Report on Activities - Operations

Highlights of acts or practices found in contravention of the PD(P)O

Provided below are brief illustrations of some of the acts or practices that were found to have contravened the requirements of the PD(P)O in the complaint investigations undertaken in 2001-02. They are selected on the basis of subject matter and demonstrate the wide variety of conduct that is subject to the requirements of the PD(P)O, including those of the Data Protection Principles ("DPPs").

Non-compliance with an enforcement notice - section 64(7)

In May 2001, the PCPD referred a case to the Police for possible prosecution proceedings as a result of the failure by a person to comply with an enforcement notice pursuant to section 64(7) of the PD(P)O. The case originated with a complaint by a hotel's customer against the defendant, who was a former member of the hotel's telesales staff responsible for promoting the hotel's membership campaign. The defendant obtained the complainant's personal data during the marketing campaign. After enrolment, the complainant discovered that the terms of the scheme were totally different from those promised by the defendant. She complained to the hotel about the matter. Upon receiving further complaints against the defendant, the hotel dismissed him. Feeling aggrieved, the defendant took into his possession records of the hotel's customers' details and used the data to send out numerous fax letters to these customers accusing them of causing him to lose his job. This was done contrary to the terms of employment he had with the hotel. Furthermore, the hotel had an internal policy that customers' data should not be used for purposes other than purposes related to its membership services.

After investigation, the PCPD found that the defendant had collected personal data of the hotel's customers in a manner that was contrary to the requirements of DPP1(2). An enforcement notice was served on him directing him to return the customers' information to the hotel. He failed to comply with the directive. The case was then referred to the police for possible prosecution proceedings pursuant to section 64(7) of the PD(P)O. Section 64(7) provides that a data user who contravenes an enforcement notice served on him commits an offence and is liable, on conviction, to a fine of $50,000 and to imprisonment for two years and, in the case of a continuing offence, to a daily penalty of $1,000.

The defendant denied having received the enforcement notice, but during an identification parade he was positively identified by the PCPD officer who served the enforcement notice on him at the material time. The defendant was accordingly charged and convicted on his own plea. He received a fine. This successful conviction has sent a clear message to the public that the requirements of the PD(P)O are not to be taken lightly.

Use of customers' data in "Joint Promotion Programme" - DPP3

An insurance company engaged in a joint promotion programme to market the credit card services of its affiliated company. In doing so, the insurance company transferred the policyholders' data to its affiliated company. The data included customers' information such as their name, address, telephone number, gender and their Hong Kong Identity Card Number. Although the insurance company had, at the time when customers applied for insurance policies, informed them about the use of their data for direct marketing purposes, the extent of data used for marketing purposes was found to be inconsistent with the requirements of DPP3. For marketing purposes, location or contact data such as the customer's name, address and telephone number would be adequate. There was no justification to transfer the customer's Hong Kong Identity Card Number because it was collected for the purpose of managing the customer's insurance policy and account. Not being location or contact data, it should not have been used or transferred in the joint promotion programme.

Loss of documents when subscribing to a mobile phone service - DPP4

In subscribing to a mobile phone service, the complainant submitted his mobile service application, an auto-payment authorization form and a copy of his credit card at a sub-dealer shop of a mobile service operator. He was told that the documents would be delivered to the operator for processing. Later, when he checked with the operator, he was told that they had never received the documents. Upon investigation, it was found that the document flow involved the delivery of the documents from the sub-dealer shop to the dealer shop, which would then forward the documents to the operator. However, in the process, there was no proper verification to ensure that the number of documents dispatched matched the number of documents received by the operator. In the absence of adequate document control procedures imposed on its dealer, the operator was found liable for the act done by its dealer by virtue of section 65(2) of the PD(P)O.

Display of Identity Card Number in a newspaper article - DPP3

The complainant was a police undercover agent engaged on a criminal investigation case. In an article published by a newspaper on its web-site, the newspaper disclosed a copy of the complainant's witness statement in which his Hong Kong Identity Card Number, Police UI Number and full Chinese Name were clearly shown. The complainant had not consented to the public display of his identifying particulars in the article. Neither would the display of the complainant's full identifiable particulars serve any public interest in the circumstances of the case. The publication by the newspaper of the personal data was found to be in breach of DPP3. The publisher was directed to delete the data from the article.

Wrongful transmission of subscribers' personal data by fax - DPP4

The complainant received by fax a large quantity of documents consisting of service applications, copies of Hong Kong Identity Cards and copies of credit cards that were personal data of customers of a mobile service operator. These documents originated from a retail outlet of the operator. The normal process was that the staff at the outlet would transmit the documents using a pre-programmed fax number. On this occasion, a staff member at the outlet manually dialled the fax number. Due to a manual error, the documents were sent to the wrong fax number. No procedures had been implemented at the outlet that required staff to check and ensure that the transmission of documents was correctly carried out. The operator was found to be in breach of DPP4 and was directed to implement remedial measures to prevent any recurrence. The appropriate procedure would be to check the fax journal printout to ensure outgoing faxed documents had been transmitted to the right destination.

Collection of Hong Kong Identity Card copy by an employment agent - DPP1(1)

The complainant was seeking a part-time tutorial job through an employment agent. The agreement was that if she were successfully employed, the employer would pay a commission fee to the agent. Prior to referring the complainant to the employer, the agent required the complainant to deposit a copy of her Hong Kong Identity Card as a guarantee that if the employer failed to pay the commission, she would pay the fee instead. The act of the agent was contrary to DPP1(1) in that the collection of the ID card copy amounted to an excessive collection of the complainant's personal data in the circumstances of the case. There was no justification to require the deposit of a copy of the ID card as the agent's interests would best be protected by including clear provisions in the agreement with the complainant about the terms of the engagement.