The Privacy Commissioner investigated and upheld complaints by two individuals against a well-known Hong Kong fitness chain regarding the collection of excessive personal data. The Privacy Commissioner determined that is was unnecessary and excessive for the fitness chain to collect full dates of birth and copy Hong Kong ID cards / Home Visit Permits for the purposes of membership applications and renewals.
The issue investigated centered on Data Protection Principle 1 of the Personal Data (Privacy) Ordinance (“DPP1”). DPP1 requires that personal data may only be collected for lawful purposes that are directly related to a function or activity of a data user (in this case the data user was the fitness chain). Critically DPP1 goes on to state that the data collected cannot be excessive in relation to the purpose for its collection
Hong Kong ID Card – Highly Sensitive Personal Data
Because of its uniqueness, the Hong Kong ID card number is considered highly sensitive personal data. Therefore, in addition to DPP1, the Privacy Commissioner has also issued a Code of Practice on the Identity Card Number and other Personal Identifiers (“the Code”). In short, this Code provides that data users should not collect Hong Kong ID card numbers or copies, except in certain limited circumstances. Moreover, because the Hong Kong ID card contains birthday information and a photograph of the holder, in addition to the unique ID number, a greater level of protection is required and, therefore, the general presumption of the Code is not to collect Hong Kong ID card copies.
Investigation and Findings
In response to the Privacy Commissioner’s investigation into each of the complaints, the fitness chain submitted that it was necessary to collect:
- dates of birth for age verification (to ensure that an applicant was not a minor) and for the marketing of special birthday offers and promotions and/or designing age specific products and services;
- Hong Kong ID card numbers to establish a legal relationship, use in possible legal action and for identifying members (due to the fact that it allowed members to sign up using an alias); and
- Hong Kong ID card copies for the same reasons as it collected the numbers, but also for the purposes of internal administration and audit and the prevention of employee fraud (via the submission of fraudulent memberships by sales staff).
The Privacy Commissioner concluded:
Collection of dates of birth
- that it was not necessary to collect dates of birth for the purposes of age verification because enrollment applications were done in person and an applicant’s age could be confirmed on the spot without the need to record the date of birth;
- special birthday offers and promotions were provided for members’ month of birth, it was therefore, unnecessary to collect a member’s full date of birth when the month of birth only would have been sufficient; and
- it would have been sufficient to collect members’ age range, rather than exact ages for the purpose of designing age specific products and services.
Collection of Hong Kong ID card numbers
- that the collection of Hong Kong ID card numbers to establish or to evidence a legal right, interest or liability of the part of the members was justified.
Collection of Hong Kong ID card copies
- that it would have been more reasonable and practicable to collect a member’s real name rather than an alias, removing the need to retain the Hong Kong ID card copy for the purposes of identification;
- less privacy intrusive alternatives could be used to audit membership income; and
- there was no evidence to show that a less privacy intrusive means of detecting or preventing employee fraud would not work.
In summary, requesting Hong Kong ID card copies and Home Visit Permit copies was unnecessary and the collection of dates of birth was excessive and, therefore, such collections by the fitness chain were in breach of DPP1.
As a result of the finding, the fitness chain was required to remedy the breaches, which included ensuring the destruction of some 200,000 Hong Kong ID card copies belonging to current and former members. This represented a significant (and expensive) undertaking for the fitness chain which estimate that it would take 2,500 – 3,000 hours to complete the destruction exercise!
Lessons to Learn
The Privacy Commissioner noted that while copies of Hong Kong ID cards are widely used by many organisations in Hong Kong as documentary proof of identity, the indiscriminate collection and improper handling of Hong Kong ID card copies could duly infringe the privacy of the individuals and create opportunities for fraud. In his final comments, the Privacy Commissioner issued a strong warning to all data users:
“When it comes to authentication, [data users] tend to require the strongest level of authentication regardless of the nature of the transaction. The over-reliance of production of Hong Kong ID card number and Hong Kong ID card copy for identity authentication is a common phenomenon in Hong Kong. It amounts to over-kill and the trend must be reversed”.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.