dpp1-3.doc
dpp13doc1523.doc 2010/5/12

Notes on enquiry cases related to Data Protection Principle 1 (DPP 1)

Case No.: 199802454

Waiver of right in a service agreement that the company may use personal data collected cannot override the requirements of the Personal Data (Privacy) Ordinance.

Q: We are a company relating to communication networks. Please advise whether, by virtue of the inclusion of a waiver of right clause accepted by the customer, we can use the data collected for other purposes. What action will your office take?

A: It is our view that the requirements of the Ordinance are binding on a data user irrespective of any contrary terms contained in an agreement with a data subject. For example, under data protection principle (“DPP”) 1(1)(a) in Schedule 1 to the Ordinance it is provided that personal data shall not be collected except for a lawful purpose directly related to a function or activity of the party that will use the data. This requirement overrides any term or condition in a customer agreement that purports to give the company concerned the right to use personal data for any purpose whatsoever.

Further, pursuant to DPP3, personal data shall not, without the “prescribed consent” of the subject of the data, be used for a purpose other than the purpose for which the data were to be used at the time of their collection or a directly related purpose. “Prescribed consent” in the Ordinance basically means express consent given voluntarily. Unless such consent is given to amendments to a service agreement that purport to add new, unrelated purposes for which a customer’s personal data may be used, the requirement of “prescribed consent” under DPP3 will not have been complied with.

You also ask what action we will take in relation to such practices. The mere inclusion in a service agreement of terms that purport to override the requirements of the Ordinance may not contravene the Ordinance, but it is confusing to the public, and when we come across such terms we will query them with the company concerned. On the other hand, any attempt to make use of such terms in a manner that is inconsistent with the requirements of the Ordinance would be a contravention of the Ordinance.

As a general matter, we have powers to investigate suspected contraventions of the Ordinance, both on complaint from the individuals whose personal data are involved and on our own initiative (Part VII of the Ordinance refers). An investigation on our own initiative may take place following what we call a compliance check, where we first draw the attention of the party concerned to the suspected contravention and invite a response and the taking of any necessary remedial action. Depending on the response we receive to such an approach, we would consider using our formal powers of investigation.

Notes on enquiry cases related to Data Protection Principle 1 (DPP 1)

Case No.: 199803996

Whether an employer can ascertain from the Police matters relating to the prosecution of an employee.

Q: We are a trading company. An employee of our company was charged with theft. As an employer, are we entitled to check with the Police regarding the prosecution of the employee and the outcome of the Court’s decision?
A: The question has to be looked at from two angles: your collection of such information and the release of the information by the Police to you.

So far as your collection of the information is concerned, if such information is given to you orally and not recorded by you, it does not constitute personal data and your collection of the information is not subject to the restrictions of the Ordinance. If the information is recorded, it will constitute personal data of the employee. Your collection of such personal data will then be subject to the requirements of data protection principle (“DPP”) 1 of Schedule 1 to the Ordinance. In particular, DPP1(1) provides that a data user shall not collect personal data except for a purpose directly related to its functions or activities. It seems to us that if the purpose for collecting the data to which you refer in your letter is, say, to satisfy yourself as an employer as to the integrity of your employee, this may be considered as directly related to your functions and activities as a data user. Hence, the collection by you of the data may be in accordance with the requirements of DPP1(1).

However, as a general matter, please note that the Rehabilitation of Offenders Ordinance (Cap. 297) contains certain provisions restricting the disclosure of information relating to previous convictions, or the use of such information as a ground for dismissing or excluding the individual concerned from employment. If you have any doubt concerning whether your intended use of such information is lawful, you should consult your legal advisers.

The release of personal data to you by the Police is covered by DPP3 of the Ordinance. Basically, DPP3 provides that personal data should not be used for any purpose other than the purpose for which such data were to be used at the time of collection, unless the “prescribed consent” of the data subject is obtained. In the present case, it seems to us that the purpose of the Police in collecting the information concerned is criminal investigation and prosecution, not assisting an employer to make an assessment of the integrity of the individual concerned. Therefore, any disclosure of the data (which includes disclosure of information inferred from the data) by the Police for this purpose would appear to be in contravention of the requirements of DPP3, unless the “prescribed consent” of the employee in question has been obtained. Please note, however, that “prescribed consent” under the Ordinance means essentially consent given expressly and voluntarily. Hence, any consent obtained by exerting pressure on an individual will not be “prescribed consent”. Even if prescribed consent is obtained from the individual, the Police may still choose not to release the information to you on other legal or policy grounds.

