A District Council member posted and disseminated personal data collected from the public domain - Data Protection Principle (DPP) 3
The Complaint
A District Council member posted some leaflets containing personal data of the complainant at building lobbies and other public areas. The leaflets contained the complainant’s name, his salary and MPF contribution records when he was under the employment of a Legislative Councillor’s office. The District Council member revealed that the information of the complainant came from the public record of the Legislative Council (LegCo). The District Council Member also posted the information on the complainant on an online social platform. The complainant was dissatisfied that the District Council member disclosed his personal data and made a complaint to PCPD.
Outcome
According to the information provided in the LegCo’s webpage, Legislative Councillors are provided with remuneration and allowances for expenses arising from LegCo duties. Legislative Councillors must provide their staff names and salary amount on the reimbursement forms, which, together with supporting documents are open for public inspection and reproduction. PCPD considered that the purpose of making Legislative Councillors’ expenditure records public was for public scrutiny of their expenditure and use of public fund. In this case, PCPD must consider whether the disclosure of complainant’s personal data by the District Council member was consistent with or directly related to the original purpose of providing the information for public inspection by the LegCo.
PCPD noted from the leaflets and online posts of the District Council member that, the latter was intended to inform public that the complainant had been a paid staff member of the Legislative Councillor of a political party, instead of an independent volunteer as claimed by the complainant, in order to challenge the complainant’s integrity and political connection. PCPD considered that the purpose for which the District Council member disclosed the complainant’s personal data was inconsistent with the original purpose of allowing public inspection of such data (i.e. public scrutiny of Legislative Councillors’ expenditure and use of public fund), thereby contravened DPP3.
PCPD served an Enforcement Notice on the District Council member directing him to remove the posts containing the complainant’s personal data on the online social platform (leaflets posted at public areas had been removed during PCPD’s investigation), and stop further disclosing the complainant’s personal data. The District Council member had subsequently complied with the Enforcement Notice.
Lesson learnt
It is a common misconception that publicly accessible personal data is “public” data and that can be further used for any purpose without limitation. In fact, the protection afforded by the PDPO also applies to such personal data.
The use of the public record by the District Council member to challenge the complainant’s claim and integrity had far exceeded the original purpose for which the records are made public. The complainant’s personal data had been weaponized in this case, and this should not be encouraged.
Personal privacy is a basic but not absolute human right, and should be balanced with other rights and public interests. Under the trend of encouraging innovation and emphasising right to information, to ensure free flow of data, citizens or organisations should keep in mind the values of being respectful, mutually beneficial and fair when using personal data in the public domain, so as to avoid using the data for purposes irrelevant to the original purpose of collection.
(Uploaded in September 2020)