Complaint Case Notes

編號: 0085/2015/IP

標題: Improper security measures adopted for check list

立案原因: Complaint


    This current complaint stemmed from an employee of Company A, who was once arranged to work for Company B as an contingent staff.  When borrowing the uniform, the Complainant was asked to sign on a checklist, which contained each contingent staff’s name, ID numbers and mobile numbers. This list was simply placed on the counter of the uniform room.  Each of the contingent staff was asked to sign on the list at the start and the end of each day’s work, and the data therein was not covered or concealed.


    According to Article 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA), the name, ID numbers and mobile numbers are information relating to an identified or identifiable natural person and therefore must be treated as personal data.  The data processing over the contingent staff as carried out by Company B, as a consequence, is subject to the PDPA.  
  In its response, Company B expressed that, being a business venue, it is necessary to protect its legal interests and venue security, and therefore each contingent staff’s identity was verified when entering and leaving its venue. In order to verify their identities, Company B would first obtain the personal data of the contingent staff from Company A.  Furthermore, the said personal data would also be used to verify their identities in case they had to borrow uniforms, which would help protect the Company’s property and record their start and finish times of each day’s work.  The recorded information would then be used to calculate the salaries of each contingent staff sent by Company A.    
  The processing of the said data by Company B was necessary for pursuing its legitimate purposes – the protection of its property, ensuring venue security and the calculation of staff salary.  This justified that its processing is legitimate as it was in compliance with Article 6(5) of the PDPA.  
  The current complaint was basically caused by the inadequate protection of the contingent staff’s personal data during Company B’s data processing, as the Complainant believed.  Since the list was uncovered and simply placed on the service counter, which means the list was also visible to others when anyone was signing it for borrowing and returning uniforms.  To this, Company B pointed out that the list was kept by a specialized staff except when it was passed to the staff for signature, and it was never placed arbitrarily on the counter for others to access the data.  However, Company B could not confirm whether the data had been concealed when the list was passed to the staff for signatures. 
  It is necessary to point out that even if Company B did not place the list on the counter and was kept by its staff, except when it was passed to others for signature, the data was still accessible by anyone, who could have no relations to others’ personal data therein, as long as they were not properly concealed or covered.  In other words, one could have accessed others’ data when signing on the list and this could be an incompliance of Article 15 of the PDPA – security of processing.  After being informed by the GPDP, Company B, took the initiatives to improve its arrangement, including deleting the ID numbers and mobile numbers on the list and covering the personal data that were entered by others.


    Considering that Company B has improved its security measures, for the personal data contained on the mentioned list, in addition that the GPDP has reminded it to comply with Article 15 of the PDPA while processing the respective personal data, the current case was closed. 

Please refer to Article 3, 4, 6 and 15 of the Personal Data Protection Act.