Lastly, there is the, at least theoretical, possibility that you could gather the information you want from the courts. This is a natural consequence of the fact that Hong Kong operates under an open justice system. Generally speaking, any person may view the court lists, some of which are also published in newspapers, to ascertain the names of individuals against whom criminal cases are being heard in the courts on any particular day. The verdict in all criminal cases is also made public at the time it is given. Incidentally, as a general matter, such disclosure of information by the courts in these circumstances is considered by us to be consistent with DPP3.

Notes on enquiry cases related to Data Protection Principle 1 (DPP 1)

Case No.: 199803999
Definition of “subsequent collection” under section 35 of the Personal Data (Privacy) Ordinance. Meaning of “material difference” under section 35(1)(b)(i) of the Ordinance.

Q: We engage in banking activities. We would like to know the definition of “subsequent collection” under section 35 of the Ordinance and whether the transactions of a customer account will constitute “subsequent collection”. Secondly, we would like to seek your view as to the meaning of “material difference” under section 35(1)(b)(i) of the Ordinance. Please give us your opinion on whether the circumstances of subsequent collection mentioned below are materially different from the first collection. (a) Our bank asks the existing account holder to supply us with extra data. (b) The existing account holder becomes a guarantor in another transaction and our bank asks him to give us his personal data again.

A: 1. In our view, all transactions in relation to a customer account which involve a collection of personal data would amount to subsequent collection for the purpose of section 35 of the Ordinance. Such transactions include, for example, the withdrawal of funds from an ATM that involves the recording of the commands entered into the ATM by the individual.

2. (a) The reference to “material difference” in section 35 of the Ordinance is basically a reference to the information required to be given to an individual pursuant to data protection principle (“DPP”) 1(3) in Schedule 1 to the Ordinance. In particular, by virtue of DPP1(3) a data user that collects personal data from an individual who is the subject of that data is required to inform that individual explicitly of the following: (i) the purpose for which the data are to be used; (ii) the classes of person (if any) to whom the data may be transferred; and (iii) the individual’s rights to request access to and correction of personal data of which they are the subject and to whom to make such requests.

As the above-mentioned information does not depend directly on the kind or amount of personal data collected, it is possible that “extra data” could be collected without there being a “material difference” in what the individual needs to be informed of pursuant to DPP1(3). However, whether this is so in a particular case depends on its particular facts. For example, if the “extra data” are collected for a purpose that the individual was not previously informed of, there would be a “material difference” for the purposes of section 35 of the Ordinance.

(b) Generally speaking, the purposes for using data collected from an individual who is acting as a guarantor will be different from the purposes for using data collected from an individual who has not previously acted as a guarantor or borrowed money as a principal from the institution concerned. For example, one of the purposes for using data in the former case is to collect any debt that the guarantor becomes liable for, which is not an applicable purpose in the latter case. This would be a “material difference” for the purposes of section 35 of the Ordinance.

Notes on enquiry cases related to Data Protection Principle 1 (DPP 1)

Case No.: 199804574

Whether recording of telephone conversations between customers and staff is in breach of the Personal Data (Privacy) Ordinance.

Q: We are a trading company. We would like to know whether recording telephone conversations between customers and our staff would be a contravention of the Personal Data (Privacy) Ordinance or other existing Ordinances.

A: We are not in a position to advise on this matter other than with respect to the Personal Data (Privacy) Ordinance, which we do below. If you have any doubt about your legal position in this regard, whether under the Ordinance, having considered our advice below, or under any other laws of Hong Kong, we suggest you seek advice from a qualified legal practitioner.

Generally speaking, the Ordinance is concerned with recorded information that relates to individuals, from which it is reasonably practicable to identify the individual concerned and which is in a form in which access and processing is also reasonably practicable. Such recorded information is referred to as personal data under the Ordinance. To the extent that your activities in recording telephone conversations involve the collection of such data, they should comply with the requirements of data protection principle (“DPP”) 1 in Schedule 1 to the Ordinance. Under DPP1, you are required to use only those means of collecting personal data that are lawful and fair in the circumstances.
Whether or not your proposed means of recording telephone conversations are lawful under the laws of Hong Kong is a matter on which you should obtain qualified legal advice (as indicated above). However, even if what you propose to do is lawful, you must still consider whether it is fair in the circumstances of the case. The approach we take when considering whether a means of collecting personal data, such as recording telephone conversations, that is generally considered privacy intrusive is nevertheless fair in the circumstances of the case is to ask whether the purpose to be achieved justifies the use of that means in that case. Also relevant to this issue is whether less privacy-intrusive means are available to achieve the same result.

