Personal Information Collection Statement
Faq Section
What is personal data?
Examples of personal data used in everyday life include a person's name, telephone number, fax number, address, sex, age, occupation, marital status, salary and financial status, religious belief, nationality, photo, identity card number, medical records and employment records, including assessments of employment performance.
What is the major amendment on a Personal Information Collection Statement under the Personal Data (Privacy) Ordinance (“Ordinance”)?
The major amendment under the revised Ordinance focuses mainly on the use of personal data in direct marketing. There are two sets of new rules under the Ordinance:
a. Use of personal data for direct marketing; and
b. Provision of personal data to a third party for the purposes of direct marketing
When using personal data for direct marketing purposes for the first time, you must get the consent of the customer and inform them that they may access and correct their personal data or request you to stop using their personal data for this purpose at no cost. Then you must stop using their personal data once requested to do so by the customer.
What are the specific actions that need to be taken before using personal data in direct marketing?
a. For the “Use of personal data for direct marketing”:
Before using personal data for direct marketing purposes, you must inform customers that you intend to use their personal data, and provide them with details of (i) the type of data being collected and (ii) the classes of marketing subjects. The details should be easily readable and understandable. Customers may express their consent through the channel provided by you in which the consent can be an “indication of no objection” to use their personal data, therefore an “opt out” is acceptable.
b. For “Provision of personal data to a third party for the purposes of direct marketing”:
Before transferring personal data to a third party, you must inform customers that their personal data will be transferred to a third party for direct marketing purposes (for gain, if applicable) by written notice including type of data being transferred, classes of persons to which data will be provided and classes of marketing subjects.
You must provide a channel for customers to express their consent for transferring their personal data by allowing them to show “indication of no objection”.
Is it mandatory to provide a tick box for customers to indicate their objection? Is it allowable to advise them to communicate their consent to us by sending an email instead?
The notification must be presented in a manner that is easily understandable and in written form, which is easily readable.
Therefore, it is recommended to provide a tick box for customers to indicate their objection.
With an online purchase platform, can the PICS statement be presented to customers by use of a pop-up window?
Yes, as long as the PICS statement is presented to customers in an easily understandable and readable format.
What is a data processor?
A data processor is a person who processes personal data not for his own purposes but on behalf of another person. For example, an SMS service provider who sends an SMS containing travel policy details to a policyholder on behalf of MSIG.
Does a data processor need to get the consent of customers before contacting them on behalf of another person?
No, he does not.
If an agent is collecting personal information from a potential customer for a price quotation but has not decided which insurance company to refer to, does the agent need to present the PICS to this potential customer? If yes, what version of the PICS sh
If the agent intends to use the personal data of the customer for direct marketing purposes, he needs to present the PICS to the customer before/at the time of collecting of his/her personal data.
According to the grandfather exception, the new rule does not apply to personal data which is used before 1 April 2013. What happens in the event that an eDM has been sent to a customer before 1 April 2013 but failed to reach the customer and bounced back
No. As the eDM did not reach the customer successfully before 1 April 2013, the grandfather exception does not apply to this personal data. You must get his consent before using direct marketing to contact him under the new rule.
If I get the consent of a customer to use direct marketing before the effective date, and then the customer’s address changes and is updated, can I still use the new address for direct marketing without notifying the customer?
Yes, you may use direct marketing to contact this customer as long as you have got his consent before the effective date of the new rule and he has not withdrawn his consent for direct marketing.
If I have sent a letter/email to a customer notifying them or to obtain their consent, but no feedback is received from the customer, does it mean I can use their data for direct marketing purposes?
No, you can only do so when you have received their explicit consent for direct marketing.
If a customer applies for a credit card from a bank and has given consent to the bank to use his personal data for direct marketing purposes, does the bank need to seek the consent of that customer to transfer data to its associate company (insurance comp
Yes, new consent has to be obtained if the bank later intends to transfer the customer’s personal data to the bank’s associate company (insurance company) for the latter’s direct marketing of its products.
Can customers withdraw their consent?
Yes, customers may request to opt out of your use of their personal data at any time. You must stop using the data for direct marketing purposes and notify any person to whom data has been provided to stop using the data for direct marketing purposes once you receive the customer’s request.
What are the penalties for breaching the Ordinance?
For breaching the Ordinance with regard to using personal data for direct marketing purposes, the maximum penalty is HK$500,000 and 3 years imprisonment.
For breaching the Ordinance with regard to providing personal data to a third party for the purposes of direct marketing for gain, the maximum penalty is HK$1,000,000 and 5 years imprisonment. If not for gain, the maximum penalty is HK$500,000 and 3 years imprisonment.
When does the Ordinance come into force?
