Media Statements

e-Wallet – Privacy Commissioner Provides
Practical Tips and Advice on Controlling Personal Data

(25 August 2016) In view of the privacy issues related to the stored value facilities (“e-Wallets”) mentioned by the Hong Kong Monetary Authority in its inSight article yesterday and other parties concerns in relation to personal data privacy, Mr Stephen Kai-yi WONG, the Privacy Commissioner for Personal Data (“Privacy Commissioner”), urged that individuals should vigilantly keep in control of their own personal data, and the e-Wallet operators should aim to win customers’ trust by respecting their privacy right and safeguarding their personal data.

1. Depending on the services required, e-Wallets operators may need to collect different types and amount of personal data. For example, if an e-Wallet user would like to use the person-to-person (P2P) payment transaction service, the operator needs to access and collect the user’s phonebook data stored in his mobile device in order to process the payment and notification. The collection of the additional personal data is not of itself necessarily privacy-intrusive.
2. e-Wallet operators should offer a level-playing field on its e-Wallet app, and let the users decide if they allow the app access or collect information (such as locations, contact lists, etc.) from their mobile devices, and allow the customers to withdraw the consent at any time without prejudice to their use of the e-Wallet.
3. e-Wallets users should find out what personal data will be required at different stages of the account operation. For example, an e-Wallet operator may require a small amount of personal data (e.g. name and email address) to open an account, but an extensive amount when upgrading or closing an account, with the balance of the account to be withdrawn. To improve transparency, e-Wallet operators should inform and remind customers clearly of what personal data will be required as and when appropriate.

The Privacy Commissioner also offers the following practical tips and advice on personal data protection for both the e-Wallet users and their operators:

For e-Wallet Users - Tips on Personal Data Protection

• Find out how the e-Wallet operators will handle and process personal data collected;
• Understand privacy settings in e-Wallets and select the appropriate options;
• Examine the types of mobile device data an e-Wallet app will access, and appropriately disable such accessibility;
• Do not operate an e-Wallet app over a public or unsecure Wi-Fi connection;
• Use a complex password, and do not use the same password for other less-sensitive services, such as social networks;
• Make sure the device on which the e-Wallet app operates has appropriate anti-theft features switched, and has the latest security patch and anti-virus software installed;
• Do not open attachments or click on links in unexpected email messages. If in doubt, clarify with the sender before taking any action; and
• Regularly monitor transaction records for unauthorised activities.

Advice to e-Wallet Operators:

• e-Wallet operators are reminded of the proportionality and transparency requirements under the Personal Data (Privacy) Ordinance (the “Ordinance”), and adopt simple, succinct and user-friendly language and presentation to explain purposes for collecting various types of personal data.
• If an e-Wallet operator intends to use personal data collected through e-Wallet operations for a purpose not directly related to payment, they should seek explicit and voluntary consent from the customers concerned. If an operator intends to use personal data in direct marketing, he has to take specified actions and obtain consent from customers in compliance with the direct marketing provisions under the Ordinance;
• e-Wallet operators are reminded of their legal responsibility to ensure accuracy and security of personal data collected. Given the sensitivity of personal data involved, e-Wallet operators are expected to perform formal risk assessment on the full data cycle to determine the commensurate level of protection;
• e-Wallet operators are obliged to comply with data access and correction requests of their customers made under the Ordinance; and
• If an e-Wallet operator engages an outsourcing agent (data processor) to process personal data on his behalf, he must adopt contractual or other means to: (i) prevent personal data transferred to the data processor being kept longer than is necessary for processing of the data; and (ii) prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

For more practical guidance and tips on personal data protection, please visit our website at: PCPD.org.hk

- END -