The Complaint
1. Summary of Facts
The Privacy Commissioner carried out an investigation under s38(b) of the Ordinance against an insurance company on his own initiative. The company engaged in a practice of retaining personal data of unsuccessful insurance applicants for an indefinite period of time.
2. Issues of the Case
Whether the company's practice of retaining personal data of unsuccessful insurance applicants for an indefinite period of time contravened DPP2(2).
Outcome
1. Reasoning
The company stated that it was necessary for it to retain the data indefinitely for the purposes of (i) complying with the various legal requirements for keeping books of accounts; (ii) complying with the guidelines and circulars of the regulatory authorities; (iii) handling potential litigation, enquiries and complaints; and (iv) checking the completeness and accuracy of the information in the event of future applications by the same applicants.
During the investigation, the Privacy Commissioner sought comments from the Hong Kong Federation of Insurers ("HKFI") and the Office of the Commissioner of Insurance ("OCI") regarding the need to retain the data of unsuccessful insurance applicants and the appropriate period of retention. Furthermore, the Privacy Commissioner studied the requirements of the various ordinances that require records of business transactions to be kept.
Unsuccessful insurance applications generally fall into two scenarios: the first is where a money transaction is involved (e.g. where the premium is paid together with the application), and the second is where no money transaction is involved. In the former case, where books of account have to be kept, the Privacy Commissioner finds it justifiable that the relevant data be kept for the statutory period prescribed by the applicable ordinances. However, where no money transaction is involved, the Privacy Commissioner does not accept that the company may retain the personal data indefinitely simply because the person may apply again in future; otherwise, it would be tantamount to giving general sanction for the indefinite retention of personal data by any service provider. For the purpose of handling any future enquiry, complaint or legal action that may be lodged, a reasonable period of retention suffices. As for compliance with the guidelines and circulars issued by the HKFI and OCI, it is to be noted that these should not be applied out of context and should not be construed as derogating from the data user's duty to comply with the requirements of DPP2(2).
Premised on the above, the Privacy Commissioner took the view that for unsuccessful insurance applications where a money transaction is involved, the optimal period of retention of the personal data concerned should generally not exceed 7 years. For cases where no money transaction is involved, the Privacy Commissioner finds that an optimal retention period of two years generally suffices to fulfil the various purposes mentioned by the company.
2. Action by the Privacy Commissioner
An enforcement notice was served on the company requiring it to erase the personal data that had been retained longer than the optimal periods recommended by the Privacy Commissioner.
3. Improvement action by the company
The company agreed to comply with the enforcement notice.