PCPD News 私隱專員公署通訊 • Issue no. 30
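Privacy Commissioner's Comments
• BBDTek's failure to respond to the change in MAC address behaviour was the main cause of this data leakage, and it cannot escape responsibility. However, as BBDTek was only an outsourced agent of HKA Holidays and was not involved in handling customers' personal data, it is not a data user under the Ordinance. The Privacy Commissioner cannot take direct enforcement action against it.
• Under section 65(2) of the Ordinance, HKA Holidays as the principal is responsible for BBDTek's failings. The Privacy Commissioner therefore considers that HKA Holidays contravened the requirements of Data Protection Principle 4(1).
• On 1 October 2013, HKA Holidays released an updated version of TravelBud for the iOS platform, which included the following remedial measures:
» MAC address is no longer used to identify non-members
» The order enquiry function for non-members has been discontinued
» Non-members can only purchase flight tickets, and must provide the personal data of passengers and contact persons afresh for each purchase
• HKA Holidays has taken adequate remedial measures, and the legal ownership of TravelBud was transferred to a Mainland company in January 2014. In these circumstances, the Privacy Commissioner has not served an enforcement notice on HKA Holidays.
• However, the Privacy Commissioner has warned HKA Holidays that he will consider taking enforcement action against it should it fail to comply with the relevant requirements of the Ordinance in similar situations in future.
• Although most app developers, like BBDTek, are small and medium enterprises, they still have a responsibility to comply with the requirements of the Ordinance. They must keep pace with the times and stay abreast of the latest technological developments and trends, ensuring that privacy and data protection are not affected when they update the mobile apps they have developed and improve their functions.
• When outsourcing app development, an organisation should take care to choose app developers that have a good reputation and are competent in privacy protection.
• If proper measures are not taken when engaging an outsourced agent, and personal data is leaked or misused through the agent's negligence, this may cause serious harm to the organisation's customers and damage its goodwill.
• In supervising app developers, an organisation may refer to the recommended contractual terms set out in the investigation report and in the PCPD's information leaflet 「外判個人資料的處理予資料處理者」 (www.pcpd.org.hk/tc_chi/resources_centre/publications/information_leaflet/files/dataprocessors_c.pdf).
Investigation report: www.pcpd.org.hk/tc_chi/enforcement/commissioners_findings/investigation_reports/files/R14_6453_c.pdf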
The Commissioner’s Comments
• BBDTek failed to respond to the change of MAC address behaviour, thus causing the leakage incident. However, BBDTek was only an outsourced agent of HKA Holidays and was not provided or entrusted with any personal data of the latter's customers for processing. Accordingly, BBDTek was not a data user as defined under the Ordinance. Therefore, the Commissioner cannot take direct enforcement action against it.
• By virtue of section 65(2) of the Ordinance, HKA Holidays as BBDTek's principal was responsible for BBDTek's misdeed.
• On 1 October 2013, HKA Holidays released an updated version of TravelBud for running on iOS platform, which had the following remedial features:
» MAC address was no longer used to identify non-members
» The order history enquiry function for non-members was disabled
» Non-members could still purchase flight tickets but needed to provide personal data of passengers and contact persons for each purchase
• The Commissioner considers that HKA Holidays has taken adequate steps to remedy the contravention. On the other hand, the legal ownership of TravelBud was transferred from HKA Holidays to a Mainland company. In the circumstances, no enforcement notice has been served on HKA Holidays.
• Instead, the Commissioner has warned HKA Holidays that enforcement action would be taken should it fail to observe the relevant requirements under the Ordinance in similar situations in future.
• Although most app developers are small and medium enterprises, they still have the obligation to comply with the requirements under the Ordinance. It is incumbent upon them to keep abreast of the relevant trends and developments in technology so that they can update the apps they have developed to achieve enhanced functionality without compromising privacy and data protection.
• When outsourcing the development of the apps, an organisation should exercise care and choose competent app developers with good track records. Without appropriate safeguards in appointing outsourced agents, leakage or misuse of the personal data due to the agents' negligence might happen, thus causing serious harm to its customers and bringing the organisation into disrepute.
• An organisation may consider adopting the recommended contractual terms found in the investigation report and in PCPD's "Outsourcing the Processing of Personal Data to Data Processors" information leaflet (www.pcpd.org.hk/english/resources_centre/publications/information_leaflet/files/dataprocessors_e.pdf).
Investigation Report: www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R14_6453_e.pdf