|
Report
on Activities - Operations
Compliance
Checks carried out in 2001-02
A
compliance check is undertaken when the
PCPD identifies a practice in an organization
that appears to be inconsistent with the
requirements of the PD(P)O. In such circumstances,
the PCPD raises the matter in writing with
the organization concerned pointing out
the apparent inconsistency and inviting
it, where appropriate, to take remedial
action. In many cases, the organization
concerned takes the initiative and responds
by undertaking immediate action to remedy
the suspected breach. In other cases, organizations
seek advice from the PCPD on the improvement
measures that should be taken to avoid repetition
of suspected breaches.
During
the reporting year, the PCPD conducted 41
compliance checks in relation to alleged
practices of data users that might be inconsistent
with the requirements of the PD(P)O. Of
these, 5 compliance checks related to practices
in government departments/statutory bodies.
The remaining 36 compliance checks related
to practices in private sector organizations.
| Figure
14 - Illustrations of issues of compliance
checks
|
| Issues
|
Improvement
Measures Recommended
|
| A
circular accessible via the departmental
network disclosed the full date of birth
of retiring officers.
|
There
is no justifiable reason for the disclosure
of the full date of birth of staff members
who have retired. When personal data
are published, special care should be
taken in respect of the sensitivity
of the type of data that might be disclosed.
Only limited data necessary for the
purpose of the display should be openly
published.
|
| Application
forms containing personal data of claimants
were found unattended in the toilet.
|
When
disposing of old documents that contain
personal data, care should be taken
to avoid inadvertent disclosure of the
data. A proper procedure would be to
have the documents shredded.
|
| A
prize-winning announcement made on an
Internet web-site disclosed the full
name and HK Identity card number of
prizewinners.
|
The
organization was recommended to publish
either the name of winners or the HK
Identity card number in its future prize-winning
announcements. Where both data are published,
it should avoid disclosing the full
HK Identity card number of prizewinners.
|
| Job
applicants were required to provide
a copy of their HK Identity card when
they attended a job interview.
|
Copies
of the HK Identity card should only
be collected from prospective employees
after they have accepted employment,
as proof of compliance on the part of
the employer with section 17J of the
Immigration Ordinance. The company was
recommended to cease the practice.
|
| Application
forms of mobile service subscribers
were re-used as draft papers and distributed
to unrelated parties.
|
The
company was recommended to implement
guidelines to remind all staff to avoid
re-using papers that contain the personal
data of individuals unless appropriate
measures are taken to safeguard those
data from inadvertent disclosure.
|
| Visitors
to a building estate car park were required
to provide their HK Identity card number
for recording when leaving the car park.
|
The
car park management was recommended
to consider adopting a "double
permit system" in which an exit
pass given to the driver on entry to
the car park must be surrendered upon
departure from the car park. |
| Owners
of a newly occupied private estate were
required to provide copies of their
HK Identity card for the refund of temporary
water meter deposits.
|
The
property management company was recommended
to cease the practice, as the water
meter deposit receipts from the Water
Authority should be adequate to serve
the purpose of the refund applications.
|
| Notices
issued to registered consumers responsible
for repair of building communal pipeworks
listed the names and mailing addresses
of other parties.
|
The
department was recommended to revise
the repair notice so as to avoid the
listing of the names and mailing addresses
of other responsible parties. When the
mailing address of a registered consumer
differs from the address of the concerned
premises, a personal copy of the notice
should be sent instead.
|
| Outdated
service orders of a utility company
were left unattended in a car park.
|
The
company was recommended to require its
appointed contractor to review its operational
procedures regarding the collection
and disposal of confidential documents.
|
Sample
checks on "Blind" recruitment
advertisements
The
Code of Practice on Human Resource Management
("the Code") was issued on 22
September 2000. It came into effect on 1
April 2001. Under the Code, "blind" recruitment
advertisements that directly solicit personal
data from job applicants, and do not identify
the parties that have placed them, are not
permitted. For example, a recruitment advertisement
that asks job applicants to submit their
resumes to a PO box number without revealing
the identity of the employer would be in
breach of the Code.
Prior
to the commencement of the Code, the PCPD
examined over 6,000 recruitment advertisements
in leading local newspapers. Of these, about
25% were "blind"advertisements
that directly solicited personal data from
job applicants. Over 1,500 reminder letters
were sent to them alerting them of the requirements
of the Code.
After
the Code came into effect on 1 April 2001,
the PCPD continued to examine leading local
newspapers and recruitment supplements on
a daily basis to identify "blind"
recruitment advertisements. Advertisers
who directly solicited the submission of
personal data from job applicants but did
not reveal their identity were selected.
Advisory letters and copies of the Code
and the Compliance Guide for Employers and
HRM Practitioners were sent to them reminding
them of the requirements of the Code.
During
the period from April 2001 to end June 2002,
over 215,755 recruitment advertisements
were randomly checked. Of these, 12.3% (26,542)
were non-compliant recruitment advertisements
in which advertisers were found to have
directly solicited personal data from job
applicants without revealing their identity
to applicants. A total of 13,734 warning
notices were issued to these advertisers.
Formal investigations were carried out in
two cases in which the advertisers were
found to be repeated offenders and were
issued with more than 10 warning notices.
(Figure 15)
   
|
