PCPD News • Issue no. 29
California Fitness Collected Excessive Personal Data from Membership Applicants
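California Fitness ("CF"), a fitness centre chain, infringed its customers' personal data privacy by collecting excessive personal data, including copies of Hong Kong Identity Cards, from people applying for or renewing membership.

The Privacy Commissioner issued an enforcement notice before publishing the investigation findings in December 2013, directing CF to remedy the contravention and prevent its recurrence. CF has lodged an appeal with the Administrative Appeals Board against the enforcement notice. The company maintained that it needed to collect copies of members' identity cards to support its sales reward scheme for staff, as a means of preventing salespersons from submitting bogus membership applications.

The investigation arose from complaints by two members of the public that CF, in handling their membership and renewal applications, collected their full dates of birth (year, month and day), identity card numbers and copies of their identity cards (or, alternatively, copies of their Home Visit Permits).

Privacy Commissioner Allan Chiang criticised CF for failing to learn from the Octopus incident and repeating the mistake of collecting excessive identification data to verify customers' identity.

"Organisations tend to collect more personal data rather than less, without seriously considering what actual purpose the data collected can serve. Moreover, organisations tend to favour administrative and operational convenience at the expense of data subjects' privacy and data protection. As for authentication, organisations pursue the most stringent authentication procedures regardless of the nature of the transaction; the widespread over-reliance on identity card numbers and identity card copies to authenticate identity really needs to be put right."

He reminded organisations to respect privacy in the design and implementation of identity verification procedures. The stringency of verification (such as how much personal data is collected for verification) should be proportionate to the nature and value of the transaction, and should take into account the sensitivity of the personal data concerned.

Read the full investigation report online:
www.pcpd.org.hk/chinese/publications/files/R13_12828_c.pdf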
California Fitness, a fitness centre chain, has breached a data protection principle under the Ordinance by collecting excessive personal data, including copies of Hong Kong Identity Card (“HKID Card”), from its customers who applied for or renewed memberships.

California Fitness lodged an appeal to the Administrative Appeals Board against the enforcement notice served by the Privacy Commissioner following the release of the investigation report in December 2013. The company held that HKID Card copies had to be collected to support its staff remuneration system for reward of achievement of sales targets. These documents served to deter submission of bogus membership applications by the sales staff.

The investigation stemmed from two complaints by its members against California Fitness’s collection of their full dates of birth; HKID Card numbers; and copies of HKID Card or, alternatively, Home Visit Permit.

Privacy Commissioner Mr Allan Chiang criticised California Fitness for not having learnt from the infamous Octopus incident and repeating the mistake of excessive collection of customers’ personally identifiable information for authentication purposes.

“Corporate data users tend to collect personal data without giving serious thought to what real purposes the data collected could serve. Further, they tend to over-emphasise their administrative and operational convenience, at the expense of data subjects’ privacy and data protection, and adopt the strongest level of identity authentication regardless of the nature of the transaction. The over-reliance of production of HKID Card number and HKID Card copy for identity authentication amounts to overkill and the trend must be reversed.”

He advised that organisations should respect privacy and ensure data protection at every stage of the design and operation of an authentication process. The level of authentication (such as the amount of personal data collected for that authentication process) should be in proportion to the nature and value of the transaction, and take into account the sensitivity of the personal data involved.

Read the Investigation Report online:
www.pcpd.org.hk/english/publications/files/R13_12828_e.pdf
California Fitness was found in breach of the Ordinance by collecting excessive personal data, including copies of Hong Kong Identity Card.