Statement by the Privacy Commissioner Following the Judgment made in HCAL 50/2008
1. The Court of First Instance in the High Court of
the HKSAR ("the Court") handed down its Judgment ("the Judgment") on 28
August 2008 in respect of the application for judicial review taken out
by Cathay Pacific Airways Limited ("CX") against the decision made by
the Privacy Commissioner ("the Commissioner") in an
investigation. It allowed the application and quashed the
relevant decision and remitted the matter to the Commissioner for
"fresh consideration". The Commissioner is currently considering
whether to appeal against the Judgment or not.
2. In the meantime, the Commissioner is aware of the
public concerns as to the impact that the Judgment may have on
collection of medical data by employers from their employees.
3. In order to obviate any possible misunderstanding
as to the effect of the Judgment, the Commissioner wishes to make the
following points:-
(i) Data Protection Principle ("DPP") 1(1)
in Schedule 1 of the Personal Data (Privacy) Ordinance ("the
Ordinance") provides, in essence, that only necessary, adequate but not
excessive personal data shall be collected by a data user for a lawful
purpose directly related to its function or activity. DPP 1(2) provides that personal data
shall be collected by means which are lawful and fair. DPP 1(3) requires a data user to
take practicable steps to notify the data subject on or before
collection of the personal data as to whether it is obligatory or
voluntary for him to supply the data and if it is obligatory, the
consequences for failure to supply the data. The data subject
shall also be notified of the purpose for which the data are to be used
and the classes of persons to whom the data may be transferred. A
data user must not do an act or engage in a practice that contravenes a
data protection principle.
(ii) The Data Protection Principles apply even
if the contract of employment creates an obligation on the part of
the employee to disclose his personal (including medical) data.
The collection does not become lawful and fair merely because the
contract makes provision for it.
(iii) As is stated in the Judgment
(paragraph 44), "there are cases in which the disclosure of
medical records is quite properly and fairly made
mandatory". However, whether the disclosure is properly and
fairly made mandatory in any particular case is not just a matter
of contract between the employer and employee. The Data
Protection Principles have to be engaged. In particular, the
means of collection must themselves be both lawful and fair.
(iv) Where consent to the disclosure of
personal data is required or requested of the employee, all
necessary information and explanation must be
provided to enable the employee to make an
informed choice (cf paragraph 41 of the
Judgment). The employer should avoid language
which might reasonably be perceived to be "threatening or
oppressive..." or "an abuse of power" (cf paragraphs
51 and 52 of the Judgment).
4. The Commissioner is empowered under section 12(1)
of the Ordinance to approve and issue codes of practice as he finds
suitable. In relation to personal data privacy in the employment
situation, the Commissioner issued the Code of Practice on Human
Resource Management ("the HR Code") in 2000, giving practical guidance
for collection of personal data (including medical data) of employees
by employers as data users. The Judgment does not contain
anything that is inconsistent with the practical guidance given in the
HR Code, whose effects should remain intact.
END