The Ordinance is effective starting from 1 April 2013. Starting from 1 April 2013, all policy transactions will be bound by the Ordinance.
Will MSIG provide new application/proposal forms together with new PICS that are compliant with the Ordinance?
Yes. Following the guidance recently released by the HKFI, we have prepared an interim version of the PICS in loose sheets to supersede the PICS originally printed on the application/proposal forms.
For more detailed information, please refer to the relevant guidelines by visiting the website of the Office of the Privacy Commission for Personal Data, Hong Kong (http://www.pcpd.org.hk).
Question Set
Faq Question
Faq Answer
Examples of personal data used in everyday life include a person's name, telephone number, fax number, address, sex, age, occupation, marital status, salary and financial status, religious belief, nationality, photo, identity card number, medical records and employment records, including assessments of employment performance.
Faq Question
Faq Answer
The major amendment under the revised Ordinance focuses mainly on the use of personal data in direct marketing. There are two sets of new rules under the Ordinance:
- Use of personal data for direct marketing; and
- Provision of personal data to a third party for the purposes of direct marketing
When using personal data for direct marketing purposes for the first time, you must get the consent of the customer and inform them that they may access and correct their personal data or request you to stop using their personal data for this purpose at no cost. Then you must stop using their personal data once requested to do so by the customer.
Faq Question
Faq Answer
a. For the “Use of personal data for direct marketing”:
Before using personal data for direct marketing purposes, you must inform customers that you intend to use their personal data, and provide them with details of (i) the type of data being collected and (ii) the classes of marketing subjects. The details should be easily readable and understandable. Customers may express their consent through the channel provided by you in which the consent can be an “indication of no objection” to use their personal data, therefore an “opt out” is acceptable.
b. For “Provision of personal data to a third party for the purposes of direct marketing”:
Before transferring personal data to a third party, you must inform customers that their personal data will be transferred to a third party for direct marketing purposes (for gain, if applicable) by written notice including type of data being transferred, classes of persons to which data will be provided and classes of marketing subjects.
You must provide a channel for customers to express their consent for transferring their personal data by allowing them to show “indication of no objection”.
Faq Question
Faq Answer
The notification must be presented in a manner that is easily understandable and in written form, which is easily readable.
Therefore, it is recommended to provide a tick box for customers to indicate their objection.
Faq Question
Faq Answer
Yes, as long as the PICS statement is presented to customers in an easily understandable and readable format.
Faq Question
Faq Answer
A data processor is a person who processes personal data not for his own purposes but on behalf of another person. For example, an SMS service provider who sends an SMS containing travel policy details to a policyholder on behalf of MSIG.
Faq Question
Faq Answer
No, he does not.
Faq Question
Faq Answer
If the agent intends to use the personal data of the customer for direct marketing purposes, he needs to present the PICS to the customer before/at the time of collecting of his/her personal data.
Faq Question
Faq Answer
No. As the eDM did not reach the customer successfully before 1 April 2013, the grandfather exception does not apply to this personal data. You must get his consent before using direct marketing to contact him under the new rule.
Faq Question
Faq Answer
Yes, you may use direct marketing to contact this customer as long as you have got his consent before the effective date of the new rule and he has not withdrawn his consent for direct marketing.
Faq Question
Faq Answer
No, you can only do so when you have received their explicit consent for direct marketing.
Faq Question
Faq Answer
Yes, new consent has to be obtained if the bank later intends to transfer the customer’s personal data to the bank’s associate company (insurance company) for the latter’s direct marketing of its products.
Faq Question
Faq Answer
Yes, customers may request to opt out of your use of their personal data at any time. You must stop using the data for direct marketing purposes and notify any person to whom data has been provided to stop using the data for direct marketing purposes once you receive the customer’s request.
Faq Question
Faq Answer
For breaching the Ordinance with regard to using personal data for direct marketing purposes, the maximum penalty is HK$500,000 and 3 years imprisonment.
For breaching the Ordinance with regard to providing personal data to a third party for the purposes of direct marketing for gain, the maximum penalty is HK$1,000,000 and 5 years imprisonment. If not for gain, the maximum penalty is HK$500,000 and 3 years imprisonment.
Faq Question
Faq Answer
The Ordinance is effective starting from 1 April 2013. Starting from 1 April 2013, all policy transactions will be bound by the Ordinance.
Faq Question
Faq Answer
Yes. Following the guidance recently released by the HKFI, we have prepared an interim version of the PICS in loose sheets to supersede the PICS originally printed on the application/proposal forms.
For more detailed information, please refer to the relevant guidelines by visiting the website of the Office of the Privacy Commission for Personal Data, Hong Kong (http://www.pcpd.org.hk).