The Privacy Commissioner for Personal Data published an investigation report on 5 December 2013, and issued an Enforcement Notice against fitness centre chain California Fitness, for excessive collection of personal data from its customers, including HKID Card copies and full date of birth particulars. California Fitness has indicated that it would file an appeal with the Administrative Appeals Board. This legal update will look at the key findings of the investigation report and discuss the practical implications of the decision.

Summary of the Investigation Report

California Fitness (“CF”) is a fitness centre chain which provides fitness training and facilities in Hong Kong. At present CF has eight branches.

PERSONAL DATA INVOLVED

Two CF customers complained to the Privacy Commissioner that CF had requested excessive personal data from them when one of them applied for membership with CF and the other sought to renew his membership with CF. The personal data involved were:

  1. HKID Card numbers;
  2. copies of HKID Cards (one of the complainants refused and instead provided a copy of his Home Visit Permit); and
  3. date of birth information (year, month and date).

The Privacy Commissioner launched an investigation. The investigation report revealed that CF started collecting such data in 2007. As of July 2013, CF had in excess of 200,000 copies of HKID Cards of members.

APPLICABLE DATA PROTECTION PRINCIPLE

The case revolves around the requirements of Data Protection Principle (1) (“DPP(1)”) of the Personal Data (Privacy) Ordinance (“PDPO”). DPP(1) stipulates that the collection of personal data must be necessary for the intended purpose. The personal data collected must not be excessive.

In addition, the “Code of Practice on the Identity Card Number and other Personal Identifiers” issued by the Privacy Commissioner in 1997 requires that a data user must not collect HKID Card numbers or copies of HKID Cards except under limited circumstances specified in the Code, e.g., where the collection is expressly authorised by law or where the collection is for the prevention or detection of crime or seriously improper conduct. The Code is not legally binding but a breach of the Code will give rise to an unfavourable presumption against the data user in legal proceedings.

THE PRIVACY COMMISSIONER'S FINDINGS

CF put forward a number of explanations for requesting such personal data from its customers. While the collection of HKID Card numbers was justified under the Code (to establish a legal right or interest or liability on the part of the data subject), the collection of copies of HKID Cards and of full birth date particulars were found to amount to an excessive collection of data and thus be in breach of DPP(1) and the Code.

  1. HKID Card numbers

CF explained that in light of past cases of unpaid fees or damage to equipment or facilities by members, CF inserted its customers’ HKID Card numbers in the membership contracts to facilitate the enforcement of contract. The report revealed that CF lodged more than 2,800 civil claims between 2005 to 2008 against its customers. Considering that the potential loss or liability under the membership contracts was not of a transient or trivial nature, the Privacy Commissioner found that CF’s collection of HKID Card numbers for inclusion in membership contracts was justified.

  1. Copies of HKID Cards/Home Visit Permits

CF claimed that keeping the HKID Card copies of its customers could facilitate its internal administration and external audit. In addition, CF submitted that the collection of HKID Card copies would discourage its staff, who earn commission based on new memberships, from fraudulently creating membership accounts.

Those arguments were rejected and the Privacy Commissioner reiterated that stricter control is applicable to the collection of HKID Card copies, the misuse of which would be more likely to create opportunities for forgery or identity theft. The Privacy Commissioner was not persuaded by the evidence before him that the passive retention of HKID Card copies by itself could effectively monitor or deter any fraudulent activities. The Privacy Commissioner considered alternative means could be employed which would be less privacy intrusive, e.g., randomly checking employee records or making calls to members to verify their application. The Privacy Commissioner was also not persuaded that the  HKID Card copies by themselves would be necessary for audit purposes, since auditors could verify CF’s income from other sources such as CF’s bank statements or by seeking confirmation from banks.

Since Home Visit Permits contain similar sensitive personal data of individuals, the same restrictions would apply to the collection of Home Visit Permits.

  1. Birthday information (year, month and date)

CF argued that the collection of the date of birth information was necessary for CF to offer birthday privileges and promote age-specific products to members. The Privacy Commissioner found that the collection of the month of birth would be sufficient for birthday privilege purposes, and that the mere inspection of a HKID Card would do if CF wanted to promote age-specific products. CF had no justification to seek the collection of full date of birth particulars.

OUTCOME

The Privacy Commissioner found CF to have breached DPP(1) as it collected HKID Card copies and full date of birth particulars from its customers. An Enforcement Notice was issued to direct CF to remedy and prevent any recurrence of the contravention.

Implications

The investigation report may not be the final word on this story. CF has indicated that it would file an appeal to the Administrative Appeals Board against the Privacy Commissioner’s decision.

Regardless of the outcome of the appeal, this case serves as a timely reminder that data users must think twice before collecting HKID Card (and other identification documents) information/copies and exact birthday information from individuals. While DPP(1) and the Code have been effective for over 15 years, in recent cases the Privacy Commissioner has demonstrated his increasingly strong disapproval towards the excessive collection of personal data (especially after the Octopus card incident) and the inclination to fully investigate complaints that relate to the excessive collection of personal data, in particular any collection of HKID Card copies (as such data is deemed “sensitive” by the Privacy Commissioner).

A few practical tips for data users:

  • The PDPO does not impose an absolute ban on the collection of HKID Card copies and the other personal data concerned in this case. However, data users should have the default mindset that they should not collect such personal data unless the collection can be justified within the meaning of the PDPO and the Code (merely administrative convenience or costs-saving is unlikely to amount to a good and valid reason).
  • Data users should always consider alternative means which would be less privacy-intrusive. For example, where the customer submits its application in person, his/her identity can be verified on the spot without the need to retain any copy of the identification submitted.
  • When responding to an investigation by the Privacy Commissioner, data users must be able to justify the purposes of collection of such data with adequate evidence. For example, where the collection is required by a third party (like an external auditor or a bank), the data user should be able to have such statements corroborated by such third parties. Another example is where it is alleged a particular measure is necessary to control or prevent some improper conduct (like employee/customer fraud), supporting evidence in the form of statistics showing the effectiveness of the measure (e.g., number of fraud cases before and after the measure) would be helpful.
  • All data users who are currently collecting HKID Card copies and full date of birth of customers/ members should take this opportunity to review their practices and policies. Where there are doubts or where there may be potentially less privacy-intrusive collection measures, data users should consider revising their collection policy to reduce the risk of contravening the PDPO.