On 26 January 2016, the Hong Kong Privacy Commissioner for Personal Data (Commissioner) released a report on personal data protection measures in the Hong Kong travel service industry, accompanied by a press statement.
The report arises from an inspection conducted by the Office of the Privacy Commissioner for Personal Data (PCPD) on the data privacy practices of a major Hong Kong based travel agent. Although the report's recommendations are aimed at the travel service sector, it represents a useful guide to all data users who collect, hold, process and use personal data.
Regarding inspections, data users should note:
- Powers of inspection: The provisions in Part 7 of the Personal Data (Privacy) Ordinance (PDPO) empower the Commissioner to inspect any "personal data system" in order to make recommendations relating to compliance with the PDPO by a data user or class of data users. A personal data system means any system, automated or not, which a data user uses to collect, hold, process or use personal data. These inspection powers are separate from the Commissioner's investigation powers, which are set out in the same Part of the PDPO.
- Conditions for entering premises: The PDPO gives the Commissioner powers to enter premises for the purposes of conducting an inspection provided 14 days' prior written notice is given and operations on the premises are not unduly disrupted. Consent of non-minor residents is required if the premises are domestic in nature; for non-domestic premises, the requirement is that the inspection takes place at a reasonable time.
- Obligation to provide assistance: Where the Commissioner exercises his powers of inspection, the relevant data user must, without charge, afford the Commissioner such facilities and assistance as the Commissioner may reasonably require for the purposes of the inspection concerned.
- Offences of obstruction, false statements etc: It is a criminal offence to obstruct, hinder or resist the Commissioner or a prescribed officer in performing functions under Part 7 of the PDPO, to fail to comply with a lawful requirement made under that Part, or knowingly to make a false statement to or mislead the Commissioner or an officer performing such functions. These offences carry a maximum penalty of a Level 3 fine and 6 months' imprisonment.
- Results, recommendations and reporting: The Commissioner may publish a report of the recommendations arising from the inspection. The Commissioner must inform the data user of the results and recommendations of the inspection and furnish a copy of any report the Commissioner intends to publish.
- Timing: Apart from the requirement for 14 days' notice, there are no express time limits for carrying out the inspection. In the present circumstances, the initial notice was provided to the data user in March 2015 and documents were supplied by it in May 2015. A pre-inspection meeting occurred in June 2015 and further documents were supplied by the data user in July 2015. The site inspections took place at the travel agent's head office, various branches and call centre over the course of a week in July 2015. Subsequently, there was a review of findings in August, a clarification meeting in September and a wrap-up meeting in October 2015.
In general, the Commissioner commented favourably on the agent's practices; he nevertheless made several findings and recommendations, including:
- Privacy management programme: A significant recommendation in the report was the implementation of a privacy management programme by data users, ensuring data privacy becomes a matter of corporate governance rather than merely compliance. An effective privacy management programme would comprise a structure with management support and designated privacy manager, accompanied by controls including policies, risk assessment tools, training and ongoing communication. This would internalise data privacy as part of the organisation's infrastructure as opposed to regarding it as an external set of rules.
- Collection of data and notification: The Commissioner observed that the agent's collection of full birth dates, HKID numbers and addresses was not always necessary, reinforcing that data users should be aware of exactly what data is needed to supply products and services to customers.
- Transfer to third parties and direct marketing: The Commissioner emphasised the need for specificity when telling data subjects how their personal data may be disclosed to third parties; for example, generically describing those third parties as "partners" may be unclear. The Commissioner looked particularly at how members in loyalty programmes were notified of how their data could be used for direct marketing, including how prominently tick boxes for opting out were displayed in collection forms.
- Data retention and security: The Commissioner encouraged formalisation and tightening of measures for timely destruction of personal data, secure transfer of physical personal data, encryption of online transmission of personal data and handling of data breaches.