Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

monitoring measures to tackle the problem of employee fraud instead of collecting

members’ HKID or Home Visit Permit copies at the expense of their personal data

privacy.

5.15

However, after examining the membership agreement and past incidents of legal

actions brought against the members in respect of unpaid membership fees or for

claiming damages for broken equipment, etc. as well as other evidence available, the

Commissioner found that the fitness centre’s collection of the members’ HKID numbers

was justified under paragraphs 2.3.3.3

and 2.3.4.1

of the Code of Practice on the

Identity Card Number and other Personal Identifiers. He considered that the fitness

centre’s intention to establish or to evidence a legal right or interest or liability on the

part of the members at the time of signing the membership agreement, and the right,

interest or liability covered by the said agreement was not of a transient nature, nor was

it trivial in the circumstances. As noted by the Commissioner, the collection of a copy of

a HKID is subject to stricter control and greater protection as the copy does not only

contain a unique identifying number, but also the full name, photograph and date of

birth of the holder. The indiscriminate collection and improper handling of copies of

HKIDs may infringe the privacy of the data subject and create opportunities for fraud

and identity theft.

5.16

Another case considered by the Commissioner involved the collection by a service

operator of the HKID numbers of applicants who applied for Autotoll electronic toll

collection services, for the purposes of avoiding any damage or loss arising from Autotoll

users passing through toll lanes with a negative balance in the Autotoll account. The

Commissioner found that such collection was not inconsistent with DPP1(1) and

paragraphs 2.3.3.3 and 2.3.4.1 of the Code of Practice on the Identity Card Number and

other Personal Identifiers.

This decision was upheld by the AAB in AAB No.24/2013. The

AAB expressed the view that:

one should (not) approach paragraph 2.3.3.3 of the Code by merely counting dollars and

cents. The nature of the loss and damage is equally, if not more, important … the line should

be drawn by distinguishing genuine commercial loss essential to the very operation of the

service of a service provider from artificially created loss such as bonus points and cash

rewards.

The AAB considered that the collection of undercharge and unpaid tolls went right to

the heart of the Autotoll’s business and it was vital to its business that it could collect the

same from the account holders. The AAB agreed with the approach adopted by the

Paragraph 2.3.3.3 covers the situation of collection of identity card number by a data user to safeguard against

damage or loss on the part of the data user which is more than trivial in the circumstances.

Paragraph 2.3.4.1 concerns the collection of identity card numbers for insertion in a document to be executed by the

holder of the identity card to establish or to evidence any legal or equitable right, interest or liability on the part of any

person other than any right, interest or liability of a transient nature or which is trivial in the circumstances.

Paragraph 59 of the decision given in

AAB No. 24/2013