Case Notes

This case relates to DPP3 - Use of personal data

Case No.: 2020A05

(AAB APPEAL NO. 23/2020)

Use of electronic health record for other purpose without the Appellant’s consent – remedial measures taken – discretion not to investigate the complaint duly exercised – further investigation cannot reasonably be expected to bring about a more satisfactory result – relief sought beyond the purview under the PDPO

Coram:
Mr Erik Ignatius SHUM Sze-man (Chairman)
Mr Dick KWOK Ngok-chung (Member)
Mr Eugene CHAN Yat-him (Member)

Date of Decision: 16 March 2021

The Complaint

The Appellant consulted a doctor (“Mr A”) of a medical centre. The Appellant was dissatisfied with the medicine prescribed to him by Mr A and hence lodged a complaint with the Medical Council of Hong Kong (“Medical Council”). The complaint was dismissed by the Medical Council on the ground that there was insufficient evidence to prove any misconduct.

The Appellant subsequently received an SMS notification which stated that Mr A had accessed his electronic health record on the Electronic Health Record Sharing System (“eHRSS”). As a result, the Appellant lodged a second complaint with the Medical Council for an alleged violation of his privacy by Mr A. The case was referred to the Privacy Commissioner for follow-up with the Appellant’s consent. The Appellant demanded compensation and an open apology from Mr A.

The Privacy Commissioner’s Decision

Upon preliminary enquiry, the Privacy Commissioner found that when Mr A accessed the Appellant’s electronic health record, he was not providing medical treatment to the Appellant; rather, the access was made to refresh his memory in order to deal with an enquiry from the Medical Council. In this connection, the purpose of Mr A’s access to and use of the Appellant’s health records at the material time was inconsistent with the original purpose for which the data was collected, thereby contravening DPP3. Hence, the Privacy Commissioner issued a written warning to Mr A. In response, Mr A undertook that he would abide by the principle of “need-to-know” when accessing any patient’s electronic health record on the eHRSS in future (“the Undertaking”), and confirmed that he had not accessed the Appellant’s electronic health record via the eHRSS since then.

Given that Mr A had taken remedial measures in response to the written warning, the Privacy Commissioner considered that any investigation into the case was unnecessary and referred the case to the Electronic Health Record Office (“eHR Office”). The Privacy Commissioner also exercised the discretion under section 39(2)(d) of the PDPO not to carry out an investigation into the Appellant’s complaint. Being dissatisfied with the Privacy Commissioner’s decision, the Appellant lodged an appeal to the AAB.

The Appeal

The AAB confirmed the Privacy Commissioner’s decision and dismissed the appeal on the following grounds:

  1. It was a one-off incident and there was no evidence suggesting that Mr A had further breached the Undertaking. Given that the Privacy Commissioner had already issued a written warning to Mr A and referred the case to the eHR Office, and having regard to the remedial measures taken, the AAB affirmed the Privacy Commissioner’s decision not to conduct further investigation.
  2. There was evidence indicating that the Appellant’s major complaint was about the manner in which he was treated by Mr A and the medicines so prescribed; there was, however, no actual or substantial damage caused to the Appellant. If the Appellant wishes to seek compensation from Mr A, he may wish to commence legal proceedings under section 66 of the PDPO. However, he did not decide to do so. In any event, the relief the Appellant sought in lodging a complaint with the Privacy Commissioner, i.e. compensation and an open apology from Mr A, was clearly outside the purview of the PDPO.

The AAB’s Decision

The appeal was dismissed.

(Uploaded in May 2021)

