Q: We are being investigated by a supervisory authority. We have kept computer logs for a short period for the purpose of fixing network problems. We are requested by the supervisory authority to provide the computer logs with respect to the activities of our staff to facilitate their investigation. We are concerned that such disclosure may affect the personal data privacy of our staff. The question is, in light of the Personal Data (Privacy) Ordinance ("the Privacy Ordinance"), whether we should accede to the supervisory authority's request.
A: It is not clear to us whether in making those enquiries, the relevant supervisory authority is in fact formally invoking its investigative power under the relevant ordinance establishing the authority ("the Supervision Ordinance"). If the supervisory authority is merely making preliminary enquiries, then it would appear to us that your provision of information to the supervisory authority might contravene the data protection principle ("DPP") 3 of the Privacy Ordinance. However, if the supervisory authority is exercising its statutory power to require information under the Supervision Ordinance, then your failure to provide such information may be an offence under the Supervision Ordinance. In other words, you are compelled by the Supervision Ordinance to provide such information. Therefore, you must comply with the requests of the supervisory authority made pursuant to its statutory investigative power.
The DPP 3 of the Privacy Ordinance provides that personal data are not to be used for any purpose other than the purpose for which such data were to be used at the time of their collection or for a directly related purpose, except with the prescribed consent of the individual concerned. Where the data user is statutorily required to provide the data to a third party the failure of which would constitute an offence, we take the view that such disclosure for compliance purpose necessarily falls within the purpose for which the data were to be used at the time of their collection. On that basis, no prescribed consent is required from the data subject. It is our view that at the time of collection of the data, both parties must have understood that any applicable statute requiring disclosure of data would have to be complied with.