Case Notes

This case relates to customer data

Case No.: 2008C13

Whether the Recordings contained any personal data of the Complainant as defined in section 2 of the Ordinance

The Complaint

1. Summary of Facts

The Complainant maintained an investment account (the "Account") with a bank (the "Bank") and she had authorized Mr. X to handle all transactions, including giving instructions, in relation to the Account on her behalf. The Complainant later made a data access request ("DAR") to the Bank for copies of tape recordings regarding two transactions (the "Recordings"). In response to the DAR, the Bank alleged that the Recordings did not come within the ambit of "personal data" under the Personal Data (Privacy) Ordinance (the "Ordinance") so that copies would not be provided to the Complainant. However, the Bank offered to let the Complainant listen to the Recordings at their office. The Complainant complained that the Bank had failed to comply with her DAR.

2. Issue of the case

Whether the Recordings contained any personal data of the Complainant as defined in section 2 of the Ordinance; if yes, whether the Bank had complied with the DAR by offering to let the Complainant listen to the Recordings at its office.

Outcome

1. Reasoning

The Commissioner had obtained a copy of the Recordings from the Bank. The Recordings could be divided into three categories: (a) the instructions given by Mr. X to the Bank on behalf of the Complainant in relation to the Account; (b) confirmation of the said instructions made by the Bank staff; and (c) questions and answers exchanged between the Bank staff and Mr. X relating to the relevant investment products before Mr. X had given the said instructions. It appeared that categories (a) and (b) were the Complainant's personal data, as they obviously related to the Complainant in showing what she was going to invest and had invested through the Bank. Category (c) did not necessarily relate to the Complainant unless the information formed part of or was referred to in the instructions given.

Section 18(1)(b) of the Ordinance requires that a data access request be complied with by supplying the requestor with a copy of the requested data. Although the Bank had offered to allow the Complainant to listen to the Recordings, that offer did not amount to compliance with the DAR under section 18(1)(b) of the Ordinance. The Commissioner was therefore of the view that the Bank had failed to comply with the DAR within 40 days, contrary to section 19(1) of the Ordinance.

2. Action by the PCPD

An enforcement notice was served on the Bank directing it to provide the Complainant with a copy of her personal data in the Recordings.

3. Improvement Action by pca, if any

The Bank had complied with the enforcement notice.

uploaded on web in April 2010

