A financial institution collected excessive personal data from outsourced staff without providing a personal information collection statement and retained the personal data for a period longer than necessary
The Complaint
The complainant worked for an information technology company and was assigned to work at the premises of a financial institution. The complainant was not employed by the financial institution, but was required to provide his personal data, including his date of birth, to the institution, and he noticed that his personal data would be retained for seven years from the date of termination of his relationship with the financial institution. The complainant therefore lodged a complaint with the PCPD against the financial institution for excessive collection of his personal data; for not providing him with a Personal Information Collection Statement (“PICS”) on or before the collection of his personal data; and for retaining his personal data for a prolonged period of time.
Outcome
The financial institution explained to the PCPD that the complainant's date of birth was collected merely for the purpose of creating a personal account for the complainant in its computer system for administrative purposes. The financial institution stated that, since at that time it was not possible to provide the relevant information through the system or any designated channel of communication, it was impracticable for it to communicate with the complainant on or before the collection of his personal data, and it therefore did not provide him with the relevant contents of the PICS.
Moreover, the financial institution confirmed that at the time of the incident it did not set a separate retention period for each item of personal data of its outsourced staff according to the reason and purpose for which the item was collected. Instead, it required all personal data to be retained for seven years in a uniform manner. However, given that the complainant was only an outsourced staff member of the financial institution and not directly employed by it, the PCPD considered that the financial institution had no need to retain the complainant's Hong Kong Identity Card number for any employment reasons (including taxation or MPF contribution arrangements) or other purposes for a lengthy period of seven years. Furthermore, since it was not necessary for the financial institution to collect the complainant's date of birth in the first place, it was not necessary to retain it either.
After the intervention of the PCPD, the financial institution confirmed that it was no longer necessary to collect the dates of birth of outsourced staff and that it would properly delete the dates of birth of current and former outsourced staff that had been collected for the purpose of creating employee accounts. It also formulated a PICS for all departments, covering outsourced staff and staff seconded by suppliers and collaborators, and reminded its staff of the importance of providing the PICS on or before collecting personal data from data subjects. In addition, the financial institution separately reviewed the retention period of each item of personal data collected from its outsourced staff according to the reason and purpose for which it was collected, and updated the retention period of each item in its personal data retention policy.
Based on the above, the Privacy Commissioner was of the view that the financial institution had contravened DPPs 1(1), 1(3) and 2(2) in this case. Taking into account the circumstances of the case, including but not limited to the remedial measures taken by the financial institution, the PCPD issued a warning letter to the financial institution in response to the complaint, requiring it to comply with the relevant requirements of the PDPO in the future.
Lesson learnt
When engaging staff through sub-contracting (including through third parties), organisations should pay particular attention to the handling of personal data. Examples of such situations include engagement through an employment agency, or staff employed by one company who undertake work on behalf of another company.
As these organisations do not have a direct employment contract with the individuals concerned, they would in general collect less personal data from subcontract staff than from their own staff. If the data is collected directly from subcontract staff, these organisations should provide a PICS to those staff. In addition, these organisations may only continue to retain the personal data of subcontract staff for the purposes for which the data was collected, or where there is a reasonable likelihood that such staff may be re-engaged for subsequent work.
(Uploaded in February 2025)