Table of Contents Table of Contents
Previous Page  117 / 192 Next Page
Show Menu
Previous Page 117 / 192 Next Page
Page Background

messenger. During the investigation, the law firm provided an undertaking to the


• not to disclose the complainant’s personal data to any person other than the

complainant when delivering any document to the complainant by hand at the

address for service including the business centre, in the course of obtaining

acknowledgment for service; and

• to give clear instructions to its staff for the purposes of complying with the undertaking.


In another case,


which related to service of a trial bundle to a litigant to a matrimonial

case, the staff of a law firm left the bundle in the gap between the front door and the

metal gate of the litigant’s residence. The bundle of documents was not sealed in an

envelope and was easily accessible to passers-by or unrelated parties. The bundle was

later picked up by a security guard on patrol. The law firm did not have written

guidelines to advise its staff on the compliance with DPP4 regarding the manner of

service of a legal document. It was therefore found to have contravened DPP4. The

appropriate steps that a data user should take in similar situations include putting the

documents to be served in a sealed opaque envelope or to make arrangements with

the litigant to collect the same.


In a more recent case,


it was decided by the AAB that the law firm in question did not

contravene DPP4 by placing bundles of properly tied legal documents in sealed

envelopes and leaving the same outside the appellant’s residence when effecting

service of the documents. However, the AAB took the view that it was unnecessary for

the law firm’s staff to exhibit the front page of each document bundle in the lobby of

the building and to take photographs of the same in front of the building management

staff. Such acts posed a risk that the personal data of the appellant might be disclosed

to the management staff and passers-by.

(e) Hospitals and Clinics


Universal Serial Bus (“USB”) flash drives are widely used because of their portability and

high storage capacity. However, their portability and compact size have also increased

the risk of data loss as the USB flash drives containing the data may be misplaced or lost

without the users noticing. An investigation


carried out by the Commissioner against

the Hospital Authority (“HA”) involved the loss of patients’ registration data (including

name, HKID number, home address and contact number) and consultation records of a

psychiatric nurse who was required to work in different clinics for providing psycho-social

health services to pregnant women and postnatal mothers. In the course of carrying out

her duties, she downloaded patients’ registration data and clinical consultation notes

onto the password protected zone of the USB flash drive. One day, she discovered that


See Case Note No. 2002C07, available on the Website:



AAB 19/2014


See Investigation Report No. R08-1935, available on the Website: