August 4, 2015
Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) has updated its guidelines regarding the collection and use of biometric data to address a “broader scope of biometric data”, according to a report by Data Guidance.
The “Guidance on the Collection and Use of Biometric Data” (the Guidance) replaces the 2012 version and explicitly states when biometric data can be collected as well as the privacy measures that ensure that the data is correctly and safely processed.
“This Guidance replaces a previous guidance note which only dealt with fingerprint data,” said Anna Gamvros, partner at Baker & McKenzie. “In this new, quite detailed publication, the PCPD addresses a broader scope of biometric data. What is interesting is that this Guidance seeks to stretch the concepts of personal data in the privacy law by distinguishing between different levels of sensitivity in personal data.”
Hong Kong’s data protection law currently treats personal data and sensitive personal data the same.
With this latest guidance, the PCPD is addressing the previously unclear standards for handling “sensitive data”.
“Despite strong support from the PCPD, and draft proposals in the public consultation document, to include additional protections for biometric data (and more generally sensitive personal data), these were not taken up when the Personal Data (Privacy) Ordinance (‘the Ordinance’) was amended in 2012,” said Alexander Shepherd and Carolyn Bigg, partner and managing associate respectively at Simmons & Simmons. “By publishing the Guidance, the PCPD is returning to this topic and taking the opportunity to promote the strict standards it expects organisations to meet when handling what it describes as ‘sensitive data.’”
Shepherd and Bigg also added that the Guidance “should really be seen, not just as best practice, but as minimum compliance standards.”
Additionally, they state that organizations ought to carefully assess and document their reasoning when using biometric data technologies as to “why it is necessary and proportionate, why less privacy-intrusive alternatives are not available, and the controls implemented to minimise the privacy risks,” or they “may find it difficult to justify the scheme to the PCPD if a complaint is made.”
Only a day after the Guidance was published, the PCPD released an investigation report that addresses complaints about the excessive collection of employees’ fingerprints by fashion trading firm Queenix (Asia) Limited (‘the Company’).
In the report, the PCPD states that Queenix was found to be in breach of the standards detailed in the Guidance, and that the PCPD issued an enforcement notice ordering the company to put an immediate halt to the collection of fingerprint data, as well as to erase all data that was previously collected from employees.
“This is a typical pattern of the PCPD,” said Gamvros. “The PCPD tends to identify the need for guidance when conducting investigations. We have seen this happen with the collection and use of personal data for direct marketing purposes in the 2010 Octopus Case. It will be interesting to see whether, like in that case, there will be any legislative changes inspired by the Guidance.”