure that such entries in a visitors' log book
are concealed from subsequent visitors who enter their details. In addition,
before collecting visitors' ID card numbers, the security staff should
also give visitors the option of choosing less privacy-intrusive alternatives
other than providing their ID card numbers. Such alternatives may include
identification by another identification document, e.g. a staff card issued
by the visitor's company or identification by someone known to the security
staff, e.g. by a resident in the case of a residential building.
For those who would like to find out more about the Code, copies of the Code
and other related publications are available from the PCPD office.
Sending abusive messages on the Internet
The complainant complained that his ex-colleague, without his knowledge or
consent, posted his name and mobile phone number in a message at an Internet
newsgroup soliciting sexual service which resulted in numerous nuisance
calls to him. Upon investigation by the PCPD, it was ascertained that
his ex-colleague obtained his mobile phone number while they were employees
of the same company. Although the sender of the message tried to hide
his identity by using a fake account name, the PCPD secured evidence from
the related Internet Service Provider that the account from which the
message originated was that of the ex-colleague. An enforcement notice
was served on the ex-colleague directing him to cease such action.
This case illustrates that, generally speaking, a data user should not, without
an individual's consent, use that individual's personal data for a purpose
other than the purposes stated at the time when the data were collected.
In addition, newsgroups are public forums where posted messages are openly
exposed to anyone having access to the Internet. Individuals should consider
the privacy risks involved before posting any personal data at newsgroups.
Access request to employment-related personal data
The complainant was a former primary school principal. The school terminated
her employment summarily, paying her wages in lieu of notice in accordance
with the requirements of the employment law. The complainant subsequently
made a data access request to the primary school. The primary school failed
to comply with her data access request within 40 days of receiving her
request, as required by the Ordinance.
In response to the complaint, the primary school relied on the exemption
provisions of section 54 of the Ordinance in refusing to comply with her
data access request. Section 54 is a transitional provision intended to
avoid the possible disruption to the staff management relationship that
may be caused by disclosing assessments provided in confidence at a time
when there was no right of access to personal data, before our Ordinance
took effect, i.e. before 20 December, 1996. This provision applies only
so long as there is an ongoing employment relationship. Since the primary
school was no longer the employer of the complainant at the time when
the complainant made her data access request, section 54 would not apply.
Upon warning, the school undertook to provide the data to the complainant
and to revise its policy and procedures regarding the handling of data
access requests.
Biometrics and Privacy
Biometrics is the process of collecting, processing and storing details of a person's
physical characteristics for the purpose of identification and authentication.
The most popular forms of biometric identifiers are retina scans, hand
geometry, thumb scans, fingerprints, voice recognition, and digitised
photographs. The technology has gained the interest of governments and
companies because it has the capacity to identify the target subject much
more accurately than other forms of identification such as identity cards
or papers.
Biometrics schemes are being implemented across the world. Spain has commenced a
national fingerprint system for unemployment benefit and healthcare entitlement.
Jamaicans are required to scan their thumbs into a database before qualifying
to vote at elections. In France and Germany, tests are under way with
equipment that puts fingerprint information onto credit cards. In the
US, cash can be drawn from ATM machines which establish the identity of
a customer through the scanning of facial features instead of the presentation
of an ATM card.
The most controversial form of biometrics - DNA identification - is benefiting
from new scanning technology which can automatically match DNA samples
against a large database in minutes. Police forces in several countries
such as the United States, Germany and Canada are creating national databases
of DNA. The Hong Kong Government is actively pursuing the establishment
of a similar DNA database of persons who have been convicted of a serious
crime.
The PCPD recognises the considerable benefits to the community through the
creative application of biometrics. At the same time, there are concerns
with the potential risks of privacy intrusion through the use of such
biometrics data for purposes that were not originally intended. Therefore
applications of biometrics must have adequate safeguards for data privacy,
including clear and transparent declarations of how the data collected
are to be used, adequate security measures to prevent unauthorised access
to data, and where relevant, regulatory measures to support complaints
and redress mechanisms. In addition, in conjunction with biometrics, use
should be made where appropriate of so-called privacy enhancing technology.
The use of such technology minimises the collection of personally-identifying
data without compromising the power of biometrics to authenticate an individual's
claim as an authorised user of a system or service.
(Reference is drawn from "Privacy & Human Rights", GILC)
After an employee has left our company to seek employment in another company,
can we provide a reference in respect of the staff member upon the request
of a prospective employer or is the written consent of the staff concerned
required for such disclosure?

