5.19
The practice of collecting a partial HKID number was also examined in an investigation[15]
concerning the MoneyBack Programme run by A.S. Watson Group Limited through
ParknShop.
The MoneyBack Programme was a customer rewards scheme whereby
customers were rewarded for their loyalty by redemption offers of goods and services as
well as marketing offers. The application form for the scheme required applicants to
provide their names, addresses, telephone numbers, the first four digits of their HKID
numbers and their months and years of birth. The collection of the partial HKID number
was for the purpose of identifying the customer in the event of a report of loss of the card
and also for use as a default password to log in to the Programme’s website. The Commissioner
did not accept that such collection was necessary. First, the telephone number of the
applicant, as noted in the application form, could also be used as a default password. In
addition, any other set of numbers or characters could be generated and assigned to
the customer as a default password. As in the Octopus Card case, the Commissioner
was of the view that the name, home address and telephone number were sufficient
data for customer identification purposes.
5.20
Having considered that the contract entered into between the company and the
customer involved only bonus points and discount privileges, and the low value (less
than $1,000) of the reward points likely to be accumulated by the average subscriber,
the Commissioner found that the collection of the partial HKID number did not fall within
the permitted circumstances under the Code of Practice on the Identity Card Number
and other Personal Identifiers.[16] In coming to this conclusion, the Commissioner rejected
the argument that the partial HKID number should not be deemed as a personal
identifier, considering that it could be combined with other personal data collected to
ascertain the identity of the customer. The company was thus found to have
contravened DPP1(1).[17]
Collection of HKID Numbers through Mobile Apps
5.21
Nowadays, organisations use a mobile application (“app”) as a means to reach out to
customers and collect and process a wide range of personal data. It is pertinent that
before seeking to collect personal data, they consider whether the items are necessary
and not excessive in complying with the requirements under DPP1(1).[18]
[15] See Investigation Report No. R12-3888, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R12_3888_e.pdf
[16] Paragraph 2.3.4.1 of the Code of Practice on the Identity Card Number and other Personal Identifiers.
[17] As regards the month and year of birth, the Commissioner however accepted the argument that these data were
primarily collected for designing targeted promotional offers in order to better understand members’ background and
make offers more suited to their needs. The Commissioner was of the view that the collection of the data was directly
related to the purposes of the Programme and found no evidence to suggest that such collection was excessive.
[18] The Commissioner has issued a Best Practice Guide for Mobile App Development providing practical guidance on
privacy protection to mobile app developers, available on the Website:
https://www.pcpd.org.hk//english/resources_centre/publications/files/Best_Practice_Guide_for_Mobile_App_Development_20151103.pdf