Complaint Investigations
Prosecution Cases
The following are cases in the reporting year where the data users
were found to have contravened the provisions in the main body
of the Ordinance which constitute offences. After considering the
particular circumstances of the individual cases, the Commissioner
decided to bring prosecution actions against the offenders. The
offenders were prosecuted in the Magistrates' Courts and were
convicted of the offences.

A doctor failing to comply with data access request ("DAR")

The Complaint
A patient made a DAR to a doctor for copies of her
medical records. The doctor failed to respond within
the statutory period of 40 days after receiving the
DAR, so the patient lodged a complaint with the
PCPD. Upon mediation of the PCPD, the doctor
provided the patient with the requested data. A
written warning was then issued to the doctor.

The patient later made another DAR to the doctor
for copies of her medical records. The doctor again
failed to respond to the DAR within time. The patient
made a second complaint to the PCPD.

Section 19 of the Ordinance requires a data user
to comply with a DAR not later than 40 days after
receiving the request. If the data user is unable
to comply with all or part of the request within
the statutory period, he must inform the data
subject of the situation and the reasons in writing
within the period.

Outcome
After investigation, the doctor was summonsed for
an offence under section 19 of the Ordinance. The
doctor pleaded guilty and was fined $1,000.

Failing to comply with opt-out request

The Complaint
Having subscribed to several magazines through a
magazine marketing company, the complainant
received three marketing calls from representatives
of the company. On each of these occasions, the
complainant requested the company not to call
him again for direct marketing. However, between
October and November 2006, the company made
two further marketing calls to the complainant,
disregarding his earlier opt-out requests.

Outcome
Two summonses were issued against the company
for contravening section 34 of the Ordinance. The
company admitted in court that they had made
marketing calls to the complainant despite his opt-out
requests. The company explained that the
complainant had several customer accounts with
them but they had only recorded his opt-out request
in one of the accounts. The two telephone marketing
calls in October and November 2006 were made by
using the complainant's data in other accounts.

In mitigation, the company stated that it was not a
deliberate act to break the law but due to the negligence
of their staff. The company stated that they had
taken remedial actions, including the consolidation of
customer databases, to avoid future recurrence.

The magistrate convicted the company of the
offences and imposed a total fine of $6,000.

A credit card company was summonsed for failing to comply with customer's opt-out request

The Complaint
In October 2005, the complainant made an opt-out
request over the telephone to a credit card company
requesting them not to send further direct marketing
mails to him. However, the company sent marketing
mail to him in December 2005. The complainant
thus lodged his first complaint with the PCPD. As a
result, the company later sent an apology to the
complainant confirming the removal of his data from
their mailing list. In early 2007, the complainant
received two further marketing mails from the
company. The complainant thus lodged his second
complaint with the PCPD.

Outcome
Two summonses were issued against the company
for contravening section 34 of the Ordinance. In
mitigation, the company stated that they maintained
an opt-out list to avoid sending direct marketing mails
to persons who had requested not to receive such
mails from them. In their 2007 marketing exercise,
the company obtained the complainant's data from
a mailing list owner and matched the data with their
opt-out list. However, due to the different versions of
the complainant's name and address used in the two
lists, the matching failed to identify the complainant
and direct marketing mails were sent to him. In
response to this case, the company improved their
"matching" system and would conduct spot checks to
avoid recurrence.

The magistrate convicted the company of the
offences and imposed a total fine of $7,000.