Response to Media Enquiry or Report

Date: 30 July 2020

Response to media enquiry on guidelines of personal data collection during the pandemic

Thank you very much for your enquiry about personal data collection during the pandemic. Our response to your enquiry is as follows:

Enquiry
“My questions are as follows:
  1. What should companies do when collecting data from individuals? How should this data be protected?
  2. What are the risks for individuals if their temperature data is breached?
  3. Under Covid-19 track and trace guidelines, what other data can companies collect? Are there any laws or bills that govern how this data is protected?
  4. Are you receiving any reports of Covid-19-related data being abused or breached?”

Answer 1 & 3:
  • The overriding principle is that any measures that may intrude on personal data privacy should be necessary, appropriate and proportionate.
  • In addition to upholding the principle, organisations as data users who control the collection, holding, processing or use (including disclosure and transfer) of personal data in Hong Kong must comply with the relevant provisions of the Personal Data (Privacy) Ordinance (PDPO) and the six data protection principles. They should seek to process the relevant data in an anonymised or de-identified way. The least privacy-intrusive measures should be preferred.
  • Organisations are required to take all practicable steps (such as providing a Personal Information Collection Statement (PICS)) on or before data collection to inform individuals of the type of personal data to be collected and the purposes (e.g. protection of public health), and the classes of persons (e.g. public health authorities) to whom their data may be transferred, etc. It is also a good practice to inform the individuals through the PICS of the maximum period of time for which the data will be retained.
  • Besides, organisations shall permanently destroy the personal data collected for the purposes of combatting COVID-19 when the purpose of collection is fulfilled, such as when there is no evidence suggesting that any visitors have contracted COVID-19 or have had close contact with the infected after a reasonable period of time.
  • Organisations must take effective security measures for protecting personal data against unauthorised or accidental access, processing, erasure, loss or use. Failure to do so may constitute contravention of the Data Security Principle of the PDPO.
  • The Privacy Commissioner for Personal Data, Hong Kong (PCPD) has issued the following statements advising organisations on personal data collection during the pandemic:
Answer 2:
  • Body temperature data per se is not regarded as “personal data” under the definition in section 2(1) of the PDPO. However, if a data user also collects other personal data of a data subject, such as his/her facial image, name and contact details, a breach of the collected data (from which it is practicable for the identities of individuals to be directly or indirectly ascertained) would put the data subjects concerned at risk of fraud or phishing activities at a time when people are more prone to falling prey to scams associated with the pandemic.
Answer 4:
  • The PCPD received the first complaint in relation to COVID-19 on 25 January 2020. As of 27 July 2020, the PCPD received the following numbers of complaints alleging that COVID-19-related health data were collected unfairly or were misused:
| Allegation | Number of Complaints |
| --- | --- |
| Employees requested by employers to provide location data / body temperature measurements | 3 |
| Customers requested by restaurants/hotels to fill in health declaration forms | 14 |
| Disclosure of personal data of people suspected to have tested positive for COVID-19 or people under quarantine | 82 |