Case Notes

This case relates to DPP3 - Use of personal data

Case No.: 2013C04

Whether the use of an employee’s personal mobile phone number in work amounts to a breach of DPP3

The Complaint

The Complainant was employed by a bank (the "Bank") and had provided her mobile phone number (the "Number") to the Bank when she opened a payroll account with it. The Complainant was assigned as an authorised signatory of a corporate service company set up by the Bank ("CSC"). As a result, the Complainant became an authorised signatory of an account (the "Account") held in the Bank by a company, of which CSC was the trustee.

On 26 September 2013, the Complainant received a telephone call at the Number from a staff member (the "Staff") of a branch of the Bank asking her to confirm a securities transaction conducted through the Account. The Complainant queried why the Staff used the Number for dealing with matters relating to the Account. She therefore lodged a complaint with this Office against the Bank.

Representations from the Bank

The Bank explained that on 25 September 2013, the Company sent an email to it and CSC (including the Complainant and the Staff) requesting to place a securities transaction order (the "Order"). To obtain formal authorisation from the authorised signatories for execution of the Order, the Staff attempted on 26 September 2013 to contact the Complainant on her office telephone number, as well as the other authorised signatories, but in vain. To avoid any further delay in fulfilling the Order, the Staff subsequently accessed the Complainant's customer profile in relation to the Company and used the Number so obtained to contact the Complainant for handling the Order. The Bank submitted that this incident was an isolated case.

Outcome

The Number was originally provided by the Complainant to the Bank for the purpose of enabling the Bank to administer the payroll account. The Complainant was the authorised signatory of CSC only for the purpose of fulfilling her job duties under her employment with the Bank, which had nothing to do with her personal payroll matters. The Bank's use of the Number obtained from the Complainant's profile for handling matters unrelated to her payroll account was inconsistent with DPP3 and beyond the Complainant's reasonable expectation.

Upon intervention by PCPD, the Bank confirmed in writing that in future, (i) the designated staff acting as authorised signatory of CSC would be required to forward their office telephone calls to their respective personal mobile phones when they were away from their desks during office hours; (ii) other authorised signatories would be required to back up each other when any of them were away from the office; and (iii) a call list would be put in place for emergency situations when other authorised signatories could not be located. The Bank had also notified its relevant staff in writing to cease the practice of accessing personal contact information of all authorised signatories of CSC unless written consent had been obtained.

Uploaded on web in February 2015