PCPD - The Privacy Commissioner Not to Appeal in the Cathay Pacific Case

1.        The Privacy Commissioner has decided not to appeal against the Court’s decision in the Cathay Pacific Airways Limited (CX) case following CX’s agreement to make changes in the way it seeks consent from cabin crew members who took long or frequent sick leave to the release of their past medical data which were relevant to the causes of their absences.

The Background

2.        The case concerns CX which required its cabin crew members who took long or frequent sick leave to consent to the release of their medical data for the previous 12 months which related to the causes of their absences. The Privacy Commissioner (the Commissioner) carried out an investigation to determinate whether such act or practice contravened the requirements of the Personal Data (Privacy) Ordinance (the Ordinance), in particular, Data Protection Principle (DPP) 1, which stipulates that the collection of the personal data shall be necessary, adequate but not excessive (DPP1(1)) and that the means of collection shall be lawful and fair in the circumstances of the case (DPP1(2)).

3.        The Commissioner concluded his investigation on 18 January 2007. He found that the collection of the medical data under the specific circumstances of the case was necessary, adequate but not excessive for the purpose of rehabilitation and assessment of the cabin crew members’ suitability of performing the inherent requirement of the job. To that extent, there was no contravention of the requirements of DPP1(1). To determine whether the means of collection of the data was lawful and fair, the Commissioner examined CX’s Cabin Crew Attendance Monitoring Programme (AMP) which set out the policy and purposes of collection of the medical data as well as the Consent Form which listed out the kind of medical data which the cabin crew members were asked to consent to release. The Commissioner also examined CX’s newsletter issued to its cabin crew members on this issue. The Commissioner found that there was an element of threat in the manner CX expressed its requirement especially through its newsletter wherein it was indicated that failure to provide consent would be treated as a disciplinary and grievance matter. To that extent, the Commissioner decided that CX’s collection of the medical data was not fair in the circumstances. Accordingly, the Commissioner served an enforcement notice on CX directing it to cease the practice of collecting past medical data under the threat of a disciplinary process and to destroy the data so collected.

4.        CX appealed to the Administrative Appeals Board (AAB) against the Commissioner’s decision to issue the enforcement notice. On 2 May 2008, the AAB upheld the decision of the Commissioner.

5.        CX then applied on 23 May 2008 to the Court of First Instance of the High Court for a judicial review of the decisions made by both the Commissioner and the AAB. The application was heard on 11 and 12 July 2008 before the Honourable Justices Hartmann and Lunn JJ (the Judges).

The Judgment

6.        By its Judgment (HCAL 50/2008) delivered on 28 August 2008, the Court quashed the decisions of the Commissioner and the AAB. It decided that in circumstances when disclosure of personal data is properly rendered mandatory, it is necessary for the data user (i.e. CX in this case) to advise the data subjects (i.e. the cabin crew members in this case) of the adverse consequence of failing to make disclosure, that being the case, the advice given by CX to its cabin crew members therefore, did not of itself, constitute a threat or the exertion of undue influence to the latter.

7.        The Judges however commented that the disquiet expressed by the Commissioner and the AAB, “was to a material degree, based on the blunt and brusque manner in which certain of the information concerning the failure to consent to deliver up medical records under the AMP was conveyed to cabin crew members” and the “threatening or oppressive tone of relevant literature”. In relation to the fairness as to the manner of collection of personal data, the Judges pointed out that it is a broad principle “encompassing the form in which relevant information is conveyed as well as the substance of that information”.

8.        The Court ordered that the matter be remitted to the Commissioner for fresh consideration and that this is an “entirely appropriate occasion for such remedial co-operation”.

Actions taken by the Commissioner

9.        Following the Judgment, the Commissioner invited CX to discuss with him the relevant issues and held meetings with its representatives. He suggested to CX to remove “the threatening or oppressive tone” from its communications to the cabin crew members. The Commissioner also took the opportunity to persuade CX to review its policies and to change its relevant literature to avoid misunderstanding between its management and the cabin crew members and to better comply with the requirements of the Ordinance.

10.        The Commissioner suggested to CX that it should give sufficient information to its cabin crew members before consent is sought from them to assist them to decide whether to give or withhold consent. When consent is refused, CX should give an opportunity to the cabin crew member to give reasons for their refusal before deciding to engage disciplinary proceedings.

