
As safe as houses: Strengthening the personal data system of estate agencies

2018-01-31

Introduction

The Report on the Inspection of the Personal Data System of An Estate Agency in Hong Kong (“Inspection Report”) was published by the Privacy Commissioner (“Commissioner”) on 18 December 2017 upon an inspection of the personal data system of a leading estate agency (“Estate Agency”) pursuant to section 36 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). In accordance with section 48 of PDPO, various recommendations were set out under the Inspection Report by the Commissioner upon his inspection of the Estate Agency. In this newsletter, we will provide a succinct summary of the findings and recommendations provided under the Inspection Report.

Findings and recommendations

Areas for improvement

The Inspection Report finds that the Estate Agency made reasonably good efforts generally to ensure proper management of customers’ data. The Commissioner was satisfied with the Estate Agency’s top management commitment to data privacy protection by designating a senior management officer to oversee and monitor the compliance of the personal data system. The Commissioner also appreciated that the Estate Agency prudently segmented the authorities and controlled the access rights of its database systems on a need-to-know basis, which would minimise the risk of unauthorised access or leakage of customers’ data. Nonetheless, the following deficiencies and areas for improvement were identified by the Commissioner:

1. Privacy policies

a. Practical guidelines relating to the collection of personal data and the use of personal data in direct marketing were issued in the form of internal notices. The notices were issued in a piecemeal fashion and lacked a regular, systematic updating and reviewing process.

b. The Commissioner recommended that:

i. Master privacy protection policies should be put in place to incorporate personal data protection into every major operation.

ii. Customers who visited or contacted the Estate Agency's branches or an individual estate agent in person or by telephone should be notified of the Privacy Policy Statement and Personal Information Collection Statement.

iii. Guidelines or procedures should be in place governing how individual estate agents handle personal data securely in transit, or requiring relevant documents to be returned to the office on the same day.

iv. Physical documents containing personal data should not be stored beyond the retention period (i.e. seven years) and should be properly disposed of by document disposal contractors.

v. Documents containing personal data should not be left unattended on staff members' desks.

2. Controls and ongoing assessment

a. The Estate Agency had no process for regular and systematic monitoring or auditing of personal data protection.

b. The Commissioner recommended that:

i. A regular and systematic compliance audit system should be in place to provide timely reflection.

ii. Estate agencies should conduct ongoing assessment to ensure that there is due compliance with the policies governing the handling of personal data.

3. Data breach reporting mechanism

a. There were no written guidelines or procedures governing the handling of data loss or leakage.

b. The Commissioner recommended that:

i. Clear and detailed written guidelines and procedures should be devised to expedite the response to leakage incidents. Such guidelines and procedures should include the circumstances under which a data breach incident should be reported, and the immediate assessment and measures to be taken.

4. Handling of vendors' and purchasers' personal data

a. There was no strict governance over the registration of purchasers' personal data in the Estate Agency's database systems. Most individual estate agents kept purchasers' personal data in their own possession without registering it in the database systems or notifying the Estate Agency of the collection.

b. The Commissioner recommended that:

i. Personal data privacy rights as a whole should not be undermined by individuals' business interests.

ii. Estate agencies should control the collection, holding, processing and use of the personal data of all customers by developing practical guidance that requires individual estate agents to input the personal data of vendors and purchasers into the database systems.

5. Governance in technical aspects

a. There was no formal IT security governance organisation, nor a company-wide IT security policy applicable to personal data privacy.

b. The Commissioner recommended that:

i. A healthy IT system free from cyber-attack should be in place.

ii. Estate agencies should designate personnel from top management to oversee IT security and formulate IT security policies based on their business models.

6. Training and education

a. Most staff members were unaware of the internal notices and practical guidelines governing the handling of personal data.

b. The Commissioner recommended that:

i. Policies and guidelines should be circulated on a timely and regular basis and in an effective manner.

ii. A department should be assigned to perform a proactive role in building a privacy-respectful culture and promoting compliance with personal data protection.

Implications for all

Whilst the Inspection Report targeted the estate agency industry, certain recommendations provided by the Commissioner shed light on similar issues faced by other industries that deal with voluminous amounts of personal data. For instance, insurance companies and online stores/selling platforms also require stringent privacy policies governing the general operation and life cycle of clients' and customers' personal data. These companies should prudently segment the access rights to their database systems and formulate an effective data breach reporting mechanism. A healthy system not only builds trust with clients and customers but also puts staff members at ease.

In fact, most of the recommendations provided by the Commissioner are applicable to many corporations. In particular, the data breach reporting mechanism and governance in technical aspects are crucial to companies that handle vast amounts of personal data electronically. Without a comprehensive system in these two areas, companies may leave their clients' personal data in a very vulnerable position, at risk of being lost or leaked.

 

For enquiries, please feel free to contact us at:

E: employment@onc.hk
T: (852) 2810 1212
W: www.onc.hk
F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
Published by ONC Lawyers© 2018

Our People

Michael Szeto, Partner