
Media Statements

Media Statement - Privacy Issues relating to Government’s Cash Payout Scheme

Date: 9 June 2020

Privacy Issues relating to
Government’s Cash Payout Scheme


Upon receipt of media enquiries about personal data privacy issues relating to the Government’s Cash Payout Scheme, the Privacy Commissioner for Personal Data, Hong Kong (PCPD), Mr Stephen Kai-yi WONG, made the following response specifically from the perspective of the Personal Data (Privacy) Ordinance (PDPO):

The PCPD pointed out that on 8 June 2020, the Financial Secretary and relevant Government officials clearly and thoroughly explained the key privacy issues relating to the Scheme.  They had also communicated and exchanged views with the PCPD before then. The PCPD firmly believes that only minimum and necessary personal data will be collected; the use of the personal data will be subject to appropriate restrictions; convenience, expediency, safety and security will be achieved in processing the personal data, and the requirements of the PDPO will be complied with. 

1) Can the personal data collected in the Scheme be used for other purposes or similar relief measures in future?

  • Data Protection Principle 3 of the PDPO provides that personal data shall be used (including transfer and disclosure) for a purpose which is the same as or directly related to the original collection purpose.  It shall not be used for a new purpose save for having the express and voluntary consent of the data subject or any applicable exemptions under the PDPO.
     
  • The PCPD notes that the Personal Information Collection Statement for the Scheme will clearly state that the information collected will mainly be used for the purposes of effecting cash handouts under the Scheme and effecting cash/non-cash handouts/refunds (if any) under schemes administered by the Government in future that are aimed at, amongst other things, encouraging local consumption, relieving people’s financial burden, and/or returning wealth to the people. The Government will not use the information collected for purposes other than the purposes above. As the stated purposes of using personal data include use for similar schemes in future, the Government may use the personal data again in a scheme in future if it is directly related to the aforesaid purposes.
     
  • If the Government and any organisation (including the participating banks) wish to use the personal data collected for a new purpose, they must obtain voluntary and explicit consent from the data subjects concerned.


2) How long can the personal data collected be kept?

  • The current PDPO does not stipulate a fixed period of retention of personal data. That said, pursuant to Data Protection Principle 2 of the PDPO, data users should not keep personal data longer than is necessary for the fulfilment of the purpose for which the data is used. Section 26 of the PDPO further requires data users to take all practicable steps to erase the personal data held by them where it is no longer required unless the erasure is prohibited by any law, or it is in the public interest for the data not to be erased.
     
  • The Scheme’s official website mentions that the data collected will be kept for seven years, after which a review will be conducted. The PCPD accepts that it is reasonable and meets the practical needs of the original purpose. Generally, the retention period for financial information is also seven years. If the Government continues to retain the personal data, there should be justifiable reasons such as keeping the data for similar cash or non-cash disbursement schemes in future which are directly related to the Scheme.


3) Some banks offer incentives for customers to register for the Scheme through the banks. How should banks collect and use customers’ personal data?

  • The PCPD notes that some banks (as data users) have offered incentives to attract customers (as data subjects) to register for the Scheme through the banks. It is a commercial decision of the banks to launch these promotion plans. However, banks are still required to comply with the requirements stipulated under the PDPO and by the regulatory authority concerned because collection, processing and use of customers’ personal data are involved.
     
  • According to Data Protection Principle 1 of the PDPO on the collection of personal data, banks should collect non-excessive personal data from data subjects in a lawful and fair manner and the purpose of their collection should be directly related to their functions or activities (e.g. banking services, assistance in registering for the Scheme). A Personal Information Collection Statement should also be provided when/before collecting customers’ personal data to inform them of the data collected and the purposes, and the classes of person to whom their data may be transferred.
     
  • According to Data Protection Principle 3 of the PDPO on the use of personal data, the banks' use of personal data is limited to the purpose stated at the time of collection or directly related purposes. To use the data for a new purpose, voluntary and explicit consent of the data subjects must be obtained in advance. Otherwise, it will constitute a contravention of Data Protection Principle 3.


4) Is there effective protection of personal data security under the Scheme?

  • According to Data Security Principle 4 of the PDPO on security of personal data, data users must take all practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.
     
  • The PCPD notes that according to the Government, the computer systems for and the process of handling registration and payment have passed the privacy impact assessment conducted by an independent consultant, thus ensuring that the business flow and related system design of the Scheme are in compliance with statutory requirements.
     
  • The PCPD has previously provided his views to the Government on data security of the Scheme, and believes that the Scheme will meet the requirements of the PDPO.


Stay vigilant when registering for the Scheme

The PCPD reminds members of the public to be cautious when providing personal data, especially when asking others to assist with registration.  Sensitive personal data such as identity card numbers and bank account numbers should be provided with extra caution. Members of the public are also advised to pay attention to official announcements in order to avoid phishing websites and fraudulent calls.

The PCPD also urges members of the public to visit “Cash Payout Scheme - FAQs” on the official website (https://www.cashpayout.gov.hk) where detailed information including personal data-related issues is provided by the Government.


 

-End-