(AAB APPEAL NO.11/2019)
Purpose and manner of collection of personal data – open a letter without consent and knowledge – unfair manner of collection – alleged contravention of DPP1(2) – use of personal data for a new purpose – without data subject’s consent – alleged contravention of DPP3 – security of personal data – measures taken for ensuring the prudence and competence of persons having access to the data – alleged contravention of DPP4 – remedial measures taken – cannot reasonably expect to bring better results – section 64 – disclosing personal data obtained without consent from data users
Mr Cheung Kam-leung (Presiding Chairman)
Mr Eugene Chan Yat-him (Member)
Mr Micky Yip Tik-bun (Member)
Date of Decision: 30 June 2020
The Appellant had resided in a hall of a monastery (“the Monastery”) since 1991 and had used a landline telephone number (“the Number”) registered at the Monastery for personal use. The usual practice was for the telecommunications service provider (“the Provider”) to mail the monthly telephone statement to the Monastery, which would be passed on to the Appellant by the manager of the Monastery. In February 2018, the Appellant claimed that the Monastery (the first party bound in this appeal) applied to the Provider (the second party bound in this appeal) to terminate the service of the Number without her approval and knowledge. Upon enquiry with the Provider, the Appellant was informed that the termination request was made by a person claiming to be the representative of the Monastery. When the termination request was made, the staff of the Provider checked the Appellant’s information, including her name, HKID number, and account number with the Monastery’s self-proclaimed representative.
The Appellant thus lodged the following complaints with the Privacy Commissioner:
The Commissioner’s Decision
Upon investigation, the Privacy Commissioner took the view that it was unreasonable for the Monastery to open the Appellant’s private letter without her consent and this amounted to a collection of personal data by unfair means, in contravention of DPP1(2). Further, it was a contravention of DPP3 when the Monastery used the Appellant’s personal data and the monthly telephone statement to terminate the Appellant’s telephone services without her consent. As a result, the Privacy Commissioner issued a warning letter to the Monastery.
The Privacy Commissioner also agreed that the Provider failed to take all reasonable and practicable steps to verify the identity of the caller, which led to the termination of the landline telephone services. Its employees also failed to follow the procedures for handling termination of service requests lodged by non-registrants. Because two employees of the Provider acted negligently, the Provider was considered to have failed to take adequate measures to ensure that personal data held by it was protected against unauthorized or accidental access and processing. This was in contravention of DPP4. As a result, the Privacy Commissioner issued a warning letter to the Provider.
The Privacy Commissioner decided not to pursue the Appellant’s complaint further under section 39(2)(d) of the Ordinance and paragraph 8(h) of his Complaint Handling Policy. The reason was that the complainees (i.e. the Monastery and the Provider) had respectively taken remedial measures and continuing the investigation would thus not reasonably yield a better result. The Privacy Commissioner took the view that the complaints lodged by the Appellant should have been resolved upon his intervention.
Dissatisfied with the Privacy Commissioner’s decision, the Appellant lodged an appeal to the AAB.
Upon consideration of the parties’ submissions and the available evidence, the AAB took the view that the Privacy Commissioner’s decision not to proceed with the Appellant’s complaint was reasonable, legitimate and made in compliance with the established procedures.
For the reasons stated below, the AAB did not find the Appellant’s grounds of appeal convincing:
In this appeal, the Appellant and the Privacy Commissioner also debated whether section 64 of the Ordinance was applicable. Section 64 of the Ordinance stated that a person committed an offence if the person disclosed any personal data which was obtained from a data user without the data user’s consent, either to obtain gain in money or where that disclosure caused any loss or psychological harm to a data subject. The AAB took the view that section 64 of the Ordinance was not applicable in this case because the Monastery was not disclosing the Appellant’s personal data which was obtained from a data user without the data user’s consent.
The AAB’s Decision
The AAB affirmed the Privacy Commissioner’s decision and the appeal was dismissed.
(Uploaded in August 2020)