The Complaint
The Complainant was a Police Officer. When the Police searched a financial institution in a criminal intimidation case, they accidentally found some loan information relating to the Complainant. Though investigation showed that the criminal intimidation case did not involve any criminal element, the Police started an internal investigation into the Complainant and obtained the Complainant's transaction records ("the Data") from a Bank. The Complainant was dissatisfied that the Bank had disclosed the Data to the Police without his prior consent and thus lodged a complaint with the PCPD.
According to the Bank, it received a letter from the Police requesting that it provide the Complainant's Data for a disciplinary investigation into the Complainant's financial status. The Police stated in the letter that the request was exempt under sections 58(1)(d) and (2) of the Ordinance. The Bank believed that enforcement authorities were empowered to obtain customer information from it without giving any detailed explanation, and that its liabilities were exempted under sections 58(1)(d) and (2) of the Ordinance. The Bank also believed that, by quoting the exemptions in sections 58(1)(d) and (2) of the Ordinance in the letter, the Police had clearly indicated that the Complainant's personal data were to be used for the purpose of prevention, preclusion or remedy (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice by persons, and that the Police must have reasonably believed that if the Complainant's personal data were not used in such a way, the matters referred to in section 58(1)(d) of the Ordinance would be likely to be prejudiced. The Bank therefore supplied the Complainant's Data to the Police without asking the Police for any details of the investigation.
Outcome
Though the Police stated in the letter that the request was exempt under sections 58(1)(d) and (2) of the Ordinance, the Bank must have known that the exemptions in sections 58(1)(d) and (2) relate to DPP3, which concerns the use of personal data. It was for the data user holding the personal data (i.e. the Bank) to consider whether it was appropriate to rely on the exemption when the personal data were used in such a way. In other words, under the circumstances of the case, if the exemption was not applicable, the liability rested with the Bank, not the Police. Moreover, sections 58(1)(d) and (2) of the Ordinance are exemption provisions which allow data users to be exempted from DPP3 when the conditions in the relevant provisions are satisfied. The sections do not require that data users must not comply with DPP3. Therefore, the Bank could not simply take the Police's statement that sections 58(1)(d) and (2) of the Ordinance were applicable as a legally binding requirement and believe that it must supply the Data to the Police.
In the Commissioner's view, the Bank should have known that the Data were its customer's sensitive personal data and that it had a duty to keep the Data confidential. Such duty should not be ignored, and the provision of the Data to the Police was not within its customer's reasonable privacy expectation. The Bank should have tried to understand the details of the case, analyzed them objectively, and made enquiries with the Police in order to decide whether the circumstances satisfied the requirements of section 58(1)(d) of the Ordinance. On the other hand, section 58(2)(b) of the Ordinance stipulates that the exemption is applicable in a case in which compliance with DPP3 would be likely to prejudice the matters referred to in section 58(1) of the Ordinance. The Bank should have had reasonable grounds to believe that non-disclosure of the Data would be likely to prejudice the purpose of section 58(1)(d). In this case, even if the Bank had learnt the details of the Police's investigation of the Complainant, the Bank still had to analyze the facts objectively to see whether, if DPP3 were applied, the purpose of section 58(1)(d) would be likely to be prejudiced or hindered.
In this case, the Commissioner was of the view that the Bank could not believe that provision of the Data to the Police complied with section 58(1)(d) by simply relying on the Police's letter, and could not reasonably believe that the purpose referred to by the Police would be likely to be prejudiced if DPP3 were applied, such that the exemption in section 58(2) of the Ordinance could be relied on. Hence, the Commissioner opined that the Bank's act of providing the Data to the Police had contravened DPP3.
The Bank subsequently accepted the PCPD's advice and formulated policies requiring its staff, when encountering similar requests from the Police, to make enquiries with the Police to learn the details of the case before deciding whether or not to provide the data to the Police.
uploaded on web in July 2013