the purpose of obtaining the Certificate commits an offence. The car park

management company’s staff declared in the application form that the purpose of

obtaining the vehicle owners’ personal data provided in the Certificate of Particulars of

Motor Vehicle was “for legal proceedings”, where in fact the information collected was

used for sending promotional offers to the vehicle owners. There was no evidence to

show that the company had taken steps to prevent its staff from making a false

statement in the application forms. Concluding the investigation, the Commissioner

found that the company had collected personal data by unfair means in the

circumstances.

5.59

For the purpose of providing consumer credit reference services to credit providers, the

Code of Practice on Consumer Credit Data

43

permits the collection by a credit reference

agency of data contained in official records that are publicly available and relating to

any action for the recovery of a debt or judgment for monies owed that is entered

against an individual. This issue formed the subject matter of AAB No.5/2010 where a

complaint was lodged against a credit reference agency for collection of information

about a civil monetary claim involving the complainant. The information was obtained

from a public search of court actions. The civil monetary claim had been settled between

the relevant parties, but the settlement agreement was not a public document and the

credit reference agency did not know about it. The complainant maintained that the

collection of his personal data relating to the court action by the credit reference agency

without his knowledge prevented him from updating the record held by the credit

reference agency on settlement of the claim. The AAB noted that the information was

relevant in putting credit providers on notice to find out the outcome of the civil action,

albeit the approval of credit facilities might be delayed. It accepted that there was no

requirement under the Ordinance or the Code for the credit reference agency to notify

the complainant before collecting his personal data from court records. Hence there was

no contravention of the Code or the Ordinance.

Collection of Biometric Personal Data, Such as Fingerprint Data and Consent

5.60

The question as to whether fingerprint data is personal data was discussed in Chapter 2.

It is a unique identifier of an individual which remains unchanged throughout his lifetime.

Given the sensitive nature of biometric data, collection of such data should be handled

cautiously. Before seeking to collect biometric data from data subjects, a data user

should assess the privacy risks and impact of such collection and consider whether the

purpose of collection can be effectively achieved by other less privacy intrusive

alternatives. In seeking consent from the data subject for the provision of his fingerprint

data, it is important that the data subject is free and able to give such consent

voluntarily, not under undue pressure, influence or threat. If a data user compulsorily

collects the personal data of the data subjects without any legal basis or reasonable

grounds and takes adverse action against those who are not willing to provide their

data, such means of collection would not be regarded as fair. Furthermore, the

Commissioner will consider if the data user has provided information to the data subjects

to enable them to clearly understand the possible impact of collection of their

fingerprint data, including any adverse impact and whether other less privacy intrusive

43

Clause 3.1.3A of the Code.