Improper Collection, Retention, Use and Storage of Personal Data of Residents and Visitors by Property Management Companies

Improper Collection, Retention, Use and Storage of Personal Data of Residents and Visitors by Property Management Companies (2022)
Office of the Privacy Commissioner for Personal Data, Hong Kong

Investigation Report

Published under Section 48(2) of the Personal Data (Privacy) Ordinance
(Chapter 486, Laws of Hong Kong)


Improper Collection, Retention, Use and Storage of Personal Data of Residents and Visitors by Property Management Companies


Executive Summary

Background

  1. Property management is closely related to citizens' daily lives. Property management bodies are indispensable to the proper management of residential buildings, commercial buildings, industrial buildings, shopping malls, clubhouses and carparks. Property management involves multidisciplinary professional services, including general property management services, environmental management of properties, repair and maintenance of properties, facility management, finance and asset management, human resources management, and legal services related to properties. Duties such as visitor registration, resident card application, issuance of circulars, handling of complaints and litigation, and staff management involve the processing of a massive amount of personal data.
  2. The Office of the Privacy Commissioner for Personal Data (PCPD) receives enquiries and complaints about the property management industry's processing of personal data from time to time. During the past five years, the PCPD received an average of more than 100 complaints against the property management industry per annum. To raise the industry's awareness of the protection of residents' and visitors' personal data privacy, the Privacy Commissioner for Personal Data (Commissioner) publishes this investigation report in respect of four complaints recently received by the PCPD against property management companies. These four complaints involved the collection, retention and use (including disclosure) of personal data. Through this report, the Commissioner wishes to remind property management bodies to comply with the relevant requirements under the Personal Data (Privacy) Ordinance (Ordinance), Chapter 486, Laws of Hong Kong, in their daily practices, and to remind members of the public to protect their own personal data privacy when providing their personal data to property management bodies.
  3. In view of the latest development of the property management industry, the PCPD has issued the "Protection of Personal Data Privacy – Guidance on Property Management Sector"[1], which is published along with this investigation report on the same day.

Investigation Case (1): Cheong Sun Property Agent and Management Company Posted Documents Containing Property Owners' Personal Data in Public

Case Background

  1. On 8 March 2022, the PCPD received a complaint against Cheong Sun Property Agent and Management Company (Cheong Sun), which was responsible for the property management of Scenic Garden in Cheung Chau. Cheong Sun was alleged to have posted a notice on overdue arrears to be collected from property owners and a list containing the full English names, full addresses and the amounts in arrears of 48 owners (List) on a notice board located in the public area of the property. Moreover, Cheong Sun also put copies of the notice and the List into the mailboxes of those 48 owners.

Investigation Findings and Contraventions

Cheong Sun Contravened Data Protection Principle (DPP) 3(1)

  1. DPP3(1) and (4) of Schedule 1 to the Ordinance stipulate that personal data, without the express and voluntary consent of the data subject, shall only be used (including disclosed or transferred) for the purpose for which the data was to be used at the time of the collection of the data, or for a purpose directly related to that purpose.
  2. When it comes to posting of notices containing personal data, generally speaking, property management companies have a duty to inform property owners of the issues which may affect their interests. Public display of notices for discharge of the above duty is related to building management. However, property management companies should carefully consider and assess the necessity of publishing information containing an individual's personal data and the amount of data involved, especially when sensitive personal data is involved.
  3. In this case, Cheong Sun aimed to inform property owners by the notice that those 48 owners' overdue payments had put financial strains on Scenic Garden, and reminded those owners of their duty to pay the arrears as soon as possible. The Commissioner considered that Cheong Sun should have been able to collect the payment of arrears by putting separate notices into the mailboxes of the 48 owners, without any need to attach the List. Moreover, even though Cheong Sun intended to inform other property owners that 48 owners had not paid on time, it was unnecessary to post in public the personal data of those 48 owners. Under the above circumstances, the Commissioner considered that Cheong Sun had contravened the requirements of DPP3(1) as regards the use of personal data in the present case.

Enforcement Action

  1. The Commissioner has served an Enforcement Notice on Cheong Sun directing it not to unnecessarily disclose property owners' personal data to third parties when it tries to recover arrears in the future, unless the express and voluntary consent of the data subject is obtained, or the disclosure is otherwise in compliance with the law. Moreover, the Commissioner has also directed Cheong Sun to formulate clear written policies and guidelines for staff compliance; to circulate the policies and guidelines among staff on a regular basis; and to provide staff training to raise their awareness of personal data protection, so as to prevent recurrence of similar contraventions of the Ordinance.

