Authored by: Charmaine Koo and Timothy Chow
Covid restrictions and laws require many businesses to collect personal data from their customers in order to track their entry into the premises and their movements. However, many businesses do not pay attention to what happens to the data after collection, or to whether their collection, storage and erasure of it comply with the privacy laws in Hong Kong. The Hong Kong Privacy Commissioner recently published a report on “Security Measures Taken by Restaurants to Protect Customers’ Information Collected during the Registration Required under the COVID-19 Anti-pandemic Measures”. Upon receiving complaints from the public, investigations of 14 restaurants were carried out in relation to their handling of personal data collected under Covid-19 anti-pandemic measures.
Restaurants in breach
Under the Prevention and Control of Disease (Requirement and Directions) (Business and Premises) Regulation, restaurants are required to ensure that customers (before entering the premises) either (i) use the “LeaveHomeSafe” mobile app to scan the restaurants’ QR codes, or (ii) register their names, contact numbers and dates and times of their visits.
The Privacy Commissioner found that the practices of all 14 restaurants exposed customers’ personal data to unauthorised, or accidental, access or use. The practices included the use of common registration forms, books, or uncut sheets of paper, the failure to use a collection box for the forms, or to cover the collection box at all times. Such practices were found to be in breach of the Personal Data Privacy Ordinance (PDPO). Although the restaurants took remedial action including newly designed individual registration forms, using form-collection boxes made of opaque material, and reminding staff to cover collection boxes, the Privacy Commissioner still decided to issue enforcement notices.
The Report reminded restaurants that:-
Since the publication of this Report, the Government has announced that customers of restaurants must use the “LeaveHomeSafe” app and may no longer use the registration method. However, other businesses or organisations that require registration of customers’ personal data should ensure that their registration system complies with the PDPO and is in line with the observations in the Report.
Taking a proactive approach
It is important to note that the Privacy Commissioner not only has the power to conduct investigations upon receiving a complaint, but may also, on its own initiative, carry out inspections of any personal data system. The Privacy Commissioner has been active in monitoring compliance by businesses and, since 1997, has issued 51 investigation reports and 12 inspection reports involving varied industries ranging from financial institutions, food and beverage companies, public authorities and utilities, to the retail industry.
It is clear that the Privacy Commissioner takes a proactive approach and businesses should also be proactive in reviewing their practices and systems. The numerous investigation and inspection reports provide useful guidelines on what is regarded as good practice. Maintaining a sound and compliant system is better than taking remedial action when the Privacy Commissioner comes knocking at the door.