The Complaint
1. Summary of Facts
The Complainant was an executive staff member of an academic department in a university (the "Department"). At all material times, the Complainant also acted as the secretary (the most senior non-academic member) of a specific management committee within the university (the "Committee"). The Complainant needed to report her duties to the head of the Department and to oversee the general administration and operation of the Committee. The Complainant's supervisor, i.e. the head of the Department, also acted as the chairman of the Committee.
Since the Complainant's supervisor was dissatisfied with the Complainant's working performance, he sent a warning email to the Complainant and, without the Complainant's consent, copied the full contents of the warning email to all members of the Committee.
2. Issue of the case
Use of personal data without consent.
Outcome
1. Reasoning
An investigation was undertaken by the PCPD. It was noted that the warning email was compiled for the purpose of reviewing the work performance of the Complainant. The university explained that the disclosure of the warning email to all members of the Committee was necessary because one of the purviews of the Committee was to give advice on "deployment of human and other resources" and disclosure of the warning email enabled the Committee members to ascertain the deficiency found in the Complainant's work performance.
The investigation of the PCPD revealed that there was insufficient evidence indicating that the Committee members were empowered to review the work performance of the Complainant. In addition, the Commissioner noted that the Complainant's supervisor merely forwarded the warning email to the Committee members without requesting the recipients to render their advice and views on the Complainant's performance. It was therefore difficult to convince the Commissioner that the email recipients would have understood that they were expected to give views on the contents of the warning email for the purpose of reviewing the Complainant's working performance.
On the basis of the above, the Commissioner considered that the university's disclosure of the warning email to the members of the Committee was not on a "need to know" basis and such disclosure was not for the same purpose as or a purpose directly related to the purpose of collection. Accordingly, the PCPD found that the university had contravened the requirements of DPP3.
2. Action by the PCPD
An enforcement notice was served on the university requiring it to take steps to notify its staff who are empowered to give written warnings to staff members not to disclose the contents of the warnings to any third party unless the disclosure is for the same purpose as or a purpose directly related to the purpose of collection, or the prescribed consent has been obtained from the data subject.
uploaded on web in July 2009