20 January 2022
Authored by: Charmaine Koo and Timothy Chow
Covid restrictions and laws require many businesses to collect personal data of their customers to track their entry into their premises and movements. However, many business do not pay attention to what happens with the data after collection and whether their collection, storage and erasure complies with the Privacy laws in Hong Kong. The Hong Kong Privacy Commissioner recently published a report on “Security Measures Taken by Restaurants to Protect Customers’ Information Collected during the Registration Required under the COVID-19 Anti-pandemic Measures”. Upon receiving complaints from the public, investigations of 14 restaurants were carried out in relation to their handling of personal data collected under Covid-19 anti-pandemic measures.
Restaurants in breach
Under the Prevention and Control of Disease (Requirement and Directions) (Business and Premises) Regulation, restaurants are required to ensure that customers (before entering the premises) either (i) use the “LeaveHomeSafe” mobile app to scan the restaurants’ QR codes, or (ii) register their names, contact numbers and dates and times of their visits.
The Privacy Commissioner found that the practices of all 14 restaurants exposed customers’ personal data to unauthorised, or accidental, access or use. The practices included the use of common registration forms, books, or uncut sheets of paper, the failure to use a collection box for the forms, or to cover the collection box at all times. Such practices were found to be in breach of the Personal Data Privacy Ordinance (PDPO). Although the restaurants took remedial action including newly designed individual registration forms, using form-collection boxes made of opaque material, and reminding staff to cover collection boxes, the Privacy Commissioner still decided to issue enforcement notices.
The Report reminded restaurants that:-
Regardless of the scale of business, mode of operation and availability of resources, all restaurants have responsibility to comply with the requirements of the PDPO in the collection, holding, processing and use of personal data;
In addition to incorporating privacy protection in the workflow of data processing, restaurants must also provide appropriate training and guidance for their staff;
Restaurants must adopt measures to provide clear guidelines for their staff on the process and purpose of customer registration, and ensure the proper conduct of their staff, so as to avoid the collection and processing of personal data from being hampered by human negligence or error. An explanation of the need and purpose of data registration to customers can help minimise unnecessary misunderstanding;
In response to anti-pandemic measures, restaurants need to raise the awareness of their staff to personal data privacy protection. By strengthening personal data privacy protection, restaurants will be able to enhance their goodwill, competitive edge, and potential business opportunities.
Since the publication of this Report, the Government has announced that restaurant customers of restaurants must use the “LeaveHomeSafe” app and may no longer use the registration method. However, other businesses or organisations that require registration of customers’ personal data should ensure that their registration system complies with the PDPO and is in line with the observations in the Report.
Taking a proactive approach
It is important to note that the Privacy Commissioner not only has the power to conduct investigations upon receiving a complaint, but may take its own initiative to carry out inspections of any personal data system. The Privacy Commissioner has been active in monitoring compliance by businesses and, since 1997, has issued 51 investigation reports and 12 inspection reports involving varied industries ranging from financial institutions, food and beverage companies, public authorities and utilities, to the retail industry.
It is clear that the Privacy Commissioner takes a proactive approach and businesses should also be proactive in reviewing their practices and systems. The numerous investigation and inspection reports provide useful guidelines on what is regarded as good practice. Maintaining a sound and compliant system is better than taking remedial action when the Privacy Commissioner comes knocking at the door.
For further information, please contact: