The Complaint
The Appellant enrolled in an IT certificate course (“Course”) at a learning centre (“Learning Centre”) that was appointed by an educational institution (“Institution”). The Learning Centre informed its students that it would contact those who failed the Course for a re-examination. However, there was an error in the Learning Centre’s arrangement and the Appellant failed to receive the notice for re-examination in time (“Incident”).
The Appellant was not satisfied with the response given by the Learning Centre and requested the Institution to investigate the matter. Subsequently, the Appellant lodged two data access requests (“DARs”) (namely DAR1 and DAR2) with the Institution requesting for the information collected during the investigation process. The Institution confirmed possession of the documents as requested by the Appellant in DAR1 and the Appellant’s personal data collected during investigation in DAR2. The Institution agreed to provide the Appellant with copies of the information requested (except the improvement measures regarding the notification of re-examination and other information provided by the Learning Centre such as the agreement between the Institution and the Learning Centre (“Agreement”) and investigation report of the Incident) but redacted the identities of the third parties or their identifying particulars which could reveal their identities. The Institution informed the Appellant of the reasons for refusal and relied on a confidentiality clause in the Agreement, which prohibited the Institution from disclosing various documents between the parties, and recommended the Appellant to submit a DAR to the Learning Centre instead. Dissatisfied with the Institution’s reply, the Appellant lodged a complaint with the Commissioner stating that the Institution had failed to comply with the DARs.
Findings of the Commissioner
Since the Commissioner found that the Institution could refuse disclosure of the various documents due to the confidentiality clause in the Agreement and there were insufficient evidence to support the Appellant’s complaint, the Commissioner decided not to pursue the matter further pursuant to section 39(2)(d) of the Ordinance. The Appellant was not satisfied with the Commissioner’s decision and thus appealed to the AAB.
The Appeal
At the hearing, the Appellant argued that the Commissioner had erred in: (1) deciding that an email address of a third party was not the Appellant’s personal data; (2) deciding that the confidentiality clause in the Agreement was applicable; (3) failing to deal with the Institution’s non-compliance with DAR2; (4) applying a narrow interpretation of the meaning of “indirectly” in relation to the definition of personal data under section 2 of the Ordinance; and (5) failing to notice that the email record was incomplete.
AAB agreed with the Commissioner that the email address of a third party does not relate directly or indirectly to the Appellant and is not the Appellant’s personal data. The DAR right allows the data subject to know what personal data of his/hers is held by the data user. The purpose of the Ordinance was not to allow data subjects to request for any documents that had them mentioned. The Institution was only required to provide a copy of the Appellant’s personal data. Hence, the email address of the third party was not the Appellant’s personal data and the Institution’s redaction of the email addresses before complying with DAR2 was reasonable.
AAB also examined section 20(3)(d) of the Ordinance under which a data user may prohibit another data user from complying with the DAR. Such prohibition arose in this case due to the confidentiality clause in the Agreement. AAB noted that the Institution had informed the Appellant of the reasons for not releasing part of the information including the investigation report by virtue of section 20(3)(d). AAB found the Institution had all along complied with the Ordinance in handling the DARs. AAB also agreed with the Commissioner that section 58(1)(d) and (e) were not applicable in this case. Since the investigation report only contained the telephone conversations between the staff of the Institution and the students concerning the arrangement for re-examination but not the Appellant’s complaint against the Learning Centre, the identity of the Appellant could not be ascertained directly or indirectly from the said report. Further, AAB disagreed with the Appellant’s bare allegation that the Institution provided an incomplete email record.
Decision of AAB
The Appeal was dismissed.
uploaded on web in August 2014