Date: 17 June 2019
Privacy Commissioner's Response to Suspected Unauthorised Access to Hospital Authority's Accident and Emergency Information System
Regarding the suspected unauthorised access to the Hospital Authority’s Accident and Emergency Information System, the Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG made the following observation and response:
The Privacy Commissioner has initiated a compliance check and is not able to provide further details at this stage.
The Personal Data (Privacy) Ordinance (the Ordinance) aims to prevent personal data from being misused. The Data Protection Principles under the Ordinance regulate the collection, storage, retention, use, security, transparency, access and correction of personal data.
Under the Ordinance, there are exemption provisions for certain circumstances, one of which concerns emergency life-saving. For example, if a data subject has fainted in a car accident, the hospital may, in order to save his life, use his personal data (such as his telephone number) or disclose his health data to his family doctor without his consent (section 59 of the Ordinance). This exemption does not apply if the use of the data would cause harm to the data subject.
Disclosure of personal data for the detection of crime is another exemption. However, the hospital should determine whether the relevant criteria are met before relying on it. The hospital should first ask the enforcement authority requesting the personal data to provide sufficient information, including the purpose of the data collection, the nature of the case being investigated, the relevance of the requested data to the investigation, the reason why the investigation would be hindered if the data were not provided, and so on. Moreover, this exemption provision does not empower the enforcement authority to collect data. When the enforcement authority requests the data, it has a duty to inform the hospital whether supplying the data is obligatory; otherwise the enforcement authority may itself contravene the Ordinance by misleading the hospital (section 58 of the Ordinance).
Under the Ordinance, data users (e.g. hospitals or enforcement authorities) are required to take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use (Data Security Principle).
Moreover, under the Data Use Principle, patients' personal data shall only be used for the purposes stated at the time of collection (e.g. identity verification and diagnosis). Using the data (including transferring or disclosing it) for any other purpose without the voluntary and explicit consent of the patient violates the Data Use Principle.
All organisations must put in place policies and procedures to regulate the collection, processing and use of personal data, to safeguard that data, and to handle exemption issues. Any organisation that inadvertently or excessively collects data, or that requests or misleads another organisation into providing data without any legal basis, may contravene the requirements of the Ordinance.
If there is a dispute between the requestor (e.g. enforcement authority) and the provider (e.g. hospital), the requestor may apply for a search warrant from the court.