Hospitality companies and other organizations must adhere to privacy best practices when conducting on-the-spot temperature checks
Body temperature and other personal data that’s being gathered in response to the coronavirus pandemic must be collected and stored in compliance with government guidelines, Hong Kong’s privacy council has warned.
Earlier this year, the region’s Privacy Commissioner for Personal Data (PCPD) stated that companies and organizations can collect health data for the purpose of detecting Covid-19 symptoms.
This includes recording temperature readings for employees in an office environment or individuals visiting shopping centers and other leisure venues, for example.
However, the office of the PCPD warned that any data collection practices must comply with the Personal Data (Privacy) Ordinance (PDPO) bill.
A statement released last week [currently only available in Chinese] reiterated the department’s stance, reminding companies and organizations in Hong Kong that non-compliance could leave them in breach of the region’s privacy law.
Since the start of the coronavirus outbreak, businesses around the world have been making use of non-invasive digital thermometers in an attempt to detect in their customers or employees the flu-like symptoms that can accompany Covid-19 infection.
In Hong Kong, these temperature readings are often collected alongside other identifying details such as the person’s name and contact information.
While this information is intended to be useful for track and trace purposes, if care is not taken to ensure the safety of this data, a breach could expose individuals to phishing attempts, cyber scams, or worse.
Businesses and employers have been conducting temperature checks during the coronavirus pandemic
“Body temperature data per se is not regarded as ‘personal data’ under the definition in section 2(1) of the PDPO,” Stephen Kay-yi Wong, Privacy Commissioner for Personal Data, told The Daily Swig.
“However, if a data user also collects other personal data of a data subject, such as his/her facial image, name, and contact details, a breach of the collected data… would put the data subjects concerned at the risk of fraud or phishing activities when people are more prone to falling prey to scams associated with the pandemic.”
Proportionate data collection
Wong told The Daily Swig that the overriding principle of personal data collection should be that “any measures that may include personal data privacy should be necessary, appropriate, and proportionate”.
Companies or organizations should anonymize the data they process, the PCPD says, and should use the least intrusive measures possible.
“Organizations are required to take all practicable steps (such as providing a Personal Information Collection Statement) on or before data collection to inform individuals of the type of personal data to be collected and the purposes, and the classes of persons (e.g. public health authorities) to whom their data may be transferred.
Wong added: “It is also a good practice to inform the individuals through the PICS the maximum period of time for which the data will be retained.”
“Organizations [should] permanently destroy the personal data collected for the purposes of combating Covid-19 when the purpose of collection is fulfilled, such as when there is no evidence suggesting that any visitors have contracted Covid-19 or have close contact with the infected after a reasonable period of time.”
Failure to do the above measures may constitute contravention of the Data Security Principle of the PDPO, Wong warned.
The guidelines come after the office of the PCPD responded to privacy concerns surrounding the collection of data back in March.
At the time, it had received 127 complaints surrounding data misuse. The PCPD stated that though harvesting data was a necessary measure in combatting the virus, non-excessive information should be collected.
The office of the PCPD also released extensive guidelines governing how data should be collected and handled by employers.