PCO increasingly active

The Personal Data (Privacy) Ordinance (PDPO) came into force in 1996 to protect privacy rights by regulating the way in which personal data is collected and used.  The Privacy Commissioner (PCO) has been increasingly active lately, due largely to a combination of three factors: a new PCO keen to protect privacy, a recent spate of high-profile cases and a government initiative to overhaul the PDPO.

Insurance companies and their practices have not been spared regulatory scrutiny.

Insurance companies indirectly caught up in PCO inquiries

Until recently, there had not been many high-profile cases since the PDPO was enacted.  One that caught the public’s attention, and drew scrutiny from legislators and regulators, was the case of Octopus Holdings.  The PCO described the “Octopus case [as] a wake-up call to those who had neglected the issue of personal data in the past.”

It was also in this case that insurance practices first came into the spotlight.  Octopus Holdings Ltd issues stored value cards which are widely used in Hong Kong to pay for public transport and small-value items such as drinks and snacks.  Octopus collected information about the users of its cards, some of which was sold to other companies, including CIGNA Worldwide Life Insurance Company, for marketing purposes.  The inquiry focussed on Octopus’s sale of personal data and not CIGNA’s use of it for direct marketing purposes.  CIGNA’s only, and limited, involvement was to provide information to the PCO.  However, the case did publicise, perhaps somewhat uncomfortably, how insurance companies obtain personal data from others who hold great amounts of such data.  Further, this case came to the PCO’s attention through a whistle-blower claiming to be a former employee of CIGNA.

CIGNA was again involved in a later case involving a Wing Lung Bank customer, who complained to the PCO when information she provided to the bank, which she thought was for a credit card application, was provided to CIGNA.  A CIGNA employee, describing himself as bank staff, called the customer and sold her an insurance policy.   The customer complained when she later discovered the policy was issued by CIGNA and not the bank.  The PCO concluded that the bank was in breach of the PDPO.

On appeal, the Administrative Appeals Board agreed with the PCO and also commented that the bank/CIGNA arrangements were “rather confusing” and said that “any possible misrepresentation should be avoided as to the true identity of the insurer”.

Insurance companies become the subject of PCO inquiries

More recently, insurance companies have been directly in the firing line.  Manulife customers complained when they were unable to check their accounts online without first agreeing to the use of their personal data for promotion and marketing purposes.  Here, Manulife’s regulator, the Mandatory Provident Funds Authority, stepped in and instructed Manulife to allow their customers the choice to accept or reject the proposed use of their personal data.

What should insurance companies do?

Realise that privacy issues are important: Expect how you collect or use personal data to be examined critically.  The PCO recently observed that “..organisations…seem satisfied to do the least possible to meet minimum legal requirements…”.

  • Do a compliance review;
  • Train your staff - they should be aware of privacy issues;
  • Educate senior management about privacy issues;
  • Have adequate security measures to prevent and detect data privacy breaches;
  • Have a plan to deal with customers, regulators and media if there is a privacy problem; and
  • Consider how data is shared - within the company and with others such as business partners and service providers.

Have simple and easy to read documents: In Hong Kong, the norm is to use a Personal Information Collection Statement (“PICS”) to tell people how their personal data is collected and used.  Small print and overly wide or complicated language have been seen as questionable practices.

  • Use a reasonably sized font;
  • Avoid legal or complicated language; and
  • Have a standalone PICS (do not “bundle” with other documents).

Critically examine your practices: Current ways of obtaining or using personal data may be out of line with the expectations of the public or the regulators.

  • Manage expectations: be open and specific about why you collect and how you use personal data; and
  • See the other side: how would you like your personal data to be used?

Keep track of developments: These cases have provided further impetus to the government’s and PCO’s drive to reform the PDPO.