An example of the recording of telephone conversations that may be considered fair in the circumstances of the case (subject to proper notice being given to the parties) is in the securities industry, where this is done to obtain a record of clients’ instructions for use in the event of a dispute. This provides a significant benefit both to the securities company and its clients, as disputes over such instructions can be readily resolved. It is also noteworthy that alternative means of confirming a client’s actual instructions, such as written confirmation being given before they are executed, are not practicable in the context of the securities industry. It is suggested that you adopt a similar approach to the above in considering whether your proposed means of collection of personal data are fair in the particular circumstances of your case.

In addition, DPP1(3) requires that when personal data are collected from the individual who is the subject of the data, he or she should be explicitly informed of (a) the purpose for which the data are to be used; (b) the classes of person (if any) to whom the data may be transferred; and (c) the individual’s rights to request access to and correction of personal data of which they are the subject and to whom to make such requests. In the case where personal data are collected repeatedly in the same circumstances without a material difference in the information referred to above, it is not necessary to repeat the notification in relation to each collection (section 35 of the Ordinance refers). However, in such circumstances, the individual should be notified on at least an annual basis (section 35 of the Ordinance also refers). If you wish to make use of these provisions, and they apply to your proposal, you should inform both your staff and your customers of the matters required by DPP1(3) at the outset of the recording activity and repeat the notification at least annually.

Notes on enquiry cases related to Data Protection Principle 2 (DPP2) and Section 26

Case No.: 199709598

Whether retention and use of customers’ old addresses by a bank are in breach of the requirements of the Personal Data (Privacy) Ordinance.

Q: We are a bank operating in Hong Kong. We would like to know whether the use of customers’ old addresses for collecting amounts due to us and the disclosure of such data to debt collection agencies would be in breach of the Ordinance.
In this regard, it seems to us that an old correspondence address is data which it is legitimate for a bank to retain for the following reasons: (a) if correspondence to the current address is returned undelivered, it would be legitimate to try to communicate with the customer at an old address; (b) when a customer is deliberately trying to avoid communicating with the bank with a view to avoiding meeting his obligations, it would be legitimate to try to contact him at an old address; and (c) an old address may provide details of an asset which may still be owned by the customer even though the address may not be one which is used for correspondence. We recognise that, to avoid breaching the Ordinance, care would need to be exercised when using an old address for communication purposes, and in this situation it would probably be appropriate for letters to be sent for the personal attention of the customer and by registered mail. We believe also that an old address should not be used for correspondence if the bank is on definitive notice that the address is occupied by a third party.

A: The provisions of the Ordinance of direct relevance to this issue are those of Data Protection Principle (“DPP”) 2(1)(b) and 2(2) in Schedule 1 and section 26. In brief, DPP2(1)(b) requires that where there are reasonable grounds for believing that personal data are inaccurate having regard to the purpose for which the data are to be used, all reasonably practicable steps should be taken to ensure either (a) that the data are not used for that purpose while those grounds subsist, or (b) that the data are erased. DPP2(2) requires that personal data shall not be kept for longer than is necessary for the fulfilment of the purpose for which the data are to be used. Section 26 requires that personal data be erased where the data are no longer required for the purpose for which they were used, subject to certain exceptions, including where erasure is prohibited by law.

It follows from the above that personal data may be retained so long as there is a subsisting purpose for which the data were used or the exemptions to section 26 apply. Further, the fact that there are reasonable grounds for believing that the data are inaccurate does not by itself necessitate erasure (DPP2(1)(b)(i) refers). In such a case, personal data may be retained for use for another purpose for which the data remain accurate, or retained pending fulfilment of the purposes for which the data were used.

In your question, you set out three general situations where a bank may prefer to retain an old address. We consider that these give a reasonable indication of some general circumstances under which an “old” address may be retained and used. However, in examining any complaint in relation to such retention and use, we are obliged to apply the requirements of the Ordinance to the particular facts of the case. Those facts may disclose a contravention of the said requirements notwithstanding the case’s conformity with one or other of the general situations put forward. As regards the precautions to be taken when an old address is legitimately used for communication, as set out in your last paragraph, these are considered reasonable.
Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199800677

Whether disclosure to a new owner of a second-hand car of the repair record of the previous owner of that car would contravene the Personal Data (Privacy) Ordinance.

Q: We are a car company dealing with the sale and repair of cars. We would like to know, if we are asked by a new owner of a second-hand car for the repair record of the previous owner of the car, whether disclosure of such a record would contravene the Ordinance. Do we have an obligation to disclose the previous repair record of a car to a new owner?

