Complaint Case Notes

編號: 0002/2008/IP

標題: An institution kept the visitors’ identification document

立案原因: Complaints


    Company A used an ID checking mechanism on visitors, requiring not only that they show their ID document, register their names, ID card numbers and phone numbers, but also that they exchange their ID documents (such as Staff Card, Driver’s License or Credit Card, etc., with photos attached) for internal Passes. Company A returned the ID documents to their owners upon their returning the passes.
  Resident X claimed that Company A’s conduct violated the Personal Data protection Act and filed a complaint with this Office (GPDP).


    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  According to Company A, this practice was adopted for security reasons. Taking the visitor’s ID documents as collateral was so that visitors return the internal passes to the institution.
  In GPDP’s opinion, according to Article 6 of the Personal Data Protection Act, Company A may, for security reasons, legally demand the checking of visitors’ ID documents, taking notes of their names, ID card numbers and contact phone numbers, provided that the visitors consent to this measure. If the visitors refuse to provide, Company A has the right, for security reasons, to deny access to the visitors.
  In GPDP’s opinion, Company A’s practice of keeps visitor’s original ID documents with photo on them as collaterals of the internal passes constituted a breach of the principle of proportionality in Article 5 of the Personal Data Protection Act. The measure went beyond what security calls for, and constituted over-collecting personal data. Firstly, by checking the original ID document that bears a visitor’s personal data, it should suffice for Company A to verify a visitor’s identity. Should any visitor damage or lose the pass accidentally or for whatever reasons, Company A could invalidate the pass at any time, without jeopardizing its security. There was no need to keep a visitor’s ID document as collateral. Secondly, Company A could recover any loss of passes via other legal channels. Keeping a visitor’s ID document as collateral was by itself a deviation from the purpose of processing personal data, which is internal security.
  In investigation, GPDP also found that Company A needed to improve the practices to ensure the data subjects’ right to information, namely providing more information in the notice post at the entrance.
  In summary, Company A’s practice of keeping visitors’ original identification document did not comply with Article 5.1.(3) of the Personal Data Protection Act, but it did not constitute an administrative offence. There was room for improvement.


    GPDP sent a letter to Company A and informed it to improve, by stopping the practice of keeping visitors’ identification document for exchange of internal pass, and amend the content of the notice to comply with the provisions of Article 10 of the Personal Data Protection Act.
  Company A followed GPDP’s instruction and made improvements.

Please refer to "Personal Data Protection Act", articles 3,4,5,6,10 .