11.        CX indicated that it would give due consideration to the various suggestions made by the Commissioner.

Practical measures agreed to be taken by CX

12.        CX has now given an assurance to the Commissioner that it will revise its AMP by making it clear that if a cabin crew member is not willing to consent to the disclosure of his or her medical information, he or she will first be given an opportunity to explain why the requested consent is withheld. Only if and when the cabin crew member fails to give consent and cannot provide any reasonable explanation will disciplinary proceedings be triggered. The revised AMP will make it clear that the cabin crew members’ fitness for continual employment will be assessed on the basis of what information that is available to CX. A decision to terminate the employment of any cabin crew member will not be related to his or her refusal to give consent, but on his or her suitability to perform the inherent requirements of the job.

13.        CX also agrees to take the further steps of inserting a Medical Information Collection Statement in the Consent Form which will spell out, apart from the consequences of refusal to give consent, the collection purposes of the medical data, the purposes of use and the retention period. The medical records will be kept in strict confidence and will only be used by persons who are directly involved in the administration of the cabin crew member’s absences.

14.        CX assures the Commissioner that the revised policy and practices will be effectively communicated to its employees through its relevant literatures comprising the letter to the employee, the reporting sick procedures, the AMP meeting, etc. CX expects that the revised policy and practices will be implemented within 6 weeks (i.e. by the end of November 2008).

Better privacy protection as a result of the proposed changes

15.        The Commissioner reasonably believes that the changes which CX has agreed to make will achieve the following :

(i)    The cabin crew members will know clearly that they have an opportunity to explain why they choose to refuse to give consent. It is only if they fail to give a reasonable explanation that the disciplinary proceedings may commence. Hence, a refusal to give consent will not automatically be followed by disciplinary proceedings consequence;
(ii)    The cabin crew members will clearly know that they have a right to be heard before CX decides to take disciplinary proceedings at which they have an additional opportunity to explain their refusal; and
(iii)    The cabin crew member will clearly know that in assessing his or her fitness for continued employment, any refusal to give consent on his or her part to provide past medical data as requested is not itself a cause for termination of employment.

16.        The Commissioner considers that these measures (i.e. those set out in paragraphs 12 to 14 above), if taken, will remove the element of threat that might be perceived by some cabin crew members and which was the crux of the Commissioner’s concern when deciding in the investigation that the means of collection was unfair. These measures address the concerns of the cabin crew members who might have good reasons to refuse to consent to the release of their past medical data and feared that their refusal to consent would automatically and inevitably lead to disciplinary action.

17.        The application of the Judgment is confined to the particular facts and circumstances of the case which involved CX’s duty to comply with Directive 360 of the Civil Aviation Directives in ensuring that cabin crew members remain medically fit to discharge the duties specified in the operations manual. In any event it does not affect the principles that collection of past medical records of employees by the employer must be justified on the ground that such collection is necessary, adequate and not excessive and are collected by means that are fair in the circumstances under DPP1. In the present situation since CX is now committed to revise its AMP as suggested by the Commissioner, the Commissioner decides that he will not utilize his limited resources in lodging an appeal to the Court of Appeal.

18.        “In considering whether to appeal or not, I had taken various factors into account. Most importantly, I have carefully assessed the impact that the Judgment may have on personal data privacy generally. CX’s agreement to make changes to its procedure will effectively remove the core concern which led me to my earlier determination made in the investigation. That being the case, the appeal would not serve any practical purpose. The Judges have highlighted the importance that a data subject (in this case, the cabin crew member) must be provided with all necessary information in order to make an informed choice. In order to avoid misunderstanding, any communication by employers to employees should, in the words of the Judges, ‘be clearly reasoned, expressed in modest terms’ so that they may not be perceived to be threatening or oppressive. I hope that these positive messages will be followed by employers as data users in respecting the personal data privacy of their employees which is the cornerstone of mutual trust,” said Mr. Roderick B WOO, the Commissioner.

Supplemental to the earlier statement released today:

1.    In agreeing to make changes in the way it seeks consent from cabin crew members in releasing their past medical data, Cathay Pacific Airways Limited (CX) indicated to the Commissioner that it has always been their practice to listen to the reasons why a cabin crew member refuses to give consent; it has always been their stance that a decision to terminate the employment of any cabin crew member will not be related to the refusal to give consent to the release of his/her past medical data, but on his/her suitability to perform the inherent requirements of the job.

2.    The changes CX has agreed to make to its documentation will make it clear in express terms that such are their policies and practices.

3.    The Commissioner finds that by spelling out these existing policies and practices in clear term, CX will help to alleviate any concern on the part of its cabin crew members. He is of the opinion that a clearly written and transparent policy is conducive to better promotion of personal data privacy in this case.

END