A: In your question you ask whether the disclosure to a new owner of a second-hand car of the repair record of the previous owner of that car would contravene the Ordinance. The first point to make is that the Ordinance is only relevant to this issue to the extent that such records amount to personal data. This would be the case only where the records directly or indirectly relate to a previous owner who is a living individual and it is reasonably practicable to identify the individual from the records by name or otherwise. It is probable that at least some of the repair records to which you refer meet these requirements and hence are personal data.

The provisions of the Ordinance of most direct relevance to your enquiry in relation to such personal data are those of Data Protection Principle 3 (“DPP3”) in Schedule 1. DPP3 provides that personal data may be used only for a purpose for which the data were to be used at the time of collection, or a directly related purpose. The use, which in this context includes disclosure and transfer, of the personal data for any other purpose would require the express consent of the individual who is the subject of the data, given voluntarily.

Such repair records are likely to contain data collected from the previous car owner, e.g. details of any accident resulting in the need for the repairs. Such data are presumably collected for the purpose of carrying out the repairs and providing future maintenance services. Applying the requirements of DPP3, you may disclose such data to the new owner for the same purpose, e.g. to assist the provision of future maintenance services. However, before disclosure of previous repair records to a new owner, any identifying particulars of the previous owner should be removed, even if the identity of the previous owner is already known to the current owner, as such identifying particulars are not directly related to the purpose of disclosure.

In your question you also ask whether or not you have an obligation to disclose the previous repair record of a car to a new owner. Under the Ordinance there is no such obligation. However, whether any such obligation may exist on your part on account of any contract between yourself and the respective car owners or under any other law is a matter on which we are not in a position to comment.
We also would like to take this opportunity to remind you that DPP1(3) of the Ordinance requires data users to inform individuals from whom they collect personal data of which they are the subjects, e.g. when inviting an individual to fill in a form giving their personal details on the purchase of a vehicle, of the following: (a) the purpose for which the data are to be used; (b) the classes of person (if any) to whom the data may be transferred; and (c) the individual’s rights to request access to and correction of personal data of which they are the subject and to whom to make such requests.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199804492

Whether making use of a telemarketing company to call previous customers for further business is in breach of the Personal Data (Privacy) Ordinance.

Q: Our company proposes to make use of a telemarketing company to call previous customers to solicit further business. Is this a contravention of the Ordinance?

A: In order to carry out your proposal, it appears that you will need to transfer the names and telephone numbers of the customers to the telemarketing company. Under the Ordinance this would constitute a use of personal data. Pursuant to data protection principle (“DPP”) 3 in Schedule 1 to the Ordinance, you may not use (including transfer) personal data other than for a purpose for which the data were to be used at the time of their collection, or a directly related purpose, unless you have obtained the express consent given voluntarily by the individuals.

Applying the requirements of DPP3 to your proposal, I assume that one of the purposes for which you collect personal data from your customers is in order to contact them and to invite them to do more business with your company. If so, in accordance with the requirements of DPP3, you may transfer the data to the telemarketing company, and it may use the data, for this purpose without the prior consent of the individuals concerned. Incidentally, this purpose has to be clearly stated in your notice to customers. The notice also has to inform the customers that their personal data may be disclosed to a marketing company for this purpose (as required by DPP1(3)).

In addition, in our view the solicitation of customers, whether by yourself or by another party on your behalf, comes within the definition of direct marketing in section 34 of the Ordinance. The said section imposes special requirements on parties undertaking direct marketing activities. In particular, the first time that personal data are used for direct marketing, the individual should be informed that he or she has the right to request that the data user cease to use the data for that purpose. Furthermore, the data user is obliged to comply with any such request. This Office has issued a factsheet (Fact Sheet No. 3: Personal Data Privacy: Guidelines on Cold-Calling) giving guidance on compliance with these requirements with respect to direct marketing by telephone.

We suggest that you bring these requirements to the attention of the telemarketing company with which you are dealing. We also suggest that in your agreement with that company you consider imposing requirements on it to comply with the requirements of the Ordinance in general, and of section 34 in particular, in relation to personal data you transfer to it. Furthermore, without prejudice to the generality of the said requirements, we suggest you require the company not to use the data concerned for any purpose other than the solicitation of business on your behalf and to erase the data once that purpose is fulfilled.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199804956

Whether an association may disclose to other bodies complaints received against tour coordinators.

Q: We are a tourist association. We would like to seek your advice as to whether our Association may, under the Ordinance, release to others records of complaints lodged against registered tour coordinators, taking into consideration that the consent of the tour coordinators in question has been given for checking complaints with our Association.

