Enquiry Case Notes

編號: 0032/2011/RP

標題: Collecting personal data of people claiming refund and processing sensitive data


    The Macao Pass S. A. (hereinafter referred to as the Company) consulted the GPDP of collecting the personal data of the non-personalized “Macao Pass” holders who claimed refund, as well as the data of holders of the personalized “Macao Pass for the Disabled”.


  I. Collecting the personal data of the non-personalized “Macao Pass” holders who claimed refund
  Under Articles 4(1)(1) and 3(1) of the Personal Data Protection Act, the relevant processing in this case is regulated by the Personal Data Protection Act (Law 8/2005).
  Generally speaking, if a cardholder submits to the Company a completed, signed Application Form for Refund or Cancelling the Non-personalized Macao Pass Card, it is deemed that the applicant has agreed to the company’s processing of his data. The Company, therefore, achieved the legitimacy set forth by Article 6 of the Law last said. At the same time, it must comply all the principles under Article 5, in particular the principle of proportionality of Article 5(1) (3).
  According to the enquiry, in order to avoid the refund abuse of the non-personalized “Macao Pass”, the company will collect the name, type and number of his identity document, and the contact number an applicant who claimed a refund, if the balance is above MOP$100 or more. As no detailed information on the processing purpose has been provided, GPDP could not conduct further analysis. Normally, because of the large number of users of this card, the said personal data may help to establish users’ identities and to record and verify cardholders for avoiding service abuse. In addition, refund payments are paid by cheques. To these, GPDP believed that collecting the above data is not against the principle of proportionality.
  Moreover, according to Articles 111 to 139 of the Civil Code, it is possible for persons with no legal capacity to apply for the card refund. In order to cash a cheque, GPDP recommends their parents, guardians or legal representatives to file an application on their behalf.
  As for the design of the form, the Company could establish that of its own since this is its internal matters. However, according to Articles 10(1) and 10(2) of the Personal Data Protection Act, the Company should include a “Personal Data Collection Statement” in the application form to ensure the cardholders’ right to information.

II. Regarding the personal data processing of the personalized “Macao Pass for the Disabled”
  In order to support the “Concessionary Bus Fare Scheme for the Disabled” promoted by the MSAR Government, the company introduced the “Macao Pass for the Disabled” (“Disabled Bus Pass”). If this bus pass is not simply used as an IC card for settling bus fare, but also as an electronic purse, containing the cardholder’s personal data and records of spending habits, it will regarded as a personalized financial product. According to the contents of the Application Form for the Personalized Macao Pass Card, the Company requires the applicant to provide his personal data. For applicants under 18 years of age, personal data of their parents or guardians are also needed. Then, the processing of personal data followed is regulated by the said Law.
  Apart from minors, applicants of the Macao Pass for the Disabled also include the interdictors and quasi-interdictors governed by Article 122 et seq, Civil Code. The Company, therefore, must take note of the validity of their consent. Otherwise, it should also obtain the consent from those who legitimately represent them.
  Since there might be sensitive data in an application form, in addition that the Company may also collect copies of the Registration Certificate of Disability Evaluation, the laws, however, generally forbid processing of sensitive data. In view of this, the Company, before the processing of personal data, must ensure the consent of the subjects have been given, or it fulfills the legitimacy governed by Articles 6 and 7 of the Personal Data Protection Act. If an applicant submits a completed application form for bus fare concession, he was voluntarily giving his explicit consent to the Company’s processing. GPDP believed that the Company has the legitimacy for processing then.
  After consulting the document named The Production Process of the Macao Pass Card for the Disabled, provided by the company, GPDP found that the company would input the application form data into its data system. GPDP believed that, since the Evaluation of Registered Disabled Individuals is regarded as sensitive data, if simply for providing the relevant services and checking if an applicant qualified for the application, the company can input the data relevant to this purpose into its system (for example, expiry date of the Registration Certificate of Disability Evaluation), and do not input data irrelevant to this purpose to avoid over collection of data. Moreover, since sensitive data is processed by the company, it should adopt the security measures provided for in Article 16 to guarantee the non-discrimination principle, as governed by Article 7(2) of the Personal Data Protection Act.
  At present, if senior citizens or students use their Macao Pass for their bus fare, the machine will produce an alert sound, whereas a different kind of alert is produced if a Macao Pass for the Disabled is used. Consequently, apart from the bus driver who has to identify a cardholder as his job requires, other passengers may also know the cardholder is a disabled person from the different alert sound. This will lead to the leakage of sensitive health data and violated the non-discrimination principle. Therefore, GPDP recommends the Company take other effective and proper measures to establish cardholders’ identities and thereof to avoid discrimination caused by information leaked from the bus pass.

III. Regarding the issues of declaration
  After checking the data this case involved, the Company has applied to the GPDP for its processing of personal data, in accordance with Article 21(1) of the Personal Data Protection Act, of the “Macao Pass” holders. Therefore, GPDP recommends the Company verify whether what it applied for differs from the processing of the current case, in order to apply for or to amend their application according to the laws.

Please refer to "Personal Data Protection Act", articles 3,4,5,6,7,10,16,21 .