|
[Image of Monitoring Compliance]
Notes
on Appeal Cases Lodged with the Administrative Appeals Board
Under
the Ordinance, an appeal may be lodged by a complainant, or the relevant
data user complained of, against the decisions made by the Privacy Commissioner.
Pursuant to section 39(4), an appeal may be made by a complainant to the
Administrative Appeals Board ("the AAB") against the decision
of the Privacy Commissioner in refusing to exercise his powers to investigate
or to continue to investigate a complaint. An appeal may also be lodged
by a complainant pursuant to section 47(4) against the decision of the
Privacy Commissioner in refusing to issue an enforcement notice against
the data user complained of, after completion of an investigation. Similarly,
a data user that is the subject of an investigation has the right to appeal
to the AAB pursuant to section 50(7) against the decision made by the
Privacy Commissioner in issuing an enforcement notice against it.
A total
of 11 AAB appeal cases were heard during the reporting period. Case notes
on selected appeal cases are presented below.
|
Collection
of library users' personal data on prescribed forms - library
staff unable to furnish privacy policy statement upon request
- alleged lack of rules and regulations relating to personal
data policies and practices - the Privacy Commissioner's failure
to notify the complainant of decision not to investigate within
45 days - DPP1(3), DPP5 and section 39(3)
(AAB
APPEAL NO. 35/2003)
|
|
| |
|
The
Complaint
The
complainant complained that a library collected his personal
data when he applied for facilities including reservation
of Internet access and CD-ROM search services, request for
printed materials or microfilm and application for electricity
supply for a portable computer. Prescribed forms were required
to be completed when such facilities were applied for. The
complainant alleged that the library did not treat his data
as personal data and suspected that there were no rules and
regulations in place because staff were unable to provide
him with any privacy policy statement upon request.
Findings
of the Privacy Commissioner
The
Privacy Commissioner found that personal data were collected
on prescribed forms which contained a personal information
collection statement ("the PICS") setting out the
purposes of collection. In addition, a notice embodying the
PICS was posted inside the library on a public notice board.
A Privacy Policy Statement ("the PPS") was also
found on the website of the administrator of library services.
The Privacy Commissioner was satisfied that reasonably practicable
steps had been taken by the library to comply with the requirements
under DPP1(3) and DPP5 of the Ordinance. Dissatisfied with
the Privacy
Commissioner's decision not to investigate, the complainant
appealed to the AAB.
The
Appeal
In
the appeal the complainant raised additional grounds for appeal
on alleged excessive retention of his personal data by the
library and the use of his personal data for statistical purposes
without his consent. He also appealed against the Privacy
Commissioner's failure to observe the mandatory requirement
laid down in section 39(3) in notifying him of the decision
not to investigate within 45 days of receiving his complaint,
thus rendering the decision void.
The
AAB agreed with the Privacy Commissioner's findings that all
reasonably practicable steps had been taken by the library
in that they had issued a PICS and PPS in compliance with
the requirements of DPP1(3) and DPP5. As for the alleged excessive
retention of personal data by the library and the use of his
personal data for statistical purposes, the Board found insufficient
evidence to support the allegations. Even if a prima facie
case of contravention were established in one of the forms
used by the library, the matter was never the subject of complaint
before the Privacy Commissioner. As such, the matter had no
bearing upon the Privacy Commissioner's refusal to investigate.
Consequently the Board could not say that the decision taken
by the Privacy Commissioner was wrong.
As
for the statutory period of 45 days laid down in section 39(3),
the Board found that nothing in the section indicated non-observance
of the time limit would prevent a complainant from asserting
his legal rights so that it would be in the public interest
to render the Privacy Commissioner's decision void. The complainant's
right to appeal to the AAB or his right to apply for judicial
review of the decision was not affected by the decision being
given after the 45-day period. The Board noted that the complainant
did not provide proof of his identity to the Privacy Commissioner
until the 45-day period had expired, making it impossible
for the Privacy Commissioner to consider his complaint within
the prescribed time. The Board went on to say that if the
requirement under section 39(3) were mandatory, the Privacy
Commissioner would be obliged to carry out an investigation
despite the fact that the case might be one that the Privacy
Commissioner might refuse to investigate under section 39(2).
