Headquartered in Hong Kong, Tasmania Limited (the ‘Company’) is an online food delivery company. With each order, the Company collects marketing information on a daily basis, including feedback from customers who liked and disliked the service.
The Company has put in place standard questionnaires to collect and update the customers’ feedback from time to time. The information collected includes the respondent’s full name, address, HKID card number and contact telephone number.
At the bottom of the questionnaires, there is a statement that reads “All personal data collected will be used for research purpose only”. However, the clerical staff shared some personal data with other business partners in Macau, where they have set up a similar business.
Further, some of the personal data collected is stored in the Company’s cloud, which is insecure, and staff from its subsidiary company (which runs a beauty salon business) can access this data and are planning to contact the customers about some face treatment services.
As a corporate administrator:
(a) Recommend the best practices that the Company should incorporate into its personal data privacy policy/guideline for handling personal data in order to comply with the Personal Data Protection Ordinance.