The Personal Data (Privacy) Ordinance (Cap 486) (PDPO), Part VIA provides generally for all forms of direct marketing. Marketing of securities in particular is subject to further regulations under the Securities and Futures Ordinance and other laws.
“Direct marketing” is defined as
(a) the offering, or advertising of the availability, of goods, facilities or services; or
(b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.
“Direct marketing means” is further defined to mean:
“(a) sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or
(b) making telephone calls to specific persons”.
Hence, direct marketing under the current regime does not include unsolicited business electronic messages sent to telephones, fax machines or email addresses without being addressed to specific persons by name, nor person-to-person calls made to randomly generated phone numbers.
PDPO Part 6A covers two scenarios. Firstly, where the data user uses personal data in direct marketing for his or her own purpose; and secondly, where the data user transfers personal data to third parties for use in direct marketing.
PDPO, Part 6A, Div 2 – Use of Personal Data in Direct Marketing
PDPO, Part 6A, Div 3 – Provision of Personal Data for Use in Direct Marketing
Under both scenarios, a data user must inform the data subject of the intention to use his or her personal data for direct marketing (data user notification) and provide the data subject with a means to communicate consent to the intended use (data subject consent). Otherwise, the organization commits an offence.
PDPO, s 35E(4)
PDPO, s 35K(4)
First scenario: Data user using personal data in direct marketing for his or her own purpose
Data subject consent can be oral or written, but if a data subject gives oral consent, it must be followed by his or her written confirmation within 14 days. Silence does not constitute consent but under PDPO, s 35A, consent may encompass an indication of no objection.
PDPO, s 35C
PDPO, s 35E
In addition to the data user’s intention to use the data subject’s personal data for direct marketing, the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used, the data user must notify the data subject of two things: first, the data subject’s opt-out right when the data user uses the personal data for the first time; and secondly, the data subject’s right to opt out at any time at no cost to him or her.
There is no specific requirement prescribing how the data subject is to be informed. However, it is a requirement that the information should be presented in a manner that is easily understandable and, if in written form, easily readable.
PDPO, s 35C
PDPO, s 35F
PDPO, s 35G
The use of the personal data in direct marketing must be consistent with the data subject’s consent, that is (a) the personal data to be used falls within the permitted kind of personal data; and (b) the marketing subject in relation to which the data is used falls within the permitted class of marketing subjects.
A data subject may at any time require a data user to cease to use his/her personal data in direct marketing, and the data user must, without charge to the data subject, cease to use the personal data concerned upon receipt of such notification.
PDPO, s 35E
PDPO, s 35F
Any person contravening the above commits an offence and is liable to a fine of HK$500,000 and imprisonment of three years.
PDPO, s 35C(5)
PDPO, s 35E(4)
PDPO, s 35F(3)
PDPO, s 35G(4)
Second scenario: Data user transferring personal data to third parties for use in direct marketing
The same data user notification and data subject consent requirements explained in the above apply equally here, except that:
- the data user notification and data subject consent must be in writing; and
- the prescribed information in the notification must also state to whom the data is transferred and, if the transfer is for gain, the fact that the transfer is for gain.
“For gain” means the provision of personal data in return for money or other property, irrespective of whether the return is contingent on any condition or the data transferor retains any control over the use of the data.
Interpretation and General Clause Ordinance, s 3
PDPO, s 35A
A data subject may at any time require a data user to (i) cease to provide his/her personal data to any other person for use by that other person in direct marketing and (ii) notify any person to whom the data has been so provided to cease to use the data in direct marketing. A data user must, without charge to the data subject, comply with such a requirement by (i) ceasing to provide the data subject’s personal data to any person for use in direct marketing; and (ii) notifying in writing any person to whom the data has been so provided to cease to use the data in direct marketing.
References: PDPO, s 34L
A data subject may still opt out at any time. Any person contravening the above commits an offence and is liable to a fine of HK$500,000 (or HK$1 million if the transfer is for gain) and imprisonment of three years (or five years if the transfer is for gain).
PDPO, s 35J(5)
PDPO, s 35K(4)
PDPO, s 35L
The new requirements to notify the data subject of a data user’s intention to use his or her personal data in direct marketing and to obtain consent or indication of no objection to the intended use take effect on a prospective basis. They do not apply to pre-existing data before 1 April 2013 if all of the following conditions are fulfilled:
- a data subject had been explicitly informed by a data user, in an easily understandable and, if informed in writing, easily readable manner, of the intended use or use of the data subject’s personal data in direct marketing in relation to a class of marketing subjects;
- the data user had so used any of the data;
- the data subject had not required the data user to cease to use any of the data; and
- the data user had not, in relation to the use, contravened any provision of PDPO as in force at the time of the use.
