Case Notes

This case related to DPP4 - Security of personal data

Case No.:2019C09

Dental clinic - display of other patient’s medical record to a patient -requesting a patient to send his medical record by mobile phone - Data Protection Principle 4

The Complaint

The complainant went to a dental clinic. To supplement his explanation while discussing the treatment plan with the complainant, the dentist showed an X-ray film of another patient's dental exostosis, with that patient's name clearly visible. Moreover, as the complainant needed to provide the dentist with his earlier blood test results, the dentist's assistant asked the complainant to send the results through a mobile instant messaging application. The complainant considered that the two incidents showed the clinic's inadequate protection of patients' personal data and lodged a complaint with the PCPD.


Regarding personal data protection, the PCPD considered that the clinic, as a data user, is obliged to ensure that its staff comply with DPP4 of Schedule 1 to the PDPO when using or handling personal data, especially where sensitive personal data is involved (e.g. medical records, laboratory test results, etc.). Staff must take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use.

Undoubtedly, the use of mobile communication applications to transmit documents is becoming more common, but data users should be extra vigilant when transmitting sensitive personal data. The PCPD recommended that the clinic adopt more secure means of transmission, e.g. encrypted email or delivery by hand. As a good practice, when clinic staff ask a patient to submit his personal data through a mobile communication application, they should explain the risk to the patient and allow the patient to choose the means of submission. Moreover, the clinic should also remind its staff that forwarding patients' personal data received via mobile communication applications is not allowed, and that the personal data must be deleted once the purpose for which the documents were used has been achieved.

On the other hand, in this case it seems that the dentist referred to a similar X-ray film in good faith, to help the patient understand the treatment plan. However, if another patient's personal data is inadvertently disclosed in the process, the relevant requirements of the PDPO might be contravened. The PCPD requested the clinic to urge its staff to be more careful when encountering similar situations in future.

Lesson learnt

As public expectations of personal data privacy protection are increasing and medical records are sensitive personal data, medical practitioners should be more vigilant in handling patients' data and more aware of personal data security. Medical institutions should also adopt proper and proportionate data security measures commensurate with the sensitivity of the data, in order to fulfil the reasonable expectations of the public and their duty of data ethics.

(Uploaded in September 2020)