As the information you have about an employee or ex-employee was collected
for your human resources management purposes, and not those of the prospective
employer, you should obtain the individual's express voluntary consent
before disclosing information to the prospective employer. The consent
does not have to be in writing, i.e. it can be given orally. However,
having consent in writing reduces the opportunity for subsequent argument.
It would be acceptable for the consent to be given via the prospective
employer.

We are a retail company. We intend to out-source the processing of customers'
account statements to an outside service provider. Is this in contravention
of the Ordinance?

If the data to be transferred to the outside service provider are confined
to what is necessary for preparing the customers' account statements,
the transfer of such data is consistent with the requirements of the Ordinance.
However, following the general rule in any outsourcing arrangement, you
should take care to ensure by contract or otherwise that the service provider
will comply with the relevant requirements of the Ordinance in handling
the data. In particular, it should be required to pay due attention to
the security of the personal data in its possession, not to use such
data for any purpose other than for providing the service in the instructed
manner, and either to destroy the data or return them to you once the
service has been provided.

We are a telecommunications company. Can we, by virtue
of inclusion of a waiver of right clause by our customers, use their data
for any purpose we choose?

The requirements of the Ordinance are binding on a data user irrespective
of any contrary terms contained in an agreement with an individual. For
example, under the Ordinance, data protection principle 1 requires that
personal data shall not be collected except for a lawful purpose directly
related to a function or activity of the party that will use the data.
This requirement overrides any term or condition in a customer agreement
that purports to give the company concerned the right to use personal
data for any other purposes.
More common Q & As can be found on the "Advice & Decisions" section of the
PCPD web site at http://www.pcpd.org.hk.
PCPD hosted international privacy conference in Hong Kong
The 21st International Conference on Privacy and Personal Data Protection
was held in Hong Kong on 13 and 14 September in conjunction with the International
Meeting of Data Protection Commissioners on 15 September. The Conference
was hosted by the PCPD and attracted close to 400 delegates from 35 countries.
The Conference is the most significant annual international conference in
the global privacy arena and was held for the first time in Asia. The
theme of this year's conference was "Privacy of Personal Data, Information
Technology & Global Business in the Next Millennium". A total of 65 speakers
from 15 countries shared their insights on topics including the impact
of current and future technologies on privacy and personal data, electronic
commerce and personal data, the impact of the European Union's Data Protection
Directive on global business and trade as well as privacy issues related
to specific sectors such as Government, telecommunications, news media,
information technology and law enforcement.
For those who have missed the Conference, the Conference proceedings can be
purchased from the PCPD.
Data access request form issued
In PCPD's experience in handling complaints, misunderstanding has been found
among both the general public and organisations in relation to data access
requests under the Ordinance. To assist individuals in making data access
requests and remind data users of their obligations in handling such requests,
the PCPD has issued a Data Access Request Form. Data users are encouraged
to use the Form to handle individuals' data access requests. To allow time
for data users to revise their internal procedures in light of the Form,
the Form will have legal effect on 1 December, 1999. After this date, a
data user may refuse to comply with a data access request that is not made
with the Form. A pamphlet that explains to individuals how they can exercise
their data access rights and make use of the Form has also been issued.
The Form and the pamphlet are available from the PCPD and all district offices.
3rd annual opinion survey results released
The PCPD has released the results of the 1999 opinion survey on attitudes
towards and implementation of the Personal Data (Privacy) Ordinance. Some
1,600 individuals were interviewed and questionnaires received from 460
organisations in the survey. Privacy continued to be rated by individuals
as an important social policy issue, with a rating of 7.6 out of 10. The
survey also found in particular that there was a significant increase
in the percentage of organisations which considered that the Ordinance
would have long term benefits in areas such as customer and employee relations,
data accuracy and management and their organisations' public image. A
booklet containing the key results of the survey has been published and
is available from the PCPD at a nominal charge.
Public consultation being conducted on a draft Code of Practice on Human Resources Management
The PCPD published at the end of September for public consultation a draft
Code of Practice on Human Resources Management (HRM) for the protection
of personal data privacy in relation to HRM practices. The draft Code
governs the collection, use, retention, security and other aspects of
handling of personal data by HRM practitioners. Views are in particular
invited on the recommendations in the draft Code on recruitment advertisements
and the retention periods for different types of employment-related personal
data. The public consultation period will last three months and interested
parties and the general public are invited to submit their views to the
PCPD by 31 December. The consultation paper is available from the PCPD
and all district offices.