Hong Kong – Privacy Commissioner Investigation Report: JV Fitness Limited Trading As California Fitness.

5 September, 2014

 


 

[Office of the Privacy Commissioner for Personal Data, Hong Kong – Report Number: R13 – 12828]

 
Privacy Commissioner Investigation Report: Collection of Excessive Personal Data from Membership Applicants by J.V. Fitness Limited (trading as California Fitness). Report of the Office of the Privacy Commissioner for Personal Data, Hong Kong, dated 5 December 2013.

 
Privacy – Personal Data – Customer complaints – Investigation – Excessive collection of data – Hong Kong Identity Card – Date of birth

 
The Facts

 
California Fitness is a fitness centre chain that provides fitness training and facilities in Hong Kong. Two customers complained to the Privacy Commissioner that California Fitness had requested excessive personal data from them during (i) an application for membership and (ii) a renewal of membership. They were asked to provide their Hong Kong Identity Card (“HKID”) numbers, copies of HKID, and date of birth information. The customers complained and California Fitness waived the HKID card requirement in respect of the new member (Complainant A) but accepted a copy of the Home Visit Permit of the member applying for a renewal (Complainant B). Complainant B had not been required to provide his HKID card and birthday information when originally applying to be a member. Both customers subsequently lodged complaints with the Privacy Commissioner. The Privacy Commissioner initiated a formal investigation into whether California Fitness had breached the Personal Data (Privacy) Ordinance (Cap. 487) (“PDPO”).

 
Data Protection Principle 1 of the PDPO states that personal data shall not be collected unless for a lawful purpose directly related to a function or activity of a data user and that the collection of personal data must be necessary for the intended purpose and must not be excessive. The Privacy Commissioner has also published a Code of Practice on the Identity Card Number and other Personal Identifiers (the “Code”) issued in 1997. The Code states that data users must not collect HKID numbers or copies except under very limited circumstances such as “to safeguard against damage or loss on the part of the data user which is more than trivial in the circumstance”, where necessary for “the prevention or detection of crime” or the prevention of “unlawful or seriously improper conduct”.

 
The Investigation

 
California Fitness advanced various arguments in its defence. It explained that the collection of HKID numbers was necessary in order to establish a legal relationship and take enforcement action against its members for unpaid fees and damage to the facilities. California Fitness claimed that it had made more than 2,800 claims between 2005 and 2008 against its customers in respect of unpaid fees of HKD 11m, not trivial sums. The Privacy Commissioner held that the collection of the HKID numbers by California Fitness was justified and this was supported by the Code, as it was done to establish or evidence a legal right or liability on the part of members that was not of a transient nature or trivial in the circumstances.

 
As for the collection of copies of the HKID, California Fitness ran the argument that it would help to facilitate its internal administration procedures and would discourage staff from creating fake membership accounts to boost their commission. The Privacy Commissioner did not accept this line of reasoning and emphasised that stricter control was required for the collection of HKID copies because there are serious identity theft issues. The Privacy Commissioner highlighted some alternative measures that could have been taken, including random calls to customers to verify membership and more scrutiny of employees’ records and said the same principles apply to the collection of copies of Home Visit Permits and passports.

 
As for the collection of dates of birth, California Fitness stated that it was necessary for age verification and in order to provide birthday privileges and promote age-specific products to its members. This was deemed excessive by the Privacy Commissioner because the day and month of birth and inspection of the HKID would have been adequate for age verification, and age-specific products could be provided by collection of members’ age range.

 
Taking all of this into consideration, the Privacy Commissioner found that California Fitness was in breach of Data Protection Principle 1 of the PDPO in respect of collecting copies of HKID cards and Home Visit Permits, as well as collecting members’ day and year of birth (but not in relation to HKID card numbers), and issued an Enforcement Notice to California Fitness to remedy and avoid repetition of the offence in the future.

 

Commentary 

 
For those of us who have grown up in a society which has not adopted a universal identity card system (for example the UK), there is always a feeling, when asked to present our HKID (other than to a law enforcement officer), that the requester is somehow demanding the card ‘because they can’ rather than because they need it. There needs to be a good justification for keeping a record of someone’s HKID number (as opposed to simply looking at the card to check that the person’s name and face match the name and photograph on the card). In many cases the requester oversteps the mark.

 
It is perhaps surprising that the Commissioner sided with California Fitness on the collection of the HKID numbers. Although it explained that it wanted to take enforcement action against recalcitrant members, it would not be prevented from doing so in the absence of having the HKID numbers. The more important information is the current residential address, which will allow effective proceedings to be issued and eventually enforced.

 
Of perhaps greatest note, however, is that the Commissioner was able to issue an Enforcement Notice in respect of the breaches he found. Until Section 50 of the Personal Data (Privacy) Ordinance (PDPO) was changed in 2013, it was only possible for the Commissioner to issue an Enforcement Notice where in his opinion the data user was continuing to contravene a requirement under the PDPO, or circumstances made it likely that the contravention would continue or be repeated. This is a high bar for the Commissioner to achieve. Even in the case of an egregious breach, if the data user had stopped the offending behaviour, the Commissioner was stymied from taking further enforcement action. Since the 2013 changes, the Commissioner has been able to issue an Enforcement Notice simply against previous contraventions of the PDPO. The result has been a marked increase in enforcements and hopefully this will have a deterrent effect.

 

Pinsent Masons

 

For further information, please contact:

 

Peter Bullock, Partner, Pinsent Masons
peter.bullock@pinsentmasons.com

 
