個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0007/2011/IP

Title: A telecommunications company sending e-bills to an unrelated person

Reason: Complaints

Brief:

    Citizen X claimed that Telecommunication Company A (hereinafter "Company A") had been sending his phone bills in electronic form to his email address. Company A was later found to have been sending his bills to an unrelated person since January 2010. The bills contain the customer's name, mailing address, mobile phone number, daily airtime, cross-domain communication services, etc. X called Company A's customer service hotline about this on several occasions, but the problem remained unresolved. X was later informed that Company A had cancelled his e-billing service at the end of November 2010 and was instead sending his bills by post to his registered residential address. However, as of January 2011, X had not received any bills by post.
  X believed that Company A had violated the Personal Data Protection Act by sending his e-bills to an unrelated person, thereby disclosing his personal data, and filed a complaint with GPDP.

Analysis:

    In accordance with Articles 4(1)(1) and 3(1) of the Personal Data Protection Act, the data processing involved in this case falls within the Act's regulatory scope.
  After investigation, GPDP found that X had called Company A's customer service hotline at the end of November 2010, stating that he had not received any e-bills for a long period. Company A's own investigation found that X had called the hotline in early January 2010 to request cancellation of the SMS reminder service for his phone bills; in handling that request, the staff member mistakenly changed X's email address. Company A promptly rectified the error after X's report and followed up with a written explanation and apology.
  According to the information provided, Company A has a set of information security measures, including privacy measures for recording, saving, programming, transmitting and otherwise processing personal data, and carries out daily inspections to verify customer data, for example whether names and addresses have been correctly entered into the company system. In addition, the "Procedures of Handling Customer Requests" established by Company A require staff to verify customers' personal data, on top of daily random checks by supervisors intended to keep track of the status.
  For communications information, certain specific provisions apply in addition to the Personal Data Protection Act, for example Articles 7(1) and 7(2) of Law 14/2001, the "Basic Telecommunications Law", which guarantee telecommunications service users the following rights: 1) the inviolability and secrecy of communications under the terms of the law; 2) respect for privacy in billing documents and in the service provider's use of their personal data. Communications information is clearly personal data of higher importance and is closely related to one's private life; a data controller should exercise greater caution when processing it so as to afford greater protection.
  In this case, ten months passed between the mistaken change of X's email address and X's complaint in the same year, during which Company A was sending X's e-bills to another person. It can also be inferred that the email address to which Company A mistakenly sent the bills was in active use by another user: otherwise the emails would not have been delivered, and a "message cannot be delivered" notification would ordinarily have been returned. If no such notification was found in Company A's system, it can be taken as confirmed that the information was delivered.
  Since Company A's handling of the data constituted a suspected violation of Articles 5(1)(4) and 15, for which a fine could be imposed, GPDP conducted a hearing of Company A on the suspected violation in accordance with Article 93 of the Administrative Procedural Code, approved by Law no. 57/99/M of 11 October.
  During the hearing, Company A contended that the cause of the incident was human error, i.e. its staff member had failed to comply with the company's policies and code of practice, rather than a defect in the company's security policies and processes. Company A stated that the staff member concerned had already been disciplined and that the company had improved its e-bill application and handling procedures to reduce the risk of undetected human error. However, Company A did not establish that the staff member should bear liability, in whole or in part, for a mistake made in the performance of his or her duties. Nor could the company offer a reasonable and substantive justification for its violation of the Personal Data Protection Act, or produce any evidence that the e-bills had not been received by another person. Furthermore, as data controller, once it discovered that X's e-bills had been missent, Company A should have asked the email recipient to delete them, but it provided no evidence of any follow-up action taken to prevent unauthorised dissemination of, or access to, X's personal data.
  In short, when handling X's request to apply for/cancel the SMS bill reminder, Company A mistakenly changed X's email address, causing the information in its database to diverge from X's actual information and his bills to be sent to another person's email address. This amounted to an improper disclosure of X's personal data and created a risk of misuse.
  In summary, Company A's processing violated Articles 5(1)(4) and 15 of the Personal Data Protection Act and constituted an administrative offence.

Result:

    Given that Company A's handling of X's request to apply for/cancel the SMS bill reminder led to the mistaken change of X's email address, a mismatch between the information in Company A's database and X's actual information, and the missending of X's personal data to a third party, in violation of Articles 5(1)(4) and 15 of the Personal Data Protection Act, GPDP decided, under Article 33(1) of the Act, to impose a fine of MOP4,000. The penalty has already been enforced.
  To avoid recurrence, GPDP also recommended that Company A review issues such as staff authorization and system configuration.

Reference:
Please refer to the "Personal Data Protection Act", Articles 3, 4, 5, 15 and 33.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116