The Board asserted that this anomaly was not the intention
of the legislature. In the Board's opinion, the intention
of the legislature could not be that non-compliance would
render the Privacy Commissioner's decision void.
The
AAB's Decision
The
AAB upheld the Privacy Commissioner's decision and dismissed
the appeal.
|
|
|
Unauthorized
disclosure of the complainant's personal data by a property
management company to a neighbour - the purpose of disclosure
was to facilitate civil litigation instituted by the neighbour
- no prescribed consent obtained from the data subject - DPP3
(AAB
APPEAL NO.66/2003)
|
|
|
[Image of image]
|
|
The
Complaint
The
neighbour of the complainant complained to the property management
company against the complainant about noise and dripping water.
In handling the complaint, the property management company
collected information relating to the complaint which contained
the personal data of the complainant. Later, pursuant to the
request of the neighbour, the property management company
disclosed details about the complaint to the neighbour. The
complainant subsequently discovered that the neighbour had
used information about the complaint in a civil action taken
against her. The complainant therefore complained to the Privacy
Commissioner against the property management company for having
disclosed her personal data to the neighbour without her consent.
Findings
of the Privacy Commissioner
The
Privacy Commissioner conducted a preliminary enquiry. In the
course of
that enquiry the property management company explained that
the data were
collected for the purpose of handling the dispute between
the complainant
and the neighbour. It also confirmed disclosure of such data
to the neighbour.
The available evidence indicated that the neighbour, having
obtained the
personal data of the complainant from the property management
company,
then used the data to claim against the complainant for compensation
relating
to the dispute.
Having
considered the purposes of data collection by the management
company
and the purposes of disclosure to the neighbour, the Privacy
Commissioner
was of the view that the disclosure had been made for a purpose
directly related
to the purposes of collection, namely to handle and follow
up the dispute
between the complainant and her neighbour. Such use of the
complainant's
personal data was therefore consistent with the requirement
of DPP3.
Taking
into account the use of the relevant data by the neighbour
in the civil action instituted against the complainant, the
Privacy Commissioner was also of the view that section 58(2)
of the Ordinance was applicable to exempt the data from DPP3.
The Privacy Commissioner considered that such use of the data
by the property management company was for the purpose of
remedying "unlawful or seriously improper conduct"
within the meaning of section 58(1)(d) of the Ordinance.
In
view of the above, the Privacy Commissioner considered investigation
of the complaint unnecessary and exercised his discretion
to refuse investigation pursuant to section 39(2)(d) of the
Ordinance.
The
Appeal
The
complainant appealed to the AAB against the decision of the
Privacy Commissioner not to investigate. The AAB agreed with
the Privacy Commissioner that there was no change of use of
the complainant's personal data by the property management
company in disclosing the data to the neighbour. The AAB opined
that the management company had collected the personal data
for the purposes of handling the dispute between the complainant
and the neighbour and that the disclosure was directly related
to the purposes of collection. It was found that such use
of the complainant's personal data by the management company
was consistent with DPP3 even without the prescribed consent
of the complainant. The AAB however reserved its position
regarding the applicability of an exemption in the case.
The
AAB's Decision
The
AAB upheld the Privacy Commissioner's decision and dismissed
the appeal.
|
|
|
A
mobile telephone subscriber - telephone service contract had
expired - subscriber gave verbal extension for 15 months with
penalty for early termination - subscriber terminated the
account early - the telecom company passed data to a debt
collection agent to recover the sum of the outstanding amount
including a penalty - used for a directly related purpose
- DPP3
(AAB APPEAL NO. 13/2004)
|
|
|
|
|
The
Complaint
The
complainant was a mobile telephone subscriber. After expiration
of the
fixed term service contract of 12 months, the marketing staff
of the telecom
service company approached the complainant by phone and offered
an
extension of service at a concessionary rate for 15 months
subject to a penalty
of $500 for early termination. The complainant continued to
use the telephone
service for about 8 months but then terminated the account.
The telecom
service company sought to recover the outstanding telephone
bill as well as
the penalty. The complainant disputed the right of the telecom
service company
to claim for the penalty and the transfer of his personal
data to a debt collection
agent for recovery, in breach of DPP3.
Findings
of the Privacy Commissioner
The
Privacy Commissioner found that the telecom service company
had collected the personal data of the complainant for the
purpose of providing telephone services. The use of the complainant's
personal data for handling his account, including the recovery
of any outstanding amount, was for a purpose directly related
to the original purpose of collection. Evidence of the telephone
conversation that took place between the complainant and the
staff of the telecom service company on renewal of the contract,
and the fact that the complainant used the renewed service
for 8 months, was relevant in showing the right of the telecom
service company to recover the outstanding amount. The Privacy
Commissioner was also satisfied that the personal data transferred
to the debt collection agent was necessary for taking recovery
action. Thus, no prima facie case of contravention
of DPP3 was made out. Dissatisfied with the Privacy Commissioner's
decision not to investigate, the complainant appealed to the
AAB.
The
Appeal
In
his grounds of appeal the complainant used the argument that
there was no binding contract on the extended use of the telephone
service, as no written confirmation on the renewed terms was
sent to him, and that no "cooling off" period was
offered. He also stated that the telecom service company did
not send him the bill before asking the debt collection agent
to recover the debt on their behalf.
The
Board took the view that most of the grounds of appeal raised
related to
consumer rights and commercial practices which fell outside
the ambit of the
Ordinance for which the Board had no jurisdiction to hear.
The complainant
was advised to pursue other channels in seeking redress. In
deciding whether
there was contravention of DPP3, the Board gave due regard
to the fact that
there was a provision in the original contract that the customer
agreed to the
use of his personal data for debt recovery purposes. In addition,
there was no
dispute about the telephone conversation that took place on
the terms for
continued use. The complainant did continue using the telephone
service but
then terminated the account prematurely. In the circumstances
the Board
agreed with the findings of the Privacy Commissioner that
the transfer of the
personal data to the debt collection agent was for the same
or a directly related
purpose, consistent with DPP3.
The
AAB's Decision
The
AAB upheld the Privacy Commissioner's decision and dismissed
the appeal.
|
|
|
Data
access request for medical records - the hospital requested
an initial
processing fee which was paid - a final processing fee was
demanded after
expiry of the 40 days from receipt of the DAR - requested
documents were
eventually supplied some 60 days from receipt of the DAR -
breach of
section 19(1)
(AAB APPEAL NO. 17/2004)
|
|
|
[Image of image]
|
|
The
Complaint
The
complainant made a data access request ("DAR") to
a hospital in respect of her medical records on the 13th November
2003. The hospital acknowledged the DAR on the 24th November
2003 and requested the complainant to pay an initial processing
fee and clarify the type of data she requested. Three days
later, the complainant paid the fee and clarified her request.
As the complainant received no reply from the hospital on
the 40th day after the DAR, she lodged a complaint with the
Privacy Commissioner.
On
2nd January 2004, the hospital informed the complainant of
the amount of the required fee to comply with her DAR. The
complainant paid the fee on 7th January 2004 and received
some medical notes and X-ray films on 15th January 2004.
Findings
of the Privacy Commissioner
A
preliminary enquiry was conducted and the hospital was found
to have complied with the DAR by sending the complainant the
required medical records within a reasonable time after receipt
of the DAR compliance fee from the complainant. The Privacy
Commissioner was of the view that there was no evidence of
contravention of section 19 of the Ordinance and informed
the complainant that no investigation would be carried out.
Despite the fact that she had obtained the personal data requested,
the complainant sought to argue that the hospital was in breach
of the relevant provisions of the Ordinance. She appealed
to the AAB against the Privacy Commissioner's findings.
The
Appeal
The
complainant argued that in order to comply with the requirements
of section 19(1) of the Ordinance, the hospital should have
sent the requested data to her, and not simply demanded payment
of an initial processing fee, within the prescribed 40-day
period.
The
AAB ruled that"..." to comply with the request"
must mean to supply the requested data in the DAR...An acknowledgement
of receipt of the DAR or the issue of a notice of demand for
a fee, without more, is insufficient to discharge that obligation...After
all, the purpose of prescribing the 40 day period is to enable
the requested data to be supplied to the requestor without
delay."
The
AAB however acknowledged that it served no useful purpose
to order an investigation of the matter given that the complainant
had already obtained her medical reports and X-ray films requested
in her DAR. The Privacy Commissioner was asked by the AAB
to consider giving advice to the hospital concerned as to
its future handling of DARs.
The
AAB's Decision
The appeal
was allowed.
(N.B.
In view of the decision taken by AAB, the Privacy Commissioner
subsequently wrote to the hospital concerned regarding the
deliberations of the AAB and explained the statutory requirement
to comply with a DAR as laid down in section 19 of the Ordinance.)
|
|
|
The
complainant applied for sick leave prior to the hearing of
disciplinary
proceedings commenced by his employer - the hearing was postponed
several times - the employer disclosed the fact to the complainant's
doctors
and sought medical confirmation of his fitness to attend the
hearing -
directly related purpose and prevention of dishonesty - DPP3,
section
58(1)(d) and (2)
(AAB APPEAL NO.26/2004)
|
|
|
[Image of image]
|
|
The
Complaint
The
complainant was a member of the disciplinary services and
was subject to disciplinary proceedings. The disciplinary
hearing was postponed several times because, prior to each
scheduled hearing, the complainant claimed that he was sick.
His employer became suspicious of the circumstances and wrote
to his doctors seeking their medical opinion as to whether
the complainant was physically and mentally fit to attend
the disciplinary proceedings. His doctors all confirmed that
he was physically and mentally fit. The complainant complained
that the information about him relating to disciplinary proceedings
was confidential in nature, and that his employer had breached
DPP3 by disclosing the information to his doctors.
Findings
of the Privacy Commissioner
The
Privacy Commissioner conducted a preliminary inquiry and found
that the commencement of disciplinary proceedings was for
the purpose of determining the complainant's future employment
status as the proceedings against him could result in his
termination of employment, or subject him to other disciplinary
measures. The disclosure of the disciplinary proceedings to
the complainant's doctors was for the purpose of ascertaining
his health condition and to advise on his fitness to attend
the proceedings. The Privacy Commissioner decided that there
was no change of use of his personal data in breach of DPP3.
Dissatisfied with the Privacy Commissioner's decision not
to carry out an investigation, the complainant appealed to
the AAB.
The
Appeal
The
complainant alleged that his doctors, being ignorant of the
fact that he was subject to disciplinary proceedings when
originally consulted, could not subsequently offer an informed
medical opinion about his physical and mental fitness to attend
proceedings. He also pointed out that he did eventually attend
the disciplinary hearing which served to indicate that he
was not intent upon avoiding the proceedings, as his employer
had suspected.
The
AAB ruled that the coincidental application for sick leave
immediately prior to each scheduled hearing of his case cast
reasonable doubt in the mind of the employer who then sought
to establish if he was actually trying to avoid the hearing.
The disclosure of the disciplinary proceedings to his doctors
in seeking to obtain professional medical advice was also
relevant in determining whether the complainant was physically
and mentally fit to attend the hearing. Such data were to
be used for a directly related purpose and hence there was
no contravention of DPP3. The Board went on to consider the
application of an exemption. The disclosure of the information
about the complainant to his doctors was for the purpose of
ascertaining the reason why the complainant was unable to
attend the hearing i.e. whether it was because of a genuine
health condition or out of a deliberate attempt to avoid disciplinary
proceedings. The AAB opined that such purpose was for the
prevention or preclusion of dishonesty by the complainant
and decided that the exemption under section 58 was applicable
to the case.
The
AAB's Decision
The
AAB upheld the Privacy Commissioner's decision and dismissed
the appeal.
|
|
|
The
complainant alleged disclosure of his witness statement by
an unidentified person to his employer in reporting crime
and illegal acts - he could not specify the identity of the
data user - there was no evidence of unfair or illegal collection
of the statement - disclosure exempted under section 58(2)
- components of "complaint" under section 37
(AAB APPEAL NO.32/2004)
|
|
|
|
|
The
Complaint
The
complainant was a public officer involved in an operation
leading to the arrest of certain people. He provided a witness
statement to the police in relation to the operation. However,
he was not asked to testify at the trial and the statement
was not tendered as evidence. After the trial, a person lodged
a complaint with the Department the complainant worked for
accusing the complainant of giving a false statement to the
police and being involved in other criminal acts. A copy of
the statement was enclosed in the complaint received by the
Department. The complainant lodged a complaint with the Privacy
Commissioner alleging that the informant unfairly and illegally
collected his statement and improperly used the data contained
in the statement without his consent.
Findings
of the Privacy Commissioner
As
the complainant failed, as required under section 37 of the
Ordinance, to identify the person against whom he complained,
the Privacy Commissioner refused to investigate. There was
no prima facie evidence of unfair or illegal collection
of the complainant's personal data. In addition, the statement
was used for the purpose of reporting an alleged false statement
so as to enable the Department to detect, prevent or preclude
seriously improper, dishonest and criminal conduct of its
employee. The use of the statement in making the complaint
fell within the exempted purposes under section 58(1)(a) and
(d) and that failure to use the data would prejudice that
purpose. By virtue of section 58(2), such an act was exempted
from DPP3 of the Ordinance. Accordingly, the Privacy Commissioner
refused to investigate pursuant to section 39.
The
Appeal
The
complainant argued that the Privacy Commissioner failed to
ascertain if the person had lawfully and fairly collected
his personal data and also failed to adequately explain the
reason for adopting the exemption under section 58 in refusing
an investigation.
The
AAB ruled that section 37(1) of the Ordinance required the
complainant to specify the data user complained against. The
mere provision of a source through which the data user could
somehow be identified was not sufficient. The complainant
was unable to name the informant and only provided the Privacy
Commissioner with the name of the officer who handled the
informant's complaint. The AAB found that the requirement
under section 37 was not satisfied in that the complainant
failed to name the data user in his complaint.
The
provision of a false statement to the police is an illegal
and criminal act. The person who used the statement and reported
the matter for the purpose of detecting crime, and punishing
illegal or improper conduct, or dishonesty was doing it for
an exempted purpose under section 58(1). Failure to use the
data would likely prejudice the investigation by the Department
into the conduct complained of. The invocation of the exemption
provision under section 58(2) was proper, thus no contravention
of the Ordinance was shown.
The
AAB also ruled that there was no evidence suggesting how the
statement was collected and that mere possession of it did
not amount to unfair or illegal collection. The AAB agreed
that in the absence of prima facie evidence suggesting
a contravention under the Ordinance, the Privacy Commissioner
was entitled to exercise his discretion under section 39 and
refuse an investigation.
The
AAB acknowledged that a complaint had to be supported on grounds
and with evidence, and that the Privacy Commissioner could
refuse to investigate if these conditions were not met. To
do otherwise would result in an injustice to the party being
complained against, and lead to an abuse of the complaint
mechanism.
The
AAB's Decision
The
AAB upheld the Privacy Commissioner's decision and dismissed
the appeal.
|
|
|