Media Statements

Media Statement - PCPD Publishes Investigation Report on Security Measures Taken by 14 Restaurants to Protect Customers’ Registration Data

Date: 28 October 2021

PCPD Publishes Investigation Report on Security Measures Taken by 14 Restaurants to Protect Customers’ Registration Data

In response to the COVID-19 pandemic, the Government imposed requirements under the Prevention and Control of Disease (Requirement and Directions) (Business and Premises) Regulation (Cap. 599F) on responsible persons of restaurants to ensure that customers either scan the venue QR code with the “LeaveHomeSafe” mobile app or register their names, contact numbers and dates and times of their visits, before entering the premises, and for restaurants to keep such written or electronic records for 31 days (“the Restaurant Entry Requirement”).

Since the implementation of the Restaurant Entry Requirement on 18 February 2021, the Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling (“the Privacy Commissioner”) has launched investigations into 14 complaints about the failure of restaurants to properly handle the registration data of customers.

The Privacy Commissioner found that the retention periods set by the 14 restaurants concerned (see Annex for details) for keeping the registration data of customers did not exceed 31 days. In other words, the restaurants kept the data in accordance with the data retention period as specified in the Restaurant Entry Requirement, in such a way that the relevant personal data was not kept longer than necessary for the fulfilment of the original purpose. The Privacy Commissioner found that such practice is commendable, as it is in compliance with the requirements of Data Protection Principle (“DPP”) 2(2) under the Personal Data (Privacy) Ordinance (“the Ordinance”).

Meanwhile, the Privacy Commissioner also found that 11 restaurants (namely, Triple O’s in Pacific Place of Admiralty, Spicy and Sour Noodle at Portland Street of Mongkok, Zaks in D’Deck of Discovery Bay, The Grill Room in the L. Square of Causeway Bay, Corner Kitchen at Tso Kung Square of Tsuen Wan, Bond at Tung Lo Wan Road of Tai Hang, Carnival Seafood Restaurant in Leung King Plaza of Tuen Mun, American Seafood & Grill in Fortune City One of Shatin, TW Yummy at Nathan Road of Yaumatei, Beef Noodle Box at Kam Ping Street of North Point and Ming Kee Cheung Fun at San Hong Street in Sheung Shui) used common registration forms or books, 1 restaurant (TamJai Yunnan Mixian at Kwai Yi Road in Kwai Fong) did not set up any collection box for the forms, 1 restaurant (House of Canton Restaurant in Cityplaza) failed to cover the collection box at all times, and 1 restaurant (Gyuugoku at Tai Tsun Street in Tai Kok Tsui) used uncut sheets of paper as common forms. The above practices had exposed the registered personal data to unauthorized or accidental access or use, and contravened DPP 4(1) of the Ordinance as regards the security of personal data.

Although the 14 restaurants subsequently took remedial actions to prevent recurrence in future, the Privacy Commissioner has decided to issue Enforcement Notices to the restaurants in question to request them to implement appropriate and practicable measures to protect the registration data of customers and specify the steps to be taken by the restaurants for preventing recurrence of the contravention. The measures included providing written policy and guidance to their staff, as well as circulating the guidance regularly and providing training to raise the awareness of their staff to the protection of personal data privacy.

The Privacy Commissioner wishes to make the following reminders and suggestions to all restaurants in Hong Kong through the report:

  1. Regardless of the scale of business, mode of operation and availability of resources, all restaurants have a responsibility to comply with the requirements of the Ordinance in the collection, holding, processing and use of personal data;
  2. In addition to incorporating privacy protection in the workflow of data processing, restaurants must also provide appropriate training and guidance for their staff;
  3. Restaurants must adopt measures to provide clear guidelines for their staff on the process and purpose of customer registration, and ensure the proper conduct of their staff, so as to avoid the collection and processing of personal data from being hampered by human negligence or error; and
  4. In response to anti-epidemic measures, restaurants need to raise the awareness of their staff to personal data privacy protection. By strengthening personal data privacy protection, restaurants would be able to enhance their goodwill, competitive edges, and potential business opportunities.

The Privacy Commissioner Ms Ada CHUNG Lai-ling also reminds citizens that, “To protect personal data, members of the public should be mindful of the privacy risks inherent in providing personal data for different restaurants. This is particularly true for citizens who frequently dine at different restaurants, if they choose to register personal information rather than using the “LeaveHomeSafe” mobile app, which effectively means that they may need to provide personal data for different restaurants daily. This, when compared with storing visiting records in the “LeaveHomeSafe” app in their own mobile phones, actually carries greater privacy risks.”

Download the Investigation Report “Security Measures Taken by Restaurants to Protect Customers’ Information Collected during the Registration Required under the COVID-19 Anti-pandemic Measures”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r21_2485_e.pdf
 

The Privacy Commissioner Ms Ada CHUNG Lai-ling published Investigation Report on security measures taken by 14 restaurants to protect customers’ registration data.



A restaurant failed to cover the collection box at all times.



Some restaurants used common registration forms or books.


A restaurant used uncut sheets of paper as common forms.
 

Annex
 
The 14 restaurants under complaint and their addresses

  1. Triple O’s: Shop 009, LG/F, Two Pacific Place, 88 Queensway, Admiralty
  2. Sour and Spicy Noodle: 1/F, 215 Portland Street, Mongkok
  3. TamJai Yunnan Mixian: Shop 49-54, G/F, 2-11 Kwai Yi Road, Kwai Fong
  4. American Seafood & Grill: Shop 71-73 & 82B, G/F, Fortune City One, Shatin
  5. TW Yummy: G/F, Independent Building, 499 Nathan Road, Yaumatei
  6. Zaks: Shop 4, G/F. & Shop 3, 1/F., D’Deck, Discovery Bay
  7. Beef Noodle Box: G/F, 41A Kam Ping Street, North Point
  8. The Grill Room: 5/F, The L. Square, Causeway Bay
  9. Bond: 2/F, 98 Tung Lo Wan Road, Tai Hang
  10. Gyuugoku: 38 Tai Tsun Street, Tai Kok Tsui
  11. Corner Kitchen: G/F., 10 Tso Kung Square, Tsuen Wan
  12. Ming Kee Cheung Fun: 11 San Hong Street, Sheung Shui
  13. House of Canton Restaurant: 506 Cityplaza, Taikoo Shing
  14. Carnival Seafood Restaurant: Shop 305-306, 3/F, Leung King Plaza, Tuen Mun
 
 
-End-