This grandfathering arrangement applies only to the use of personal data by the organization for its own direct marketing, but not to the transfer of personal data to another person for the latter’s use in direct marketing.
Implications for the financial services industry
Compliance with PDPO is important for financial institutions because they usually handle a lot of personal data. The following are a few practical implications that are or may be relevant to financial institutions.
Personal Information Collection Statement (PICS)
When a client relationship is first established, the usual practice is to conduct KYC (Know Your Client) to obtain information about the client. When financial institutions recruit employees, they will also collect personal data from employees. Financial institutions should ensure that clients and employees sign the PICS when personal data are collected from them, which should contain the four categories of data required under DPP1.
Financial institutions are recipients of a vast amount of personal data from their customers. They may be involved in the transfer of their customers’ personal data to third-party business partners, for example, insurance companies. Financial institutions must comply with the new direct marketing provisions discussed above. Among other requirements, they must obtain the data subject’s consent before they use or transfer the personal data to third parties for direct marketing purposes. Financial institutions should also maintain a list of customers who have indicated their opt-out requests and update it regularly. Where financial institutions have transferred personal data to another person to use in direct marketing, they should stop transferring and notify in writing the transferees of personal data to stop using the data in direct marketing.
PDPO, s 35G
PDPO, s 35L
Employee monitoring at work
Financial institutions might have measures in place to monitor the activities and communications of their employees, especially when they are involved in sensitive activities. Employee monitoring may take the form of telephone, email, internet and video monitoring. Where employee monitoring results in the collection of the employee’s personal data, financial service institutions shall ensure that the monitoring act or practice complies with the DPPs. Most importantly, the reasons for monitoring employees have to be well-founded and the monitoring has to be related to and aligned with business or regulatory needs, for example, to manage workplace productivity, to ensure that employees do not make unsolicited calls or cold calls in violation of legal requirements, or to ensure that employees do not use mobile phones for receiving client order instructions on the trading floor or in the trading room.
Use of computers and the internet
Financial institutions should ensure that they have robust IT infrastructure to store client data safely; otherwise, they may breach DPP4 if client data is not reasonably protected against unauthorized or accidental access, processing, erasure, loss or use. Measures that financial institutions may take include installation of proper anti-virus and anti-theft software, use of encryption technology to safeguard confidential information over the internet, and adoption of proper and secure measures to verify client identities when activities are conducted via the internet.
Financial institutions will frequently outsource data processing to third parties. As mentioned above, the data user shall adopt contractual or other means to observe DPP2 (accuracy and duration of retention) and DPP4 (security of personal data).
Multi-national companies – transfer of personal data outside Hong Kong
Multi-national financial institutions often need to transfer personal data outside Hong Kong. PDPO, s 33 prohibits the transfer of personal data outside Hong Kong unless one of the prescribed conditions is met. However, this section has not yet come into force.
PDPO, s 33 did not fall within the ambit for review under the Paper and there is currently no timeframe for the enactment of s 33. Nevertheless, financial institutions might still need to get ready to satisfy PDPO, s 33. If the section comes into force, financial institutions might need to seek the written consent of employees or clients if their personal data need to be transferred out of Hong Kong.
Collection of ID
Financial institutions often need to collect ID numbers or copies of IDs from their customers or clients. Care must be taken to ensure compliance with the Code of Practice on the Identity Card Number and other Personal Identifiers issued by the Commissioner. The code specifies circumstances under which ID information can be collected. While it is usually not difficult to satisfy one of those circumstances, sometimes the collection of ID card numbers may not be justified. In the supermarket gift coupon case discussed above, the Commissioner held that it was not necessary to collect ID card numbers for the purpose of verifying whether a customer is an existing customer of the credit provider. Other information such as the account number could also serve this purpose. Therefore, in collecting ID card numbers, one must consider whether the ID card numbers are necessary and whether there is an alternative to substitute for the collection of ID card numbers.
The Commissioner’s website, Code of Practice on the Identity Card Number and other Personal Identifiers
The Commissioner’s website: Collection of Personal Data by Credit Provider for Business Promotion (21 September 2007)
ORIGINALLY PUBLISHED ON LEXISNEXIS