A: This matter is governed by data protection principle (“DPP”) 3 in Schedule 1 to the Ordinance. Pursuant to DPP3 you may, subject to any other requirement of law, use (which includes disclose) personal data for a purpose for which the data were collected. It seems to us that one of the purposes for which the Association collects personal data in complaints against tour coordinators is to improve their standard of service, which clearly falls within the general functions of your Association. Your disclosure of the data concerned to related bodies for this purpose is therefore consistent with the requirements of the Ordinance.
Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199805027

Use of personal data obtained from the Land Registry for direct marketing purposes.

Q: We are a bank. We have obtained the list of Transacted Property addresses which is issued by the Land Registry. We intend to use those Transacted Property addresses for direct marketing purposes, that is, for credit card promotion, and we will also inform the occupants of those transacted property addresses that we will, without any charge to them, cease to use those data if they so request (in view of section 34 of the PDPO). We would therefore request your opinion on whether we can use the transacted property address list for our coming direct marketing campaign.

A: It is not clear from your question whether you propose to use the addresses by themselves or together with the name of the registered owner. The former may not constitute personal data and hence their proposed use may not be subject to the requirements of the Ordinance. The latter, in recorded form, are more obviously personal data and subject to control under the Ordinance.

Assuming that the data to be used are personal data, I am afraid a categoric answer cannot be given as to whether what you propose to do is in accordance with the provisions of the Ordinance. One view is that such data are not collected or disclosed by the Land Registry for the purpose of direct marketing and hence their use for this purpose would require the prior consent, given voluntarily, of the individuals who are the subjects of the data (the requirements of data protection principle (“DPP”) 3 in Schedule 1 to the Ordinance refer). Another view is that the Land Registry does not collect the data as such. Rather, pursuant to statutory requirements, it provides a mechanism whereby the data are made available for public inspection with no particular limitation as to the purpose for which they may be used. If so, the data may be used for direct marketing without the prior consent of the individuals concerned.

From the point of view of privacy protection, the first of these two views is clearly to be preferred. The fact is that individuals with whom you do not have a past banking relationship may be surprised to receive a direct marketing approach from you and may query how you obtained their contact details. At the very least this may result in a negative consumer reaction. However, the legal issue is not one that has been tested in any case investigated by this Office or in any judicial or quasi-judicial proceedings. You may therefore wish to obtain your own legal advice on the matter. Whenever you undertake direct marketing activities, I confirm that you should comply with the requirements of section 34 of the Ordinance, as you indicate you would in this case.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199805415

Disclosure of the accounts of a deceased person is not in breach of the Personal Data (Privacy) Ordinance, but if the information relates to third parties, the consent of those third parties is required.
Q: We are a bank. We have received a letter from a firm of solicitors acting for the administrator of the estate of a deceased person. We are requested to disclose certain records in relation to accounts which are in the name of the deceased. However, the records also include information relating to third parties. Is such disclosure a contravention of the Ordinance?

A: The first point to note is that the Ordinance is concerned with personal data, which generally speaking are recorded information relating to living individuals. Hence, insofar as the records concerned relate to the deceased and to no living individual, they do not contain personal data and are not subject to the requirements of the Ordinance.

However, according to your letter the records include information relating to third parties. Assuming that some or all of the said third parties are living individuals who are identified in the records concerned, disclosure of the records relating to them to the firm of solicitors would be disclosure of personal data. Hence, this is a matter that is subject to the requirements of the Ordinance. The relevant requirements are those of data protection principle (“DPP”) 3 in Schedule 1. DPP3 provides that a data user may not use, which includes “disclose” or “transfer”, personal data other than for a purpose for which the data were to be used when they were collected or a directly related purpose, without the “prescribed consent” of the individual who is the subject of the data. Prescribed consent is defined under the Ordinance to mean, in essence, express consent given voluntarily.

It seems to us that the purpose for which you are being asked to disclose the records concerned, the administration of a deceased estate, is not the purpose for which the personal data in the records were likely to have been collected or a directly related purpose. Hence, to comply with the Ordinance it would be necessary for you to obtain the prior express consent, given voluntarily, of the individuals concerned for the disclosure. If one or more of the said individuals do not so consent, you will need to consider whether any of the exemptions from the requirements of DPP3, as provided for in Part VIII of the Ordinance, applies. For example, if the non-disclosure of the record concerned would prevent the administrator of the estate from remedying unlawful conduct, such as an unlawful withdrawal of funds from the accounts, the disclosure of the records would be allowed pursuant to sections 58(1)(d) and 58(2) of the Ordinance. However, before acting on this or any other exemption, we would advise you to obtain legal advice on its applicability to the particular circumstances of your case.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199805419

Disclosure of staff information by a company to its staff union is not considered a contravention under the Personal Data (Privacy) Ordinance.

