Date: 21 December 2023
Privacy Commissioner’s Office Publishes Two Investigation Reports
The Office of the Privacy Commissioner for Personal Data (PCPD) today published two investigation reports. The first report relates to four cases of improper retention and use of personal data of employees / former employees by employers and the second report relates to unauthorised scraping of the personal data of Carousell users. The new edition of an information leaflet on “Human Resource Management: Common Questions” is also published at the same time.
-
Investigation Report: Four Organisations Improperly Retained and Used Personal Data of Employees / Former Employees
During the past five years, the PCPD received on average over a hundred complaints relating to human resource management per annum. To raise the awareness amongst employers and human resource managers of their duties in protecting personal data privacy and in complying with the relevant legal requirements, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, today published an investigation report in respect of four complaints received by the PCPD concerning human resource management.
The four complaints involved four organisations, which are, respectively:-
-
Kwong Wah Hospital managed by the Hospital Authority (HA) – Staff improperly disclosed personal data in instant messaging application chat group;
-
Christian Louboutin Asia Limited (Christian Louboutin) – Staff improperly disclosed personal data in instant messaging application chat groups;
-
Star Entertainment (Universe) Limited (Star Entertainment) – Continued to use a former employee’s personal data as the user of a corporate bank account after he had left employment; and
-
Ngan Yuet Health and Beauty Limited (Ngan Yuet) – Used the old address of a former employee for filing and mailing a tax return.
(Please refer to the Annex for details of the aforementioned complaint cases).
After conducting investigations into the four complaints, the Privacy Commissioner found that the HA, Christian Louboutin and Star Entertainment had contravened Data Protection Principle (DPP) 3(1) of the Personal Data (Privacy) Ordinance (PDPO) as regards the use (including the disclosure) of personal data, and Ngan Yeut had contravened DPP 2(1) as regards the accuracy of personal data and DPP 4(1) as regards the security of personal data. The Privacy Commissioner has served Enforcement Notices on the four organisations, directing them to remedy and prevent recurrence of their respective contraventions.
Four Recommendations for Employers
Through the report, the Privacy Commissioner would like to make four recommendations to employers. They are recommended to:-
-
Introduce the “Personal Data Privacy Management Programme” and showcase good data governance;
-
Appoint a Data Protection Officer to implement the effective operation of the Privacy Management Programme;
-
Devise a training strategy in respect of personal data privacy; and
-
Proactively communicate with staff for the effective formulation of procedures, guidelines and training programmes that cater for their daily situations and needs.
To assist employers and human resource managers in understanding their duties in protecting personal data privacy and complying with the requirements under the PDPO in handling personal data relating to human resource management,
the PCPD has in parallel updated an information leaflet on “Human Resource Management: Common Questions”. The content covers frequently asked questions relating to the application of the PDPO to human resource management.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, said, “Human resource management often involves the handling of a vast amount of personal data. Employers and human resource managers need to acquaint themselves with the legal requirements and best practices in relation to the protection of personal data privacy. Respecting the personal data privacy of employees would not only serve to promote a harmonious relationship between employers and employees, but would also enable the organisation to gain trusts from employees, thereby achieving a win-win situation.”
Download the Executive Summary of “Investigation Report on the Improper Retention and Use of Personal Data of Employees / Former Employees by Employers”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r23_18465_e.pdf
Download the Information Leaflet on “Human Resource Management: Common Questions”:
https://www.pcpd.org.hk//english/resources_centre/publications/files/Some_Common_Question_Eng.pdf
-
Investigation Report: Unauthorised Scraping of the Personal Data of Carousell Users
On completion of its investigation into a data breach incident relating to Carousell Limited, the PCPD published an investigation report today. The investigation arose from a data breach notification lodged by Carousell Limited reporting that a listing posted on an online forum offered for sale the personal data of 2.6 million Carousell users, which included the leakage of the personal data of 324,232 user accounts in Hong Kong. According to Carousell Limited, the data breach incident was caused by a security vulnerability that was introduced during a system migration in January 2022.
According to the evidence obtained in the investigation, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that the incident had been caused by the following deficiencies of Carousell:
-
Failing to conduct a privacy impact assessment prior to the system migration;
-
Incomprehensive code review process;
-
Inadequate security assessment associated with the system migration;
-
Lack of a written policy in relation to the code review process; and
-
Lack of effective detection measures.
