The secretary who was responsible to simply transmit documents but did not control the collection, holding or processing of the data contained in the documents was not a "data user" within the meaning of the PD(P)O. Even if she was a data user, there was insufficient evidence to show any breach of DPP4 when the document was lost.
Credit card application form and data passed to secretary for onward transmission - the documents were lost in the chain of transmission - no concrete evidence to show who caused the loss - single incident - case of lack of security not proved - definition of "data user" and DPP4
The Complaint
The complaint was an employee in one of the companies in a conglomerate. As part of the staff benefits offered by the company, the complainant was entitled to apply for a bank card issued jointly by the conglomerate and a bank. The standard procedure in this regard was for the employee to provide his or her personal data in a form and to submit the completed form to his or her supervisor for approval, after which the documents would be passed to the relevant associated accompany within the group for further processing and onward submission to the bank.
The complainant completed the form and entrusted it to the secretary of her supervisor together with other personal data relating to her, for approval by the supervisor. The documents were subsequently lost. The complainant alleged that the secretary and the employer company had mishandled her personal data.
Findings of the Privacy Commissioner
The PCPD made inquiries with the secretary. According to the secretary, after the supervisor's approval, she had passed the documents to the associated company concerned, located on different floor in the same building through the internal mail system of the company. The office messenger confirmed that documents had been delivered to the associated company but could not confirm whether those were the documents that had been submitted by the complainant. The associated company had no record of the said documents. There was no evidence to show how the documents became lost. Neither was there sufficient evidence to show who was responsible for causing the loss of the documents. Furthermore, it was found that this was the first time such an incident had happened. On this basis, the Privacy Commissioner exercised his power under section 39(2)(d) of the PD(P)O to refuse to carry out an investigation of the case, on the ground that any investigation was in the circumstances unnecessary as it would not likely lead to any useful result. The complainant appealed.
The appeal
The Administrative Appeals Board held that the secretary in the case was only responsible for the transmission of personal data, but did not control the collecting, holding, processing or other use of the data. Hence she was not a "data user" within the meaning of the PD(P)O in relation to the personal data concerned. Furthermore, her handling of the data of the complainant was reasonable and within her scope of duties. She was not found to have breached the requirements of the PD(P)O.
The Administrative Appeals Board further held that it was not clear whether, in approving the credit card application as part of its staff benefits, the employer company was actually processing data on its own behalf and therefore a data user with respect to the personal data of the complainant under the PD(P)O. However, even assuming that it was a data user in relation to the data concerned, there was no evidence to show that the documents were lost while in the custody of the employer company (rather that after delivery to the associated company). Furthermore, all normal procedures had been followed in the handling of the data, and there was no evidence to show that any defect existed in the manner of the handling of personal data by the company. Since this was an isolated incident, there was insufficient evidence to show any breach of DPP 4 in Schedule 1 to the Ordinance, which requires a data user to take all reasonably practicable steps to safeguard the security of personal data. Any further investigation would in any event be unlikely to yield a firm conclusion on the facts concerning the loss of the documents. The Privacy Commissioner was justified in refusing to carry out an investigation.
AAB's decision
The appeal was dismissed.