Q: We are a staff union. In the past our company was willing to pass on information about our colleagues to us for our staff union. However, since July 1997 the company has refused to give such information to us on the ground that such disclosure would contravene the Ordinance. We would like to know whether such disclosure is a contravention of the Ordinance.
A: We confirm that if the disclosure of the data to the Union is for a purpose that is directly related to the purpose for which the data were to be used by the Company when they were collected, the data may be disclosed to, and used by, the Union for that purpose without the prior consent of the individuals concerned (data protection principle 3 (“DPP3”) in Schedule 1 to the Ordinance refers).

The issue is whether there is such a direct relationship between the purposes of the Company and the Union in using the data. Given the nature of the data concerned, the general purpose for which the Company uses the data appears to be human resources management. In our view, the organisation and administration of a staff union is, as a general matter, directly related to human resources management. Hence, in general terms, we agree that disclosure of the said data by the Company to the Union for the administration of the Union, without the consent of the individuals concerned, is consistent with the requirements of the Ordinance. However, we consider that it would nevertheless be good practice for the Company to ask its employees on recruitment whether they have any objection to such disclosure and not to so disclose the data of those who do so object.

You should note that our view given in response to an enquiry of this sort has no legal force. Furthermore, even if the Company accepts that our view is correct in law, it is under no obligation to resume its previous practice of disclosure.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199805802

Posting of results of examination involves the disclosure of personal data.

Q: I am a university student. I would like to know whether the posting of examination results is a breach of the Ordinance. Can students request that the results be posted to them individually?

A: The posting of examination results involves the disclosure of personal data.
Under the Ordinance disclosure of personal data is a use of personal data and should conform with the requirements of data protection principle (“DPP”) 3 in Schedule 1. DPP3 provides that personal data may not be used (which includes disclosure) without the express consent of the individuals concerned except for a purpose for which the data were to be used when collected or a directly related purpose. Accordingly, examination results may be posted without the prior consent of the student if this is done for a purpose for which the personal data concerned were collected. It is possible that the people who post the examination results may claim that this is the case. However, I note that if the purpose of doing this is merely to inform the individuals concerned of the results, this could be done by notifying each individual directly of his or her result. On this basis, the posting of the results may not be consistent with the requirements of DPP4 to ensure security with respect to personal data.

You also ask whether students could require that examination results not be posted. In our view, this is certainly a matter which students may raise with the University. If the University refuses to change its current practice despite objection from students, a complaint may be lodged with our Office for investigation of whether there is any contravention of DPP4.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199805978
Whether disclosure of results of Teaching Evaluation to students is a contravention of the Ordinance.

Q: I should be very grateful if the Privacy Commissioner would advise on the following situation which has arisen in our institution. Each semester, our students complete a course and teaching evaluation questionnaire for each of the courses they are studying. This requires them to rate both the course (its content and organisation) and the teacher (his/her performance). The results are used by the Head of Department as part of the staff appraisal and development process, and the “magic score” (an overall assessment of the teacher’s performance) for each teacher is made available for inspection by the students on that course in the departmental office. The students are pressing for greater access to the results for all courses. We are concerned as to whether such results constitute personal data of the staff concerned under the terms of the Ordinance, and if so, what steps the College would have to take to obtain their consent to publication of the results within the College. In addition, the students have asked that the teaching evaluation results be posted on a notice board. Is this allowed under the Ordinance?

A: Your enquiry concerns the disclosure of the results of your Course and Teaching Evaluation (“CTE”) to students. As the results appear to relate to individual staff members who are identified, they appear to constitute personal data. Under the Personal Data (Privacy) Ordinance disclosure of personal data is a use of personal data and is subject to the requirements of data protection principle (“DPP”) 3 in Schedule 1 to the Ordinance. DPP3 provides that personal data may not be used for a purpose other than the purpose for which the data were to be used when they were collected, or a directly related purpose, unless the subject of the data gives prior express consent voluntarily.

According to the facts as stated in your enquiry, it appears that one purpose of collecting the data that makes up the CTE is to produce an overall assessment mark that is accessible to students of the relevant department as part of your staff appraisal and development process. If so, disclosure of the overall assessment mark for this purpose accords with the requirements of DPP3.

