Date: 13 June 2022
PCPD Publishes Two Investigation Reports and a New Edition of Guidance Note for the Property Management Sector
The Office of the Privacy Commissioner for Personal Data (PCPD) released two investigation reports today, namely (1) “Investigation Report on the Accidental Disposal of Medical Records of Patients by Town Health Medical & Dental Services Limited (Town Health)” and (2) “Investigation Report on the Improper Collection, Retention and Use of Personal Data of Residents and Visitors by Property Management Companies”. The new edition of “Protection of Personal Data Privacy – Guidance for Property Management Sector” was also published at the same time.
Investigation Report on the Accidental Disposal of Medical Records of Patients by Town Health
On completion of its investigation into an incident which involved the accidental disposal of the medical records of patients by Town Health, the PCPD published an investigation report today. The investigation arose from a data breach notification lodged by Town Health with the PCPD on 2 June 2021, which reported that one of its medical centres located in the Fortress Hill area (Medical Centre) had accidentally disposed of a carton box (Carton Box) (see Figure 1 for the position of the Carton Box before disposal) which contained patients’ medical records in mid-March 2021. The incident affected a total of 294 patients of the Medical Centre.
Figure 1: Position of the Carton Box Before Disposal
From the evidence collected in the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that Town Health had the following serious deficiencies which contributed to the accidental yet avoidable disposal of the Carton Box:
Lack of staff awareness of personal data protection;
Lack of effective data protection policies and procedures; and
Lack of staff training on personal data protection.
In the present case, the Privacy Commissioner found that Town Health had serious deficiencies in ensuring the security of personal data. The Privacy Commissioner considered that Town Health had not taken all practicable steps to ensure that the medical records in question be protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) concerning the security of personal data under the Personal Data (Privacy) Ordinance (PDPO). The Privacy Commissioner has issued an enforcement notice to Town Health, directing Town Health to remedy and prevent recurrence of the contravention.
On the other hand, whilst there is no statutory requirement under the PDPO prescribing a data user to notify the Privacy Commissioner and the data subjects of data breach incidents, or the period within which such notifications are required to be made, the Privacy Commissioner considered that owing to the sensitive nature of the personal data involved in the incident, Town Health should have lodged the data breach notification earlier. The Privacy Commissioner regretted to note that Town Health only lodged the notification nearly three months after the incident.
Through the report, the Privacy Commissioner wishes to remind organisations, regardless of whether personal data is lost by accident, leakage or improper disposal, that the potential harm of the loss to individuals should not be underestimated, in particular when sensitive medical records are involved. The Privacy Commissioner recommends that organisations should:
Establish a Personal Data Privacy Management Programme for the responsible use and retention of personal data;
Appoint Data Protection Officer(s) to monitor compliance with the PDPO and report any issues to the senior management;
Enhance employees’ awareness of personal data protection and cultivate a personal data protection culture across the board;
Provide employees with comprehensive training to incorporate personal data protection into their daily duties, with a view to reducing human error caused by a lack of awareness; and
Adopt the same level of security measures for the relevant systems in processing personal data, whether they are computerised or in physical form, and put in adequate resources to enhance the security measures.
The Privacy Commissioner also reminds organisations that when they suspect or note the occurrence of a data breach incident, they should notify the PCPD as soon as possible. The PCPD will provide assistance and advice to help minimise the damage caused by the data breach incident and improve the personal data system.
Download “Investigation Report: Accidental Disposal of Medical Records of Patients by Town Health Medical & Dental Services Limited”:
Investigation Report on the Improper Collection, Retention and Use of Personal Data of Residents and Visitors by Property Management Companies
During the past five years, the PCPD received an average of more than 100 complaints against property management companies per annum. To raise the property management sector’s awareness of the need to protect the personal data privacy of residents and visitors, the Privacy Commissioner published an investigation report in respect of four complaints recently received by the PCPD against property management companies. The four complaints involved four property management companies, which are, respectively:
Cheong Sun Property Agent and Management Company – The company displayed the full names and addresses of property owners in an overdue notice which was posted on a public notice board;
Creative Property Services Consultants Limited – In a face mask distribution activity, the company did not cover a common form containing the names and addresses of residents who had collected the masks, so that passers-by could clearly see their personal data; nor did the company specify any retention period for the personal data;
H-Privilege Limited – The relevant security guard did not abide by the company’s established policy and revealed the phone number of a resident to another resident without authorisation; and
Wilson Property Management Limited – The company imposed a mandatory requirement for delivery workers to show their Hong Kong Identity Cards for the purpose of registration as visitors before they were allowed entry to the relevant building (please refer to the Annex for details of the complaint cases).
After conducting investigations into the four complaints, the Privacy Commissioner found that the four property management companies had contravened the relevant requirements of the Data Protection Principles of the PDPO as regards the collection, retention period, use and security of personal data, respectively.
The Privacy Commissioner has served Enforcement Notices on the four property management companies, directing them to remedy and prevent recurrence of their respective contraventions.
Five Recommendations for the Property Management Sector
Through the report, the Privacy Commissioner would like to make five recommendations to property management bodies. They are recommended to:
Introduce a Personal Data Privacy Management Programme to include the protection of personal data privacy as part of their governance responsibilities;
Carry out a Privacy Impact Assessment before implementing new policies or measures which may involve the collection of personal data, and consider whether there are any less privacy-intrusive alternatives;
Appoint Data Protection Officer(s) to ensure the organisation’s compliance with the requirements under the PDPO and implementation of a Privacy Management Programme; the bodies should also establish a culture of respecting personal data privacy;
Treat residents’ personal data as important assets of property management bodies and provide training according to the needs of staff members; and
Regularly review and update policies and guidelines on the processing of personal data. Property management bodies should also monitor the daily routines of staff effectively to ensure that they understand the requirements of the PDPO.
