Fitness centre chain California Fitness has been rapped over the knuckles by the privacy watchdog for putting at risk the personal details of 220,000 customers who have signed up for its exercise courses.
An investigation by the Office of the Privacy Commissioner for Personal Data, prompted by two complaints in 2011, found California Fitness had breached privacy law by asking customers to supply too much personal information – including their dates of birth – and storing photocopies of members’ identity cards.
The watchdog warned that any leak of the information could have resulted in serious identity theft.
California Fitness argued that copies of ID cards were needed to calculate staff commissions from memberships, and that they asked for dates of birth so they could make birthday offers to members.
Privacy Commissioner Allan Chiang Yam-wang, who released the investigation report on Thursday, dismissed the centre’s arguments as “ridiculous”. “Customers have no responsibility to help the company in its staff remuneration system,” said Chiang, adding that collecting members’ age range or month of birth should be enough for birthday promotions.
While Chiang was satisfied that collecting ID card numbers was acceptable, he ruled that collection of members’ dates of birth and making copies of their ID cards amounted to excessive collection of personal data and thus contravening the privacy law.
He served California Fitness an enforcement notice on November 21, ordering it to rectify the situation.
A spokesman for California Fitness said it disagreed with some of the findings in the commissioner’s probe and would lodge an appeal.
Chiang added many organisations in Hong Kong had taken clients’ privacy too lightly.
“It is irresponsible for organisations to collect [detailed personal] data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means,” said Chiang, “They tend to over-emphasise their administrative and operational convenience.”
The number of complaints about collection and handling of personal data relating to ID cards has risen from 87 in 2008 to 191 last year. For the first 10 months of this year, there have already been 187 such complaints.