It has been recently discussed in the community whether under section 58 of the Personal Data (Privacy) Ordinance (“the Ordinance”) a data user (e.g. a hospital or a bank) can, or is under a duty to, disclose a data subject’s personal data to a third party without the data subject’s consent.
The Privacy Commissioner for Personal Data, Mr. Roderick Woo, makes the following statement:
Under the Data Protection Principle (“DPP”) 3 of the Ordinance, a data user shall not, without the prescribed consent of the data subject, use (including disclose) the personal data of the data subject for a purpose unrelated to the original purpose of collection. The Ordinance contains certain exemption provisions, including section 58(2). If the exemption provision is applicable, the data will be exempted from the relevant requirement of the Ordinance, and a data user who discloses the personal data to a third party under such circumstances should not constitute a contravention of DPP3.
There is no provision in the Ordinance compelling a data user to disclose the personal data of a data subject to a third party. Whether a data user may rely on the exemption under section 58(2) of the Ordinance to disclose the data is for the data user to decide. If he decides to disclose the data by relying on the exemption provisions of the Ordinance, he will have to bear the risk of contravening the Ordinance in the event that it is adjudged that the data are not exempted. Under the Ordinance, a data user has no duty and cannot be compelled to rely on the exemption provisions to disclose others’ personal data.
The Administrative Appeals Board (“the AAB”) has made certain decisions on the applicability of section 58(2) of the Ordinance. The AAB is of the view that a data user who wishes to rely on section 58(2) of the Ordinance in disclosing the personal data of a data subject to a third party must fulfill two major conditions: (i) the data are to be used for a purpose specified in section 58(1) of the Ordinance, e.g. detection of crime, prevention of unlawful or seriously improper conduct or dishonesty, etc.; and (ii) not disclosing the data will likely prejudice the purposes.
Even if the data fulfill the first condition, the data user still has to consider the second condition. According to the AAB, whether non-disclosure of the data will likely prejudice the relevant purposes does not depend upon the subjective belief of the data user, but upon an objective inference. Data users must be prudent and should not hastily conclude that section 58(2) of the Ordinance is applicable by merely relying on general allegations made by data requestors; otherwise the requirements of DPP3 may be contravened.
A third party who requests personal data of a data subject from a data user should provide sufficient information to the data user, including the purpose of requesting the data (e.g. which kind of unlawful conduct he is trying to prevent?), how non-disclosure of the data would likely prejudice the purposes, etc., so that the data user can consider whether section 58(2) of the Ordinance is applicable. On the other hand, if the data user finds the information inadequate, he should ask for explanation and provision of more information from the requestor. The data user shall not hastily disclose the personal data of the data subject by just relying on the words of or general allegation made by the requestor.
Even if the data are intended to be used for prevention of crime or seriously improper conduct, disclosure of the data on a ground that is not substantiated by evidence may cause serious harm to the data subject’s data privacy. Therefore, data users may disclose the data to the third party only upon sufficient information to satisfy themselves that the data are exempted.