You further indicate that students have requested greater access to the results. This may include the publication of the results of replies to individual questions in the CTE, instead of only an overall mark as done currently. It also involves the accessibility of such results to all students who may wish to consider taking a particular course, rather than only to the students who have completed that course as at present. Regarding CTE data already collected before your adoption of the new policy, the above amounts to a new purpose for which such data are to be used. It therefore follows from the requirements of DPP3 that the disclosure should not be given without the prior express consent given voluntarily of the staff members concerned. If a new policy is adopted that includes such disclosure, however, the new purposes can be included in the purposes for which the data concerned are collected. No consent for the new purposes from the individuals concerned will be required by DPP3 in relation to the data collected subsequent to the adoption of this policy, although as a matter of good practice you should consider prior notification to those individuals.

You also mentioned that the students have asked for the CTE data to be posted on a notice board in the departmental office. Please note in this connection that DPP4 in the Ordinance requires that all reasonably practicable steps be taken to ensure that personal data are protected against, inter alia, unauthorized access or use, having regard to the harm that could result if such a thing should occur. It seems to us that CTE data involves information which is sensitive in nature. If they are to be displayed publicly on a notice board they will be seen by people who have no need to have access to them, creating potential harm to the individuals concerned. For that reason, in order to comply with DPP4, we suggest that such data be kept in some secure place, with access limited to those students with a demonstrated need to refer to such data, e.g. for the purpose of course selection.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199806092

Disclosure of contact details of examiners and contractors registered under Buildings’ Lifts and Tower Platforms (Safety) Ordinance.

Q: Under the Buildings’ Lift and Tower Platforms (Safety) Ordinance, examiners and contractors are required to be registered with the Electrical and Mechanical Services Department. Is it a breach of the Ordinance when details of these examiners and contractors are disclosed for a purpose other than that for which they were collected? Can we disclose the information to some representatives of the related trades and impose on them a restriction on the use of the personal data provided to them?

A: Your enquiry concerns the disclosure of the contact details of examiners and contractors registered with your department under the Buildings’ Lift and Tower Platforms (Safety) Ordinance. It is not expressly stated in your question whether the “examiners and contractors” referred to above include individuals. However, this seems likely. To the extent that this is so, under the Personal Data (Privacy) Ordinance (the “Ordinance”) the contact details would constitute personal data and their disclosure would be a “use” of personal data. The use of personal data is subject to the requirements of data protection principle (“DPP”) 3 in Schedule 1 to the Ordinance.
By virtue of DPP3 personal data shall not, without the “prescribed consent” of the data subject, be used for any purpose other than: (a) the purpose for which the data were to be used at the time of the collection of the data; and (b) a purpose directly related to the purpose referred to in paragraph (a). Under the Ordinance “prescribed consent” is defined, in essence, to mean express consent given voluntarily.

In your question you state that your purpose in collecting the personal data concerned was not the same as the purpose for which you wish to disclose the data. If this is so, and furthermore the purpose of disclosure is also not a directly related purpose, you may only disclose the personal data for the proposed purpose if you have obtained the prescribed consent of the individuals concerned.

On the other hand, you may wish to consider whether you are defining the purpose for which you collected the data concerned too narrowly. If, for example, you collected the data at least partly to enable members of the public to contact the individuals who are so registered, your disclosure of the data as proposed would appear not to contravene the requirements of DPP3.

A further alternative you may wish to consider is for you to send the first communication from the representatives yourselves, inviting those who wish to receive further communications to reply directly to the representatives.

Incidentally, you also mentioned the proposal to impose on the representatives a restriction on the use of the personal data provided to them. The imposition of any such condition is not relevant for the purposes of the Ordinance. However, to do so would to some extent discourage the abuse of personal data, hence we would encourage you to do so as a matter of good practice.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199806115

Whether the use of the database maintained by the Registration of Persons Office is in contravention of the Personal Data (Privacy) Ordinance.

Q: We are a government department. We would like to know whether, in order to search for the HKID number of offenders, we can make use of the database maintained by the Registration of Persons Office.

A: Our view is that pursuant to Reg. 8(1) of the Registration of Persons Regulations (Cap. 177, sub. leg.) the said database is kept by the Commissioner of Registration for the purposes of the said Ordinance and Regulations. While such purposes consist mainly in purposes related to the normal functions of the Immigration Department, they also include the purpose of disclosure pursuant to Reg. 24. In particular, Reg. 24 allows the disclosure of information with the written permission of the Chief Secretary for Administration. Hence, if a registration officer discloses to you information held in the database pursuant to written permission from the Chief Secretary for Administration, it would appear to us that such disclosure constitutes one of the purposes for which the data are held. Accordingly, this would be consistent with the requirements of the Personal Data (Privacy) Ordinance.
Conversely, should the Registration of Persons Office disclose to you information held in its database without the written permission required by Reg. 24, or otherwise give you the use of its database to furnish the information sought by you, such disclosure or other use would be different from the purpose for which the data are being held by that Office under Cap. 177. Such disclosure or other use would amount to a contravention of data protection principle 3 in Schedule 1 to the Personal Data (Privacy) Ordinance, which provides that personal data shall not be used for any purpose other than the purpose for which such data were to be used at the time of their collection, unless the express and voluntary consent of the data subject to such use has been obtained (which we assume to be impracticable in the present case).