New Edition of “Protection of Personal Data Privacy – Guidance for Property Management Sector”
In view of the latest developments in the property management industry, the PCPD has in parallel updated the “Protection of Personal Data Privacy – Guidance for Property Management Sector”. The content covers the most common issues relating to the handling of personal data.
The Privacy Commissioner said, “Property management bodies should adopt good practices in accordance with relevant laws and guidelines to properly safeguard the personal data privacy of residents and visitors, which is an indispensable part of the provision of high-quality and professional services by such bodies. Respecting the personal data privacy of residents and visitors would not only serve to underscore the excellence of the management company’s service and enhance its competitiveness, but would also enable the company to gain the trust of residents and visitors and minimise disputes and misunderstanding among the parties, thus creating a win-win situation for everyone.”
Download the Executive Summary of “Investigation Report: Improper Collection, Retention and Use of the Personal Data of Residents and Visitors by Property Management Companies”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r22_14226_e.pdf
Download “Protection of Personal Data Privacy – Guidance for Property Management Sector”: https://www.pcpd.org.hk//english/resources_centre/publications/files/property_e.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (centre), Ms Amy CHAN Mei-yee, Chief Personal Data Officer (Complaints) (left) and Mr Brad KWOK Ching-hei, Acting Chief Personal Data Officer (Compliance & Enquiries) (right) introduced the two investigation reports and the new edition of the Guidance Note for the Property Management Sector.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, made five recommendations to organisations regarding the “Investigation Report on the Accidental Disposal of Medical Records of Patients by Town Health”.
Annex: Particulars of Improper Collection, Retention and Use of Personal Data of Residents and Visitors by Property Management Companies
Investigation Case (1)
The PCPD received a complaint against Cheong Sun Property Agent and Management Company (Cheong Sun), which was responsible for the property management of Scenic Garden in Cheung Chau. Cheong Sun was alleged to have posted an overdue notice on arrears to be collected from property owners (see Figure 2) and a list containing the full English names, full addresses and the amounts in arrears of 48 owners on a notice board located in the public area of the property (see Figure 3).
From the evidence collected in the investigation, the Privacy Commissioner considered that Cheong Sun should have been able to collect the payment of arrears by putting separate notices into the mailboxes of the 48 owners. Moreover, it was unnecessary to post in public the personal data of those 48 owners. Therefore, the Privacy Commissioner considered that Cheong Sun had contravened the requirements of Data Protection Principle (DPP) 3(1) of the PDPO as regards the use of personal data in the present case.
Figure 2: Location of the Notice Board
Figure 3: Extract of the List Containing the Personal Data of 48 Owners (with personal data masked)
Investigation Case (2)
Creative Property Services Consultants Limited (Creative Property Services), which was responsible for the management of Ching Ho Estate in Sheung Shui, assisted the Government in distributing face masks to households. Residents who had collected face masks were required to register their names, unit numbers and collection dates on a common form, and acknowledge receipt of the masks with signature (See Figure 4). It was alleged in the complaint that Creative Property Services had not informed the residents of the retention period of the personal data in the common form, and had not properly protected the personal data of the residents as stated in the common form as the personal data therein could be clearly seen by passers-by.
Figure 4: The Common Form in a Paper Box beside a Work Desk (with personal data masked)
As Creative Property Services failed to specify the retention period of the personal data contained in the common form at the material time, the Privacy Commissioner found that it had contravened the requirements of DPP2(2) of the PDPO as regards the retention of personal data.
In addition, the Privacy Commissioner was of the view that Creative Property Services had not taken all practicable steps to protect the residents’ personal data in the common form, thereby contravening the requirements of DPP4(1) of the PDPO as regards the security of personal data.
Investigation Case (3)
The complainant was a resident of Parker 33 in Shau Kei Wan. He received a call from another resident to whom he had never given his phone number. The resident told the complainant that he had obtained the complainant’s phone number from a security guard of the building. Hence, the complainant lodged a complaint with the PCPD against H-Privilege Limited (H-Privilege), which was responsible for the management of Parker 33.
The security guard in this case failed to abide by H-Privilege’s established policy on the handling of personal data and disclosed the complainant’s phone number to the other resident without authorisation. This was a significant deviation from the purpose of use to which the complainant had consented, and was also inconsistent with H-Privilege’s original purpose of collection. The Privacy Commissioner found that H-Privilege had contravened the requirements of DPP3(1) of the PDPO as regards the use of personal data.
Investigation Case (4)
The complainant was a food delivery worker of a takeaway platform. When the complainant delivered food to a unit at Tung Yuk Court in Shau Kei Wan, which was managed by Wilson Property Management Limited (Wilson), a security guard requested the complainant to present his Hong Kong Identity Card for visitor registration, and refused to accept his request for using other identification documents for visitor registration (See Figure 5). In the end, the complainant was denied access to the building after refusing to present his Identity Card.
Figure 5: Notice Placed on the Reception Counter of Tung Yuk Court
Identity Card numbers are sensitive personal data. All data users can only collect Identity Card numbers under the conditions stated in the PDPO and the “Code of Practice on the Identity Card Number and other Personal Identifiers” (Code) issued by the Privacy Commissioner under the PDPO.
In the present case, apart from collection of Identity Card numbers, Wilson failed to offer any less privacy-intrusive alternatives to visitors. The Privacy Commissioner found that such an act had contravened the requirements of the Code and the requirements under DPP1(1) of the PDPO as regards the collection of personal data.