16

PCPD News

私隱專員公署通訊

•

Issue no. 32

公署動態

PCPD in Action

過度及不公平收集僱員的指紋資料

Excessive and Unfair Collection of Employees’ Fingerprint Data

公署於

2015

年

7

月

21

日發表一份調查

報告，指時裝貿易公司坤麗（亞洲）有

限公司（「該公司」）以保安及監察員

工考勤為由收集僱員的指紋資料，公署

認為其資料收集屬超乎適度和不公平。

公署的調查結果和決定

i.

基於指紋資料具獨特和不變的特

性，必須加以保障，免致個人身份

被盜用，故此必須要有充份的理據

方可收集及使用指紋資料。

ii.

該公司已安裝多項保安措施以保障

公司財物，當中包括閉路電視鏡

頭、數碼門鎖、一般門鎖及鏈鎖，

故此安裝指紋識別裝置作為夜間保

安措施，實屬多此一舉。

iii.

該公司曾發生多次日間失竊事件，

犯案者均是其員工和顧客。因此即

使安裝了指紋識別裝置以防止外人

擅自進入，亦無助防止盜竊案件發

生；反之透過已安裝的閉路電視錄

影的影像去追查這些失竊事件，並

從中成功認出犯案者 ，更能發揮保

安功能。

iv.

該公司只有

20

名僱員，要監察僱

員考勤，使用較少干犯僱員私隱的

方法來取代指紋識別裝置亦相對容

易，如利用密碼或智能卡等，均無

須額外收集或儲存個人資料。

根據上述觀察，公署認為該公司超乎適

度地收集僱員的指紋資料，違反了《個

人資料（私隱）條例》（「條例」）的

保障資料第

1(1)

原則。

此外，公署發現該公司收集僱員指紋資

料的方式屬不公平，因為該公司並沒有

讓僱員選擇其他替代方法以迎合保安及

考勤紀錄的要求，亦沒有告知僱員提供

其指紋資料所涉及的私隱風險，以及該

公司有甚麼措施防止不當收集或使用該

些資料，此舉違反了條例的保障資料第

1(2)

原則。

執法行動

前任私隱專員已向該公司送達執行通

知，指令其銷毀所有已收集屬於現職及

離職僱員的指紋資料，並停止收集僱員

的指紋資料。

公署發出《收集及使用生物辨識資

料 指 引 》

(

www.pcpd.org.hk/tc_chi/

resources_centre/publications/files/

GN_biometric_c.pdf

)

，當中提供更多有

關收集及使用指紋資料的行政措施及技

術的詳情。該指引亦適用於其他用作身

份識辨的生物特徵資料，如

DNA

、視

網膜、面部圖像、掌紋圖像及筆跡。

調 查 報 告

:

www.pcpd.org.hk/tc_chi/

enforcement/commissioners_findings/

investigation_reports/files/R15_2308_c.pdf

On 21 July 2015, the PCPD published an

investigation report on the collection of

employees’ fingerprint data by Queenix

(Asia) Limited, a fashion trading company

(“Company”), for safeguarding office

security and monitoring staff attendance.

PCPD considered such data collection

excessive and unfair.

PCPD’s Findings and Determination

i.

G i v e n t h e u n i q u e n e s s a n d

immutability of fingerprint data it

must be protected against identity

theft or misappropriation. Hence it

should be collected and used only

when justified.

ii. The Company had already installed

several security devices to safeguard

i t s p r ope r t y, i nc l ud i ng CCTV

cameras, digital locks, ordinary door

locks and a chain lock. These all

render the fingerprint recognition

devices redundant as a night-time

security device.

iii. The Company had experienced

several day-time theft incidents

which were all committed by

its staff and customers. As such,

the installation of the fingerprint

recognition devices to prevent

unauthorised entry would not help

prevent these thefts. The existing

CCTV cameras, which detected the

thefts and identified the culprits,

appear to be a more effective

security means.

iv. Th e C o m p a n y h a d o n l y 2 0

employees. Hence it would be

relatively easy to monitor staff

attendance using less privacy

intrusive means instead of the use

of a fingerprint recognition device.

These alternative means, such as a

password or a smartcard, could well

involve no additional collection or

retention of personal data.

Based on these findings, the PCPD finds

the collection of employees’ fingerprint

data by the Company was excessive,

thereby contravening Data Protection

Principle (“DPP”)1(1) of the Personal

Data (Privacy) Ordinance.

The former Commissioner also finds

t he da t a co l l ec t i on un f a i r i n t he

circumstances of the case, as the

employees were neither provided with

the choice to opt for other alternatives to

fulfil the purposes of safeguarding office

security and monitoring staff attendance,

nor informed of the privacy risks involved

and the measures to prevent wrongful

collection and misuse. This is tantamount

to a contravention of DPP1(2).

Enforcement Action

An Enforcement Notice was served on

the Company directing it to destroy

all fingerprint data collected from the

Company’s present and past employees,

and to cease collecting its employees’

fingerprint data.