options have been offered to the data subjects to make a well-informed decision.

5.61

Children of school age or individuals who are incapable of managing their own affairs

are vulnerable, warranting greater protection of their personal data privacy. Collection

of fingerprint data from these groups, if challenged, will be critically examined by the

Commissioner. A primary school’s practice of collecting the fingerprint data of its

students for the purpose of recording the use of the canteen and library facilities was

found to be unnecessary and excessive.

44

5.62

In a complaint case where an employer collected fingerprint data to record staff

attendance, the Commissioner considered the keeping of an effective and accurate

staff’s attendance record was not sufficient grounds to justify the collection of biometric

personal data of a sensitive nature. Particularly as the employer had also installed

surveillance cameras to monitor staff attendance and the system that collected the

fingerprint data also offered the option of using passwords for staff identification, the

collection of the fingerprint data was unnecessary and excessive.

The Commissioner also

found that the staff were under undue pressure to oblige for fear of the termination of

their employment.

Taking further into account that the employer had not provided the

staff with sufficient information to enable them to make informed decisions, the

Commissioner found the employer had adopted unfair means to collect the fingerprint

data in all the circumstances of the case, and contravened DPP1(2)(b).

45

5.63

Similarly, in another investigation case,

46

the Commissioner considered that an

employee’s consent to providing fingerprint data to her employer was neither genuine

nor informed. In that case, a high-end fashion trading company collected employees’

fingerprint data for the purposes of safeguarding office security and monitoring staff

attendance. The employer had failed to duly inform employees of relevant matters such

as whether the whole or partial images of fingerprints were collected; how the

fingerprint recognition devices operated; the class of persons to whom fingerprint data

might be transferred; the privacy risk associated with the collection and use of

fingerprint data and the measures to prevent abuse or improper handling of the data;

the channel for employees to inquire about the accuracy of their attendance data

collected; the retention period of their fingerprint data and the persons who could

access the fingerprint data, etc. Therefore, the Commissioner took the view that the

collection of the employees’ fingerprint data by the employer was not fair in the

circumstances, and was thus a contravention of DPP1(2). Another finding related to the

security of the premises. To safeguard its property, the employer had already installed

several security devices including CCTV cameras, digital locks, ordinary door locks and a

44

See case note no. 2005C12, available on the Website:

https://www.pcpd.org.hk/english/enforcement/case_notes/casenotes_2.php?id=2005C12&content_type=&content_n ature=&msg_id2=257

45

See investigation Report No. R09-7884, available on the Website:

https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/report_Fingerprint_e.p df

46

See Investigation Report No. R15-2308, available on the Website:

https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R15_2308_e.pdf