15

PCPD News

私隱專員公署通訊

•

Issue no. 29

場景

Scenario

2

抽獎活動

Lucky Draws

場景

Scenario

1

積分獎賞╱會員計劃

Reward Points for Purchases

零售商推出積分獎賞計劃，會員需提供

身份證號碼及出生日期登記。會員每次

購物可賺取積分，用積分換取現金券。

會員亦享有購物折扣和推廣優惠。若會

員報失會員咭，店員會要求會員出示身

份證以核實會員的身份，才安排換領新

會員咭及保留已賺取的積分。

A retail group has devised a customer-

loyalty programme which requires

the collection of ID card numbers

and dates of birth of its members.

Membe r s can ea r n r ewa r d po i n t s

for each purchase, and the reward

points can be used to redeem cash

coupons. Members are also entitled

to take advantage of discount and

promotional offers. If members lose

their membership cards, they need to

present their ID cards to obtain new

cards and retain the reward points

earned.

保障私隱錦囊

•

提供一般的消費優惠或獎賞，用顧客

的姓名及電話號碼已足以核實身份，

毋須收集身份證號碼或副本等私隱度

高的資料。

零售公司舉辦抽獎遊戲，要求參加者提

供姓名、地址、電話號碼和身份證號碼

登記。獎品價值達數萬元。

A retail company is holding a lucky

draw. Participants are required to

p r o v i d e t h e i r n ame s , a dd r e s s e s ,

telephone numbers and ID card numbers

for registration. The prize is worth tens

of thousands of dollars.

•

在申請表格上提供「收集個人資料聲

明」，述明收集資料的目的、資料用

途、資料可能轉移給甚麼類別的人，

及要求查閱及改正個人資料的方法等。

•

如要收集與參加積分獎賞╱會員計

劃無直接關係的資料（例如職業、喜

好），以作市場分析，應讓客人自行

選擇是否願意提供。

•

考慮侵犯私隱度較低的方法。舉例

說，憑出生月份已足以提供生日優

惠，不必要求顧客填報出生年月日；

用年齡組別選項代替填寫具體歲數，

避免收集「超乎適度」的個人資料而違

反規定。

•

如為會員提供網上服務，應採取足

夠的保安措施，以防資料外洩。勿用

電話號碼或身份證號碼作為會員號

碼或網上帳戶的密碼，減低被盜用

的機會。

Tips for data privacy

• Name and telephone number are

adequate for the purpose of identity

authentication in the case of general

offers and rewards. There is no need to

collect highly private data such as ID

card numbers or hard copies of ID cards.

保障私隱錦囊

•

可考慮在抽獎券上印上序號，以防複

製或偽造。領獎時，可要求得獎者出

示身份證以核對其姓名和容貌。

•

除非關乎公司「超過輕微程度的損失」，

否則不必收集顧客的身份證號碼作身

份核實之用。

•

活動完結後，應將不再需要的資料銷

毀，以免違規。

• P r ov i de a Pe r sona l I n f o rma t i on

Collection Statement (“PICS”), which

states the purpose of collection, the

intended use of the data, the types of

parties the data will be transferred to,

and how to make a request for data

access or data correction.

• If any data not directly related to the

reward programmes/membership

programmes (for example, occupations

or preferences) is to be collected for

market research purposes, the members

should be given the choice of whether

or not to provide the data.

• Con s i de r l e s s p r i vacy - i n t r u s i ve

alternatives. For example, collect

only the month of birth for birthday

offers; use age ranges instead of asking

for the exact age. These alternatives

would help avoid collecting excessive

personal data.

• If online services are provided for

members, take measures to ensure

the security of their data. To reduce

the risk of identity theft, never use

t he phone numbe r s o r ID c a r d

numbers of members as default

membership numbers or passwords

for online user accounts.

Tips for data privacy

• Consider printing the numbers on the

draw ticket to prevent duplications or

fakes. Check the name and photo on

the ID card produced by the person

who claims to be the winner.

• If the potential loss for the company

is trivial, it is not necessary for the

company to collect the ID card

number of participants for identity-

authentication purposes.

• Destroy all data which is no longer

necessary after the event.