Monitoring Compliance
Highlights of acts or practices found in contravention of the PD(P)O
Provided below are brief illustrations of some of the acts or practices that were found to have
contravened the requirements of the PD(P)O in the complaint investigations
completed in 2003-2004. They are selected on the basis of subject matter
and demonstrate the wide variety of conduct that is subject to the requirements
of the PD(P)O, including those of the data protection principles ("DPPs").
Bankers beware: when accessing credit data in reliance on unverified credit application referred by an intermediary (DPP1)
1/04
The Complaint
An individual who is the sole proprietor of a business complained that a bank,
without his authority and without cause, accessed and obtained his
credit data held by a credit reference agency through a credit report.
The bank alleged that it received a credit application referred by an intermediary
and, in order to check the credit status of the purported credit
applicant, i.e. the sole proprietorship, the bank accessed and obtained
the sole proprietor's credit data held by the credit
reference agency. The bank did not contact the purported credit
applicant nor had it obtained any written authorization from the
sole proprietor prior to accessing his credit data.
Outcome of Investigation
The Code of Practice on Consumer Credit Data issued by the Privacy Commissioner allows
a credit provider, through a credit report, to access consumer credit
data held by a credit reference agency on an individual in the course
of the consideration of any grant of new consumer credit to the
individual. It was doubtful whether the sole proprietor had
actually made the credit application. The bank's access
to the credit report without first verifying the truthfulness of
the application was considered unfair collection of personal data
in the circumstances of the case, amounting to a contravention of
the requirement of DPP1(2).
An enforcement notice was issued and the bank subsequently changed its practice
and procedure in relation to credit applications referred by an intermediary,
requiring direct verification of the application with the applicant.
Prosecution witness' personal data: avoid disclosing personal data unrelated to the purpose of the proceedings (DPP3)
2/04
The Complaint
A witness provided
a statement to a government department for the purpose of prosecuting
an offender. The department's standard statement form
was used which required the witness to fill in her personal particulars
including name, age, sex, identity card number, place of birth,
nationality & dialect, address, residential telephone number,
occupation and office telephone number. An unedited copy of the
witness statement, containing all the witness' personal
particulars, was released to the defendant by the department without
the prior knowledge or consent of the witness. The witness was concerned
about the disclosure of such private and personal information to
the offender and made a complaint to the PCPD.
Outcome of Investigation
It was not disputed that the information collected in the
witness statement was for the purpose of prosecuting the
subject case and hence the transfer of the statement to
the defence to answer the charge was for a directly related
purpose. However, it was understood to be the long-standing
practice of the prosecuting authority to edit out
a witness' personal information from a witness statement,
such as the address, telephone numbers and, where
applicable, the place of employment of a witness, which
are irrelevant to the proceedings in question. In the instant
case, the identity card number, address (i.e. place of
employment), contact telephone numbers and place of
birth bore no relevancy to the proceedings. The disclosure
of these data to the defendant was therefore not accepted
to be for the original purpose of collection or for a directly
related purpose for the proceedings. These data should
therefore not be disclosed or transferred to the defendant
without the prescribed consent of the witness. Without
obtaining the requisite consent from the witness, the
department had acted contrary to the requirement of DPP3.
An enforcement
notice was issued and as a result the
department revised its working manual to remedy the
matters by, inter alia, requiring staff to review and edit
copy witness statements before releasing to the defence
so as not to disclose personal particulars of witnesses
that were irrelevant to the proceedings in question.
Transfer of customers' personal data: consent not expressly and voluntarily given is not "prescribed consent" to justify transfer of customers' data to third parties for promotion of unrelated products (DPP3)
3/04
The Complaint
A customer rented
a flat through the service of a property agency. The agency transferred
his data to a club operated by its subsidiary. The club sent a letter
to the customer notifying him that he would automatically become
a member of the club if he failed to object. The club did not receive
any objection from the customer. The club later engaged in a joint
marketing scheme with an insurance company and passed the customer's
name, contact details and identity card number to the insurance
company. The insurance company then called the customer to promote
its life insurance products. The customer complained about improper
use of his personal data by the agency.

Outcome of Investigation
DPP3 prohibits the use (including transfer) of the individual
customer's personal data for any purpose other than the
original purpose for which the data were collected or a
directly related purpose, unless his "prescribed consent"
has been obtained beforehand. It was clear that the original
collection purpose of the customer's data was for the
provision of property-agency service for renting a flat. The
agency had not informed the customer of any other purpose
of use of his data at the time of collection of the data. Joining
the club, which provided multifarious services other than
property-agency service, could not be said to be related to
the original collection purpose for renting a flat, in particular
when the club would disclose members' data to third parties
for promotion of products unrelated to property transaction.
"Prescribed consent" means voluntary and express consent.
For the purpose of the PD(P)O, the sending of the notification
letter and the customer's failure to object could not amount
to "prescribed consent" for using his data to make him a
member of the club.
Accordingly, the
transfer of the customer's data to the club
for making him a member and the subsequent disclosure
to the insurance company for marketing life insurance
products were found to be in contravention of DPP3.
Consequently, the agency and the club ceased such uses
of customers' data after the issuance of enforcement
notices
to them.