Response to Media Enquiry or Report

Date: 28 December 2016

Privacy Commissioner's Response to Media Enquiry on the Suspected Data Breach of an Airline's Mobile Apps


In response to a media report today on a suspected data breach of passengers’ boarding pass information in an airline company’s mobile application (“app”), our reply is as follows:
 
1. It would not be appropriate for our Office to comment on the legality of any practices before looking into the details of the specific circumstances of the case. Meanwhile, the Privacy Commissioner for Personal Data (“PCPD”) will contact the airline company for more details and commence a compliance check on this incident. If a person suspects that his personal data privacy rights are being abused and is able to provide prima facie evidence, he may lodge a complaint with the PCPD.
 
2. Any data user (individual or organisation) who controls the collection, holding, processing or use of personal data in or from Hong Kong through mobile apps must comply with the requirements under the Personal Data (Privacy) Ordinance (“the Ordinance”), including the six Data Protection Principles (“DPPs”), in particular:
   a. A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use (DPP4); and
   b. Personal data must be collected in a lawful and fair way, for a purpose directly related to a function or activity of the data user; the data collected should be necessary but not excessive; practicable steps should be taken to provide the data subjects (e.g. the mobile app users) with a Personal Information Collection Statement on or before collecting their personal data (e.g. during the installation of the mobile app), notifying them of the purpose for which their personal data is collected and used, and the classes of persons to whom the data may be transferred (DPP1).
 
3. Generally speaking, leakage of personal data may contravene the requirements under DPP4. Whether an organisation has collected excessive personal data from its app users depends on whether the personal data collected is necessary for the functions and services provided by the app. The areas to be considered include:
   a. Do the purposes for accessing/collecting each type of data support the nature/function of the mobile app?
   b. Is it absolutely necessary to access/collect the data in order to support those purposes?
   c. Can the purposes also be supported by accessing less privacy-sensitive data?
 
4. Although non-compliance with a DPP does not of itself constitute a criminal offence, the Privacy Commissioner may serve an Enforcement Notice directing the data user (individual/organisation) to remedy the contravention. If the data user does not comply with the Enforcement Notice, the case may be referred to the Police for criminal prosecution. An offender is liable on conviction to a maximum fine of $50,000 and to imprisonment for 2 years and, if the offence continues after the conviction, to a daily penalty of $1,000.
 
5. From 1 December 2016 to today (as at 5 p.m.), no related complaints have been received.

6. From 1 January 2014 to 30 November 2016, the numbers of complaints relating to social networks and mobile apps were as follows:

Year                   Cases relating to social networks   Cases relating to mobile apps
1 Jan to 30 Nov 2016   78                                  54
2015                   90                                  71
2014                   99                                  58
 
7. With the advancement of information technology, more and more people make purchases or complete registrations online (e.g. purchase of air tickets and online check-in), which raises the risk to the privacy and security of their personal data. The Privacy Commissioner reminds members of the public as follows:
  • Do not upload or share images of air tickets or boarding passes online, because the personal data stored in the barcodes on them can be decoded and read by others even if the names and flight information were covered before uploading; destroy air tickets and boarding passes upon completion of the journey to prevent the personal data on them from being misused;
  • Do not use public computers or public Wi-Fi to access sensitive websites (e.g. online shopping and webmail); after using public Wi-Fi, remove the access point from the mobile device's saved Wi-Fi networks so that the device will not reconnect to it automatically, minimising the risk of personal data theft;
  • Do not allow devices to remember your login details, and always remember to “log out”;
  • Use complex passwords and do not use the same password for multiple accounts;
  • Install and regularly update anti-theft and anti-virus software.
 
The PCPD has issued the booklet “Protecting Privacy – Using Computers and the Internet Wisely” to advise members of the public on how to protect their personal data when using computers and the Internet.
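The first reminder above rests on a technical fact worth seeing concretely: the barcode on a boarding pass encodes a fixed-width text record in the IATA Bar Coded Boarding Pass (BCBP) format, which any barcode reader recovers, and that record carries the passenger name, the booking reference (PNR) and, where the airline adds it, the frequent-flyer number in the clear. Covering the printed name on a photo therefore protects nothing. The decoder below is an added example written for this page, not code from the PCPD or the airline; it starts from the text a barcode reader returns (the image-decoding step is assumed to be done by a reader such as zxing), uses the published BCBP field widths, and runs on a constructed, fictional sample pass (the name CHAN/TAIMAN, PNR ABC123 and frequent-flyer number MP123456789 are invented values).

```python
"""Decode the text payload of an IATA Bar Coded Boarding Pass (BCBP), the
format behind the PDF417 / Aztec / QR code printed on boarding passes.

Added example, not part of the PCPD statement. It starts from the string a
barcode reader returns (image decoding is assumed to be done by a reader
such as zxing). Field widths follow the public IATA BCBP layout; the sample
payload is constructed and fictional.
"""

# Mandatory fields of the first leg, in order: (name, width). 60 chars total.
MANDATORY_FIELDS = [
    ("format_code", 1),          # always "M"
    ("legs", 1),                 # number of legs encoded
    ("passenger_name", 20),      # SURNAME/GIVENNAME
    ("eticket_indicator", 1),
    ("pnr", 7),                  # booking reference (record locator)
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("flight_date_julian", 3),   # day of year; the year is not encoded
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("variable_field_size", 2),  # hex length of the conditional data that follows
]

# Conditional data: a "unique" block (once per pass) and a "repeated" block (per leg).
UNIQUE_FIELDS = [
    ("passenger_description", 1), ("checkin_source", 1), ("issuance_source", 1),
    ("issue_date", 4), ("document_type", 1), ("issuer", 3), ("bag_tag", 13),
]
REPEATED_FIELDS = [
    ("airline_numeric_code", 3), ("document_serial", 10), ("selectee_indicator", 1),
    ("intl_doc_verification", 1), ("marketing_carrier", 3), ("ff_airline", 3),
    ("ff_number", 16),            # frequent-flyer number: a stable account identifier
    ("id_ad_indicator", 1), ("free_baggage", 3), ("fast_track", 1),
]


def _take(buf, fields):
    """Slice fixed-width fields off the front of buf; return (dict, remainder)."""
    out, pos = {}, 0
    for name, width in fields:
        out[name] = buf[pos:pos + width].strip()
        pos += width
    return out, buf[pos:]


def decode_bcbp(payload):
    """Decode the first leg of a BCBP payload into a dict of named fields."""
    if not payload.startswith("M"):
        raise ValueError("not a BCBP 'M' format payload")
    leg, rest = _take(payload, MANDATORY_FIELDS)
    var = rest[:int(leg["variable_field_size"], 16)]
    # Conditional data, when present, begins with ">" and a one-digit version.
    if var.startswith(">"):
        leg["bcbp_version"] = var[1]
        uniq_len = int(var[2:4], 16)            # hex size of the unique block
        uniq, _ = _take(var[4:4 + uniq_len], UNIQUE_FIELDS)
        after = var[4 + uniq_len:]
        rep_len = int(after[:2], 16)            # hex size of the repeated block
        rep, _ = _take(after[2:2 + rep_len], REPEATED_FIELDS)
        leg.update(uniq)
        leg.update(rep)
    return leg


def exposed_identifiers(payload):
    """What a stranger learns from the barcode alone, blacked-out name or not."""
    leg = decode_bcbp(payload)
    keys = ("passenger_name", "pnr", "ff_number", "carrier", "flight_number", "seat")
    return {k: leg[k] for k in keys if leg.get(k)}


def _field(value, width):
    """Pad or truncate a value to its fixed width, as an issuing system would."""
    return value.ljust(width)[:width]


def build_sample():
    """Constructed, fictional pass: HKG to TPE with a frequent-flyer number."""
    unique = "".join(_field(v, w) for v, (_, w) in zip(
        ["0", "W", "W", "6325", "B", "CX", ""], UNIQUE_FIELDS))
    repeated = "".join(_field(v, w) for v, (_, w) in zip(
        ["160", "1234567890", "0", "0", "CX", "CX", "MP123456789", "", "20K", "N"],
        REPEATED_FIELDS))
    conditional = ">6%02X%s%02X%s" % (len(unique), unique, len(repeated), repeated)
    mandatory = "".join(_field(v, w) for v, (_, w) in zip(
        ["M", "1", "CHAN/TAIMAN", "E", "ABC123", "HKG", "TPE", "CX", "0400",
         "325", "Y", "031A", "0042", "1", "%02X" % len(conditional)],
        MANDATORY_FIELDS))
    return mandatory + conditional


if __name__ == "__main__":
    for key, value in exposed_identifiers(build_sample()).items():
        print("%-16s %s" % (key, value))
```

The decoder reads only the first leg; multi-leg passes repeat the leg block after the variable field. The practical point for the reminder above is the combination of fields: the booking reference together with the passenger's surname is what many airlines' manage-booking pages accept as a login, so a shared pass image can lead to a booking being viewed, changed or cancelled by a stranger, not merely to a privacy leak, and the frequent-flyer number is a stable identifier that outlives the flight.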
 
8. It is very common to run a business or provide services through mobile apps in both the public and private sectors. As the collection of personal data is usually involved, organisations must keep abreast of the latest technological developments and trends to protect personal data privacy. If personal data is leaked or misused, it may cause serious harm to their customers, and the organisation's reputation may also be affected. The following recommendations are offered to organisations:
  • Have in place proper application development and change-control policies, guidelines and procedures;
  • Have in place a risk assessment process for the design and operation of mobile apps;
  • Use genuine and reliable development tools and software;
  • Maintain safeguards, such as encryption, access control and a password policy;
  • Establish processes to obtain and apply updates from the operating system developers;
  • Have the processes and safeguards reviewed and audited by an independent party; and
  • Do not subcontract or further outsource the work unless the same level of protection can be assured.
 
In view of the popularity of mobile apps, the PCPD has issued the “Best Practice Guide for Mobile App Development”, which introduces the Privacy by Design approach to mobile app developers for use in developing their products and services. Through a comprehensive checklist, the Guide draws the attention of app developers to all relevant factors that need to be considered in developing a privacy-friendly app, and recommends a set of best practices.
 
Moreover, organisations are advised to notify the PCPD of any data breach incident concerning the personal data held by them, as a recommended practice for the proper handling of such incidents. The PCPD has published the “Guidance on Data Breach Handling and the Giving of Breach Notifications”, which advises data users, in case of a data breach, to immediately gather essential information relating to the breach, adopt appropriate measures to contain it, and consider giving data breach notifications.