
Case Notes


This case relates to DPP4 - Security of personal data

Case No.: 2019C10

A staff member expressed his political views to members through membership communications without his employer’s consent - Section 65, Data Protection Principle 3 and 4

The Complaint

The complainant was a member of an organisation and received an email from the membership division of the organisation. The email included the latest arrangement of membership services due to the recent social incidents, and also some opinions on the said incidents. On the next day, the complainant received another email issued by an officer of the membership division, stating that the opinions expressed in the email on the day before were made by him, which did not represent the organisation’s stance. The complainant was dissatisfied that the officer used his personal data for expressing political views, and thus complained to PCPD against the organisation.


The organisation explained to PCPD that before issuing an email to its members, the staff of the membership division would inform supervisory staff of manager grade or above of the content to seek approval. The organisation stated that it had explained to its staff members the above practices and procedures of issuing email to members, including the appropriate content of the email. This case stemmed from an unauthorised amendment made by the membership officer to the draft of the email after the management's approval had been obtained.

PCPD is of the view that when joining the organisation, the members expected that their personal data provided to the organisation should only be used for membership related matters, and did not expect their personal data to be used for receiving the personal political views of an individual staff member of the organisation.

In view of this case, the organisation has requested all the staff handling membership issues to submit their draft email to the management for approval before sending to the members. Once the draft is approved, no amendment by the staff member is allowed. The organisation has also formulated written regulations on issuing membership email for staff compliance.

Lesson learnt

In this digital era, it is definitely convenient and efficient to update members on the latest development of an organisation through electronic communication. However, employers should regulate their staff on the use of members’ personal data to strike a balance between the convenience brought by technologies and personal data security.

Although this case seems to be the misconduct of an individual staff member, according to section 65(1) of the PDPO, an employer, as the data user, is held liable for the acts of its employees. The employer must take practicable steps to ensure that its employees comply with established guidelines, e.g. formulating written policies for staff compliance and monitoring the implementation of the policies. By contrast, relying on individual staff members’ verbal reminders is not a reliable and systematic monitoring mechanism. The organisation should embrace personal data protection as part of its corporate governance responsibilities and apply it as a business imperative throughout the organisation, starting from the boardroom, to manifest the principle of accountability.

(Uploaded in September 2020)
