First published: 19th October 2010
Prompted by the recent serious public concern about the mishandling of customers’ personal data by the Octopus group of companies, Hong Kong's Privacy Commissioner for Personal Data, Mr. Allan Chiang has published a new Guidance Note, titled “Guidance on the Collection and Use of Personal Data in Direct Marketing” providing data users with practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance while engaging in the collection and use of personal data for direct marketing. It replaces the previous Fact Sheet, “Guidelines on Cold-Calling” and the Guidance Note on “Cross-Marketing Activities” previously issued by the Commissioner.
The note covers:
- Collection of personal data for direct marketing of products and services has to be related to the original purpose of data collection
- Personal data should not be excessively collected
- Data subjects should be informed that it is voluntary for them to supply additional personal data required for direct marketing purposes
- Collection of personal data should be made by lawful and fair means, avoiding deceptive and misleading means and "bundled consent"
- A Personal Information Collection Statement (“PICS”) should be effectively communicated to the data subject
- “Purpose of use” of personal data and “classes of data transferees” should be defined with a reasonable degree of certainty
- Recommends good practice for use of personal data collected from public registers for direct marketing
- Requirements for managing customers’ opt-out requests under section 34(1) of the Ordinance:
- Control of direct marketing activities carried out by agent, contractors or business partners
- Recommended good practice for the maintenance of an opt-out list
- Guidance on data users transferring customers’ personal data to a third party in return for monetary gains.