Skip to content

Case Notes

Case Notes

This case related to DPP1 - Purpose and manner of collection of personal data , Code of Practice on the Identity Card Number & Other Personal Identifiers

Case No.:2014C16

Unnecessary collection of HKID Card copy of a corporate customer’s representative by a telecommunications company when the customer applied for replacement of a mobile SIM card – DPP1(1)

The Complaint

The Complainant was authorised by his employer to apply for replacement of his employer’s mobile SIM card at a branch of a telecommunications company. Although the Complainant had produced his employer’s business registration certificate and company chop, the telecommunications company demanded to scan the Complainant’s HKID Card for record. Considering that the telecommunications company had collected excessive personal data from him, the Complainant lodged a complaint with the PCPD.

The telecommunications company explained that according to its established practices, when a corporate customer applied for replacement of a mobile SIM card, it would collect a copy of HKID Card of the corporate customer’s representative, in addition to the business registration certificate and company chop. The representative’s HKID Card copy was collected for identity verification to prevent the SIM card from being obtained by someone impersonating the corporate customer.

Outcome

With respect to ascertaining if a corporate customer’s representative is legally authorised by the corporate customer, the Commissioner was of the view that the telecommunications company should request the representative to provide an authorisation letter containing the representative’s name issued by the corporate customer. To verify the representative’s identity, the telecommunications company could request the representative to produce an identification document with photo (e.g. HKID Card or staff card) on-site to match it with the representative’s appearance and name on the authorisation letter. If the telecommunications company still had doubt about the representative’s identity, it could contact the person-in-charge of the corporate customer direct for clarification.

Hence, the Commissioner was of the view that the telecommunications company’s collection of the HKID Card copy of the corporate customer’s representative was excessive and contravened DPP1(1).

After PCPD’s intervention, the telecommunications company took various remedial measures, which included ceasing collecting HKID Card number, or copy, of a corporate customer’s representative when handling replacement of a mobile SIM card; notifying its frontline staff of the said arrangement; and destroying HKID Card data of corporate customers’ representatives previously collected.

(Uploaded in September 2016)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :