個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes

No: 0067/2011/IP

Title: A company posted documents containing personal data inside a security booth

Reason: Referral

Brief:

    The Macau Government Tourist Office (MGTO) referred a case to the Office for Personal Data Protection (GPDP). In this case, Citizen A stated that Company A required the deliveryman to go to the security booth in front of the goods receivable area to register his personal data prior to obtaining the delivery permit. Citizen A was penalized MOP100 for the loss of a delivery permit during one of his deliveries.
  After Citizen A refused to pay the fine, he was asked to provide his identity card for photocopying. A few days later, Citizen A discovered that Company A had publicly displayed documents containing his personal data inside the security booth.
  Since Citizen A felt that anyone standing at the security booth could view the abovementioned document, he believed that Company A had breached the “Personal Data Protection Act”.

Analysis:

    The data processing in the current case is regulated by the “Personal Data Protection Act” under its Articles 4(1)(1) and 3(1).
  Company A’s written reply stated that the visitor registration was necessary to protect the security of the company’s thousands of workers as well as the large amounts of money being exchanged. Although the company requested each visitor to show his or her identity card for registering his or her name and identity card number, no copy of Citizen A’s identity card was collected. Company A was only trying to prevent Citizen A from entering the company’s restricted internal areas, and therefore his data was transmitted only to the security guard on duty and nobody else.
  GPDP felt that, since Company A’s visitor registration served to safeguard the security of the company’s property and staff, it was justified and legitimate, and the interests of the person whose data was being collected did not take precedence. As such, Company A satisfied the legitimacy requirements determined in Article 6(5) of the “Personal Data Protection Act”.
  The visitor registration by Company A aimed at ensuring the security of the company property and staff. Since its objective was justified, legitimate and directly related to the company’s internal administration, the use of data had not deviated from the security purpose. In addition, each identity card number was unique and was an effective way to verify the identity of a person. As a controller, Company A, by collecting the deliveryman’s name and identity card number, was able to effectively monitor the identity of visitors as well as the entries to and exits from its premises. Since Macau currently had no law regulating the use of identity card numbers, the visitor registration by Company A did not breach the principle of adequacy determined in Article 5 of the “Personal Data Protection Act”.
  Company A registered the personal data of visitors for security purposes. Both the objectives of the registration and the types of data collected were within the scope permitted under GPDP Authorization No. 4/2008.
  Company A denied requesting Citizen A to provide a copy of his identity card when he refused to pay the MOP100 fine. Without any supporting evidence, GPDP had no reason to follow up further.
  After receiving the complaint, GPDP staff carried out two on-site investigations and discovered no documents posted on the security booth. GPDP felt that any document containing Citizen A’s data had been posted by Company A on the window of the security booth rather than facing the entry and exit door of the security booth, so that it would not easily be seen by people passing by. Citizen A’s personal data was not publicly displayed, and was in fact collected for “visitor management” purposes (for the reference of the security guard on duty). This collection of data did not exceed the purpose of security and no improper disclosure took place. However, since there was no obstruction at the entrance/exit of the security booth, the document might possibly be seen by other people. Under Article 15 of the “Personal Data Protection Act”, Company A should improve its technical and organizational measures so as to protect the personal data involved.
  In summary, the processing of the visitor’s data by Company A did not breach the “Personal Data Protection Act”.

Result:

    GPDP informed both Citizen A and Company A, in writing, of the above-mentioned analysis and decision, and recommended that Company A create a “Personal Data Collection Statement” policy for personal data processing and treat the security of data processing with prudence. The case was closed.

Reference:
Please refer to the "Personal Data Protection Act", Articles 3, 4, 5, 6 and 15.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116