Hong Kong: PCPD issues advisory letter to WiFi device rental company for inadequate security measures
In February 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) published its decision in Case No. 2024C02, in which it issued an advisory letter to a mobile Wi-Fi device rental company for a violation of the Personal Data (Privacy) Ordinance (PDPO) regarding inadequate security measures to protect customers' personal data, following a complaint.
Background to the case
The PCPD noted that the complainant, who was a customer of the company, was picking up a WiFi device at the company's counter and noticed that the acknowledgment of receipt form used gave the company permission to access the personal data of other customers, including their full English names, rental periods, and destinations, while the counter was left unattended during non-business hours.
Findings of the PCPD
The PCPD found that the situation led to unauthorized access to customers' personal data in violation of principle 4 of the PDPO.
Outcomes
In light of the above, with the PCPD's intervention, the company revised the format of the form by removing the 'destination' column and displaying only the customer's family name with the initial of the given name so that the identity of the customer could not be ascertained from the limited information available on the form. Furthermore, the PCPD issued an advisory letter to the company requesting it to take all practicable measures to protect the registration data of customers against unauthorized or accidental access, processing, erasure, loss, or use and to train its staff to raise awareness of personal data privacy protection.
Moreover, the PCPD encouraged companies to focus on the format of the acknowledgment form by displaying only the necessary information for the purpose of acknowledging receipt, thereby minimizing the risk of personal data leakage. The PCPD also advised companies to consider digitizing such processes by using a computer system instead of physical common forms, thereby ensuring better protection of customers' personal data privacy.
You can read the press release here.