Office of the Privacy Commissioner for Personal Data, Hong Kong
Annual Report

 

Monitoring Compliance

Compliance Checks

A compliance check is undertaken when the PCPD identifies a practice in an organization that appears to be inconsistent with the requirements of the PD(P)O. In such circumstances, the PCPD raises the matter in writing with the organization concerned pointing out the apparent inconsistency and inviting it, where appropriate, to take remedial action. In many cases, the organization concerned takes the initiative and responds by undertaking immediate action to remedy the suspected breach. In other cases, organizations seek advice from the PCPD on the improvement measures that should be taken to avoid repetition of suspected breaches.

During the reporting year, the PCPD conducted 10 compliance checks in relation to alleged practices of data users that might be inconsistent with the requirements of the PD(P)O. The following are some of the compliance checks undertaken in the year.

Issues and Improvement Measures Recommended

Issue: In an email sent by an employment agency to all job seekers who have previously provided their personal data, the agency addressed recipients of the email by using information about them held in its email "address book". A recipient of the email can read the names and email addresses of others.
Improvement measures recommended: Very often, job seekers provide their personal data under confidence to an employment agency and would expect the agency to communicate with them on a confidential basis. Although the way that the agency sends the email can bring convenience, it may lead to an unnecessary disclosure of the names and email addresses of individuals. Where an email "address book" is configured to link an individual's name with his email address, care should be taken when using the "address book" to send emails to multiple recipients. In the circumstances, the alternative of addressing recipients using the "blind carbon copy" ("bcc") function should be considered.

Issue: When visiting a page on a restaurant's website, visitors are provided a hyperlink that directs them to a database that contains personal data of customers of the restaurant.
Improvement measures recommended: When performing website maintenance or re-design of web pages, care should be taken to ensure that control on public access to information not intended for disclosure can still be maintained. When a website is not ready for use, it would be a good practice to alert visitors that the site is "under construction/development" and to inform them of the temporary suspension of any hyperlink access.

Issue: Information contained in an individual's credit report may be misleading when it shows the writ information obtained from public court documents.
Improvement measures recommended: A credit report may display writ information concerning an individual who is the data subject. In the absence of any unique personal identifier (as in the case of court documents) that may facilitate correct matching, care should be taken when relating such information to the individual concerned. A mismatch may occur that results in writ information of another person with a similar but not identical name being associated with the individual. To avoid any misleading effect, a clear message should be displayed in the credit report, e.g. to put this kind of public information under a heading that reads "Public Record of Potential Relevance" on a separate page of the report.

Issue: Passengers traveling on ferries between Hong Kong and Macau are asked to complete a passenger information form that requires personal data such as the name, telephone number, address and seat number.
Improvement measures recommended: It is understandable that precautionary measures need to be taken to ensure public health and safety during the outbreak of SARS, which is a communicable disease that occurred worldwide. The collection of passengers' personal data by means of a "Health Declaration Form" issued by the Health Authority is one of the means that serve to detect and control the spread of SARS in the community. However, it is neither the policy of the Health Authority nor a requirement imposed on ferry operators to collect personal data of passengers for the prevention of resurgence of SARS. The ferry operator was advised to cease the practice.
 
 



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.