Date: 17 November 2017
Personal Data Obtained from Public Domains is Protected under the Privacy Ordinance
(17 November 2017) A financial consultant of a financial services company faced two charges under the Personal Data (Privacy) Ordinance (the “Ordinance”) today at the Kwun Tong Magistrates’ Court. The first charge relates to the offence of using the personal data of a data subject in direct marketing without taking specified actions and obtaining her consent, contrary to section 35C of the Ordinance. The other charge relates to the offence of failing to inform the data subject, when using her personal data in direct marketing for the first time, of her right to request not to use her personal data in direct marketing without charge, contrary to section 35F of the Ordinance. The defendant pleaded guilty to both charges, and was fined HK$20,000 in total (HK$10,000 in respect of each charge).
Case Background
The case stemmed from a complaint received by the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) in November 2015.
The complainant works in a government-related organisation of the Hong Kong Special Administrative Region. Her personal data, including her name and office phone number, can be obtained from the Government Telephone Directory. In October 2015, the complainant received a call from the defendant on her office phone number, addressing the complainant by her Chinese full name. The call was to promote the investment products of the financial services company. The complainant stated that she was not a customer of the financial services company and had never consented to its use of her personal data in direct marketing. During the phone call, the defendant did not notify the complainant of her opt-out right. Subsequently, the complainant lodged a complaint to the PCPD. After processing the complaint, the Privacy Commissioner was of the view that the defendant had misused the complainant’s personal data.
PCPD’s Comments
The direct marketing provisions under the Ordinance require a data user not to use an individual’s personal data in direct marketing without that individual’s consent. In order to obtain valid consent, the data user must notify the individual of the types of personal data that will be used; the classes of goods or services that will be marketed; and a response channel through which the individual can communicate his consent to the intended use.
The data user must also, when using the data subject’s personal data in direct marketing
for the first time, inform the data subject of his right to request the data user to cease to so use the data, without charge to the data subject.
This obligation applies irrespective of whether the personal data is collected directly from a data subject or from other sources.
Personal data obtained from public domains, such as Government Telephone Directory, is also protected under the Ordinance. The Ordinance does not prohibit direct marketing activities but provides clear guidance for data users in managing their direct marketing activities. Respecting consumers’ personal data and using them properly can create a win-win situation in business.
The PCPD has published the following publications for data users and consumers:
For guidance on legal compliance, data users can refer to the "
Guidance on Direct Marketing"
As for consumers, please refer to:
-End-