On 9 April 2013, the Office of Privacy Commissioner for Personal Data ("Commissioner") issued a report in respect of the investigation carried out by the Commissioner against a body check service company and an insurance broker concerning the unfair collection of personal data from the public by the body check service company and its transfer to the insurance broker for use in direct marketing.
The Commissioner had received 11 enquiries and five complaints against the body check services company and the insurance broker and initiated a formal investigation against them in respect of three complaints.
The body check services company provided laboratory testing and medical check-up services through cooperation with private laboratories and operated call centres to provide marketing services for various commercial organisations.
The investigation revealed that over the past two years, the body check services company had collected personal data (including names, gender, mobile phone numbers, residential addresses and partial identity card numbers) from more than 360,000 people over the telephone to enable them to sign up for a free medical check-up service that was said to be in support of a "Universal Medical Check-up Scheme". The data were then sold to the insurance broker for use in direct marketing of insurance products. The complainants were subsequently enrolled in a member club and received a welcome letter and gifts from the club. Following on from this automatic enrolment in the member club, the complainants from time to time received direct marketing messages from the insurance broker.
It was found that the body check services company's telemarketers had asked people to give their personal data for registration for a free medical check-up when in fact the data was sold to the insurance broker for its use in marketing insurance products; the body check services company telemarketers had further not explicitly informed the complainants of the intended transfer of the data to the insurance broker for use in direct marketing and the insurance broker had not obtained the complainants' consent to its use of their personal data in direct marketing. The Commissioner concluded that both companies, as data users, had contravened the data protection principles set out in the Personal Data (Privacy) Ordinance (Cap.426) ("PDPO").
In relation to the insurance broker, the Commissioner determined that the collection of partial identity card numbers from those people was excessive as other contact data supplied already sufficed for the purpose of authenticating the claimants for the free medical check-up and preventing multiple claims. In addition, the insurance broker had used the personal data of those individuals for direct marketing; a purpose which was different from and not directly related to the original purpose of data collection (namely, registration for medical check-up) without those persons’ voluntary and explicit consent.
It is noted that after the Commissioner's intervention, the insurance broker ceased using the complainants' personal data for direct marketing and destroyed their personal data as well as the partial identity card numbers of those individuals who had not purchased any insurance products through the insurance broker. The Commissioner nonetheless served an Enforcement Notice directing both companies to formulate relevant policies, guidelines and/or procedures to prevent contravention of the requirements under Part VIA of the PDPO in their collections and use of personal data for direct marketing purposes in future. The Commissioner also directed the insurance broker to destroy the personal data provided by the body check services company by 30 September 2013, except (a) the personal data of the data subjects who, as a result of the body check services company's referral, had purchased insurance products through the insurance broker, and (b) data that were being used before that date for direct marketing, in which case the provisions in Part VIA of the PDPO were required to be complied with.
It should also be noted that had the contraventions identified in this case been committed on or after 1 April 2013, the corporate data user at fault would have been held criminally liable and may have been subject to a fine and imprisonment under the new regulatory regime for direct marketing which commenced on that date.
All organisations engaged in direct marketing activities are therefore recommended to review their existing policies, guidelines and/or procedures and, where appropriate, seek legal advice in relation to the collection and use of personal data to ensure compliance with the PDPO.