Case Notes

(AAB APPEAL NO.11/2019)

Purpose and manner of collection of personal data – open a letter without consent and knowledge – unfair manner of collection – alleged contravention of DPP1(2) – use of personal data for a new purpose – without data subject’s consent – alleged contravention of DPP3 – security of personal data – measures taken for ensuring the prudence and competence of persons having access to the data – alleged contravention of DPP4 – remedial measures taken – cannot reasonably expect to bring better results – section 64 - disclosing personal data obtained without consent from data users

Coram:
Mr Cheung Kam-leung (Presiding Chairman)
Mr Eugene Chan Yat-him (Member)
Mr Micky Yip Tik-bun (Member)

Date of Decision: 30 June 2020

The Complaint

The Appellant had resided in a hall of a monastery (“the Monastery”) since 1991 and had used a landline telephone number (“the Number”) registered at the Monastery for personal use. The usual practice was for the telecommunications service provider (“the Provider”) to mail the monthly telephone statement to the Monastery, which would be passed on to the Appellant by the manager of the Monastery. In February 2018, the Appellant claimed that the Monastery (the first party bound in this appeal) applied to the Provider (the second party bound in this appeal) to terminate the service of the Number without her approval and knowledge. Upon enquiry with the Provider, the Appellant was informed that the termination request was made by a person claiming to be the representative of the Monastery. When the termination request was made, the staff of the Provider checked the Appellant’s information, including her name, HKID number, and account number with the Monastery’s self-proclaimed representative.

The Appellant thus lodged the following complaints to the Privacy Commissioner:

1. The Monastery collected her personal information unfairly by stealing her monthly telephone statement (allegedly contravening Data Protection Principle (“DPP”) 1(2)) ;
2. The Monastery used the Appellant’s personal data for the purpose of transferring the telephone contract of the Number or applying for termination of service without her consent (allegedly contravening DPP 3); and
3. The Provider failed to take any practicable measures to verify the identity of the caller leading to the termination of the landline telephone services without the Appellant’s consent, as well as disclosing the details of the landline telephone service contract to a third party (allegedly contravening DPP 3 and 4).

The Commissioner’s Decision

Upon investigation, the Privacy Commissioner took the view that it was unreasonable for the Monastery to open the Appellant’s private letter without her consent and this amounted to a collection of personal data by unfair means, in contravention of DPP 1(2). Further, it was a contravention of DPP3 when the Monastery used the Appellant’s personal data and the monthly telephone statement to terminate the Appellant’s telephone services without her consent. As a result, the Privacy Commissioner issued a warning letter to the Monastery.

The Privacy Commissioner also agreed that the Provider failed to take all reasonable and practicable steps to verify the identity of the caller leading to the termination of the landline telephone services. Its employees also failed to follow the procedures of handling termination of service requests lodged by non-registrants. Owing to the fact that two employees of the Provider acted negligently, the Provider was considered as failing to take adequate measures to ensure that personal data held by it was protected against unauthorized or accidental access and processing. This was in contravention of DPP4. As a result, the Privacy Commissioner issued a warning letter to the Provider.

The Privacy Commissioner decided not to pursue the Appellant’s complaint further under section 39(2)(d) of the Ordinance and paragraph 8(h) of his Complaint Handling Policy. The reason was that the complainees (i.e. the Monastery and the Provider) had respectively taken remedial measures and continuing the investigation would thus not reasonably yield a better result. The Privacy Commissioner took the view that the complaints lodged by the Appellant should have been resolved upon his intervention.

Dissatisfied with the Privacy Commissioner’s decision, the Appellant lodged an appeal to the AAB.

The Appeal

Upon consideration of the parties’ submissions and the available evidence, the AAB took the view that the Privacy Commissioner’s decision not to proceed with the Appellant’s complaint was reasonable, legitimate and made in compliance with the established procedures.

For the reasons stated below, the AAB did not find the Appellant’s grounds of appeal convincing:

1. The AAB agreed that the Privacy Commissioner had sufficient information to handle the Appellant’s complaint upon taking into account all relevant materials and factors. The Privacy Commissioner did not deliberately exclude any relevant information. Hence, the Appellant’s allegation that the Privacy Commissioner unfairly handled the complaint was unfounded and without basis.
2. The AAB took the view that the minor discrepancies of facts alleged by the Appellant were not material and would not have any impact on the Privacy Commissioner’s investigation and decision.
3. After his investigation, the Privacy Commissioner issued warning letters to the Monastery and the Provider respectively, pointing out their violations of the DPPs and requesting them to take remedial measures to rectify the breaches. The Monastery and the Provider both undertook to the Privacy Commissioner and implemented certain remedial measures, such as enhancing staff training. Hence, the AAB agreed that further investigation of the case would be unnecessary and could not bring better results.

In this appeal, the Appellant and the Privacy Commissioner also debated about whether section 64 of the Ordinance was applicable. Section 64 of the Ordinance stated that, a person committed an offence if the person disclosed any personal data which was obtained from a data user without the data user’s consent to obtain gain in money or that disclosure has caused any loss or psychological harm to a data subject. The AAB took the view that section 64 of the Ordinance was not applicable in this case because the Monastery was not disclosing the Appellant’s personal data which was obtained from a data user without the data user’s consent.

The AAB’s Decision

The AAB affirmed the Privacy Commissioner’s decision and the appeal was dismissed.

(Uploaded in August 2020)