Case Notes

This case related to DPP4 - Security of personal data

Case No.: 2005A22

The appeal related to whether non-provision of the data would render the complainant’s case not a “complaint” under section 37 of the Ordinance

A patient through her solicitors made a data access request to a public hospital, under the control and management of the Hospital Authority, for all her x-ray films taken during her hospitalization period. 6 of her x-ray films could not be located. The appeal related to whether the Hospital Authority was in contravention of Data Protection Principle 4 (“DPP4”) as a result of the loss of the films. (AAB Appeal No.26 of 2007)

The Complaint

The complainant was admitted to a Hospital for treatment and some 15 x-rays were taken of her with her consent during hospitalization. About four years later, the complainant, through her solicitors, made a request to the Hospital for the x-ray films taken. While processing the complainant’s request, it was discovered that 6 of her x-ray films could not be located. The complainant lodged a complaint with the Commissioner against the Hospital for failure to locate the 6 x-ray films.

Findings of the Commissioner

According to the Hospital, x-ray films of a patient were contained in an envelope relating to that patient and could be lent to medical officers upon request. On return of the borrowed envelope, the staff charged with handling the lending and borrowing of the x-ray films would not check the contents to make sure all relevant x-ray films were returned. The Commissioner was of the view that the Hospital should take more rigorous measures over the security and supervision in handling and storage of x-ray films as they recorded the physical conditions of the patient at a particular time and were not replaceable if accidentally disclosed or lost. Besides, the Hospital should take reasonably practicable steps to ensure that all loaned out x-rays were returned intact. Lack of manpower was not an acceptable explanation. As such, the Commissioner was of the opinion that the Hospital had contravened DPP4. An Enforcement Notice was issued, directing the Hospital to review their current procedures on storage and retrieval of x-ray films and require staff to check that no films were missing on the return of the borrowed x-ray films. Dissatisfied with the decision, the Hospital Authority appealed.

The Appeal

The AAB made it clear that the purpose of DPP4 was to protect against unauthorized or accidental use or erasure of personal data. If personal data was lost, this would give rise to risk of unauthorized or accidental use of personal data. Moreover, unauthorized or accidental erasure of data would result in the loss of such data. The AAB took the view that a purposive construction of the Ordinance should be adopted, that is, although the word ‘loss’ was not used, it was reasonably clear that DPP4 covered loss of personal data arising from security breaches. Furthermore, the AAB rejected the argument made for the Hospital and considered that the “harm” under DPP4(a) should refer to “harm consequent upon the breach of privacy”, including financial loss.

The AAB's Decision

The AAB upheld the Commissioner’s decision in issuing the Enforcement Notice and dismissed the appeal.

uploaded on web in March 2014