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199806288

Whether posting a list of competitors on a website is a breach of the Ordinance.

Q: We will be hosting a skating competition. The data collected from each competitor are:

1. Name
2. Age
3. Sex
4. Membership number and expiry date
5. Certified skating level
6. Name of ice rink they are representing

Is posting of such information on our website a contravention of the Personal Data (Privacy) Ordinance?

A: Under the Ordinance, posting of such information on the website would be a use of personal data. The use of personal data is subject to the requirements of data protection principle (“DPP”) 3 in Schedule 1 to the Ordinance. By virtue of DPP3 personal data shall not, without the “prescribed consent” of the data subject, be used for any purpose other than (a) the purpose for which the data were to be used at the time of the collection of the data; or (b) a purpose directly related to the purpose referred to in paragraph (a).

It appears from your enquiry that it was your intention when you collected the personal data of competitors to post certain items on your website. Presumably your purpose in doing this is to enable those involved and other interested parties to ascertain who will be taking part. If so, the posting of the information on your website for this purpose will not contravene the requirements of DPP3.

In case you are not aware of it, DPP1(3) requires that when personal data are collected from the individuals who are the subjects of the data they should be explicitly informed of (a) the purpose for which the data are to be used; (b) the classes of person (if any) to whom the data may be transferred; and (c) the individual’s rights to request access to and correction of personal data of which they are the subject, and to whom to make such requests. In the case under consideration you should therefore have notified prospective competitors under item (b) that their identities would be made known to parties accessing the relevant page of your website.
Apart from the legal requirement to do this under DPP1(3), this would assist in avoiding any later arguments about the basis on which the information concerned was collected.

Notes on enquiry cases related to Data Protection Principle 3 (DPP3)

Case No.: 199709205/199801716

Whether promotion of a service through disclosure of information contained in a VIP card is a breach of the Ordinance.

Q: A promotion was launched by a telecommunication company. Certain VIP card holders of a department store are invited to use the service by dialing the service number, followed by his VIP card number, which serves as the Personal Identification Number (PIN). By using the service, the VIP cardholder will be deemed to have accepted the service and deemed to have authorised the passing of his card information (including name and address) from the department store to the telecommunication company for billing purposes. Please advise:

(a) whether one’s telephone number together with his/her VIP card number falls within the definition of “Personal Data”. What if it is only the disclosure of the telephone number with his/her VIP card number but without his/her name? Does it amount to personal data?

(b) if the answer to (a) is yes, whether the above arrangement between the telecommunication company and the department store is in conflict with the Ordinance; and

(c) whether the recipient of the information, in this case the telecommunication company, has been in breach of the Personal Data (Privacy) Ordinance.

A: The answers to your questions are as follows:

(a) An individual’s telephone number and VIP card number together with his or her name in a recorded form are personal data. The issue of whether or not a record of an individual’s telephone number and VIP card number, without his or her name, amounts to personal data turns on whether it is reasonably practicable to identify the individual from these items alone. Clearly, the telecommunication company has no reasonably practicable means to identify the individuals concerned from these items. Even for the department store, it can identify the individuals only through the use of other related information which is not at this point disclosed. It follows that the record of an individual’s telephone number and VIP card number alone does not amount to personal data of the individual.

(b) It appears that the department store may be in technical breach of Data Protection Principle (“DPP”) 3 in disclosing such data to the telecommunication company, as the purpose of disclosure appears to go beyond the purposes for which the department store would have collected the relevant data (please refer to DPP3 in Schedule 1 to the Ordinance). In such a case, the disclosing party should obtain the express consent of the subject of the data given voluntarily (“prescribed consent” under DPP3) before disclosing the personal data for the new purpose. This apparent breach is “technical” because although the customer has not consented expressly, disclosure apparently takes place only after he or she has taken the positive act of using the telecommunication service, and such disclosure is a necessary consequence of that act. In other words, by using the telecommunication service the customer appears to give clear implied consent to the disclosure.

(c) It does not appear to us that the telecommunication company has breached the requirements of the Ordinance on the facts as stated in your letter.