A customer purchased a mobile telephone from a mobile telephone company. Later she was contacted by another company, which informed her that it had received an application in her name for a fixed line telephone service. Suspecting that her personal data had been passed on to the second company by the first company without her consent, she complained to PCPD.
Investigations revealed that the two companies were in fact associated. The second company was contracted to enlist customers for the first company. The employee of the second company who sold the products of the first company to the complainant, had subsequently filed an application with the second company in the name of the complainant for telephone services. There was evidence to show that the second company had a clearly stated policy about the protection of information relating to customers. There were also strict procedural rules controlling the handling of applications for services. The sales assistant, whose employment had since been terminated, had acted in contravention of the company's policy and rules. In the light of the incident the company undertook to tighten up procedures to prevent misuse of customers' personal data.
The Commissioner's views on the matter
Section 65(1) of the Ordinance renders a data user responsible for any act done by its employee in the course of his employment. Under section 65(3) it is a defence for the employer to prove that he had taken such care as in all the circumstances was reasonable to avoid the contravention concerned. In this case the company had taken practical steps to prevent the misuse of customers' personal data. Accordingly it was not liable for the act of the employee, which it did not permit or condone.