The Complaint
1. Summary of Facts
The complainant under the arrangement of his company attended a doctor's clinic for a medical examination. On the same day, he made a data access request to the doctor for a copy of the correspondence regarding him sent to the doctor by his company (the "DAR"). The complainant complained that he had not received a substantive reply from the doctor.
2. Issues of the Case
Non-compliance with data access request.
Outcome
1. Reasoning
An investigation was undertaken by the PCPD. It reviewed that after the doctor had received the DAR, he sought the suggestions of the complainant's company on the matter. Since the complainant's company had specifically asked the doctor not to disclose the correspondence on the ground of legal privilege, the company controlled the use of the data and prohibited the doctor from complying with the DAR to provide a copy of the correspondence to the complainant. The doctor was therefore entitled to rely on s20(3)(d) of the Ordinance to refuse to comply with the DAR for copy of the correspondence.
However, the doctor failed to inform the complainant about the refusal to comply with the DAR as required under s21(1) of the Ordinance. Accordingly, the doctor has contravened s21(1) of the Ordinance in relation to the DAR for a copy of the correspondence.
2. Action by the PCPD
An enforcement notice was served on the doctor requiring him to inform the complainant in writing of his refusal to comply with the DAR for a copy of the correspondence; the reasons for the refusal; and the name and address of the other data user concerned in accordance with s21(1) of the Ordinance, and to devise a policy, practice and/or procedure to prevent repetition of the contravention.
3. Improvement action by party complaint against
The doctor had complied with the enforcement notice.