Table of Contents Table of Contents
Previous Page  56 / 192 Next Page
Information
Show Menu
Previous Page 56 / 192 Next Page
Page Background

chain lock. In particular, the installation of CCTV cameras was proven effective in

identifying the culprits involved in several day-time theft incidents experienced by the

employer, all committed by its staff and customers, who were authorised to access the

premises. The Commissioner considered that the installation of fingerprint recognition

devices to prevent unauthorised entry would not help prevent these thefts. Besides, the

company had only twenty employees. Hence, it would be relatively easy to monitor

staff attendance by other less privacy intrusive alternatives such as using a password or

a smartcard that carries an identification number instead of using a fingerprint

recognition device. These alternative means could well involve no additional collection

or retention of personal data. Therefore, the Commissioner also considered that the

employer’s collection of the employee’s fingerprint data was unnecessary and

excessive in the circumstances, in contravention to the requirements under DPP1(1).

5.64

The Commissioner respects a data subject’s free will to provide his biometric data for his

daily or social activities, such as for gaining access to an amusement theme park. In an

investigation carried out by the Commissioner, the theme park in question gave options

to its customers to choose between the provision of fingerprint data and photographs

for identification, and no fingerprint data of children aged 11 and below was

collected.

47

Where the data subjects are sufficiently informed of the adverse impact

brought about by the collection of their fingerprint data and they are given an option

not to provide the data, there is no issue of unfairness. Data users who intend to collect

the fingerprint data of data subjects for performing its lawful functions and activities may

refer to the Guidance on Collection and Use of Biometric Data issued by the

Commissioner.

48

DPP1(3)

5.65

Data Protection Principle 1(3) of Schedule 1 to the Ordinance provides as follows:

(3) Where the person from whom personal data is or is to be collected is the data subject,

all practicable steps shall be taken to ensure that –

(a) he is explicitly or implicitly informed, on or before collecting the data, of –

(i) whether it is obligatory or voluntary for him to supply the data; and

(ii) where it is obligatory for him to supply the data, the consequences for him if he

fails to supply the data; and

(b) he is explicitly informed –

(i) on or before collecting the data, of –

(A) the purpose (in general or specific terms) for which the data is to be used;

and

47

Case No. 2009C10 of Complaint Case Notes, available on the Website:

https://www.pcpd.org.hk/english/enforcement/case_notes/casenotes_2.php?id=2009C10&content_type=&content_n ature=&msg_id2=337

48

See the

Guidance on Collection and Use of Biometric Dat

a, available on the Website:

https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_biometric_e.pdf
1 51 52 53 54 55 56 57 58 59 60 61 62 192  FlippingBook