Handling real-name registration for SIM cards
The Enquiry
An enquirer asked whether personal data would be leaked or misused when shop assistants handled the real-name registration for SIM cards.
Our Response
All data users should observe the six Data Protection Principles (DPPs) of Schedule 1 to the Ordinance upon collecting and using personal data.
Concerning security of personal data, DPP4(1) stipulates that all practicable steps shall be taken to ensure that personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or other use, having particular regard to:-
There are no hard and fast rules in governing the type and level of the security measures that should be adopted. The adequacy of security measures depends on the circumstances of each case. Generally speaking, the more sensitive the data and the greater the potential harm from unauthorised or accidental access, processing, erasure, loss, or use, the higher the level of security measures that should be implemented.
Generally speaking, personal data collected during the real-name registration process for SIM cards should only be accessible to authorised staff. The data user should take all reasonably practicable measures to ensure that staff members handling personal data are trained on the data user’s personal data privacy policies, exercise due diligence in the application of those policies, and enhance awareness of personal data privacy protection. If personal data is in hard copy form, it should be held in a secure place accessible only to authorised personnel on a “need-to-know” basis.
(Uploaded in August 2024)