Q: We are a medical institution. We have recently received a number of requests from a government department to release patients' last known addresses and clinical data to the department. The government department stated that the said information was required to locate the data subjects and to enable it to consider whether it should apply to court to enforce certain monetary court orders in respect of which they were continuously breaching. The question is whether we can rely on the exemption of "remedying serious improper conduct" provided for in section 58(2) of the Personal Data (Privacy) Ordinance ("the Ordinance") in disclosing the patients' data to the department.
A: It has been held in a court case that a breach of a court order is considered a kind of "seriously improper conduct" within the meaning of section 58 of the Ordinance. Thus, if the government department could establish that the requested data are required for the purpose of enforcing a court order and that the non-disclosure thereof "would be likely to prejudice" the said purpose, then section 58(2) of the Ordinance would exempt the application of Data Protection Principle ("DPP") 3 to the disclosure of the said data. In other words, the disclosure of the said data will not contravene DPP 3 of the Ordinance.
However, with respect to the clinical data, we do not see how they may be used for the purpose of the 'prevention, preclusion or remedying of seriously improper conduct' or how the failure to disclose such data would be likely to prejudice such purpose. On that basis, we are of the view that the release of the patients' clinical data to the government department without the patients' consent will be likely to constitute contravention of DPP 3 of the Ordinance.