An employer posted a list containing the personal data of staff who were to undergo virus testing – DPP 4 – security of personal data
The Complaint
An organisation arranged COVID-19 tests for its staff, including the Complainant, on three consecutive days. On the first day of testing, a list of the staff to be tested was posted outside the staff clinic. The personal data of the staff on the list, including their names, full HKID Card numbers, dates of birth, phone numbers and staff numbers, could be viewed by everyone present, and the list was photographed by others at the scene. The Complainant was dissatisfied that his employer had failed to properly protect the personal data of its staff and lodged a complaint with the PCPD.
Outcome
The organisation explained that the list had been provided to the staff clinic so that the clinic’s nurses could pre-register the staff to be tested, prepare the necessary materials and verify the staff’s identity. To help the staff ascertain the testing sequence, the nurses posted the list outside the clinic on the day of the test. On the day following the incident, the organisation requested the nurses to remove and safeguard the list.
Upon the PCPD’s intervention, the organisation further issued a circular to its staff, requesting them to delete any photos of the list and reminding them to comply with the organisation’s internal rules on personal data privacy. The organisation also undertook to require all departments (including its staff clinic) to exercise care when handling personal data and to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. The organisation further indicated that, in future, documents containing personal data would be encrypted and suitably marked as “Confidential” or “Restricted” when sent to its staff clinic by email.
The PCPD also issued a warning to the organisation, requesting it to urge its staff to handle personal data with prudence and to regularly remind its departments to check carefully whether a document contains personal data before posting it in public. The organisation was also requested to carefully consider and weigh the necessity and extent of displaying such data, so as to avoid repeating the same mistake.
Lesson learnt
COVID-19 quickly escalated into a global health crisis following its outbreak. Employers may arrange regular virus testing for their staff to protect the health and safety of the community. While prompt anti-epidemic measures are important, employers must not lose sight of the importance of protecting the personal data of their staff. In this case, the nurses’ intention in posting the list might have been to keep the staff informed in advance of the sequence of their respective tests; nonetheless, they failed to consider that the list contained sensitive and excessive personal data. Employers should adopt an approach that minimises the disclosure of personal data while still achieving their objective, for example a queue list showing only the information needed for sequencing, with the data needed for identity verification kept by the nurses rather than displayed, so as to strike a proper balance between epidemic prevention and privacy protection. Employers should at all times exercise due care in safeguarding the personal data of their staff by formulating guidelines or measures, providing training or education, and raising staff awareness of personal data privacy protection.
(Uploaded in September 2022)