The Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) Mr Stephen Kai-yi WONG released two reports, namely “2017 Study Report on User Control over Personal Data in Customer Loyalty and Reward Programmes” and “Inspection Report: Personal Data System of An Estate Agency in Hong Kong”.
(I) 2017 Study Report on User Control over Personal Data in Customer Loyalty and Reward Programmes
The Privacy Commissioner for Personal Data, Hong Kong (PCPD) examined 30 customer loyalty and reward programmes from six sectors (i.e. retail, hotel, catering, airlines, cinema and gasoline) in late May 2017. The examination was part of the global Privacy Sweep exercise of the Global Privacy Enforcement Network (GPEN). This is the fifth consecutive year in which the PCPD has participated in the Privacy Sweep. The theme of the Privacy Sweep 2017 was “User Control over Personal Information”. It aimed to examine the privacy policies and practices of data users with a view to evaluating user controls over personal data. The PCPD decided to examine customer loyalty and reward programmes because of their popularity in the local market and their potential to collect a substantial amount of personal data from a large number of individuals.
The findings showed that most of the privacy policies of the examined programmes lacked transparency. Customers were unable to provide meaningful consent to the collection and use of their personal data. Nor were they able to exercise effective control over their personal data in the areas of data deletion, data sharing and profiling. Many programmes indicated in their privacy policies their intention to use personal data for big data analytics, profiling and/or automated decision making, which may lead to excessive collection and amassment of personal data. In view of these findings, the report proposed recommendations for improving the privacy practices of the programmes.
The Privacy Commissioner urged operators of customer loyalty and reward programmes to explain their privacy policies and practices frankly to customers, respect customers’ right to personal data privacy and provide customers with control over their own personal data. He also advised individuals to read the privacy policy carefully to understand the possible use and sharing of their data, and to assess the related privacy risks before joining customer loyalty and reward programmes.
(II) Inspection Report: Personal Data System of An Estate Agency in Hong Kong
Noting that the property market continued to boom, and with the vast volume and broad range of personal data (including sensitive data such as name, contact information and Hong Kong Identity Card number) that estate agents have to handle, the Privacy Commissioner considered that it was in the public interest to review the industry’s regime in data privacy protection. An inspection of the personal data system of a leading estate agency (the Agency) was hence carried out, pursuant to section 36 of the Personal Data (Privacy) Ordinance (the Ordinance).
The findings of the inspection report showed that the Agency had generally made reasonably good efforts to ensure proper management of clients’ data, and no material deficiencies were found on the part of the Agency in privacy protection matters. In particular, the Privacy Commissioner was satisfied that the Agency had top management commitment to data privacy protection, having designated a senior management officer to oversee and monitor the compliance of the personal data system, thereby setting a role model for the estate agency industry in integrating data privacy protection into the organisation’s governance. On the technical side, the Privacy Commissioner appreciated that the Agency prudently segregated authority and controlled the access rights to its database systems on a need-to-know basis, which minimised the risk of unauthorised access to or leakage of clients’ data.
Based on the elements of a comprehensive privacy management programme, the Privacy Commissioner proposed a number of recommendations and good practices on personal data protection, such as comprehensive privacy policies, a compliance audit system, a data breach reporting mechanism and guidelines, and training and education, to assist the industry in ensuring compliance with the requirements under the Ordinance as well as nurturing a culture of “protect and respect personal data privacy”.
The Privacy Commissioner took the view that personal data protection could not be managed effectively if an organisation treated it merely as a legal compliance issue. Instead, organisations should embrace personal data protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting from the board room. He strongly encouraged estate agencies to develop their own Privacy Management Programme, which would not only enable them to manage their customers’ personal data effectively, but also facilitate their compliance with the requirements under the Ordinance, build trust with clients and enhance their reputation and goodwill.
The two reports are available at the PCPD’s website, PCPD.org.hk, for public viewing:
1. 2017 Study Report on User Control over Personal Data in Customer Loyalty and Reward Programmes
2. Inspection Report: Personal Data System of An Estate Agency in Hong Kong