A property owner had his name being used and made fun of in a poem uploaded onto a chatroom of a website which was set up by residents of the estate of which he resides - no dispute that the act was committed by employee of the company - company disputed liability as act committed by an employee out of his own frolic - meaning of "in the course of employment" - close connection test - DPP3 and section 65(1)
The Complaint
The complainant was a resident of an estate which was managed by the management company. The complainant discovered that his name was being used and made fun of in separate lines of a poem composed and uploaded onto the chatroom of a website operated by residents of the estate. Abbreviations of his flat and block number which were commonly adopted and used by the management company was found displayed together with the uploaded message. In a previous appeal, i.e. AAB Appeal No. 67/2005 lodged by the complainant, the Board ruled that personal data of the complainant were improperly used in contravention of Data Protection Principle 3 and directed the Privacy Commissioner to investigate whether the management company should be responsible for the act or practice in question. Pursuant to the decision given by the AAB, the Privacy Commissioner commenced an investigation against the management company.
Findings by Privacy Commissioner
Although no employee had directly admitted that the poem in question was uploaded by him, the Privacy Commissioner found that there was sufficient evidence to show that the act in question was done by one or more of the management company's employees as (i) the poem was confirmed to have been uploaded through the computer located at the management office of the company, which use was shared amongst its employees; (ii) its employees confirmed that they would visit the website in question to check the latest comments from the residents which might be relevant to management matters; (iii) its employees were aware that some senior officers of the company had been the target of attack in the website; (iv) the complainant's name and address were personal data that could be easily obtained and known to its employees; and (v) that a paper containing the user ID and log-in password was stuck near the computer in question so that other employees can share the use.
The Privacy Commissioner was satisfied that the management company should have knowledge that its employees did access the website in question and that it had not in place sufficient monitoring, policies and guidelines to prevent the improper act of using the owners' personal data. After considering all the circumstances of the case, the Privacy Commissioner found the management company to be responsible for the act or practice of its employees under section 65(1) of the Ordinance and hence had contravened DPP3. An enforcement notice directing the management company to take remedial steps to protect owners' personal data was served under section 50 of the Ordinance. Dissatisfied with the Privacy Commissioner's issuance of the enforcement notice, the management company appealed to the Administrative Appeals Board.
The Appeal
Two grounds of appeal were lodged, first (i) that no personal data were disclosed; and (ii) that the management company should not be held responsible for act committed by its employee not "in the course of employment". In relation to appeal ground (i), the Board confirmed that since the matter had been dealt with in the previous appeal in AAB Appeal No. 67/2005, the Board, being of equal level of authority, would not interfere with the decision on "personal data" previously given. The only issue to decide was whether the management company should be held accountable under section 65(1).
In interpreting and applying the term "in the course of employment", both parties had cited the case of Ming An Insurance Co (HK) Limited v Ritz-Carlton Limited [2002] 3 HKLRD 844, which is a Court of Final Appeal decision on vicarious liability of employer. The test of "close connection" was introduced in this landmark case. Counsel for the management company argued that (i) the company had no knowledge or consent to the act or practice of leaving message on the chatroom of the website; (ii) such act, even if known, was not permitted by the company; (iii) the act or practice was not done to the benefit of the company; (iv) the nature of the contravening act; (ii) the context, time and location during which the act happened, etc. Having taken these factors into account, he opined that such act or practice could not be taken to have any close connection with employment.
The Board disagreed and ruled that the test of "close connection" should be applied in a broad sense for the protection of personal data privacy. Although the act of making fun of name of the owner was not done for management purpose, since there was evidence to show that the management company was aware that the website in question was browsed and visited by its staff and the user ID and login password was stuck near to the computer, the Board found close connection existed that it should be taken to have been done in the "course of employment". Such being the case, the Board found that the management company was to be held responsible under section 65(1) of the Ordinance and the enforcement notice of the Privacy Commissioner properly issued.
The AAB Decision
The Appeal was dismissed.
[P.S. The management company was asked to comply with the terms of the enforcement notice.]
uploaded on web in January 2009