Although Carousell Limited was at all material times using the information systems and database under the centralised model of the Carousell Group, Carousell Limited as a data user under the PDPO has a positive duty to safeguard the security of the personal data under its control. Having considered all of the evidence of the investigation, the Privacy Commissioner considered that Carousell Limited bore responsibilities for the following deficiencies:
-
Failure to check whether a privacy impact assessment was conducted prior to the system migration;
-
Failure to check whether a comprehensive code review process was implemented before the application programming interface (API) in question was committed to production;
-
Failure to ensure that a thorough security assessment was conducted for the system migration;
-
Failure to check and ensure that there was a written policy for the code review process; and
-
Failure to ensure that effective measures were implemented to detect abnormal activities, which contributed to the failure to prevent or detect the extraction of personal data of Carousell users from the API in question.
Considering Carousell’s extensive international operations and the vast number of active users it serves, it is reasonable to expect that the Carousell Group, including Carousell Limited in Hong Kong, would have invested sufficienet resources in ensuring the robust security of its information systems. However, the Privacy Commissioner was very disappointed to note that the occurrence of the incident revealed fundamental failures by Carousell to ensure the security of the personal data held by the group, and that the incident could have been avoided if some normal risk and security assessment procedures and tools had been implemented. The Privacy Commissioner regretted that these fundamental failures had led to the leakage of the personal data of 2.6 million Carousell users worldwide, including over 320,000 of its users in Hong Kong.
Based on the above reasons, the Privacy Commissioner considered that Carousell Limited had not taken all practicable steps in relation to the system migration to ensure that the personal data involved were protected from unauthorised or accidentall access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on Carousell Limited, directing it to remedy and prevent recurrence of the contravention.
Through the report, the Privacy Commissioner wishes to make the following recommendations on strengthening data security to organisations which may perform information system migration involving personal data:
-
Carry out privacy impact assessments, especially when significant changes are made to their systems or practices and upon the adoption of new technologies;
-
Develop a migration plan that prioritises data protection;
-
Conduct effective vulnerability assessments;
-
Provide relevant employee training;
-
Implement an effective mechanism for detecting abnormal activities; and
-
Formulate localised policies and procedures to ensure compliance with the PDPO.
In addition, given that the Carousell Group is based in Singapore, the PCPD has shared a copy of the investigation report with Singapore’s Personal Data Protection Commission (PDPC) in accordance with the Memorandum of Understanding signed between the PCPD and Singapore PDPC.
Download the Investigation Report “Unauthorised Scraping of the Personal Data of Carousell Users”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r23_0665_e.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the “Investigation Report on the Improper Retention and Use of Personal Data of Employees / Former Employees by Employers”.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (centre), Assistant Privacy Commissioner (Complaints and Criminal Investigation), Mr Billy KWAN Kai-yu (left) and Senior Personal Data Officer (Compliance & Enquiries), Mr John LO Ho-wing (right), introduced the two investigation reports.
-End-
Annex
Particulars of Improper Retention and Use of Personal Data of Employees / Former Employees by Employers
Investigation Case (1)
The complainant was a staff member of Kwong Wah Hospital which is managed by the Hospital Authority (HA). On two occasions, the complainant applied for sick leave to his departmental manager directly through an instant messaging application, and mentioned his illness in the messages (see Figure 1). Subsequently, the complainant’s direct supervisor forwarded the two messages to a chat group (the Group) set up amongst 47 staff belonging to the same department as the complainant (see Figures 2 and 3).
The complainant was dissatisfied that his direct supervisor had forwarded the two messages to the Group, thus unnecessarily disclosing his illness to the members of the Group.
It is clear that the HA collected the complainant’s sick leave data to handle matters relating to the complainant’s sick leave application and staff deployment. Under Data Protection Principle (DPP) 3, unless with the complainant’s prescribed consent (that is, express and voluntary consent), the HA was only allowed to use the complainant’s sick leave data for the above purposes or directly related purposes.
From the evidence collected in the investigation, the Privacy Commissioner considered that disclosing the complainant’s illness to the members of the Group was excessive to the original purpose of use of the data (i.e. handle the complainant’s sick leave application and staff deployment). As such, the disclosure of personal data was not for the original purpose or a directly related purpose; it amounted to using the data for a new purpose. Given that the HA did not obtain the complainant’s prescribed consent for such use, the HA had contravened the requirement of DPP3(1) as regards the use of personal data in the present case.
