Paragraph (b) — “From Which It Is Practicable for the Identity of the Individual To Be
Directly or Indirectly Ascertained”
In applying the condition laid down in paragraph (b) to personal data, the first thing that
should be taken note of is that the word “practicable” wherever it appears in the
Ordinance, is defined under section 2(1) to mean “reasonably practicable”.
In the case of AAB No. 16/2000, the appellant made a complaint to the Commissioner
about a public transport company, due to the fact that whenever he entered or exited
through the toll gates using his senior citizen concessionary payment card, indicator
lights flashed and an alarm went off.
This would reveal to all persons nearby that he was
over 65 which, according to him, amounted to disclosure of his personal data. In its
decision, however, the AAB confirmed the Commissioner’s view that the payment card
in question (not being a personalised card) did not contain personal data belonging to
the appellant and the card could be purchased or possessed by anyone.
Thus, the fact
that the light and sound were emitted when the appellant used the concessionary
payment card to pass through the toll gate did not make it reasonably practicable for
the identity of the appellant to be directly or indirectly ascertained.
The light and sound
signals only identified the type of card used, not the person using it.
Secondly, in deciding whether certain data held by a party satisfies the condition laid
down in paragraph (b) and, in particular, in considering the meaning of the words “from
which” in that paragraph, the Commissioner takes the view that reference to the
individual should be able to be construed from the context of all the relevant
information controlled by the data user, of which the personal data of that individual
forms part. For example, an employer holding a personnel file on one of his employees
would not necessarily have the name of or other identifying information about the
employee explicitly stated on every page. If the employer should be asked whether the
information contained on one such page constitutes the personal data of the employee,
it would be unreasonable and contrary to the Commissioner’s regulatory view for the
employer to say “no” simply because that particular page alone does not reveal the
identity of the employee. Conversely, when it is not practicable on the face of the data
or from other information that it holds for the identity of the data subject to be directly or
indirectly ascertained, the condition laid down in paragraph (b) is not satisfied.
In applying the condition laid down in paragraph (b), the Commissioner will take into
account all relevant data controlled by the party in question. If it is practicable for that
party to ascertain from the totality of such data the identity of the individual, each and
every part of the data (including, in the example given above, any individual page
within the personnel file) also satisfies the condition laid down in paragraph (b). This
totality approach is equally applicable to the situation where the data is contained in
several documents, which, when read or construed together, constitutes the personal
data of an individual. For example, when a separate note of address is found attached
to a personnel file created for a particular employee, although no name is specifically
stated on the note, it is likely to be construed as personal data belonging to the
employee when read with other documents in the file and taking into account the
nature of the matter as a whole.