In view of reports and commentary in today’s news media on the PCPD’s compliance action against an online ID index, the PCPD will make the following clarifications:
1. The Office of the Privacy Commissioner for Personal Data (“PCPD”) acted on reports in recent news media that an online database had been set up containing complete ID card numbers as well as various types of personal data of more than 1,100 individuals, allegedly obtained from various sources including the Hong Kong Companies Registry. The online database offers uncontrolled access and use of the data. Data Protection Principle 3 of the Personal Data (Privacy) Ordinance (“the Ordinance”) stipulates that, except with the data subject's prior consent, personal data shall only be used for the purpose for which it was originally collected or a directly related purpose. A compliance check was initiated by the PCPD to stop a possible data privacy breach.
2. The compliance check does not purport to extend to personal data published on the websites of the government and other law enforcement agencies by reason of their specific functions. Hence any suspicion or confusion over a possible “control on the collection of publicly available personal information” is unfounded.
3. The suspicion that “the PCPD took action purely for the benefit of a particular group of affected persons” is also groundless. A compliance check may be conducted where the Privacy Commissioner for Personal Data identifies a practice that appears inconsistent with the requirements of the Ordinance. In 2012 the PCPD carried out a total of 179 self-initiated compliance checks. A recent example is the PCPD’s compliance action against a number of educational organisations that inadvertently exposed student personal data on their websites.
4. Typically, in a compliance check, the Privacy Commissioner warns the data user in writing, pointing out the apparent inconsistencies of its practice with the requirements of the Ordinance and inviting it, where appropriate, to take remedial action. In the majority of these cases, data users have been cooperative and have taken immediate action to correct their personal data practice due to respect for personal data protection and appreciation of the value of the PCPD’s compliance checks to them.
5. The PCPD reiterates that “publication” of personal data on public registers does not affect the data’s inherent nature as personal data, and does not thereby lend it to unrestricted or uncontrolled use. Generally speaking, the use of personal data listed in public registers is governed by the terms prescribed by the operators of the registers or the relevant ordinances establishing such registers.
6. Last but not least, neither the right to privacy nor freedom of speech or information is absolute, and a good balance must be struck to serve the wider public interest. The PCPD welcomes discussion on the risk of identity theft and fraud resulting from unwarranted disclosure of ID numbers, which evidently may be used together with other personal data of the affected individuals.
- End -