Figure 1
(Personal data in the case is redacted)
Figure 2
(Personal data in the case is redacted)
Figure 3
(Personal data in the case is redacted)
Investigation Case (2)
During the complainant’s employment with Christian Louboutin Asia Limited (Christian Louboutin), he submitted a certificate of diagnosis to his supervisor and provided a medical certificate through an instant messaging application. His supervisor sent a photo of the certificate of diagnosis to a work-related chat group set up for around 14 staff (see Figure 4) and forwarded the medical certificate to another work-related chat group of around 10 staff (see Figure 5). The complainant was dissatisfied that his supervisor disclosed the aforesaid information to the staff members in the relevant work-related chat groups.
The complainant provided his supervisor with a certificate of diagnosis to illustrate that he was unfit to perform certain types of work owing to his physical condition, while the medical certificate was submitted in support of his sick leave application. Under DPP3, unless with the complainant’s prescribed consent, Christian Louboutin was only allowed to use the complainant’s personal data contained in the two certificates for the purposes of adjusting work arrangements, handling his sick leave application and staff deployment consequent upon the complainant’s restrictions / absence from work, or for purposes directly related to the aforesaid purposes.
Having investigated into the case, the Privacy Commissioner considered that the members of the work-related chat groups did not need to know the complainant’s physical condition. Christian Louboutin’s use of the complainant’s personal data about his physical condition in this case was inconsistent with the purposes (including directly related purposes) for which the personal data had been collected in the first place, and such use amounted to using the personal data for a new purpose. Without obtaining the prescribed consent (that is, express and voluntary consent) from the complainant, Christian Louboutin’s act was in contravention of the requirement of DPP3(1) as regards the use of personal data.
Figure 4
(Personal data in the case is redacted)
Figure 5
(Personal data in the case is redacted)
Investigation Case (3)
The complainant is a former accounting staff of Star Entertainment (Universe) Limited (Star Entertainment). At the time when he worked for Star Entertainment, Star Entertainment registered him as one of the users of corporate online banking of an associated company (the Account). This was to enable him to operate the Account through the online banking service. However, after he had left employment, the complainant kept receiving SMS alerts from the bank in relation to the Account through his mobile number (see Figure 6). The complainant had repeatedly relayed the above situation to Star Entertainment and requested them to stop using his personal data for such purpose, but the requests were not followed up. The complainant therefore lodged a complaint with the Office of the Privacy Commissioner for Personal Data.
As the complainant’s employer, it is obvious that Star Entertainment initially collected personal data from the complainant to handle the employment matters. Star Entertainment should only use the complainant’s personal data (including his personal mobile phone number) for the purpose of handling employment matters, a directly related purpose or a new purpose to which the complainant had consented.
Although in this case the complainant had once consented to Star Entertainment’s use of his personal data to register online banking for the Account, after the complainant had left employment and ceased consenting to such use, Star Entertainment continued to use the complainant’s personal data in the registration of online banking for the Account without the prescribed consent (that is, express and voluntary consent) of the complainant. The Privacy Commissioner considered that Star Entertainment was in contravention of the requirement of DPP3(1) as regards the use of personal data.
Figure 6
(Personal data in the case is redacted)
Investigation Case (4)
Ngan Yuet Health and Beauty Limited (Ngan Yuet) updated the complainant’s address in its records as per his request during his employment. After he had left employment, the complainant did not receive the “Employer’s Return of Remuneration and Pensions” (the Return). The complainant later found that his old address had been stated in the Return (see Figure 7), a copy of which was mailed to that address.
DPP2(1) of Schedule 1 to the Personal Data (Privacy) Ordinance stipulates that all reasonably practicable steps shall be taken by a data user to ensure that personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used.
The Return was completed by a secretarial company on behalf of Ngan Yuet. When the relevant tax information file was provided to the secretarial company, Ngan Yuet did not notice that the file contained the old address of the complainant. In addition, the staff directly used the address shown on the Return (i.e. the old address) for mailing purposes when sending the copy of the Return. The Privacy Commissioner considered that when Ngan Yuet handled the Return and provided a copy of it to the complainant, Ngan Yuet had not taken all reasonably practicable steps to ensure that the complainant’s address was accurate, hence contravening the requirement of DPP 2(1) as regards the accuracy of personal data.
In the incident, sending of the Return to a wrong address exposed the Return to the risk of falling into the hands of unknown parties, and thereby leaking the complainant’s personal data contained in the Return, including his name, Hong Kong Identity Card number and salary information. Accordingly, the Privacy Commissioner also considered that Ngan Yuet had not taken all practicable steps to protect the complainant’s personal data contained in the Return against unauthorised or accidental access, processing, loss or use, in contravention of the requirement of DPP 4(1) as regards the security of personal data.
Figure 7
(Personal data in the case is redacted)