Investigation Case (2): Creative Property Services Consultants Limited Failed to Set Retention Period for the Personal Data Collected During a Mask Distribution Activity and Failed to Properly Place Residents' Personal Data

Case Background

  1. Creative Property Services Consultants Limited (Creative Property Services), which was responsible for the management of Ching Ho Estate in Sheung Shui, assisted the government in distributing face masks to households in June 2021. Residents who registered at the main lobby and collected a box of face masks had to fill in their names, unit numbers and collection dates on the "Mask Receipt Record" (Receipt Record), and acknowledge receipt of the masks with their signatures.
  2. According to the complainant, Creative Property Services had failed to adopt any measures to cover the entries on the Receipt Record, which was a single shared form. He could see the personal data of other recipients when he signed the Receipt Record. Moreover, the complainant stated that the staff of Creative Property Services had placed the Receipt Record in a paper box beside a work desk, without covering the records in it. Hence, the complainant believed that Creative Property Services had not properly protected the personal data of the residents who had collected their masks, as recorded in the Receipt Record.
  3. Besides, the complainant indicated that Creative Property Services had not informed the residents of the retention period of the personal data in the Receipt Record.

Investigation Findings and Contraventions

Creative Property Services Contravened DPP2(2)

  1. DPP2(2) of Schedule 1 to the Ordinance stipulates that personal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used.
  2. Before a property management company decides to collect residents' personal data, it should determine the purpose of collection and specify the retention period of the personal data, and ensure that the personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used, so as to comply with the requirements of DPP2(2).
  3. In this case, Creative Property Services failed to specify the retention period of the personal data contained in the Receipt Record at the material time. It was not until the PCPD intervened that Creative Property Services decided when to destroy the personal data. Hence, the Commissioner found that Creative Property Services had contravened the requirements of DPP2(2) as regards the retention of personal data.

Creative Property Services Contravened DPP4(1)

  1. DPP4(1) of Schedule 1 to the Ordinance stipulates that all practicable steps shall be taken to ensure that any personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
  2. Regarding the use of a single shared form to acknowledge receipt of masks, the Commissioner was of the view that Creative Property Services could have prevented unrelated persons from accessing the personal data by properly covering the entries already on the form or by using individual forms for registration, and by providing proper training to frontline staff before the mask distribution activity took place. Regarding the alleged placing in public of the Receipt Record in the paper box beside the work desk, the photo provided by the complainant showed that the Receipt Record had indeed been placed beside the work desk and that the personal data in it could be clearly seen by passers-by.
  3. Having considered the above, the Commissioner was of the view that Creative Property Services had not taken all practicable steps to protect the residents' personal data in the Receipt Record against unauthorised or accidental access, processing, erasure, loss or use, and had therefore contravened the requirements of DPP4(1) as regards the security of personal data.

Enforcement Action

  1. The Commissioner has served an Enforcement Notice on Creative Property Services directing it to confirm the destruction of the residents' personal data collected during the mask distribution activity, and to formulate guidelines on setting the retention period of personal data collected. Moreover, Creative Property Services shall, through circulars and/or routine instructions, require its staff to strictly follow the instructions on processing personal data, and remind them to properly handle and keep documents or records containing personal data.
  2. The Commissioner has also directed Creative Property Services to include the above guidelines and instructions in staff training to enhance staff awareness of personal data protection, and to conduct effective and regular monitoring to ensure ongoing implementation of and compliance with the above guidelines and instructions, so as to prevent recurrence of similar contraventions of the Ordinance.

Investigation Case (3): H-Privilege Limited Disclosed a Resident's Phone Number to Another Resident Without Consent

Case Background

  1. The complainant was a resident of Parker 33 in Shau Kei Wan, which was managed by H-Privilege Limited (H-Privilege). On 14 July 2021, the complainant received a call from another resident to whom he had never given his phone number. The resident told the complainant that he had obtained the complainant's phone number from a security guard of Parker 33.

Investigation Findings and Contraventions

H-Privilege Contravened DPP3(1)

  1. DPP3(1) and (4) of Schedule 1 to the Ordinance stipulate that personal data, without the express and voluntary consent of the data subject, shall only be used (including disclosed or transferred) for the purpose for which the data was to be used at the time of the collection of the data, or for a purpose directly related to that purpose.
  2. In the present case, the security guard failed to abide by H-Privilege's established policy on the handling of personal data, and disclosed the complainant's phone number to the resident concerned without obtaining the prior authorisation of staff at manager level or above and/or the complainant's consent. Moreover, the Commissioner was of the view that the complainant had given his phone number to H-Privilege at the outset for communication about property management. The security guard's disclosure of the complainant's phone number to the resident concerned for private communication was a significant deviation from the purpose of use to which the complainant had consented, and was also inconsistent with H-Privilege's original purpose of collection.
  3. Hence, the Commissioner found that H-Privilege had contravened the requirements of DPP3(1) as regards the use of personal data.

Enforcement Action

  1. The Commissioner has served an Enforcement Notice on H-Privilege directing it to regularly circulate among its staff its established policy on the handling of residents' personal data and the circular issued in respect of this case. Staff shall not disclose or provide residents' personal data to anyone without authorisation or the consent of the residents concerned. H-Privilege is also directed to include the above policy and circular in staff training to enhance staff awareness of personal data protection, and to conduct effective and regular monitoring to ensure implementation of and compliance with the above policy and circular, in order to prevent recurrence of similar contraventions of the Ordinance.

