On 14 May 2012, Hong Kong's Privacy Commissioner for Personal Data (Privacy Commissioner) released a revised guidance note on the Collection of Fingerprint Data (Guidance Note) to assist those who wish to collect fingerprint data to comply with the Personal Data (Privacy) Ordinance, Cap 486 (PDPO). The Guidance Note was first published in 2007.
The Guidance Note should be read by data users (such as employers) before they decide whether to collect fingerprint data from individuals (such as employees) and should be regularly referred to if data users decide that fingerprint data should be collected. In this article, we will provide an outline of the topics addressed in the Guidance Note.
Why are fingerprint data personal data?
The Privacy Commissioner acknowledged that there are varying views as to the practicality of identifying an individual from a fingerprint image (and thereby whether it constitutes personal data under the PDPO). However, the Privacy Commissioner clarified that while a person may not be able to identify an individual just by looking at the individual's fingerprint, if by linking the fingerprint image with another database containing other identifying data, the identity of the individual could be ascertained then the fingerprint image when combined with such other identifying data would constitute personal data under the PDPO.
Whether or not fingerprint data should be collected?
Under this section, the Privacy Commissioner explains that while fingerprint data may be personal data, not all cases involving fingerprint data fall within the scope of the PDPO. If there is no collection of the fingerprint data then the matter would not be regulated by the PDPO.
What are the principal requirements under the PDPO on data collection?
When collecting fingerprint data, a data user should ensure that it complies with Data Protection Principle 1 of the PDPO which requires that the collection must be for a lawful purpose directly related to the data user's function or activity and that the collection is necessary but not excessive in relation to achieving that purpose.
What is a privacy impact assessment and what needs to be considered in conducting the assessment?
A privacy impact assessment aims to assist users to evaluate the impact to which a proposal to collect fingerprint data has on personal data privacy and whether collection of fingerprint data is necessary and not excessive. It requires the data user to answer a series of questions relating to the purpose of collecting fingerprint data, whose fingerprint data are intended to be collected and the extent of the data to be collected. Data users should keep written records of their reasons for collecting fingerprint data to help them explain why the collection was necessary in the event that they face any legal challenge under the PDPO.
What should be considered in ensuring that the individuals have free and informed choice and can make a conscious decision on whether or not to supply the fingerprint data?
Data users should provide those individuals whose fingerprint data will be collected with a full explanation of the impact of the collection on their personal data privacy and as far as practicable, provide the individuals with the free choice of a less privacy intrusive alternative to fingerprint data collection. Data users should also adopt all practicable measures to protect the personal data privacy of those individuals.
An individual's consent to fingerprint data collection should be voluntarily and expressly given (and preferably recorded in writing). In this connection, the Privacy Commissioner considers it critical that (i) the individual has the requisite mental capacity to understand the adverse impact of the collection on his personal data privacy and (ii) there is no undue influence on the individual when his consent is sought.
What should be addressed after having decided to collect fingerprint data?
Upon being satisfied that collecting fingerprint data is necessary and not excessive, data users have an ongoing obligation to protect the fingerprint data collected. Data users will need to implement measures to: