The owner of a flat in a residential building wrote to the building manager to complain about the way certain matters had been handled by building management staff and some members of the Owners Committee. She requested that her identity not be disclosed. In reply the manager confirmed that it was his practice not to disclose the identity of any complainant.
At a subsequent meeting of the Owners Committee a formal resolution was passed ordering the building manager to disclose to the Committee the identity of the complainant. The manager, under the impression that he was bound by the relevant Deed of Mutual Covenant (DMC) to do so, complied with the resolution. The complainant was aggrieved and complained to the PCPD.
Investigation revealed that there was in fact no such requirement under the DMC.
The Commissioner's views on the matter
The building manager acted in contravention of DPP3, which stipulates that personal data shall not be used, without the consent of the data subject, for any purpose other than the original purpose for which the data were collected. Upon warning, he undertook to the PCPD to observe closely the provisions of the Ordinance and not to disclose to a third party the identity of a complainant without the latter's consent.
As the complainant clearly objected to her identity being disclosed to the Owners Committee the building manager should have resisted the order by the Owners Committee to disclose the information. Moreover, the way the Owners Committee sought to obtain the data was unfair in the circumstances, which was a breach of the requirement of DPP1(2) to collect personal data only by means that are fair in the circumstances of the case.