Investigation Case (4): Wilson Property Management Limited Recorded Visitor's Identity Card Number without Offering Less Privacy-intrusive Alternatives

Case Background

  1. The complainant was a food delivery worker for a takeaway platform. On 5 December 2021, when the complainant delivered food to a unit at Tung Yuk Court in Shau Kei Wan, which was managed by Wilson Property Management Limited (Wilson), a security guard requested him to present his Hong Kong Identity Card for visitor registration. A notice stating that visitors must present their Identity Cards for registration was also posted at the reception counter. The complainant offered to provide other identification documents for visitor registration, but the security guard insisted that only a Hong Kong Identity Card would be accepted. In the end, the complainant was denied access to the building after refusing to present his Identity Card.

Investigation Findings and Contraventions

Wilson Contravened DPP1(1)

  1. DPP1(1) of Schedule 1 to the Ordinance stipulates that personal data shall be collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; that the collection of the data is necessary for or directly related to that purpose; and that the data is adequate but not excessive in relation to that purpose.
  2. Moreover, Identity Card numbers are sensitive personal data. Data users may only collect Identity Card numbers under the conditions stated in the Ordinance and in the "Code of Practice on the Identity Card Number and other Personal Identifiers" (Code) issued by the Commissioner under the Ordinance.
  3. According to the Code, property management companies may record visitors' Identity Card numbers at building entrances. However, the Code also points out that property management companies should, wherever practicable, give visitors the option of alternatives which are less privacy-intrusive than providing their Identity Card numbers (e.g. accepting other identification documents for registration, or calling the residents concerned to identify the visitors).
  4. In the present case, Wilson could in fact have adopted less privacy-intrusive alternatives for visitor identification (e.g. accepting the complainant's staff card as proof of identity, since he was entering the building to perform his duties, or having the security guard confirm the purpose of the visit with the resident concerned). However, apart from collecting Identity Card numbers, Wilson failed to offer any less privacy-intrusive alternative to visitors. The Commissioner found that this contravened the requirements of the Code and the requirements of DPP1(1) as regards the collection of personal data.

Enforcement Action

  1. The Commissioner has served an Enforcement Notice on Wilson directing it to review its visitor registration procedures and allow visitors (whether or not they are on an errand) to adopt alternatives which are less privacy-intrusive than providing their Identity Card numbers for registration; to formulate written policies and guidelines for staff compliance; to regularly circulate the policies and guidelines among its staff; to provide staff training to enhance their awareness of personal data protection; and to conduct effective and regular monitoring to ensure ongoing implementation of and compliance with the above policies and guidelines.

Recommendations

  1. The Commissioner encourages property management bodies (including owners' corporations, owners' committees, mutual aid committees and property management companies) to "self-regulate" by adopting good practice in accordance with the law and guidance, so as to protect and respect the personal data of residents, and to earn residents' trust and support in fulfilling their management duties.
  2. Through this report, the Commissioner would like to make the following recommendations to property management bodies:
    1. The Commissioner encourages property management bodies to introduce a "Personal Data Privacy Management Programme" that makes the protection of personal data privacy part of their corporate governance responsibilities, and to adopt a top-down approach to implementing open and transparent information policies and practices, so as to demonstrate their commitment to good corporate governance and to earn the trust of residents. For details, please refer to the "Privacy Management Programme: A Best Practice Guide"[2] issued by the PCPD.
    2. Before formulating policies or measures on the collection of personal data, a Privacy Impact Assessment should be carried out to identify any privacy issues associated with implementing the policies or measures, so as to determine whether the policies or measures are really needed and whether there are any less privacy-intrusive alternatives, and to strike a reasonable balance between the discharge of property management duties and the protection of the personal data privacy of residents and visitors.
    3. A Data Protection Officer should be appointed to ensure organisational compliance with the requirements of the Ordinance and implementation of the "Personal Data Privacy Management Programme". Organisations should allocate resources to enhance staff awareness of personal data privacy protection by clearly disseminating relevant and up-to-date information (e.g. offering practical tips from time to time in internal newsletters, and providing channels such as an intranet so that the necessary information can be browsed easily at any time). Organisations should establish a culture of respect for personal data privacy and thoroughly implement policies protecting personal data by adopting a top-down approach.
    4. Residents' personal data should be treated as an important asset of property management bodies, and all personal data collected should be kept safely and processed carefully. Staff awareness of and sensitivity to the protection of residents' personal data should be enhanced by applying the concept of privacy protection to the staff's daily work routine and by providing training tailored to the needs of the relevant staff, so that they process residents' personal data properly.
    5. Policies and guidelines on processing personal data should be reviewed and updated on a regular basis. Through proactive communication, staff should be made aware of the personal data privacy issues they may encounter at work, and provided with effective and professional solutions and knowledge. Staff's routine work procedures should be monitored effectively to help them better understand the requirements of the Ordinance, so as to create a work environment and a mode of operation which protect personal data privacy.


This work is released under the Creative Commons Attribution 4.0 International license, which allows free use, distribution, and creation of derivatives, so long as the license is unchanged and clearly noted, and the original author is attributed.
